hxxps://github[.]com/Endermanch/MalwareDatabase

Resubmissions

24/08/2024, 01:43

240824-b5r91sygrh 8

24/08/2024, 01:41

240824-b4d11aygmd 10

24/08/2024, 01:34

240824-bzmgks1anr 6

Analysis

max time kernel
100s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 01:41

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
2832	system.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
80	raw.githubusercontent.com
81	raw.githubusercontent.com
82	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCHTASKS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "198"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133689373291846956"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2712	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3660	chrome.exe
3660	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3660	chrome.exe
3660	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe
Token: SeShutdownPrivilege	3660	chrome.exe
Token: SeCreatePagefilePrivilege	3660	chrome.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe
3660	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2144	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 3604	3660	chrome.exe	85
PID 3660 wrote to memory of 3604	3660	chrome.exe	85
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4492	3660	chrome.exe	86
PID 3660 wrote to memory of 4776	3660	chrome.exe	87
PID 3660 wrote to memory of 4776	3660	chrome.exe	87
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88
PID 3660 wrote to memory of 5052	3660	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffafd94cc40,0x7ffafd94cc4c,0x7ffafd94cc58
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,1743459768278508609,105574484480325319,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2072,i,1743459768278508609,105574484480325319,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,1743459768278508609,105574484480325319,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,1743459768278508609,105574484480325319,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3404,i,1743459768278508609,105574484480325319,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3676,i,1743459768278508609,105574484480325319,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4448,i,1743459768278508609,105574484480325319,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=724 /prefetch:8
  2⤵
  PID:3784

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:748

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\Temp1_7ev3n.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_7ev3n.zip\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
PID:592
- C:\Users\Admin\AppData\Local\system.exe
  "C:\Users\Admin\AppData\Local\system.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4100
- - C:\Windows\SysWOW64\SCHTASKS.exe
    C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2712
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1552
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      Modifies WinLogon for persistence
      System Location Discovery: System Language Discovery
      PID:4856
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1632
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:5116
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2884
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:3644
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2788
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:2912
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2812
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:2404
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:396
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4964
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1332
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -r -t 10 -f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2912

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa390c055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\033f6fea-35ec-4912-9450-5723e020d4c8.tmp

Filesize
10KB

MD5
8ec783f85020e490492d4984a2ec5f1f

SHA1
0df6a52521b032fd5fbea6db5e0e3e46e5a07d10

SHA256
9dd6c19c6f0b4dc017b1987181f8cf4025bfa26f4927212ee89cb7f1a229de24

SHA512
c68ba933b9010eac94ea0163d4cfcb328a9ddabfe69317a40d27ad4625c44bc7577caf0bfb4e0c5ed9e5f16b709c8290b17710523121d40fa3d077d26c74c36b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
190cecbe61a5b2aa377e5f587af830db

SHA1
f57dff15f879d4e6da12a24574cf587e3cdf4e95

SHA256
bbaf6eeb6c62a2a3143781a46046452d2cb0702fb6a303bc31593094e4d8a9e7

SHA512
a5af46957b51bc9cb1adfa4154456786cf91c83dfe51fd822e7abfe08f7db1ec4f04404587c9d7fe16e15bc4f8816efd0c6664d0b9d5aff91c8792c99fe515d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
217f496337a8b75bb88fa5c1a9c9e240

SHA1
2d47ffc5312684026101f827baa4976a97e47608

SHA256
28af8424a33f489494f5a12d3a02d090c5ebf85febf80490aba20158707b266c

SHA512
8a7678b65cbdd8b8d2789db0eca847a84bfb9967934ea90164f7041a23a8f2adee9ad4dedb831399f97a56fd43e09128f85180467938a7cab87789d4927c9742

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
51790785fb3d731995cb835162089be5

SHA1
a5f458a2d1ae0b9f8e9353daa28c7c0d0865bb55

SHA256
57515ff09f3cd45de8f5c6e29267a8b2dbbd01ff4b4aae0ee3fbce95da5b31ae

SHA512
32458a6e334a6c7148cf47e254f97681b86a2fe0433f7cec09767355fcb0b5c917af497dd211e35ebe85cc8145a1bd9d9923e1abce65a9dcb7d7889bed11f7be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f96cabd9c7fd41cd415502beb275907a

SHA1
d4a8504a2720ecff26186dd01b23a12dff690213

SHA256
f15cea36a02413565d4e4c4c1c805b3b25b0ae08ba658083812d96f010408e76

SHA512
68e61ef965c6c098800de9ee3b049093460d42277baf57e3ced5b342bb1ff2ba5201a963aec4194f9b1707711ced8da0736d579e036c9a7d4536452e3099e14e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f4b206cc0e346804f6edcf9fbf7e9be9

SHA1
bb43cf92854e84f264047c48608324052a8195b7

SHA256
12821bae83e2fb5ee4d0d463ae2df52400c1e8bfe45007a61fe6f7dc770c0569

SHA512
9e48604cb61f1aad5073f5c8bbc454a84b75ac3f9439219745a77a4a9b5b14d049bfa600e43d95fbbdeb4d68c26cf1258b93e119bc7bded57dd198d006587d90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
df69e2c7be31f6dd7c6a72dafca8f39b

SHA1
0dff6de2726b8841ddeba1029182fdcdbf6c68fd

SHA256
1f470e6587e732fec449d14621d7dea1b18ee509d625a738ae4693adab40619b

SHA512
35975977a7208948b0c1bc54f2c417040d192c4b39e82cb827a7ba47665e739bdb1a41b25f65bb03335bf364edd9e5a5ff978a0f7f05e7a4373b287a0ebf745c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fe58525fc3fdaa9ec1ae9e56cec7aa83

SHA1
99dc32823c69f36cffaa1eea17879f007a486b09

SHA256
8f3f37a175a2fc1fd37836270dfcc3f7bd5d80ade00ce0f987097c558c34057d

SHA512
f01fc87f639d88ae8059f02147bec0622d04226d5b8642ae949da5e91d18034f9bd091d2f5f4ed3f5a532156294cb77a8e55da47607f865953fe8380f9679d2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f5fa64754ffbedca4a282084b3eec223

SHA1
eb538e4cef320d8a95b1b8fb6df894c3be543354

SHA256
c7099087fd44587aeaaae7b5a6feed6923cd290d1872538a05a94d82b01247d1

SHA512
f02aa7bdb24137b171c0244d059428035b43c739db74b7c10a2eabb1f8524460fd9173663872631f4d87c89be3310395c6d5f0f9569276d2d672aa6b9a7690fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c94fdf8b90070026d9d1981ee80a4e88

SHA1
fb4c09325a18aaf3dd2ab0ac7a07cdf34e252ebf

SHA256
90ece3e332e1ccaa9ea9cae30fce30a7fafde6cc63028ff01081f9b921d256b8

SHA512
2c430e15e9f599cab6c60d2837a1a79de494bac6d43d1b044d18afec269831f040b5e44a7e71afbb0db3f0deb6b6d2cf3cf248776bb26d8923611b0c495298e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ca811116746dcb6d509ffe1a96511e90

SHA1
4a17f0d0d60a010a75141f7bfdaf9393fcebab76

SHA256
42896538f262388bce2d383ee32ef2ddd4913cc82bbea3a94a41a1f7efc43eaf

SHA512
6a031dca3611b0048e7438b02ca65acfdfb52ee577aab40395fba501ebcd1ef83f1fff2ea45609359414bedf0004c47c974a314ab80cc4b236249807454a9f7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b64275c338de4fb9686c6a0380b123f8

SHA1
7dac1937085aabfe6d4d194840423adcceb73419

SHA256
e9a9bdc91ec2f93565338f4e9a84c72adad473a1d33979f4e74a620a6c2465a6

SHA512
b487778d397c0d98e918c6ef6c4bfc66a79e5a93f5fe40339c69f15b30dafa8fc6ac94f8bb80ec0ed0fec47f64b8c3111986f4c4289c5ccc55f3b4f84947fca2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5510a8a02d100f29e384f9c8ee38888f

SHA1
c2c4a78c5988b5f1905201a6c9fec1235bf80576

SHA256
02ccac11de0a0303535dba8208d5d0018be94f795d0da4ab40019d6a0bb118b8

SHA512
e2ca9679030a61d4b8e928bbf77431d4ce433695dc3fd836075b6046bf6896148de850b646c3dae73a3d619d8d23aed68abd66c904fb698b79bfbc5e80018546

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
79fc1c7096ea4e39718e1dcb7f41565e

