1f1b43c640d0c2160eb52dd353eb9d30944faae2e134098deb49c60e0ee2fd3d

Resubmissions

30/09/2024, 20:44

240930-zjct7svamj 4

30/09/2024, 20:35

240930-zdfnxaxhpb 3

Analysis

max time kernel
35s
max time network
26s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30/09/2024, 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

download.jpg
Size

14KB
MD5

0d25798545799fcb4e4ef5739a6c983a
SHA1

95f6b19d32e971816f7d3804eb886aaa0ac1c844
SHA256

1f1b43c640d0c2160eb52dd353eb9d30944faae2e134098deb49c60e0ee2fd3d
SHA512

d983db614ef3d3771589cab8e1d2fe1ec1b74b13ce87fe724f75732bfda05d64aedabcaef82cb08985eb16c50cf7884d32a317f0190fcb96c6092509a2216297
SSDEEP

384:/eOWXy1Qm+YWYG49FRMUOpLOHeCSkViwCi:JWXSzG4twBMrSHi

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133722026473094428"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
196	chrome.exe
196	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
196	chrome.exe
196	chrome.exe
196	chrome.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeShutdownPrivilege	196	chrome.exe
Token: SeCreatePagefilePrivilege	196	chrome.exe
Token: SeShutdownPrivilege	196	chrome.exe
Token: SeCreatePagefilePrivilege	196	chrome.exe
Token: SeShutdownPrivilege	196	chrome.exe
Token: SeCreatePagefilePrivilege	196	chrome.exe
Token: SeShutdownPrivilege	196	chrome.exe
Token: SeCreatePagefilePrivilege	196	chrome.exe
Token: SeShutdownPrivilege	196	chrome.exe
Token: SeCreatePagefilePrivilege	196	chrome.exe
Token: SeShutdownPrivilege	196	chrome.exe
Token: SeCreatePagefilePrivilege	196	chrome.exe
Token: SeShutdownPrivilege	196	chrome.exe
Token: SeCreatePagefilePrivilege	196	chrome.exe
Token: SeShutdownPrivilege	196	chrome.exe
Token: SeCreatePagefilePrivilege	196	chrome.exe
Token: SeShutdownPrivilege	196	chrome.exe
Token: SeCreatePagefilePrivilege	196	chrome.exe
Token: SeShutdownPrivilege	196	chrome.exe
Token: SeCreatePagefilePrivilege	196	chrome.exe
Token: SeShutdownPrivilege	196	chrome.exe
Token: SeCreatePagefilePrivilege	196	chrome.exe
Token: SeShutdownPrivilege	196	chrome.exe
Token: SeCreatePagefilePrivilege	196	chrome.exe
Token: SeShutdownPrivilege	196	chrome.exe
Token: SeCreatePagefilePrivilege	196	chrome.exe
Token: SeShutdownPrivilege	196	chrome.exe
Token: SeCreatePagefilePrivilege	196	chrome.exe
Token: SeShutdownPrivilege	196	chrome.exe
Token: SeCreatePagefilePrivilege	196	chrome.exe
Token: SeShutdownPrivilege	196	chrome.exe
Token: SeCreatePagefilePrivilege	196	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe
196	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 196 wrote to memory of 4404	196	chrome.exe	77
PID 196 wrote to memory of 4404	196	chrome.exe	77
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 4732	196	chrome.exe	79
PID 196 wrote to memory of 3848	196	chrome.exe	80
PID 196 wrote to memory of 3848	196	chrome.exe	80
PID 196 wrote to memory of 1912	196	chrome.exe	81
PID 196 wrote to memory of 1912	196	chrome.exe	81
PID 196 wrote to memory of 1912	196	chrome.exe	81
PID 196 wrote to memory of 1912	196	chrome.exe	81
PID 196 wrote to memory of 1912	196	chrome.exe	81
PID 196 wrote to memory of 1912	196	chrome.exe	81
PID 196 wrote to memory of 1912	196	chrome.exe	81
PID 196 wrote to memory of 1912	196	chrome.exe	81
PID 196 wrote to memory of 1912	196	chrome.exe	81
PID 196 wrote to memory of 1912	196	chrome.exe	81
PID 196 wrote to memory of 1912	196	chrome.exe	81
PID 196 wrote to memory of 1912	196	chrome.exe	81
PID 196 wrote to memory of 1912	196	chrome.exe	81
PID 196 wrote to memory of 1912	196	chrome.exe	81
PID 196 wrote to memory of 1912	196	chrome.exe	81
PID 196 wrote to memory of 1912	196	chrome.exe	81
PID 196 wrote to memory of 1912	196	chrome.exe	81
PID 196 wrote to memory of 1912	196	chrome.exe	81
PID 196 wrote to memory of 1912	196	chrome.exe	81
PID 196 wrote to memory of 1912	196	chrome.exe	81
PID 196 wrote to memory of 1912	196	chrome.exe	81
PID 196 wrote to memory of 1912	196	chrome.exe	81

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\download.jpg
1⤵
PID:3612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8cbe39758,0x7ff8cbe39768,0x7ff8cbe39778
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1548 --field-trial-handle=1836,i,10953081776121926958,11070926116835044985,131072 /prefetch:2
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1796 --field-trial-handle=1836,i,10953081776121926958,11070926116835044985,131072 /prefetch:8
  2⤵
  PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1836,i,10953081776121926958,11070926116835044985,131072 /prefetch:8
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2888 --field-trial-handle=1836,i,10953081776121926958,11070926116835044985,131072 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2896 --field-trial-handle=1836,i,10953081776121926958,11070926116835044985,131072 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3568 --field-trial-handle=1836,i,10953081776121926958,11070926116835044985,131072 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1836,i,10953081776121926958,11070926116835044985,131072 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4756 --field-trial-handle=1836,i,10953081776121926958,11070926116835044985,131072 /prefetch:8
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 --field-trial-handle=1836,i,10953081776121926958,11070926116835044985,131072 /prefetch:8
  2⤵
  PID:3660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 --field-trial-handle=1836,i,10953081776121926958,11070926116835044985,131072 /prefetch:8
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5024 --field-trial-handle=1836,i,10953081776121926958,11070926116835044985,131072 /prefetch:8
  2⤵
  PID:3168

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
a70a095004b2c22c4c62d40730325ce3

SHA1
16bc936a9f3cc4d09484f605dcaf042a9f01121a

SHA256
ecbfc346b03d1b519d8b802c35e6793b519ab82877b83dfb9252877b94c688c9

SHA512
205ecdeec16019f8040f1181a597ffdc42015ca073daeb94f849609ceebcfea2b00b8987d294198daa226cd245712aabe70b7ca64e6a7a17e374aec9b3a56936

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
48741b9348935e2a541679d085403b86

SHA1
f4e6f2ff809813573fb09fe4a3c12413412c375c

SHA256
dc00c1ed8d48d467b36e76a098fa0a95586c2d1e600fcd88984f1764ff9ca210

SHA512
ca72a1c68f211f09f1fff59a81d20ff523b82c8486100669882551e924fd12c3db10093b52a191f3d1741c062588ce233130301a12390463b74fe43dde549a60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
5c078b425e6242a60f50b98ad0beee1f

SHA1
a00bafdecdb2193adb5423c8c02fe6198a1521ef

SHA256
4a31aa1d59232b83111e650beae77cbc4fc056f6746d089d1c44f6a6e1210278

SHA512
e9f4d60b2d1d0c38679e11378c0f56eed10918bcfcc44b2e53ccc366b008d184caf3fcdf7c4af73a4bd444bff040aada8fcc74b0aa647f4e66a326dd793a343c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
311KB

MD5
c482a5df8a553bee58a6fcadd18b238d

SHA1
c666bfa3f8dd8451bbbd39f522b7e7b5d234a0ca

SHA256
47f7832f4135759dda0dc796ce18a7fe6ea9823e929b666ab5fbc9c41a8157fa

SHA512
70751bad0b26dc576e0f63be11e79b16f5c54588346fc05e390b1131b05b4fb4ea55e9938f59236758503d7d425a04fa068602f79a8d2a18aec3dad290e18848

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
137KB

MD5
b898adbc9e535b9cda77206424844e2d

SHA1
e6af23399072e55cadfce29d67726edd6f647c5f

SHA256
61fa0fb74b46afbc22dd8fe583a8452e954f50cbf4d9626ba29b42cba308487f

SHA512
c7202e5bd4b17b817068dd5cf324062412033cfb7496b54fb368d610dc1ac27cbba87e2e6150169e38ddd8ab5844cffb3463bb679cc34ff19f0a34b23a77af7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit