hxxps://drive[.]google[.]com/file/d/1GZjlJx_17a_ZZZ29DVilHNZWhoa6-ueU/view?usp=drive_link

Analysis

max time kernel
44s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/08/2024, 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1GZjlJx_17a_ZZZ29DVilHNZWhoa6-ueU/view?usp=drive_link

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
3	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133671795279388025"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5020	chrome.exe
5020	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 2020	5020	chrome.exe	82
PID 5020 wrote to memory of 2020	5020	chrome.exe	82
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2260	5020	chrome.exe	83
PID 5020 wrote to memory of 2332	5020	chrome.exe	84
PID 5020 wrote to memory of 2332	5020	chrome.exe	84
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85
PID 5020 wrote to memory of 2272	5020	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1GZjlJx_17a_ZZZ29DVilHNZWhoa6-ueU/view?usp=drive_link
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb973fcc40,0x7ffb973fcc4c,0x7ffb973fcc58
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1780,i,11465230631223207182,15819752113563992783,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1772 /prefetch:2
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1884,i,11465230631223207182,15819752113563992783,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1948 /prefetch:3
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,11465230631223207182,15819752113563992783,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2276 /prefetch:8
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,11465230631223207182,15819752113563992783,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,11465230631223207182,15819752113563992783,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3696,i,11465230631223207182,15819752113563992783,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4752,i,11465230631223207182,15819752113563992783,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4380,i,11465230631223207182,15819752113563992783,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:2016

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
d5c8c4243e5019abdd5a352aa905f13f

SHA1
dab7ebca850da73368b941c7587b41b5371a19fe

SHA256
8d88ad9c91ee48ead2bdbc06c8d32b40fcb7681d35fe4cd29f2a3cdb38452cf6

SHA512
46f210c7a476ce305bd46ec1a1ac8e1318de1b584759309c79f600b17e708bf9fdbab34496d5ac62c8b560c6a24b8320aa34b2b42fc2afbd62bbf705e3573fb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
768c030d5746d3f8ae4b6b66d60adaa7

SHA1
fb7c01ee43d051b42169a5c135e0da9a7864f91c

SHA256
39b9f1520366811be3f0953104e59c9846b5a0014f6b31521d0ffc76f39f2eb2

SHA512
98de7157eee559351670d1a5fd14f2f22d51acc48c722cb25571fe8adc0c1adde6867c3428998178177cf93e9d28d5da59e876be60963fbdb21fac3dcbbef5e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fef868a26a05caee76d41877c75320eb

SHA1
f690e80a195b8c2cd0bb710d6fe371eb360c34ae

SHA256
c53c67544d3a605683c48d3b6f122a1c46e5c8f1b756f8bb708faa179f9d81d4

SHA512
6b105c764e9aaaa912453587cabfe7e963d24d6b2d1883e65b31e50345ead42db7ea94875844667c26e02798259609f2c7c8abeeb080c096276dab63199652cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a6ee575fa7791d94699e72335a81fd8b

SHA1
2c54fc067720a505d61d32430b1d08d2cb06d44c

SHA256
0c79237b81cae6f3ffb6ab1aff976c56c804b6a8d47ff9089400929132007666

SHA512
7ece98a0ebcf76d8c6125d7aec3ba748c857cfbabf6dffca59ba9817ab79021ee79b20dd3627aed9f8272099bb4d7707f235002848eb48d8bb95ac4fb4b00830

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
c78c58af959d5aa44464fec99f91fd63

SHA1
1cb509bc19b5ff67e7873c422bc11a911de66130

SHA256
5af8698448dc40da254399f1eeaa1999bc9bfa72e89cfbb49bc492dc50c969d0

SHA512
ca6455c75af5fb9ad4a88f049e4f406781ef2f7e62330ba7d3e64dfa4feee9fd05df50008a5e987c8c40a4d86b091eee38c0c3b997d8ebb7900dedeafe976238

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
c17301cb18be59145a17dec5dbbd8087

SHA1
f205b47c436fd97cd4dffde95b9e6ddf768f38fe

SHA256
8b7ebee63f46d618183db3e8ea836e2d831610169be3c91d077d085b0a83fe1f

SHA512
236e0edba63ddeb444b79b0998b601d221ee9660e0be9818649ae0b7b14d2beccc20894dc48e1bc5f1a635384acdcfbaf2345261430f2c7968abc8fa6a0951dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
9e214179fb11feb2a9a58b5e1a36a9f3

SHA1
2bdf5e74705d6ce2a33ce6564e933b2c4ad92f92

SHA256
1e7f6d119bb97c6819c6a05e8c0ae66d93c5b389ed8bb548f77cd159b5cc8061

SHA512
ec08da9242db3a602af3ec3d8c50b353b37a00d7d5f639bbc16f8599548f42d4206182e2184b220d93e9207e0a09cb777a3f21e7877c5282b54205bf32331695

Download Submit