SHA1
48568ef9fe7101667d67b02132d009f247e43b94

SHA256
7a9c61de69b97e39e9a22c61e082cab07f37a53d928b229298cce29c1d4706f1

SHA512
b2e1e52a0485193c9d04dbf1c368e80272bfa895094ef9d09032ec9964b407b8b205c9db8e80631bfd55445d69762b479d4974909f9313eb9e6f799ca4ffe1ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
453c39d0e1159806f7bf8231c65d6696

SHA1
2843b9e00acfc1e335996f6138c56f98268ffff2

SHA256
2a7ccae81926d623cf8e6875ff8b486acf5f159080eb38df5a962dd23185591f

SHA512
297d8143685405fc1312f7195cc9d4a19c9eeffce3177b4aa57f50d0669fe84bad104fbf5ce2dc05a1961c4d743bbcea77d4f4d5cecb2053691b687b2206a736

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
474c0ed09f7c9413dfc93e5ac69fa3ff

SHA1
08c40f86d0c26a9f4e52a6e483dc9c133ee30f57

SHA256
3399a0594e55067bf2e5ebd8a348c0d1079cf0fde70db95a8459ff97f9fd7574

SHA512
b60c74eb8e6655d52a05a27f6812c15916d2d28c5b69b62d883a29a93593e8f66b170d4ae4b47bc64647ed6f01ff41b31398852200a7610f545880513ea28d9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
82cfc89785882be59a43c4b52f952f20

SHA1
9c88fbd74a2ba8f8e1015a82eacb617f608454f1

SHA256
2088d8d63e89572f731095ad43c5e918f80ee44f76827edcaa5fa76411de09f6

SHA512
699ac85228d2d492abacd18635b1b3ca156f132b7a837da55969b5e1062f5b89fb7c5e281faed3eed8ea9f32c6ad58238fc6436df98636061f32ecbaf7269e49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
df548e0ac5dbb712d2c6ab9e7beaebfd

SHA1
cb16f9e9ca3b42820e1729b8b9157d18d05ab3ad

SHA256
a1ebfbfcf91189bfb7db4d45c7e5e60a43c9826e8aed2fbcd1a2350dc8361c2b

SHA512
84fec18133d8920e7c104de0beb249e656640a92df864983302de477b73e8d5f9fe97972e521fb2a20179e23aa7842bb13d95471990f2bed95d1999b157d49e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
a0fb3c53f4d3b56135d728b379b877e2

SHA1
f6f992b8fb47d5152d9848f39577f2b6a54861db

SHA256
db49e1d8a08c564bd555d2584da171232da8fdc20cb660dc9ab14e9d2cf9934c

SHA512
4ecd643a7304dea0967bf02465226c1f7037cae21baab7c58dbbed54daf05068c5b03fbf0e09d398c25e2cf9ef17edd9a7a309416b907900e63bbf9d1add69cc

Download Submit
C:\Users\Admin\AppData\Local\del.bat

Filesize
92B

MD5
ec326bbb3bccbdc24ecbca52d7727227

SHA1
6d230c114148c2c62d1ee91fcf6b9575194ebea2

SHA256
e430f2a59f3cdd5474ecbe58a9d3a2414813e84f3124ecbd4d9180802e7cc57a

SHA512
59768d77a6360d2bb7f161ccc747635516ee374fd158ddd6163802559cf02bd6843087f04c26f3471ba8472f8b2219564b6e998f705770105672db86747e5525

Download Submit
C:\Users\Admin\AppData\Local\system.exe

Filesize
315KB

MD5
9f8bc96c96d43ecb69f883388d228754

SHA1
61ed25a706afa2f6684bb4d64f69c5fb29d20953

SHA256
7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5

SHA512
550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

Download Submit
C:\Users\Admin\Downloads\7ev3n.zip.crdownload

Filesize
139KB

MD5
c6f3d62c4fb57212172d358231e027bc

SHA1
11276d7a49093a51f04667975e718bb15bc1289b

SHA256
ea60123ec363610c8cfcd0ad5f0ab2832934af69a3c715020a09e6d907691d4c

SHA512
0f58acac541e6dece45949f4bee300e5bbb15ff1e60defe6b854ff4fb57579b18718b313bce425999d3f24319cfb3034cd05ebff0ecbd4c55ce42c7f59169b44

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads