hxxps://drive[.]google[.]com/file/d/1CFj1NVfvFSzdYnS22Ixvly9Huh3GYWvJ/view?usp=sharing

Analysis

max time kernel
17s
max time network
18s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
05-08-2024 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1CFj1NVfvFSzdYnS22Ixvly9Huh3GYWvJ/view?usp=sharing

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
3	drive.google.com
4	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133673062612048560"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2588	chrome.exe
2588	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe
Token: SeShutdownPrivilege	2588	chrome.exe
Token: SeCreatePagefilePrivilege	2588	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe
2588	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 1384	2588	chrome.exe	73
PID 2588 wrote to memory of 1384	2588	chrome.exe	73
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 2132	2588	chrome.exe	75
PID 2588 wrote to memory of 3380	2588	chrome.exe	76
PID 2588 wrote to memory of 3380	2588	chrome.exe	76
PID 2588 wrote to memory of 3260	2588	chrome.exe	77
PID 2588 wrote to memory of 3260	2588	chrome.exe	77
PID 2588 wrote to memory of 3260	2588	chrome.exe	77
PID 2588 wrote to memory of 3260	2588	chrome.exe	77
PID 2588 wrote to memory of 3260	2588	chrome.exe	77
PID 2588 wrote to memory of 3260	2588	chrome.exe	77
PID 2588 wrote to memory of 3260	2588	chrome.exe	77
PID 2588 wrote to memory of 3260	2588	chrome.exe	77
PID 2588 wrote to memory of 3260	2588	chrome.exe	77
PID 2588 wrote to memory of 3260	2588	chrome.exe	77
PID 2588 wrote to memory of 3260	2588	chrome.exe	77
PID 2588 wrote to memory of 3260	2588	chrome.exe	77
PID 2588 wrote to memory of 3260	2588	chrome.exe	77
PID 2588 wrote to memory of 3260	2588	chrome.exe	77
PID 2588 wrote to memory of 3260	2588	chrome.exe	77
PID 2588 wrote to memory of 3260	2588	chrome.exe	77
PID 2588 wrote to memory of 3260	2588	chrome.exe	77
PID 2588 wrote to memory of 3260	2588	chrome.exe	77
PID 2588 wrote to memory of 3260	2588	chrome.exe	77
PID 2588 wrote to memory of 3260	2588	chrome.exe	77
PID 2588 wrote to memory of 3260	2588	chrome.exe	77
PID 2588 wrote to memory of 3260	2588	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1CFj1NVfvFSzdYnS22Ixvly9Huh3GYWvJ/view?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa02be9758,0x7ffa02be9768,0x7ffa02be9778
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1744,i,8029912501867478276,8440134744856379092,131072 /prefetch:2
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 --field-trial-handle=1744,i,8029912501867478276,8440134744856379092,131072 /prefetch:8
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2056 --field-trial-handle=1744,i,8029912501867478276,8440134744856379092,131072 /prefetch:8
  2⤵
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2720 --field-trial-handle=1744,i,8029912501867478276,8440134744856379092,131072 /prefetch:1
  2⤵
  PID:512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1744,i,8029912501867478276,8440134744856379092,131072 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4448 --field-trial-handle=1744,i,8029912501867478276,8440134744856379092,131072 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4900 --field-trial-handle=1744,i,8029912501867478276,8440134744856379092,131072 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 --field-trial-handle=1744,i,8029912501867478276,8440134744856379092,131072 /prefetch:8
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 --field-trial-handle=1744,i,8029912501867478276,8440134744856379092,131072 /prefetch:8
  2⤵
  PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4804 --field-trial-handle=1744,i,8029912501867478276,8440134744856379092,131072 /prefetch:1
  2⤵
  PID:1136

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
1792c8b9d083596844d4857374d8aeba

SHA1
5a93138b1dfa88812e07f7db39f22f867886432f

SHA256
5c80fb9620d2adfecf58966b88356c0b3f63aa81424f7118a3908f5c3c6985db

SHA512
bbff805cfc27a97eaa0a68cf86a2acd8ec21b51f7f11170468dbc646f3fc87c2b3cf753cf0a382e7c6100f346668311bcceae426f7577d81599429cfde032272

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\5b5cc061-f6d2-4a93-8fa9-c375329626d6.tmp

Filesize
3KB

MD5
e63956c2ded8512277077dabae336b83

SHA1
a1862eda539d761dbdd41078783627f231411459

SHA256
f43fe9e9e71a9a58442c160f6928e3d8e6ada688f48086db581a006f8eb93202

SHA512
b8aedd3ca2e26d62d7ce755da916849e39d8049f07c388f2cf465a411c4f7c14c6b8bbbdaaa6515122a896a65e504cf95fa92d0b3d424833bc3adef88a2a2645

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
423b4f6ce0af560d7afad69035121194

SHA1
b36e849331f4a5e731e4fbc72f77897c23d557dc

SHA256
e5f4b72e669a833fe8a6de06d03b1fa09593b539d24eab0fbf676ff365b2f99b

SHA512
d6abb41e1b0c3a02446324c260c5f66c7173bbec7f81981fccd95bc3f8c3197b943743e38503e2079a8f33f57dcda856b442a2264c7a2ceede6b908fe2be29ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b281d538f5be01558247898366af5a8c

SHA1
46e33dde3b1507f9b81d801a8a1e7235fd7248b6

SHA256
220adac2b1d7989420fc6a309f1d7d61be9ef8d22db67ad5ca474fefe6d3e83e

SHA512
aa61e5f56ed4529b080fe4af20dbf42e4e6b088f37bbb4178f6e245dae750563b9694474cf684e3049c5aeac3e7e0eb2212d917842983eeca86febcb009e46e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
01af2136b5c1e5f262d7e312fb27cddd

SHA1
049920cd5cf730614814155a924077ed95fde320

SHA256
4f9abccd4812aee958ef779f701abdd65a5b074f4d17c53986ab545eeed83ff6

SHA512
6f761344f646dcdef9280ce1a8b70d430e434ca0a97b31fc9f61c9caa4f4af07d138ef9276fc185fd34659faf45b260bbb920249e2412269731a1782714f5b28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
820fd1b53251516142f5b583cdfde13c

SHA1
6ab6af19b9f967d7cf56250b9f8084e9591a56d8

SHA256
62cc2798338239a4522871193268d1c5da87744e900bdb7f4a6456e3cd184942

SHA512
5d0edabc60b18723e65ed97484f1f072cd614626d3d7e265290310c279e40d3b3574498260c1eafe4b1a0b1f6c872b0bc78c6871f161fe327dbb1760ea9afca8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
f5b005f0b981b46d885bc8a0fe46632a

SHA1
0655784d8cea005ad5ebb5b3bba3210b89b5da31

SHA256
95bfca647120c279f38bffa5a47e2537dc9a49986b9b7d783ed6f3177994d516

SHA512
d3ade26381846151c768c2433a5adaf07a6043f22db34ab82c10515934645e0c9bdb457d711a2fd0db725e94110a51ece970027b649c9f3f38df6f8012c8fb5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit