hxxps://drive[.]google[.]com/drive/folders/11ZDtz3Y4--CnL_-qsJg1fIt4LuF_AEcY?usp=drive_link

Analysis

max time kernel
19s
max time network
22s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06-09-2024 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/11ZDtz3Y4--CnL_-qsJg1fIt4LuF_AEcY?usp=drive_link

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
6	drive.google.com
2	drive.google.com
5	drive.google.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133701239060982605"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3761892313-3378554128-2287991803-1000\{2CE94901-26B4-4863-B86E-E7C8E24EF800}	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1824	chrome.exe
1824	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1824	chrome.exe
Token: SeCreatePagefilePrivilege	1824	chrome.exe
Token: SeShutdownPrivilege	1824	chrome.exe
Token: SeCreatePagefilePrivilege	1824	chrome.exe
Token: SeShutdownPrivilege	1824	chrome.exe
Token: SeCreatePagefilePrivilege	1824	chrome.exe
Token: SeShutdownPrivilege	1824	chrome.exe
Token: SeCreatePagefilePrivilege	1824	chrome.exe
Token: SeShutdownPrivilege	1824	chrome.exe
Token: SeCreatePagefilePrivilege	1824	chrome.exe
Token: SeShutdownPrivilege	1824	chrome.exe
Token: SeCreatePagefilePrivilege	1824	chrome.exe
Token: SeShutdownPrivilege	1824	chrome.exe
Token: SeCreatePagefilePrivilege	1824	chrome.exe
Token: SeShutdownPrivilege	1824	chrome.exe
Token: SeCreatePagefilePrivilege	1824	chrome.exe
Token: SeShutdownPrivilege	1824	chrome.exe
Token: SeCreatePagefilePrivilege	1824	chrome.exe
Token: SeShutdownPrivilege	1824	chrome.exe
Token: SeCreatePagefilePrivilege	1824	chrome.exe
Token: SeShutdownPrivilege	1824	chrome.exe
Token: SeCreatePagefilePrivilege	1824	chrome.exe
Token: SeShutdownPrivilege	1824	chrome.exe
Token: SeCreatePagefilePrivilege	1824	chrome.exe
Token: SeShutdownPrivilege	1824	chrome.exe
Token: SeCreatePagefilePrivilege	1824	chrome.exe
Token: SeShutdownPrivilege	1824	chrome.exe
Token: SeCreatePagefilePrivilege	1824	chrome.exe
Token: SeShutdownPrivilege	1824	chrome.exe
Token: SeCreatePagefilePrivilege	1824	chrome.exe
Token: SeShutdownPrivilege	1824	chrome.exe
Token: SeCreatePagefilePrivilege	1824	chrome.exe
Token: SeShutdownPrivilege	1824	chrome.exe
Token: SeCreatePagefilePrivilege	1824	chrome.exe
Token: SeShutdownPrivilege	1824	chrome.exe
Token: SeCreatePagefilePrivilege	1824	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe
1824	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 2336	1824	chrome.exe	78
PID 1824 wrote to memory of 2336	1824	chrome.exe	78
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 2992	1824	chrome.exe	79
PID 1824 wrote to memory of 4544	1824	chrome.exe	80
PID 1824 wrote to memory of 4544	1824	chrome.exe	80
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81
PID 1824 wrote to memory of 2380	1824	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/drive/folders/11ZDtz3Y4--CnL_-qsJg1fIt4LuF_AEcY?usp=drive_link
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99713cc40,0x7ff99713cc4c,0x7ff99713cc58
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1840,i,9310607995226642788,13557242570949240735,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1984,i,9310607995226642788,13557242570949240735,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1944 /prefetch:3
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,9310607995226642788,13557242570949240735,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3032,i,9310607995226642788,13557242570949240735,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3068 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,9310607995226642788,13557242570949240735,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3088 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4560,i,9310607995226642788,13557242570949240735,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4772,i,9310607995226642788,13557242570949240735,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4760,i,9310607995226642788,13557242570949240735,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4944,i,9310607995226642788,13557242570949240735,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5248,i,9310607995226642788,13557242570949240735,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:424

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e7787f74119943083bdb20e74f345d18

SHA1
2acfdf52460c9b48df1cd028f86ae9bb1136b700

SHA256
9b9744b2441e11505b933e38c2270614620d581259c3beb8da2518b9434fafeb

SHA512
1aa8528dc1307b46f8bcc4ebed8bce24010a2bdb8c67d11f9ad7a9adccaefdd8c67dd6e279dad1a5c773e84a2fa80ad757547ccde28bb2531e312d54488a9ed3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
7e7daa973e75a0a5d6f9a3b461537807

SHA1
ce9873cfedee6ab7395013a9f56ec95d8fd5cd13

SHA256
8874fd7f3064fd20dd9a9e79ad1d60b1ff3c399ba78ec11c64af013644520344

SHA512
127dcdbdb353a9f8633486b9740961d5f0774a756e221bfc195cb8bf9bc283da0aa31c630ea3fcb2bffa07f0856a604e9d7b0983af0d1432cee2253427d2339b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d02b226c9de9331b87395eb4567081e5

SHA1
0066f45986afe81c1a9e5aea5e361d920a4346c0

SHA256
788955607446b2bb278f05368217a87d373181936f58eb91a1cd795e7db97e52

SHA512
754a3dfc6f91b280901170868ca1cdd7443bc93ef8d90387c4f10be3f16f21c02cfd8e60aeaaf0a7c2eea7448be46e679d768c4fb9c20f2916e981b6c6021bcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
d81aebc5abad61e75d71cafbd9a714e2

SHA1
4d1ef5d4ccf7ec0bd2503d19a16f0f2c1e5a2483

SHA256
7bc150b575aa9445599724760882aba36fc29d679037057f78e9caadeff7d978

SHA512
4518d3e3cf6aae99f907b7b94dc68cf24cb1dd27afe34888ceac1c7ed5e7815e5f51d1ce500a8e9b1e955b9929be5cf9a6d9287702c497c60bbde45d073666df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
3a658adc24bfa3e1e83e73e790a228ce

SHA1
f9db3cea7839a5a3e43777c1d499c2d06af73662

SHA256
14d7b91451a63660741772c1ca7de4f9af400d6d934a14f71c5f2a6c3642f9a8

SHA512
69a3f8b55e135873dd397012037c454ad6f77f6e1842400953ab1540ede17aee0004cbf7042e12aa1a05d78a90771a2179bc030827c31efa68d6629ab921454a

Download Submit