6d9ebda4e8582f09af264ac995b132f2d1bb9379ed58f125226495e63718354c

Analysis

max time kernel
41s
max time network
38s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dr.sys
Size

8KB
MD5

bafcac47203b27468dfb1caaee7ccbf5
SHA1

2d9c823fbe2ce50528849c56fe9c66058e112f27
SHA256

6d9ebda4e8582f09af264ac995b132f2d1bb9379ed58f125226495e63718354c
SHA512

86baeedf3a6ddef5141bb8cf810ca244021f766281d66ba20db160a6905f6059abdf50e2a7b98434c555db1f9ab3560767b04356cbb759fd4895f2bbdb107772
SSDEEP

192:btXEzjFZGbfs3o2szqueiCYcHpnCcznn2u/A:ZXEzhsmszRxC5JbA

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133703941914270837"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
736	chrome.exe
736	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
736	chrome.exe
736	chrome.exe
736	chrome.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe
Token: SeShutdownPrivilege	736	chrome.exe
Token: SeCreatePagefilePrivilege	736	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe
736	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 1056	736	chrome.exe	98
PID 736 wrote to memory of 1056	736	chrome.exe	98
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 4964	736	chrome.exe	99
PID 736 wrote to memory of 3380	736	chrome.exe	100
PID 736 wrote to memory of 3380	736	chrome.exe	100
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101
PID 736 wrote to memory of 2652	736	chrome.exe	101

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\dr.sys
1⤵
PID:2688
- C:\Users\Admin\AppData\Local\Temp\dr.sys
  C:\Users\Admin\AppData\Local\Temp\dr.sys
  2⤵
  PID:2904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffd05e7cc40,0x7ffd05e7cc4c,0x7ffd05e7cc58
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1992,i,5383306750476503122,17584400718378106985,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1988 /prefetch:2
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1600,i,5383306750476503122,17584400718378106985,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2024 /prefetch:3
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,5383306750476503122,17584400718378106985,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2424 /prefetch:8
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,5383306750476503122,17584400718378106985,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,5383306750476503122,17584400718378106985,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3660,i,5383306750476503122,17584400718378106985,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4732,i,5383306750476503122,17584400718378106985,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4512,i,5383306750476503122,17584400718378106985,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:2384

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\33e93282-e8cc-4b24-975e-de67732d36ed.tmp

Filesize
205KB

MD5
1dedf28c89fef04318c9a36c48f3d78c

SHA1
1cd64afb018a87e79e6a7b27c33cf33d3ab7753a

SHA256
e465dbf388165eb956fbbd396ed95f5d5ff70b56009c90b2990a41017db4ffc8

SHA512
2f62d84cdffbaaa0e386aefb4e54348a4485103866bc0338ae64a1d9d3e90f10bdd5d79de1b2dfa003fe33815eaad2424cdc11139e50d22191a475265a3da3ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
cd1189627b6786772806724dd1a87af8

SHA1
5b0f9e93067969211388068f9287b547d0a534d4

SHA256
947bbf6a9142887043674d985a588e0edc46c57cdc18fe86784363b6a8d30152

SHA512
05e6983926bcf106041ab71892f8520461d5530f811478e3589c8dee409b5ffe2526df60fa39a34a23c868b86a20abcd1432cda0cc6565aa750220e84ff510b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a8d3a2affff0ba06c63be01da80f1a15

SHA1
2db48344d40f5a28d723de0eb37e7219f85416f9

SHA256
85eb7767e39c724ae521cd9dd513e5ee5c607b8ec574dab132f89f8aa6360d72

SHA512
e3f85f5c7abf0b017739cf350a22f9bf3ab95f7cce3af6dfc0aff9dcd534280d4b884d0285d91bca74ce336177176af72b907bd5b2ff63ae83583190d980d219

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
65384a3ae7aba5e36118fad4f99fd596

SHA1
c3074ec10f5a34f35aab35f65ff855242c541aec

SHA256
5eb71375a2ad0bd74235f147ddcbb71f0df26b692e0b032513f7d12a2dffee04

SHA512
aa564f281a48527b500272b4581fe4ee03cea107b0648bd948bb556dd2fff13e01e388d5116c4c78b759e361985197f04460156d3df51f436c444cc706b8b171

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f7ae453e2913eefdd6d2ce0c70833bdc

SHA1
22f648f5c671b65c3ad00b2a9eb26b82db9ae64c

SHA256
831b2e7a63c8aaf5c5b896bce06a0bd6524b592622578714a0aec045d0dd1666

SHA512
9224c5611377996f00a444a17d6681c1baa8b3e969597dd7e7fd269ed8b63a924ded5381d7934a324736960447d3f5cb34d3a7188f6c77dcfe5dee8b888a8e77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
05b332cb9fedef29b59e7510dfd01f65

SHA1
aeea046aa46c13c16f2e76c941b094c9e993002a

SHA256
60bf1404882acd9a4006e3c2ccc3f162a6ec7931009b067c854766a3dd4c3ddd

SHA512
aa71186a12d264e0c873ba20cbda1351f8c3ea987f8a9decb943fdc1994b167696cc00ee5ee3b0081bddcd568910d8fb175ad65f32e385347e7b410f5ae8e352

Download Submit