e3eaff77005772603d85eb955c338eb29ed0d86f0aa5472f293a613121badb3a

Resubmissions

01/10/2024, 23:53

241001-3xnemswhrn 8

01/10/2024, 23:51

241001-3v5adawhlp 8

Analysis

max time kernel
112s
max time network
114s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
01/10/2024, 23:51

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

image_2024-10-01_165056187.png
Size

60KB
MD5

622a08136cf22380c2502478ecf36447
SHA1

671a0433a39bdf95605d946f1c6c4c2e2ed56380
SHA256

e3eaff77005772603d85eb955c338eb29ed0d86f0aa5472f293a613121badb3a
SHA512

03b48c0ce5b2951b020fd7b842f649779f7221c566c77e6c2a974e8d0b487bc1a767c67f5cccc78642e031b2a43807e87906ea62e9593220c8d66edff5cffc7c
SSDEEP

1536:T5uNItk5QFQmw42Q5mIb5/gRZ4hWbDi92FuQJQCAw8hTmALZ:cNItk5AQV42vw/gRu0XGQlz8nZ

Score

8^/10

bootkit defense_evasion discovery persistence upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2984	LivingDeath.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
46	camo.githubusercontent.com
3	camo.githubusercontent.com
41	camo.githubusercontent.com
42	camo.githubusercontent.com
43	camo.githubusercontent.com
44	camo.githubusercontent.com
16	raw.githubusercontent.com
45	camo.githubusercontent.com
47	raw.githubusercontent.com
48	raw.githubusercontent.com
59	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	LivingDeath.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000300000002ab83-534.dat	upx
behavioral1/memory/2984-567-0x00000000007D0000-0x00000000007F2000-memory.dmp	upx
behavioral1/memory/2984-570-0x00000000007D0000-0x00000000007F2000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\LivingDeath.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LivingDeath.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133723002957554911"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\LivingDeath.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 5056	2868	chrome.exe	82
PID 2868 wrote to memory of 5056	2868	chrome.exe	82
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 5060	2868	chrome.exe	83
PID 2868 wrote to memory of 1384	2868	chrome.exe	84
PID 2868 wrote to memory of 1384	2868	chrome.exe	84
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85
PID 2868 wrote to memory of 4732	2868	chrome.exe	85

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\image_2024-10-01_165056187.png
1⤵
PID:4068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffffab2cc40,0x7ffffab2cc4c,0x7ffffab2cc58
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1860,i,4573369595259267606,7330598385202118192,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,4573369595259267606,7330598385202118192,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,4573369595259267606,7330598385202118192,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2192 /prefetch:8
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,4573369595259267606,7330598385202118192,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,4573369595259267606,7330598385202118192,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4448,i,4573369595259267606,7330598385202118192,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4500 /prefetch:1
  2⤵
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4696,i,4573369595259267606,7330598385202118192,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4836,i,4573369595259267606,7330598385202118192,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4680 /prefetch:8
  2⤵
  PID:128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4884,i,4573369595259267606,7330598385202118192,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,4573369595259267606,7330598385202118192,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4392,i,4573369595259267606,7330598385202118192,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4012 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4508,i,4573369595259267606,7330598385202118192,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=212,i,4573369595259267606,7330598385202118192,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5228,i,4573369595259267606,7330598385202118192,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  PID:1360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5432,i,4573369595259267606,7330598385202118192,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5484,i,4573369595259267606,7330598385202118192,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5196,i,4573369595259267606,7330598385202118192,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2688

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3024

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2092

C:\Users\Admin\Downloads\LivingDeath.exe
"C:\Users\Admin\Downloads\LivingDeath.exe"
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
832df47a96195dc6240d4c5dd5cdb400

SHA1
4e6223c4d241407c6d1c5cbb0d663caf76ab7112

SHA256
92784638235c53899563744a45788358284e52c5217d715518fa5503de530e51

SHA512
23cf6b84d1a280bcfa8b861f3c3fa9cf15f891e2ba2a1a0802211c9d2c1ce6044e5db1ef3d4b8476438a1d31708a3085398fbb1b356d8f49d131fe0a8f871773

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
2e41fe7720eb1a89c70f60b834a1aac8

SHA1
42e6361ad88c06f5386852a4f19345577357a9d6

SHA256
6425c20d622131a938c31a690a34ef0a78acf58004a97feeae50da9277ffccfc

SHA512
2d9e26d39bfb8029efa7e860971ac643d91d0c606bc2f03e22acf32e6d475979cf02ce8b7e3f517538ddc6f9051a57488915a0b89243089128ba9f15bb06d07e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
175789e6d64eae740ffa43f60c93c860

SHA1
8d01703358bb296ae3064dc087736d13f43e9e3c

SHA256
2b19b1f89be1739477c279f8fe367a4c4598dfa5a93c891af940095e4e3abd8e

SHA512
6350e31303895a78cb304fac8722e77d41b75c587c5611087167394ea633d7c9e693a2d5491dd2e3bcd486b2623a4b851edfcd79e1d4dd68da8aeb67ba5a31a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4cbc923e74dec6486d6277d08333d0c0

SHA1
7df90f1b6ce56df0adfc2fa5702ca6a5e46de964

SHA256
8dc95e2d62650de5100dc8e5be35ed9a1a8b7a8db948177bb1b3d3dad62dff42

SHA512
29b527398f9032ebc4b86b1162a6235bb273354efd85214b0ce2cfef0d08fab8979df48e0bb701021f39bf65f2fbe419396a7479fc1df0429e5ff7471c3a6512

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
928f1a186fbe514193e034049ad547e0

SHA1
64b3c5966795520c7426688da9a6c4e624f1f1ee

SHA256
d60fba9178c704b56de2ad2cc2cb848eebd8ce2d68386b66e52553a9727163b9

SHA512
226a1bd2ba329b2506efa7dab949e42b25c507aa8c65d0ff6268a5ff978f43a463163f8cc4fac1e0457e012d1e99bd0f2efd36789ba71e28f2d3d942c48afc55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1885543a55d7d26703675da01cc7c6d9

SHA1
956937d59fcd0102dd466e18f9a3d4fe7d5b8113

SHA256
5d9e55cdef9b73eabfc806b18267e4df2a555d04b2ddf05658b26d31b31b3260

SHA512
77afe6206a3b30d28aaa5ae578a30bbd8834df3fb8af58b4090a2aeedf57aa6328b46a766b11b81aaafee8be3eb8e141d89ee051f4d6c4ccc9fccf746f6d0ab7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a30cb142ad6146227441ccda0ef9f821

SHA1
4bc5d68c266e393b192dad47a0cdb20c8eff1508

SHA256
90a94e260b7ac6ffb06f579b4e02d8b3526fbcad0fe9609057937eee5ab2e60c

SHA512
68c437bbe0616cd82c4f1445b747b7b8255e90301e9f1086041a8dfe0c43a1b2372776bd9bfc2537707cdd899991e3435dfaec1ee7b4963cefc156f8ef9ab92e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
59ca3f62c77959980634df896965847d

SHA1
f391f752addaad5a8d820b23b066868c1f0e67c6

SHA256
9131edb206304f2cb9a09d58b22bcf6c6199d5b3f0fe4019b490b5c6fc459aad

SHA512
d9f813655e0e9c49fdc9d2ba5dfc66f90e95c16fe896e281b18a550b28321ee7ac9c16c1a278400636f9c338d8a411368cbe8eee0603c684e8b7f2b1bddbcb97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
72dd6fb017014cae8e63214c252ec704

SHA1
78a22fe9428c3f78cf9fe7c9f0aef15d445d66e2

SHA256
6d2624b841344c59e1ab462705c561bbbf2bbba9208e61dec80b01f5e32e9133

SHA512
6206c037df31743355ab73b812c154fbb4ee65842e8327b9b5b8674e84b54863bca9a49bb5e6affdbd5ae15b5ef102d6199c0a2db9535e7e345563efb0b8080f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d4f5d7d2b3c42bad4ebaa8de48480253

