hxxps://drive[.]google[.]com/file/d/1kJ0YiJkIs1OWZtIjKGxyVTzzGyK6k1Pf/view

Resubmissions

19-08-2024 03:14

240819-drbq8avcrm 6

19-08-2024 03:06

240819-dlv8nsvbjk 6

Analysis

max time kernel
10s
max time network
34s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1kJ0YiJkIs1OWZtIjKGxyVTzzGyK6k1Pf/view

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
9	drive.google.com
7	drive.google.com
8	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1768	chrome.exe
1768	chrome.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe
Token: SeShutdownPrivilege	1768	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe
1768	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1332	1768	chrome.exe	30
PID 1768 wrote to memory of 1332	1768	chrome.exe	30
PID 1768 wrote to memory of 1332	1768	chrome.exe	30
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2876	1768	chrome.exe	32
PID 1768 wrote to memory of 2916	1768	chrome.exe	33
PID 1768 wrote to memory of 2916	1768	chrome.exe	33
PID 1768 wrote to memory of 2916	1768	chrome.exe	33
PID 1768 wrote to memory of 2852	1768	chrome.exe	34
PID 1768 wrote to memory of 2852	1768	chrome.exe	34
PID 1768 wrote to memory of 2852	1768	chrome.exe	34
PID 1768 wrote to memory of 2852	1768	chrome.exe	34
PID 1768 wrote to memory of 2852	1768	chrome.exe	34
PID 1768 wrote to memory of 2852	1768	chrome.exe	34
PID 1768 wrote to memory of 2852	1768	chrome.exe	34
PID 1768 wrote to memory of 2852	1768	chrome.exe	34
PID 1768 wrote to memory of 2852	1768	chrome.exe	34
PID 1768 wrote to memory of 2852	1768	chrome.exe	34
PID 1768 wrote to memory of 2852	1768	chrome.exe	34
PID 1768 wrote to memory of 2852	1768	chrome.exe	34
PID 1768 wrote to memory of 2852	1768	chrome.exe	34
PID 1768 wrote to memory of 2852	1768	chrome.exe	34
PID 1768 wrote to memory of 2852	1768	chrome.exe	34
PID 1768 wrote to memory of 2852	1768	chrome.exe	34
PID 1768 wrote to memory of 2852	1768	chrome.exe	34
PID 1768 wrote to memory of 2852	1768	chrome.exe	34
PID 1768 wrote to memory of 2852	1768	chrome.exe	34

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1kJ0YiJkIs1OWZtIjKGxyVTzzGyK6k1Pf/view
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7839758,0x7fef7839768,0x7fef7839778
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1144 --field-trial-handle=1276,i,11170015715778503434,13100573741857105355,131072 /prefetch:2
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1276,i,11170015715778503434,13100573741857105355,131072 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1276,i,11170015715778503434,13100573741857105355,131072 /prefetch:8
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2256 --field-trial-handle=1276,i,11170015715778503434,13100573741857105355,131072 /prefetch:1
  2⤵
  PID:936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2264 --field-trial-handle=1276,i,11170015715778503434,13100573741857105355,131072 /prefetch:1
  2⤵
  PID:1292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1456 --field-trial-handle=1276,i,11170015715778503434,13100573741857105355,131072 /prefetch:2
  2⤵
  PID:572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3292 --field-trial-handle=1276,i,11170015715778503434,13100573741857105355,131072 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3948 --field-trial-handle=1276,i,11170015715778503434,13100573741857105355,131072 /prefetch:8
  2⤵
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3880 --field-trial-handle=1276,i,11170015715778503434,13100573741857105355,131072 /prefetch:8
  2⤵
  PID:1724

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2588

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Ropro Rex\" -spe -an -ai#7zMap7632:80:7zEvent25202
1⤵
PID:2364

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x53c
1⤵
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d45d979ffbb5f9299a52aa05d8824bb7

SHA1
54096ab5f4d719600d3466a13edd3aed66043d2d

SHA256
6debd0064ab4cf141059aae8b31d96bb4170e6f4c4c256ae11f1759819bd9787

SHA512
77d63aae8183c402e24b798c5099aa1ff722fcdbe5a07dc508822a42044dc0b855c0fac1a18c89ac13db98167e0b8992e6f8d77f65abe73a3a5b28111a1ea876

