hxxps://drive[.]google[.]com/file/d/1C8DcLoLJ_xSBz1HHIWJraHQOY0us-rXT/view?usp=sharing

Analysis

max time kernel
77s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20240802-es
resource tags

arch:x64arch:x86image:win10v2004-20240802-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
09-08-2024 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1C8DcLoLJ_xSBz1HHIWJraHQOY0us-rXT/view?usp=sharing

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
5	drive.google.com
6	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133676787284684807"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
8	chrome.exe
8	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
8	chrome.exe
8	chrome.exe
8	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 1388	8	chrome.exe	83
PID 8 wrote to memory of 1388	8	chrome.exe	83
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 704	8	chrome.exe	84
PID 8 wrote to memory of 4464	8	chrome.exe	85
PID 8 wrote to memory of 4464	8	chrome.exe	85
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86
PID 8 wrote to memory of 1116	8	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1C8DcLoLJ_xSBz1HHIWJraHQOY0us-rXT/view?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd4143cc40,0x7ffd4143cc4c,0x7ffd4143cc58
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,3943830064537416648,5105134132760598664,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,3943830064537416648,5105134132760598664,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,3943830064537416648,5105134132760598664,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2252 /prefetch:8
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,3943830064537416648,5105134132760598664,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,3943830064537416648,5105134132760598664,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3512,i,3943830064537416648,5105134132760598664,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4388 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4740,i,3943830064537416648,5105134132760598664,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:1580

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
a993ca02187e153f63d3f996a9b7f99d

SHA1
527cb01f32f6dfdb5da6788f8a172b219f0d4eff

SHA256
af28db7350b48a8eead9aacc2424a2f3869f15531369e7d499e0adad5215fd6d

SHA512
a14bb0997350a57269b0b51dd51f71d47e04e38cfc0aa9fce52e8cb308576b8e9977818cad2c0fdae1501d55878822f2e4e66ca91cf2e103928dc885547f2b00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
2d68d3da8edcd8a7038a5c18324e992c

SHA1
10a3878d3b257363395c50a1664f4008e271df48

SHA256
eece7d5cdee52e9d03a74c0c76764469fad581c860b1d862b88d304ff4f28c35

SHA512
fc4a322280d49a37b933f04ec6172d951ce1f90e32963d64403e57c7b38156bb881b303c23684d6ae922d08da79d1a958ee0f2f9f22938316e1fb8dfca1d5128

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
876a41154db9c9a7197797fde9da470f

SHA1
dc0f3ab99327b12504f0f50c5c97218ea1383894

SHA256
f146110a035dc123c28d54e3ec953cbbd421c40b5e88eba61dd31a0f80fa4bce

SHA512
111cda7972183838ce08e66620db0a5dcf8778d216b532de64965fbb8a5d2c29f12c993911436f2f0ec1d68dc1dfe345304a86ed11fea3606eb43d02c94710a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
66f9395a54e24543814ce48e69340e41

SHA1
dffe0270bba298ae77f1289774a829ae1449289c

SHA256
afea5cb2cc017697182840dc3ab25a0e75f7b6df237a8a7136fa3533c3b74a27

SHA512
3e31be3483cd54cf0bcfea9c362b18352c051a31cec10ef20d1c83a3c5cdbcbc78b3893e90cfdbf6dc08d141d35ea9d901cc7dd0ac3801d0884504af8fa16902

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8df46f518ba37fa55180eb704aedda83

SHA1
d6bd26b07c7ab533df4d67b8e537f4f45390477a

SHA256
9a6888a470cca8cb7dfab6df3fc24352b6fab2afb413e8ed7f0784ea250d82ee

SHA512
248d3edcb1a8d5f35a520fb9c55f122a55f72128eadec92600d42ff1e999bd2342ba850d53e255daca6f882380a19cd70369eb6b5d00518ca682eb6894f329d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e64254cdcd2e6a4eebe4c515be63396f

SHA1
1c7a0ece5e2c81eb0631692ae7a88a1ec2594e5c

SHA256
af16646ca5f283072faeac9982c77045e4f6ad56771e154622443f278740ff3e

SHA512
fb4a347945494073cb98b3d26dd88d09696bc872c45c6771c6431586805697db3a912b054f8649b22540d6d5fac8e67fb7371ba8a01b78eec50833f1c374db53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
82a333522558c93dfa2f7e5722a3e192

SHA1
85d7d5d802ae25a60c10d2d4389cb60cfba670fc

SHA256
eee44d42be2c47de3960fdb439decd12d5bc6b35ec78429dcb4a09aabe41a316

SHA512
7ae75b123ba64184ab16ee455776b0d23e2781db0093e41fbe7f770888c02fc5f248aa793066ad2b568c05cf4c6c5bae986e91dd2ef0e5d0c70251fbe8ef3abd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fed16d51d16c1336b214d3c539242400

SHA1
e15777ee2ec2dee81befe6d16bfccb2d87ba6241

SHA256
4cbc7d8ab9a854ac3de6ce590776282b7c6942e0df53d619fc99112b084599c6

SHA512
da77cd17ded92f1aa80e7ac5d4afd6a6d8ba234fc6abf773bbf7f510cbfc93a29d41625cbe984fb0d0edc12f9a10b9404237d3266d566d8c6aef904f4de70797

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
12d263497f92db031d66f6e64e12f1d4

SHA1
35555af14244a6c68a4d75708f7956d1bb40294d

SHA256
da6cdde86c828acf5594add4cee2cf8ef16412dca1bad1f23d30ad5d0c587db4

SHA512
00a798af86633a88668a719f13bd6d24e1970dc10a260e226bc7aead5da3061e96ce05e1d621b759c338c29f718d4c9b967348337db82ff2c9e4ed3a819faa68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
1299806fb7c315cecb09103ba9375942

SHA1
78c1f83d6524320e975e03fb49981d25baa67484

SHA256
7293bc03bdbec3c4bccc2db0bcb61a9600f7a9897bb40c5d4f6ba45d1124646f

SHA512
76faef4ee15d9978e17eea97a1813395deb48f8ab41241010606a7e10a61f152e344813987cc818be774a1edbc7e8f1d4a485005fff5681d283bde3a7e72e0b1

Download Submit