SHA1
f4c4bbb907122dfe9914950d1a752b9ee3ad731c

SHA256
0f64af42280ab53bc8cadb7d0979797c8656b4bde9533638f9bf7d8cac232b56

SHA512
087dceda694eb41df527825fc532d4b80e9c370744046e13d151a3aca09cafda539e25498e6dfefb4d111b4fd5659a7a64dcc850aa96d6e9bdbd9249c72301d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d28ae64c4578e269c8af41c19dbd668d

SHA1
bcbf2df309d5a54e7771239d40f79e7bf4724d23

SHA256
ebe7d88bde4e9d4d242950655539a3a344498e26f48e032959d29f157a86cff5

SHA512
c751affb80eff670fed823d92656596f0c921a4fdbc3ef384ed03c65340eaa1f707ee2dbac22c8d80e07bcc216492e18b96735b9effc973ac1da92e535bad963

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7c62dc61a5441c62c6d4efb3c4d2095d

SHA1
5ff6e0a12fd82a29f51548d02318da7d4f898bb8

SHA256
7fa8731ec96ad3d4b074bd0fcd1e19dd4be45be0e3fb45d715ebe0df14dd157c

SHA512
c5a9c2027ace0c7d0db1a5f1fb45a6dac0f489201c92eb17b6fb865e1203061beba5f439a658de222210a1975d1a0baf4113bd6fbcf7db4343b30c3a5cdb88fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ea54504dcee6e58cdd5f7adc3caa298c

SHA1
5a95f6d32ba8cc59ce853ec2a79e233c2a63995b

SHA256
46a6aba806a3c63f2d1851a4ef4b4f5d106ac5904017cac408f56f00d9a1af4e

SHA512
feb130f2004a87aaca4147c5923e487dd44f4aa7688c4b6836967739369755e2f59ad9208c98074a16ba968f447abfc94a7d4952dc0f97081944c3c52528fcff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ed025cf9d22abaf712c1a08bfd0833af

SHA1
9c35c20b5c555f7536b12b420cefb8ce6537bc81

SHA256
50cf92584d5afe40fff9f5ed2f57f6c01c318679db4619a7188f33c4cf0aeefb

SHA512
52a4054f55c943519317ea2ed4f516cf27975881e1de017e2065847a4adf316f454981849e22366be5bbfa8345c4bec2a4bfacbeca7abdba7a0f6edb48b44d79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
09bdc928fc58f852905bfce7755e447e

SHA1
13017a4dbd03c4f875523436390c8b92f326097b

SHA256
f77821441531ae04d8bcc6fb8b68663eb44ba026a28c2141d58d36b47c69fd60

SHA512
4b2037da0f52da661a6823a62a6318f0f93d28a8afb2db09275b69ba35a2016b43c2ea600ebca7035452ada115a4cce64a6b587b8a43f894b3db8645ecd1fe0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f2dabb55a864f77d1d2743750c935c7b

SHA1
38ebd1b8d4f31c7645792a9ed79ec3ce9c059423

SHA256
69b017c51527493c60d510b3edc29134e85b747e27c377947b7ac605f889b318

SHA512
61661e5020778481b25370ecf81e4d8853317b2b82813d7e559d0b44b829429bbf23d3be4e418714b3a917679d2910490a690041db735f5e30f60151baa5e6b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
81484c49ebb350cd7adeb23ad5f532eb

SHA1
daa9714d1ec8b5cff949c21e5aabf6951f598627

SHA256
7fd0b9bdd8432f149bdbe8a176275a7829eb6eb46f3b8ddaf20b9aa1cf248224

SHA512
90d0b24d1d8f52d476df020591320af327fbfd7c35feef8fe962fda799d076018bcd36dfe5dadeb5f92a66545962faa519b2acdec335219c3436c4a2ef29ffde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0c876ec395c79a65abc5700e76bd560c

SHA1
d9029ef784771f593729915cc663ce27a6cadae5

SHA256
ad7179b4ee972b91086e4074153a2d237cacfd07cd55c1320021f0d74e76c0e6

SHA512
ab1a3e409f918937800e3054748d49a74076ec420e95ceac867dab4ff511e33db1840df14a011ca54c3af44ec098c1518508ac9e74f929baa6bd4f908dd3be96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
fb6f6776564e4bf99c551e580dfca68b

SHA1
5cc6f55f7d1dca308be9970431104a9574e87f85

SHA256
8e861af2de298a2027c5aaa0b24f698b5eade64a97d724a4a85f345b63ddfe6b

SHA512
eae9afd1e955e13594ae0f9368797abdfef0bb25d96b115e46b46112d3d640c9eb73f387f2b3a91a1836bcbb2112f9928fc3bacc5e1871e90b469bd937c61650

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
38aa262c55f544703ff86038b87453f1

SHA1
fff44d501d48a802e5df774423350dce9ec95f8c

SHA256
05152c37653ffc2d0fb403b9330f9676e7d7c4d3cd35f768588a43d5467e3ebe

SHA512
415b4e1b97277acdbb7aaf00b5d4e3dade8aa3f2209f2166f47d874f72d892ebe13936611cd8c5beecaaaf659f623d96259581a872d88c4c27b07e00f740e117

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
b538c4d3de7e7dfbd5638d217d99d12b

SHA1
0e60ae8004a4a97809be81299f75cf895ac3b9c0

SHA256
d5692b83206cdfad02f51789108fd3c6a3d8c9d1719679a377646d6c62cb50e9

SHA512
54ef0cfcbdb7ce353e34f4cb238beb437112e8c5846feef071860b63087e8eae1a96f7834fa8a5f3e027dd4f7fb227481adfc83ffc694b62462a1f8e62325647

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
fae48362d4b1ef5d525f663cbba75781

SHA1
f2aaec85de94420e291895734c7272504c9c72ab

SHA256
47c920f413b0c2fc579033fc099cd991de7f654fe2915903ae2d0fcb81e479dc

SHA512
fb600ee0d36295d188f1d2062a82d9b02e761a5a554e997c581eb6ec7ea41ed4240ecc4c9db7784f3e7b16c7b40d67cb4bde58d63b922862c4f0d51a5e676002

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
213KB

MD5
8723d99e07204d064c3639332c9c4ca4

SHA1
c3c5805cde1ec84f778ab43ff45c98981d59c7a7

SHA256
b2ca1e497ccdaeb10013a05c2bcdfe2bc9cc1d4681a97ada1ae8027433102a4f

SHA512
62a8d58e9c3f4b7200f480103639542c1fa1edd9aa8fa0a0b2aa5bf8a7096d1e4298a121b8f262e987a8ac8624aa66cd5f95d79bd7cd5f15191e6342894e9e37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
242KB

MD5
2aaa6ecc5ff57bfce6a5ae2bbe5bb10f

SHA1
fd72d8265ebeee7c884f02598f1e5d59d17d776f

SHA256
cbda5bfcca03143b43c44fdfa41ea89d24fc7c55c052dcf0e111666df0020460

SHA512
c0787ef8ec13a7a3054e9c5f4e2f791d0a4a0a97a3694aa2659ddfb5cbbc98872effa4efc5a46aaa7c9fa4d5c3bd80d12b6a9ae2821637b1c907b80bbcaacc1e

Download Submit
C:\Users\Admin\Downloads\LivingDeath.exe

Filesize
47KB

MD5
cdfdb046ce89e2b4667ec83a4b569f05

SHA1
54f192c3dafe359707c01926aa0e5ef6228fa2b5

SHA256
b105701d8452833153625e1c159c9a3787b9d5c99e5cfb24f19522d0ece66820

SHA512
7b3003b9b174adde0f75c53c0c83c9448093de6cf5972f54ded7481292b95021ccb7eb3c5ac66a3fb2f4b6ae96126b132fdf6586b09ea57ca86edf23f1471bf5

Download Submit
C:\Users\Admin\Downloads\LivingDeath.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
memory/2984-567-0x00000000007D0000-0x00000000007F2000-memory.dmp

Filesize
136KB

Download
memory/2984-570-0x00000000007D0000-0x00000000007F2000-memory.dmp

Filesize
136KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads