hxxps://duo[.]app[.]goo[.]gl/ztukHcq

Analysis

max time kernel
15s
max time network
11s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
13/08/2024, 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://duo.app.goo.gl/ztukHcq

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133680461662682505"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
872	chrome.exe
872	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
872	chrome.exe
872	chrome.exe
872	chrome.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe
Token: SeShutdownPrivilege	872	chrome.exe
Token: SeCreatePagefilePrivilege	872	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe
872	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 3104	872	chrome.exe	81
PID 872 wrote to memory of 3104	872	chrome.exe	81
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 1724	872	chrome.exe	82
PID 872 wrote to memory of 4944	872	chrome.exe	83
PID 872 wrote to memory of 4944	872	chrome.exe	83
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84
PID 872 wrote to memory of 1728	872	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://duo.app.goo.gl/ztukHcq
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff1581cc40,0x7fff1581cc4c,0x7fff1581cc58
  2⤵
  PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,4626917232395471474,5038863821255945297,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1808 /prefetch:2
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1932,i,4626917232395471474,5038863821255945297,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2040 /prefetch:3
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,4626917232395471474,5038863821255945297,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2192 /prefetch:8
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3048,i,4626917232395471474,5038863821255945297,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3056,i,4626917232395471474,5038863821255945297,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4304,i,4626917232395471474,5038863821255945297,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4672,i,4626917232395471474,5038863821255945297,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4680 /prefetch:8
  2⤵
  PID:3584

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
64a7f972e045d1febfb59173d3fd22b0

SHA1
af9fe76f06f89f775d9302005bbba59f69564a28

SHA256
6cad0a0f913b04359fe046ceb615dcc9971280dd240d86a1359f691d8b55057e

SHA512
573b87e6c82bd7dab03b70082be24059192cde61790fda5617057cd2e2885c698b8c58b8e3bed77d893f8475c1aee9779f21d7f2e25c6dffce6633f7e6c07668

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b

Filesize
28KB

MD5
3e9b79ee679b763f743c19eb540aac96

SHA1
35090af1dd33ee2fa613f355cf5997c6339ad084

SHA256
1516abe75e71112753c3327ba728189f6fc381a95931db4b21fb08457db4d5e4

SHA512
e2b5d14b497d9a730daa17aceb70ca55803a3e291a36454840b66f4159475aea81bd5ee91e93c2524e2d0ed64edf61e4d8108a42c76bb1593b587e499902ab23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8843e54efc1ff1b4576d5b8188aec702

SHA1
4f0c368fdff53b7008c06f5c09927d3c729760bb

SHA256
02f159719ba6a353e2a7f1e325b79d99b88ac63f41bace3ff2b82a1bbda499cc

SHA512
f039c56c4b8da0039db12d83a2c06aabcab335137c2a7ce1a217f2f676a3fdb939c3ca0cdf6037c25c94a23a00dc70a64215a6c5443b9a818a4eb8d7175c19c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9029ade5e39f2815a8ab7c1790fbd882

SHA1
9bc258f839288d26a1dc65365ed722fd977891ee

SHA256
5d382db33bb465b6ccf417773b0ea73a339f1b4e93628f95c537242e5e0f1690

SHA512
4a05296ecf7a970bf4690d4a32db8d6af30cfc4d2c598538656d75812a9c7124e000d657e2b0596892a59fd6ac298efb637bf3d6a5eb2868583848e1d15c7c9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
a1af486d6f91f7add1c934fa670c9ab0

SHA1
f87f6b139c25f919d952e8ed069db2f3872f6ded

SHA256
5364b7700a238b715d25d1322833d64d339368d2c3380b2cf7f493273a4d5d28

SHA512
757293bd3030724f5b82b6a7ed26fa9ea511989c8a674b7cc3b22074035c949981926ffe9d718259edefa8d4b00af0235436a98159754a837fad4051ed9d85ac

Download Submit