Analysis Overview
Threat Level: Known bad
The file https://palnuseo.ru/ebbrou/ was found to be: Known bad.
Malicious Activity Summary
Drops file in System32 directory
Browser Information Discovery
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-22 16:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-22 16:03
Reported
2024-08-22 16:06
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133688162251236012" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://palnuseo.ru/ebbrou/
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe5fbbcc40,0x7ffe5fbbcc4c,0x7ffe5fbbcc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,420391081506491273,3804451484164454911,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1920 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,420391081506491273,3804451484164454911,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2176 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,420391081506491273,3804451484164454911,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2416 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,420391081506491273,3804451484164454911,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3144 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,420391081506491273,3804451484164454911,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4328,i,420391081506491273,3804451484164454911,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4608 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4764,i,420391081506491273,3804451484164454911,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4628 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | palnuseo.ru | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 172.67.134.169:443 | palnuseo.ru | tcp |
| US | 8.8.8.8:53 | a.nel.cloudflare.com | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | tcp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| US | 8.8.8.8:53 | 169.134.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.20.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.80.190.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.cloudflare.com | udp |
| US | 104.16.123.96:443 | www.cloudflare.com | tcp |
| US | 172.67.134.169:443 | palnuseo.ru | udp |
| US | 8.8.8.8:53 | 96.123.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | bbdd57a66731445e812c1c91016a11f2 |
| SHA1 | 4dd2ee9f0ec9aa1bb958dc32a6b5bae94e208cfb |
| SHA256 | 7cd1e0d2b820a5092013b0c4d8d3c766c7c9f3e954359b1828e47d9bcd263ce0 |
| SHA512 | a0c6815506b1109ce83311563202b577799012d18ba0c7089a2cc9ac80723a3c0db3045aaf368b030ad721529016d4b5f106e4e8a2a3e5299de2dcfd5d5dca62 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 63f50c41b26132c26f4bbed648fdfa45 |
| SHA1 | b713ab3efd4fd3f549fcc9d355dbda05b340919a |
| SHA256 | 1d951b3aa54c27384806c8a53373d9386e19dbbd74070b88cd72a35ed03756c4 |
| SHA512 | 8ce2c84ab6e3bea7f8117a64fd327c6036f39ae33e58680fbbdc033d64894f597dd5d65cc3242e56b7f7a589f3eae0504188ac570292e7c0d5f12b47995513fb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\3f4436fc-0f2b-46de-af2e-4b76eacc8281.tmp
| MD5 | f457579477aac0b43d2379391d3d260f |
| SHA1 | 4b4dc2b529922d2f98053aeb497118054a29052e |
| SHA256 | 10df15551b12efd1648d790cf1abbd094a9ab3bb11b50c2fc867ad5b860dff1b |
| SHA512 | 7c967b2f64c5c38a3fcac4f40dfc7205fc811731aae377bbeb77bea4ab5c09b0a1d91369314ddc46c1ab6660168c75983d8592459f4b6cf44fd91a6c4a0e2cc2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 132d199e18cf27393c174d06415e91a3 |
| SHA1 | ef202892e0c0136d3e5a3d7ed19d6dc1c17772b6 |
| SHA256 | 04c7f60ab0aa034a8669ad1fc35f44d6159a5cb5e47c1f7b4f0dd577dea0ee77 |
| SHA512 | 1ca5953e4fd58ba450d3567dd5f933f8b1dc5c7041cfa628c219bd4efab4943fef1afdfa078956b8e2568c34716f05d634b116fd15637fbde8b84a65bec993e6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 3c034e48098a0aa8d0a6bca64d8bfc17 |
| SHA1 | 8a0c98bf68746b794c163115d8a38bbd6091a10d |
| SHA256 | 63d051b86cb9bb0f58332301b830ba348a8f7d097ca8d0df83c4679c9447cd44 |
| SHA512 | 1700d083724edd3cb1e1643f8c7c4d8279578d2e6e399624a441c971bb80b96a28fd115b4b1122a2e38c1cbfba3d129fe3fec26704dd59b0f8ead7e8ce2d6aa4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 100d7b9e87b58104fcdd60cc1a5750f5 |
| SHA1 | 84ddfda4de187671dfb27e7c238cb63ac7653394 |
| SHA256 | 6e737945af5bd2158f5a7042d58fb777c0e55a18ea90d32fc8d76de3b115a675 |
| SHA512 | bc80f7031bd616f69701e6c47c5859ff528b66d0d9b47aa4b1de5767de0a3d230a538e4d662a2eaeae005f2e33f77f104451037ff5b539fded7b17f20b606fec |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\152f6c0f-4606-44aa-a5f0-92a2f07b6a46.tmp
| MD5 | a96bc7231a5e80a75e44fe29062a76b4 |
| SHA1 | e0b87c9384dcfc5269c73591fde9f361608b7305 |
| SHA256 | 8d117fc257d33c96289a28fc0847878a403f4a17b59ffe0cfabf4e72b629c50d |
| SHA512 | 15266f29b85911aef204afb0dac0344c2989d8640ae20eb98618d44743de40a301e287f0ce97c042fa062e236b9d5f710df0fc69a0a19e1e7b8f22c11a5f2181 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2f3071e3bf64bd7006fe510c12c094c1 |
| SHA1 | 1b9188bf4892553228f6e5ab48a698b8d3a50d65 |
| SHA256 | c4b7b66590108c6df12073b16b28e14d5c14ca00d1f547953c6f66d13ed9a30b |
| SHA512 | 8dc6a0da51a3aab0504cd160688e0f91dec488a932feef754a35eacc5c7efd7d312e984dfc63084544e976a085663f3362f67f9a5955ab3276b34869e8ec2d19 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 50174c23b0086b1a401ae4df5b85eff1 |
| SHA1 | 3e0ce7bfba6566d9664e0bf1400dfc36aa568a46 |
| SHA256 | ab7f08c6294e8d5a4c05cdbbe7ecbc1a38357a19da213641f055a22981dd802f |
| SHA512 | b3994beb82dffa5cd8f8fed4f21a0805e5a43199ef6ae24e84cf7ed09afe4d919f842be4657820fb9665912b01314ae42b0d4465162f4958a4e369c3ea49e7ea |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 41dfbb9c3a6f02746b3dc0d571e6fff8 |
| SHA1 | 38f81f514db0ac8c8dcae737d0a9d2ed3520c681 |
| SHA256 | 0bd4d2b289fe1dd615f4008afc89c960df653ea3dc367ee9d2e7833e1fad261b |
| SHA512 | c1bc8d60a09c625ecca78d3bb8dee0c51c046edd8fcf3c22ab345d8683a73e240942ce094425646a836069c62ad0e36b5f27778257e34988e152371b9fb84b80 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2699fa35af638db069aef8ca2110eeb4 |
| SHA1 | 85fdb9823d670aac17ffbbe75bcc5548df6da3c7 |
| SHA256 | 3570d9360d0acc3578f0620e16224faf07dd28ea9d556539a3e48d2a438bbea7 |
| SHA512 | 3c32d7d8ea5a7bda9abe10d18f028f399461c1b143a5cb883a6bdb902404ae5c697720a8acc551666ee7fed9b7fde9399345ec0c687a56873d43a7f2bf0db47e |