hxxps://storage[.]googleapis[.]com/gpay-emails/global/home_feedback_sad_2x[.]png

Analysis

max time kernel
15s
max time network
19s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://storage.googleapis.com/gpay-emails/global/home_feedback_sad_2x.png

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133663955623957591"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4148	chrome.exe
4148	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4148	chrome.exe
4148	chrome.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe
Token: SeShutdownPrivilege	4148	chrome.exe
Token: SeCreatePagefilePrivilege	4148	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe
4148	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 4960	4148	chrome.exe	84
PID 4148 wrote to memory of 4960	4148	chrome.exe	84
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 1488	4148	chrome.exe	85
PID 4148 wrote to memory of 2756	4148	chrome.exe	86
PID 4148 wrote to memory of 2756	4148	chrome.exe	86
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87
PID 4148 wrote to memory of 736	4148	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://storage.googleapis.com/gpay-emails/global/home_feedback_sad_2x.png
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc82e4cc40,0x7ffc82e4cc4c,0x7ffc82e4cc58
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,12260659677982380735,5311709569980987762,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,12260659677982380735,5311709569980987762,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,12260659677982380735,5311709569980987762,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2460 /prefetch:8
  2⤵
  PID:736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,12260659677982380735,5311709569980987762,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,12260659677982380735,5311709569980987762,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4584,i,12260659677982380735,5311709569980987762,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4592 /prefetch:8
  2⤵
  PID:1824

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9b75cf53354e3d19d118293f5f47cb5c

SHA1
054f456f04fa1e4d13633589d8195c637c25925c

SHA256
0540a37130b5886523653513c15291ea1e3c27dcb07eb91ba6b82793107e892a

SHA512
03f88832d349c5432cee9b3625ef9088880db2f1f2418184eb46d61ce7654ed5e3a6e181c0d9c029b3f8326bb9932f696ed25154f97b661d0670a5eac82fe0c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a2ecf2f3294b77c69cd55b937fa90bc8

SHA1
510692da64cf1ac769908a8ae3421d1a73d343f7

SHA256
741986cb0b91d6b3b0da6e3fe220721e9d1c7dd48c9a0f285223486fe1ab1b06

SHA512
1a56d197bd5b7e3f76dc9664ba6af949f2eed081fbabf70ecf301867232cb715cf051f5a04b3270c4195ff7bad0a720ab2a654ab112a710fbfac49d75a547982

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
4918f47eb16807895c862bc5cd52b837

SHA1
4f6721b55659ab73b48cb4dd9981cdb062d451b7

SHA256
1078f70ab860d58e38be044b54d71c950da7a62f0fc0f10253e94ebb70633529

SHA512
38c6ebbde2f88329606546ebaf44d5c4ecc24d60c0d0126d5edc4494b4e2489ff5084b19f27f017ef0376317072e810c6f77339133e5f36c1bc0a5d9484698f9

Download Submit