22677e1585f16a4257fe9a1059d3e552a34f7c065f0a42470f66386956548030

Analysis

max time kernel
199s
max time network
196s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-09-2024 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

R D X 5 5/Universal Loader_protected.exe
Size

1.5MB
MD5

5b9b3f936c6b37e35b948030a749edc6
SHA1

f835c488df4970b09def34b5780bc442b90e5f97
SHA256

818c21d63dd2e5c78cce31e13cf517e142d2cce36bc020bb2489272d851df4b9
SHA512

4e5eb21256f823e1a1bb1e001d49704af44c326c0b49b59e537da121555b43514dbfdc70bfa3a97bc41fd15b7269a2bc0e3ff11bd01cfae28ac61262260b726f
SSDEEP

24576:XwXkt8j+QMd6lK7u2wW1g76XDnVz+1UrmyWalINbQUv2gVbAdVADNA8f:gXS8CQJK7u2Bg76XDn1mj+e8PgUADNA6

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Universal Loader_protected.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133696899129243371"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1388	Universal Loader_protected.exe
5116	chrome.exe
5116	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	1388	Universal Loader_protected.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
1388	Universal Loader_protected.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 4504	5116	chrome.exe	75
PID 5116 wrote to memory of 4504	5116	chrome.exe	75
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 5056	5116	chrome.exe	77
PID 5116 wrote to memory of 1124	5116	chrome.exe	78
PID 5116 wrote to memory of 1124	5116	chrome.exe	78
PID 5116 wrote to memory of 2808	5116	chrome.exe	79
PID 5116 wrote to memory of 2808	5116	chrome.exe	79
PID 5116 wrote to memory of 2808	5116	chrome.exe	79
PID 5116 wrote to memory of 2808	5116	chrome.exe	79
PID 5116 wrote to memory of 2808	5116	chrome.exe	79
PID 5116 wrote to memory of 2808	5116	chrome.exe	79
PID 5116 wrote to memory of 2808	5116	chrome.exe	79
PID 5116 wrote to memory of 2808	5116	chrome.exe	79
PID 5116 wrote to memory of 2808	5116	chrome.exe	79
PID 5116 wrote to memory of 2808	5116	chrome.exe	79
PID 5116 wrote to memory of 2808	5116	chrome.exe	79
PID 5116 wrote to memory of 2808	5116	chrome.exe	79
PID 5116 wrote to memory of 2808	5116	chrome.exe	79
PID 5116 wrote to memory of 2808	5116	chrome.exe	79
PID 5116 wrote to memory of 2808	5116	chrome.exe	79
PID 5116 wrote to memory of 2808	5116	chrome.exe	79
PID 5116 wrote to memory of 2808	5116	chrome.exe	79
PID 5116 wrote to memory of 2808	5116	chrome.exe	79
PID 5116 wrote to memory of 2808	5116	chrome.exe	79
PID 5116 wrote to memory of 2808	5116	chrome.exe	79
PID 5116 wrote to memory of 2808	5116	chrome.exe	79
PID 5116 wrote to memory of 2808	5116	chrome.exe	79

C:\Users\Admin\AppData\Local\Temp\R D X 5 5\Universal Loader_protected.exe
"C:\Users\Admin\AppData\Local\Temp\R D X 5 5\Universal Loader_protected.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff19f09758,0x7fff19f09768,0x7fff19f09778
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1736,i,3089951455443940357,3240969943296901567,131072 /prefetch:2
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1844 --field-trial-handle=1736,i,3089951455443940357,3240969943296901567,131072 /prefetch:8
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1736,i,3089951455443940357,3240969943296901567,131072 /prefetch:8
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2900 --field-trial-handle=1736,i,3089951455443940357,3240969943296901567,131072 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2908 --field-trial-handle=1736,i,3089951455443940357,3240969943296901567,131072 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4480 --field-trial-handle=1736,i,3089951455443940357,3240969943296901567,131072 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 --field-trial-handle=1736,i,3089951455443940357,3240969943296901567,131072 /prefetch:8
  2⤵
  PID:200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1736,i,3089951455443940357,3240969943296901567,131072 /prefetch:8
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4916 --field-trial-handle=1736,i,3089951455443940357,3240969943296901567,131072 /prefetch:8
  2⤵
  PID:4476

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
076a3eced448267fe3e1492f22914372

SHA1
ee40af2b2bbdc313471fe15283bde86320b0c433

SHA256
e55fa653cf20dccc53399483a57295f697f464a3f1245c19cc2d09b6fdab81c0

SHA512
abcd306c28d483e7a8689602d66cf3923cb12a01e52894809373339936a3c9e62b8eff91d2ec2ac84d9fd6cf7a4aea4bb0f92d14d59d86dab3461d720e7d4eb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cbf3837e5006153562701d69265b9a80

SHA1
11331f877e65cc8cd890239652a2ae254dc772c6

SHA256
ae474eb0b4369331e490b8d711e3fc3a09100849693b37544b4861fdf79e8676

SHA512
fdb8f27e8b4224ea4f7c94383fefcc02acf28567d2d9297b0a752c1f5f97803b98525ed6cacb8e3cd53fda28a0e65821829aaab0f00d60146e7206a0d6d76f7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
201256e0908ec80221927aa00e0b4175

SHA1
f226856348e83e6b0d5d1be50a65f2ea159a4456

SHA256
5ae569ae629156611110893663ef7e478fda5a1f1f120ef2619d6ee605cdd049

SHA512
4e3d428012f81ae4c0b2aee1a68e4d0313b8fe782e5cfffaa75fdfe0e1f6fce7ca26390e5f958a5b210e817086aecb114290b92c7d30ed7c3f23ae95d5be4640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
303KB

MD5
93634736732045be8ffcb71c3d674ae5

SHA1
5ca1fe45e50d3fe4a1bdfb3cc03bab93a90b8501

SHA256
fa638e54ae54fd5de775e9259d2471475834bb603501b18078a93c628450bd07

SHA512
1790b6402e5bc3b597c1e151f61f0435ed80484df56bed948fde657ee64fdfa05fb9825b6630698fd3ed8b326cd1b408b15a91a80c6b8aa13386571a8c04d562

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
memory/1388-5-0x0000000005450000-0x000000000545A000-memory.dmp

Filesize
40KB

Download
memory/1388-13-0x00000000733C0000-0x0000000073AAE000-memory.dmp

Filesize
6.9MB

Download
memory/1388-8-0x0000000005E90000-0x0000000005F04000-memory.dmp

Filesize
464KB

Download
memory/1388-9-0x00000000733C0000-0x0000000073AAE000-memory.dmp

Filesize
6.9MB

Download
memory/1388-10-0x00000000733C0000-0x0000000073AAE000-memory.dmp

Filesize
6.9MB

Download
memory/1388-11-0x0000000005590000-0x000000000559A000-memory.dmp

Filesize
40KB

Download
memory/1388-12-0x00000000733CE000-0x00000000733CF000-memory.dmp

Filesize
4KB

Download
memory/1388-7-0x00000000056A0000-0x00000000056B4000-memory.dmp

Filesize
80KB

Download
memory/1388-6-0x0000000005820000-0x000000000596E000-memory.dmp

Filesize
1.3MB

Download
memory/1388-0-0x00000000733CE000-0x00000000733CF000-memory.dmp

Filesize
4KB

Download
memory/1388-4-0x00000000733C0000-0x0000000073AAE000-memory.dmp

Filesize
6.9MB

Download
memory/1388-3-0x0000000005490000-0x0000000005522000-memory.dmp

Filesize
584KB

Download
memory/1388-2-0x0000000005990000-0x0000000005E8E000-memory.dmp

Filesize
5.0MB

Download
memory/1388-1-0x0000000000A40000-0x0000000000BBC000-memory.dmp

Filesize
1.5MB

Download