1c86159d868454de9b1666774c82463393850158321be591385247fae0f455e4

Resubmissions

05/08/2024, 21:58

240805-1vnlhszcqm 4

05/08/2024, 21:57

240805-1tzx6azcnm 3

Analysis

max time kernel
30s
max time network
31s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05/08/2024, 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ChainedTogether.exe
Size

315KB
MD5

480a1128e38f2979f5b876782df24d36
SHA1

c00a19283f4a6ae93a5de561525f99d5e828751f
SHA256

1c86159d868454de9b1666774c82463393850158321be591385247fae0f455e4
SHA512

d6009d890213ce237e8e8bc5e819e6a418a725920f2f310cfaa407f30febb18de321b0898590fca6478dc8ce59cab2e11b9ee2516fe689fd2ceefc08f274640e
SSDEEP

6144:KlI4dVWd/PkzLLdpsrGV4Y8HI20KdDb5E8NegZ:KzrWd3rrYuHbL/Ogei

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133673687416129966"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4888	chrome.exe
4888	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 2012	4888	chrome.exe	88
PID 4888 wrote to memory of 2012	4888	chrome.exe	88
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 3864	4888	chrome.exe	89
PID 4888 wrote to memory of 864	4888	chrome.exe	90
PID 4888 wrote to memory of 864	4888	chrome.exe	90
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91
PID 4888 wrote to memory of 2288	4888	chrome.exe	91

C:\Users\Admin\AppData\Local\Temp\ChainedTogether.exe
"C:\Users\Admin\AppData\Local\Temp\ChainedTogether.exe"
1⤵
PID:1512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf9c7cc40,0x7ffdf9c7cc4c,0x7ffdf9c7cc58
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1716,i,3771474849339979364,5272129536622358250,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1712 /prefetch:2
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2040,i,3771474849339979364,5272129536622358250,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2080 /prefetch:3
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,3771474849339979364,5272129536622358250,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2196 /prefetch:8
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,3771474849339979364,5272129536622358250,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,3771474849339979364,5272129536622358250,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3552,i,3771474849339979364,5272129536622358250,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4776,i,3771474849339979364,5272129536622358250,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4812,i,3771474849339979364,5272129536622358250,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4552,i,3771474849339979364,5272129536622358250,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:1128

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
10d20c7e9b50f2a260e82548aba5f2a0

SHA1
2baa952641ffafb7f3eac52b146f6840621823b6

SHA256
b9985f81b925ffcb04d66c6b8aad612bad63dfb5f2ad7b2545d37193c5e4d3db

SHA512
c29ee12910351dbfc2d00e7ada5a5bf586dded59827764e4cd36e85c605d7c3a1edf03f6828445a022ab821f14b7b5267f9c0cffd703ab32227980c64ee9ba49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
67995fd71484340a76fbe67243714ff8

SHA1
03f837b40119021ac9f87f087afe40a3f9bccba2

SHA256
4c9c3f788c4233cd630b9665c971b21b02dc39b4eae370ae8fb67e40cd2b1ab2

SHA512
d413eec2b5c255b77a7cff605c2b4e76bb72acee528fc406bf74aba58b711889230ed49a43822dbde7bee7805dba5ee49005a2bf1ee6cddff534bfa996bbbd3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
62d7b300f67ab088e1103b6a84b8b619

SHA1
d4a2f80170e6ee9f9566bf6fffb73dfc6e72c3ff

SHA256
121bfdaafec17af792fc75683f5da5a6a42fb9158640b1a803a49e1c0883d5dd

SHA512
d354fa59489249b5068961457c0ceaca7f962316bbeb9c93ce846f0981e3e83b15cc32bcbcd9fafd26991fdf216b58c1af61579d38fe89f85efc9be4219b1296

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
fb684a0655403ee7d6c6d6cad4963188

SHA1
8bcb1f2009370c4c1d6f37d87ab20c1bd0a65298

SHA256
9bdd0a48924b6e2899bc5c96d231b6703c498e06d26a8a909b554109fa2f5fdf

SHA512
ed975138885f30b50e75f287c2b125d0bd6405fcb18de5704aa22a9a7bf72d9b3c73a836fde8d61c12930b65373643c9c973bfd2765254041b9ee700bfc30538

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
d52212b0d59f019c18cc9da8a2cf53bd

SHA1
0aae532eef464dae31fb97f9de1ab12ab356dbae

SHA256
b0b3aee804217ba3da3e8309ff9c586a76e5e0c78150532ba354a309d202b3cf

SHA512
cdf4d1939a1368e2eadb261d3f2973a5f381abbf92d34263adfd8c5589abd91502c2021d196471719c50659d00eadee042c9721a2f1e06e6e412f4e510560859

Download Submit