hxxps://meplan24[.]sharefile[.]com/public/share/web-sd6a2efeea01f43eebdc14a2ededf34b4

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://meplan24.sharefile.com/public/share/web-sd6a2efeea01f43eebdc14a2ededf34b4

Score

6^/10

discovery

Malware Config

Signatures

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133670457551346865"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4728	chrome.exe
4728	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4728	chrome.exe
4728	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe
Token: SeShutdownPrivilege	4728	chrome.exe
Token: SeCreatePagefilePrivilege	4728	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe
4728	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 3440	4728	chrome.exe	84
PID 4728 wrote to memory of 3440	4728	chrome.exe	84
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4712	4728	chrome.exe	86
PID 4728 wrote to memory of 4988	4728	chrome.exe	87
PID 4728 wrote to memory of 4988	4728	chrome.exe	87
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88
PID 4728 wrote to memory of 1636	4728	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://meplan24.sharefile.com/public/share/web-sd6a2efeea01f43eebdc14a2ededf34b4
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffad5dacc40,0x7ffad5dacc4c,0x7ffad5dacc58
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,7259534531851726946,18088998173980569581,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1652,i,7259534531851726946,18088998173980569581,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=1988 /prefetch:3
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,7259534531851726946,18088998173980569581,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=2268 /prefetch:8
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,7259534531851726946,18088998173980569581,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,7259534531851726946,18088998173980569581,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4376,i,7259534531851726946,18088998173980569581,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=724,i,7259534531851726946,18088998173980569581,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=4644 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1108

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f39007eeb026488991eecb86426a1d51

SHA1
ec3009b30b509c288ffef700a3d954d67fec8b89

SHA256
72c38e22bc3abdfea8cf546eb37344f9fba9ba13a1b6194927931a3d7536364c

SHA512
3f7c0fca26f3c3d3c5c64307f79a53f9756722feab394c02b00b2a787df73ea312495cf469d586638dad28abed09e17095f603d4fbf160e52498f0cc62efa0c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
540d8cfae91b85e0999d70736ad54e73

SHA1
172176b99e7b910d1d013e5cb012d0358e336c05

SHA256
678b04db0c132080d0f080ff9b2ee72e3313608e1034b64b05d9d6017953b864

SHA512
c6ee995f3976c1510f0d25c3e2e7ff1d54dcc47a8315ce0bd9cbd02774eb8dedb4afff0859842c9e5f85b1445887fcbd0caaf822a68874a9769458e48c45db53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1586d9afb826c339c500af5d05436214

SHA1
48edb6664abcfedf0e868a2c45a8547c32e9ba0f

SHA256
61209d291c6e3d471277e86f43d45973cb595a9103c040634884a6c921efb564

SHA512
783417a3f94c087ca011e613e20de32627c29ed11e29dcf40345184c824c8b70188b833895d929ee0eecc80ced3d717d62b9e87b27978770bf66d481deb5bf4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
17653fae8009b3a122ac23257fb906bd

SHA1
de872ac9b5470c060f9a6504d525ea103629641f

SHA256
1c6ad4e0767fc6cb0c65088bd8115d6a1155d08836c7a8d809b6d9f3ee881c54

SHA512
47a16177d152b641aacbd190aebb2e6d055f54595d32da2440ccc62d4759ec41f5ed7c2198a0e664349f5c6700ce0886ee01a0be2a001e9c54350e84a5fa98b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
734090b63b822f620494616d9326d70a

SHA1
4c8570b5b8864f32345cd1835886ee05faf6a781

SHA256
a2a72b597ce262eb394bb20449b527c1ec08a4ec58d0f002e0716105350cef07

SHA512
1e0932e9bfdca08855ae89259ad7b04bc3b2caed978955b69aebf57ba70021828eaaabf5627d4cd7a0852d18553a57c5afdbe90761348b8769d9064f9aee259e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d97a38e9-f230-4395-be8b-cf292768c2fe.tmp

Filesize
8KB

MD5
05cfc9cab7957b352db6219788ce49b4

SHA1
a5978b082bbe659f056a7cb9435bd7a9aae0e195

SHA256
253ce97b14f2c8b2810e7b4f0482ba8e0d9f9e80d036efdb62e544b48c1ceab8

SHA512
44969e59a4a5c07af836681586df9c86a13558f5fa2b5eb0ffb163c7eeb713f62a2f527b4342385ab6e515ebaff9a9c147a625c3078c2f84f69ec04ee416f3da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
197KB

MD5
dfd6b316ef723b1cc19c7ae2e623a1af

SHA1
127a2eb731401104ffa62c22309f7c0335a6e962

SHA256
04b550886751036d736324682ec0511c5bbe7839055e784a41b4a1078452150f

SHA512
de5b1bdcacc35a6224500b7386c9aa7322a27521c369ab31245076ad3c28e6e2ec85f7a07482bf3f99f7a1f49593ec0184224fe146393e2d12a53c363e602483

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
197KB

MD5
798bb403aa7c2c0374b3e9219f044e77

SHA1
4d9adeec78bfd3960ce48148d34014bf0f265ca7

SHA256
3d25710ff1a8b56939228b38e4a56871fe8a6669d537f0aba7f34ebece01f855

SHA512
61dbbf9cd087076eea8d8190cb48dee38e308aca0449dc447c4a41cc183bede97897fbd3b0741705ae870f431051e82d1aea5fc2f2158ccaca3a6cd796e38352

Download Submit