c5fffd221234ea520b9b5d545d9fff65eba497a0ce1b852334d293770d7ee02d

Analysis

max time kernel
94s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cuphead.exe
Size

635KB
MD5

25bd891aefdbb386f76f0c18b0139f4b
SHA1

e30747943ab6a86b4f000dd55d50a07dc490fc29
SHA256

c5fffd221234ea520b9b5d545d9fff65eba497a0ce1b852334d293770d7ee02d
SHA512

b7785c8e7e7fa81e234b61267d5d1e2852062e5452b9e1b618ce3890aa1f091e84d13921a0ad387887274a5410cd738d00729f169f308898482cb99b52b2e22a
SSDEEP

6144:w9fYunoPZPS4GWuoSfhzeNKs43sv72Ex:L+oBSTpzG4382Ex

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1528	chrome.exe
1528	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeCreatePagefilePrivilege	1528	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 3224	1528	chrome.exe	87
PID 1528 wrote to memory of 3224	1528	chrome.exe	87
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 1504	1528	chrome.exe	88
PID 1528 wrote to memory of 4520	1528	chrome.exe	89
PID 1528 wrote to memory of 4520	1528	chrome.exe	89
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90
PID 1528 wrote to memory of 2732	1528	chrome.exe	90

C:\Users\Admin\AppData\Local\Temp\Cuphead.exe
"C:\Users\Admin\AppData\Local\Temp\Cuphead.exe"
1⤵
PID:2132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe2cf2cc40,0x7ffe2cf2cc4c,0x7ffe2cf2cc58
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2140,i,11137527087570002477,14918190498468626325,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1876,i,11137527087570002477,14918190498468626325,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,11137527087570002477,14918190498468626325,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2604 /prefetch:8
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,11137527087570002477,14918190498468626325,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3420,i,11137527087570002477,14918190498468626325,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4588,i,11137527087570002477,14918190498468626325,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4544 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4836,i,11137527087570002477,14918190498468626325,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:824

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
592af8f46503c8066be35bfed3085e45

SHA1
2b3ac9fcc3925bff5577f24a299c4d4895826eae

SHA256
cb30181fd301b7ef4bb17b75f8d32c27885c0fe7e42fc9f6e5c6536fcb2a739b

SHA512
29cc1553f13e0edd75b77700c05a4838ae5c72c231959c00a1b8b29c5b49c91f7dec621b8c5dc0527516ae98d006dd103f00d219a08ab1138ef3e7dfbabc30e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a31aae643272ff908862f518c82a5061

SHA1
f904ac55eafbc3d2bb473213608c8b4b9e58e0db

SHA256
ea7763d65815df5950d06ed6df81278b7cc28f5f87573f5ff3de2227f388f3e0

SHA512
090f313b5e1831231cec9eaaeb9ffe9a54fb09816f3802914036d21ab055e6b8832382de8d254becd67fee34157e4b5eaaf42fd9dd0a05b92e1ee6c779201636

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
3ddcfb88a020a002855181e2451a9c44

SHA1
ee2c33e5f556a18b561fde5f465789062ddbcce5

SHA256
b0286b33151feaf64b99e08db924baede2bdf9f37b6169ffc83693dde1bad4de

SHA512
1bcf22bc3ef3780f92442f4b2bfdbc26af9103204e10e16ba8c6dff50b154a48965bdd8fa1ab4f9555233f04ab2cca09c746a20ef30503ab066a4c0ba69ad37b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
25cd5f1576660299fce533c953fea14b

SHA1
5ea33e33f3b5a6a8cbac4c19409c3632a6a39ec8

SHA256
1611bc3fb0254b1817ec303142fe47e5d31727cc9bdc169de4e01d89e51f5379

SHA512
31810b6287bc4e2c5582d01d77a78541dbb5821e36c64d37518d383dc73a3ba5a447590f1d0121a9ba4ddae792617b524582d845f78ddb083af0893fcbf3ca1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit