hxxps://drive[.]google[.]com/uc?export=download&id=1mYGTI-J4aG_UcR0edjEv9eSk-YaBwO-v

Analysis

max time kernel
88s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2024 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?export=download&id=1mYGTI-J4aG_UcR0edjEv9eSk-YaBwO-v

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
4	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133676097103264038"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3100	chrome.exe
3100	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3100	chrome.exe
3100	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe
Token: SeShutdownPrivilege	3100	chrome.exe
Token: SeCreatePagefilePrivilege	3100	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 3624	3100	chrome.exe	83
PID 3100 wrote to memory of 3624	3100	chrome.exe	83
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 3676	3100	chrome.exe	84
PID 3100 wrote to memory of 4404	3100	chrome.exe	85
PID 3100 wrote to memory of 4404	3100	chrome.exe	85
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86
PID 3100 wrote to memory of 1792	3100	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/uc?export=download&id=1mYGTI-J4aG_UcR0edjEv9eSk-YaBwO-v
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff82e99cc40,0x7ff82e99cc4c,0x7ff82e99cc58
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,10775888218465340587,11581930355287677004,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1904,i,10775888218465340587,11581930355287677004,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2516 /prefetch:3
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2120,i,10775888218465340587,11581930355287677004,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2536 /prefetch:8
  2⤵
  PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,10775888218465340587,11581930355287677004,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,10775888218465340587,11581930355287677004,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4584,i,10775888218465340587,11581930355287677004,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4592 /prefetch:8
  2⤵
  PID:2356

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9b42d374f89a00fe24901a9fcc52542d

SHA1
1713209538eaa0e1f3b836c43f512347e0bf3ba6

SHA256
96e29914ac5785d67d09583e04cb3f16096d53c0585ee105b4b13c8f12bd58dd

SHA512
ddea3db2300b071d466d196f2e4cff67cd83f5dbbe65090dddb908339bdb774099963c7ad64fe7783475b9233641a92d719643ed1179a57504aad60c62066c4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
fa5af2268baa96dd2483f861bbabaea2

SHA1
d98ee98dbb76f87a856c2d7c2fd85b454ca604b2

SHA256
7fb8270ba1292892448eef76c2bbbff2c3146c7ce28ff22b8beebb7369194ac2

SHA512
4bb57f82e8e48bfd431be8bfbf8ec365e95ddb4cf2860e2bdac9882a397b1118c68aed3f85a553d457d220f1977179162f3897d94bcdd7596f51b77da2d6545f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
92cab22a27910592c43d6302af2fd33e

SHA1
9a67686102d2d1f8802a25c1a3b0cfff7f56f605

SHA256
cd17f1fb1136d82d974a00937f5006bbf1753feb2e0e27908141e361b1e9776e

SHA512
da199c731588b3c6fe27bc2c8bde96f3f32bb2a64fd7dc3f8e3ed5ed52669b5e3196e2d9bb70685d748cedb171070bf42c93128d24517a10a226aac8873081a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
551940ea3eb0a5e704a4a09c71507250

SHA1
347af00d5e83c139aae39b4d561dd1a3fd94c6b8

SHA256
653da8ca2e70af0086420f43836bd950e4833636b9a0228249cae36a27018d23

SHA512
3f5aa5afebf1603e3fb4d277bfc7dec3b7c01d7d3177ed6ced8af70f90224d81cc7c3f426336839cee8273aea947ba96221ec8301bbc364892d741280ce4a389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
320b6730cdc33cfbc739de889a2c369f

SHA1
50372d7fe3da72ac4bce08aaea640e192a2a97e7

SHA256
fc327aafdba137150bf95e14a68c29ca4826c522f7935d76bac9d8fc3daeac27

SHA512
ab14e9f5e233613083ecc0c909daada9c9e56f3915cd01220681cbbec81900c54e7a8350d149cb295457c8d13f2bbbd715db88369f9afdee487afa9afca22c0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e5b232e85f87dcc0a3ace36d33055696

SHA1
ef04ceb88e46b4e580f0b46c3f5a82c07e871404

SHA256
89e66345289eb25d237049ec3cf6de70dad607a306d2d9bb10d4cd81232ed328

SHA512
42dba0708796b2d457af6299761dcf03e1f6372898cac34b85b8bbf82f58de0d688ee47d66b1630da620609ea65ace7b5882ec47804240c2b7f8be92ac7478c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
760c36ed214439286d8a9d52c933db39

SHA1
83a56dc375d993911d5242da679c8e67d54c54c8

SHA256
bf0b82f3b1f3c2e7d59f8a517f9b77c6380b01179e278e70f7c9da23a15a5a04

SHA512
67aa36f7b8a1c70aac28f683fb54ab6880a0df33cd5201f6c7ac040a27abc6f10f533718c982e9be5d6632be3250f9544fba035273d8338a73a32add081b6a4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2715c00050a13acebbccec0492e2baa1

SHA1
5cea8d9abebc03b29cad594a6f1817fe776b98f4

SHA256
e22b1fed71347d8308ac78a6cd94f9ad52f89d8eb29335d68426c212e95ea533

SHA512
691c67bf22b51a1590d4e791f05519990a0e5d4f5dd5ad89cff0261bbb7cbcab7beecab43d8a72ec16c3d3b6a673a2390548386b5278d1af1c592e4d95a5ec72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
ad06ca83bf85cd0d7f05324bcd2d0f16

SHA1
972eccd59c5f1c5b390b03a728913644b5c53b4d

SHA256
5e3a7d9dea9c38bd5bc3417843b754c280f30096c77ded83dc6012a370089c89

SHA512
266e97c07adcd19d50bc5f7506493e4e311802eeb3ad1e3750644346ca479a8752e7d5022b1a2917213407c079d8dff82cac6468b17674c7f46aeb95e65a2b75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
9302882bd8dcf79b9fb5b3a2670b2e60

SHA1
89312c84ef7781e344fdf80086adc90eff717a9f

SHA256
d301d25a52f422839e5fe5df91134e45d4e426b170acea2caf6ed8e16b365487

SHA512
0d60eb5309d272ecb19e865fa241a41db00dc7fada29ceb22068838482a642c9310df745888478481c82955bcc1f01167fa1a9ab0373c751da40edae323c447e

Download Submit