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
154KB

MD5
3d3d762642b2762d48400be52384d261

SHA1
087308c0f1461af09fef9ad11f65dc07b93bafd7

SHA256
298309bb75e374438b06fab1cf45c18cfecb534986cd36014f42ba06bfa02f46

SHA512
86f6b9b1692108786e52cadf20f5fbb3267ba11e12b5877b6cbc2048aa917209d5242ecef3db8b2276d223acef3d27e4246a55a69bb927a8c36f80a7dca63228

Download Submit
C:\Users\Admin\Downloads\Ropro Rex.rar

Filesize
3.5MB

MD5
e2a0ed273194518f1deb5eee7d672306

SHA1
3e54ed28a779ecb0e4fe2bf7fabe5750f10826d2

SHA256
d2282af5830c76592ad5a51bd128f7950986d8ff2e85dd0e00db602d54910d96

SHA512
02254c517492f877fa9cb65b0ffeb9a29341c4fac81037341987bdeb6ab9af991e7c62f154a7d9e786ac4f5415f7284b9c817ffd5b1167b43b058d8aac1e3554

Download Submit
C:\Users\Admin\Downloads\Ropro Rex\_locales\en_PH\messages.json

Filesize
4KB

MD5
94a75b93caacabd05bf1a0987a14afae

SHA1
7a0606f4c9c8a8937dda955f9e2df6aae3c1da75

SHA256
21706c41c93af0d4b8d23c822e43c5b7d7011c9f4ed5048a5aecf12a0f785ac5

SHA512
103973cc303bd12d422ca329f9770eecdf5253bdd836aca681f9ef3f9818959a157621e7a61fbcdef8aa9e0caa67085ccf4c75379b1f67da0034a276a9a00a52

Download Submit
C:\Users\Admin\Downloads\Ropro Rex\_locales\es_US\messages.json

Filesize
4KB

MD5
dda454c66f68e8ae133b96078358b00a

SHA1
68a61271b24db6844776e56d19e256479252679f

SHA256
8ec49f381698bf428b7ea8f49fc6208479af3451d09a1223d4d24f93483c4438

SHA512
6d45a90ca2dea977007cc729ae580f44895bb32443aeb40ed2949b8a754cfaa1309484eb86a42a24bbdd9c53afd1e0517c5b55e8648d2dc3f3d81bdb1c1a0d07

Download Submit
C:\Users\Admin\Downloads\Ropro Rex\_locales\no\messages.json

Filesize
4KB

MD5
bd4c63bd77cf9e9d71a6879c935cc566

SHA1
ba9dec87c2a1dcdfc3b778eecea20baa97432927

SHA256
5013bd334055df78a365532496d3c1eb1e26315bb552f79d2bf6f37f9b836431

SHA512
385b14b22cd791f64d7adf1955f0ed05f6dfcb85b5821ab3dd4dd1d0525952bc82bed72739bb4b40d5883205b48e4d6d28e507a42b84663d73b20da5790bca47

Download Submit
C:\Users\Admin\Downloads\Ropro Rex\_locales\pt_PT\messages.json

Filesize
4KB

MD5
d0b1e7acc802bba89e15c735c81e0f02

SHA1
9ddbe137afe5640aacde424bc93e994523bd0b22

SHA256
4b1f62dc79f3f1307bd916efcae0204b69f46734ceef420d46aeee469c24793a

SHA512
1e9629c0f0e52535b0d93097afe1fb49c8fc9b700b295575f1c31ae227b99a2269bda4e10489dcc5b93cf00d9a5c7b0045647b1d1fe73c30d755ddbf8f0d48fb

Download Submit
C:\Users\Admin\Downloads\Ropro Rex\_locales\zh_Hans\messages.json

Filesize
4KB

MD5
671be8f15414f65774a8ddbe668a8d18

SHA1
bc84bb42cd2f63d99573fb91575361481d90c71c

SHA256
d158d4efddf442b65311bf433aa5449627225ab7632f519589879f355fa883a3

SHA512
4102268aa07d374aa272d5a4fdab90d4b35febc360fd1905167b3e1653de490166a0611ef1af8023548ae9761a2b597978394c2e93a27e029d4c6b04e6e7bf47

Download Submit