hxxps://mega[.]nz/folder/2Z9yAAKA#nY6eHCfz-h7mJGBPgPkshA

Analysis

max time kernel
13s
max time network
9s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
19/08/2024, 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/folder/2Z9yAAKA#nY6eHCfz-h7mJGBPgPkshA

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133685379875399889"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4116	chrome.exe
4116	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4116	chrome.exe
4116	chrome.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: 33	2684	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2684	AUDIODG.EXE
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 3024	4116	chrome.exe	81
PID 4116 wrote to memory of 3024	4116	chrome.exe	81
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 808	4116	chrome.exe	83
PID 4116 wrote to memory of 1584	4116	chrome.exe	84
PID 4116 wrote to memory of 1584	4116	chrome.exe	84
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85
PID 4116 wrote to memory of 3440	4116	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/folder/2Z9yAAKA#nY6eHCfz-h7mJGBPgPkshA
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1fd0cc40,0x7ffe1fd0cc4c,0x7ffe1fd0cc58
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,12725795504678069691,7286939018109251513,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  PID:808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,12725795504678069691,7286939018109251513,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,12725795504678069691,7286939018109251513,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2188 /prefetch:8
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,12725795504678069691,7286939018109251513,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,12725795504678069691,7286939018109251513,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4556,i,12725795504678069691,7286939018109251513,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4564 /prefetch:8
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4632,i,12725795504678069691,7286939018109251513,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:2440

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1720

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x0000000000000490 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0aad12c868f04da49a4426ed28fbc8e8

SHA1
2155a130552c463f3c4ab5b67d09d816dd147f14

SHA256
cd8a63d7ce327baab4457c0f3f170d56847a9dd63137339bcd05772fe06d8103

SHA512
2cacc74a2b5d6e3eedb5bfd85ff7abc49e2fc2f33b6d4caeb0fec4cb082ff4a432f0f042d900dc628b4cf295f9a2a3e1f909e0a89da6bf82a2dae74be92025ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000022

Filesize
21KB

MD5
b1dfa46eee24480e9211c9ef246bbb93

SHA1
80437c519fac962873a5768f958c1c350766da15

SHA256
fc79a40b2172a04a5c2fe0d5111ebeb401b9a84ce80c6e9e5b96c9c73c9b0398

SHA512
44aefedf8a4c0c8cbc43c1260dc2bbc4605f83a189b6ef50e99058f54a58b61eb88af3f08164671bad4bd9c5e3b97b755f2fa433490bef56aa15cdf37fb412b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

Filesize
36KB

MD5
f90ac636cd679507433ab8e543c25de5

SHA1
3a8fe361c68f13c01b09453b8b359722df659b84

SHA256
5b4c63b2790a8f63c12368f11215a4ffec30c142371a819a81180a32baeb2bce

SHA512
7641a3610ad6516c9ecd0d5f4e5fa1893c7c60ca3ba8ae2e1b3b0cc3a72f7f9bef4c776a1f2fc52f366bd28a419ae3594a6576e886e79a20ebd98b55b2acc967

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
616b63002df4982ac49eb14176e2898a

SHA1
e15eaad19382651bee6d83eb26d431f0b26711e9

SHA256
2fed5b60bc341a9416140de4773f8a519c3d9fd352ff23dc20b84c216c164c85

SHA512
c18755a53af2836cf8216af4ba56fbdbfb712fbba7559f888f9aa88f15ecc9c9d08a29423b5d3a5b08d5a7c652b22f619e865365e1c199106e0c739b08648158

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ff3189f2b8a810c33943cfa2cbc9033a

SHA1
3ae7d8d4b61380edbc8c10adae10a1508ad55b07

SHA256
1f240003a78b3db7493195403255c8486f103085d591cd31661f1899e85f74e2

SHA512
1cb83a06693a183685c7c34c8a50acb0ab871ab28561f5a039090fbdd78283358fb3321ba4a91b611fb4ab961fab25ec5309dd18d5816cb9a7c05fa63bfc1029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
2a599a7086d9911bc4b5f35602c928cb

SHA1
97af5e5971feb1faae1eb4b86c1e2d2b5d3f91a3

SHA256
347b25d45ea8587d1579a1b98a9fcbd7fffa040ba6c5662a6be8f30b42390879

SHA512
17b7f2a0ebe75a1e60ab1e9eade31e2a41274fff963d38bdb8cfdeac614893a235f787bf61e3fc8e31fb4c2d9ca5f705b3ec7b30a884f5d0f0efa9dc8e2f3755

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
a0f4679284e7d13d07ea0b5e0ff3ad47

SHA1
d244904509348cd6a0e2b7e46a8d6aa4fa06c56b

SHA256
0776e980bc0ea25d6589b4a51b0744879934af1122654a67432076c1593e4fdc

SHA512
a6749b07cceabf50721a91e3a5375fcbb593d9215e9e630cf48532f1a5a29cb78b6542a57cabe9d899d337b08add20afbd50a88e8a15ee7decd6411407a64def

Download Submit