Analysis

  • max time kernel
    275s
  • max time network
    276s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-10-2024 14:48

Errors

Reason
Machine shutdown

General

  • Target

    https://cdn.discordapp.com/attachments/1268991976993456222/1291407962199560255/Cokertme_kebab.exe?ex=66fffce3&is=66feab63&hm=fa286f13e09428c9c7e93891509c129e04d5c7218f20974e196cbfa818503041&

Malware Config

Signatures

  • Downloads MZ/PE file
  • Drops file in Drivers directory 64 IoCs
  • Manipulates Digital Signatures 2 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Possible privilege escalation attempt 2 IoCs
  • Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs

    Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

  • Modifies file permissions 1 TTPs 2 IoCs
  • Drops file in System32 directory 64 IoCs
  • Modifies termsrv.dll 1 TTPs 1 IoCs

    Commonly used to allow simultaneous RDP sessions.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 17 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1268991976993456222/1291407962199560255/Cokertme_kebab.exe?ex=66fffce3&is=66feab63&hm=fa286f13e09428c9c7e93891509c129e04d5c7218f20974e196cbfa818503041&
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4308
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe7a28cc40,0x7ffe7a28cc4c,0x7ffe7a28cc58
      2⤵
        PID:2640
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1880,i,10986565677679442130,6274341628455620209,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1876 /prefetch:2
        2⤵
          PID:2440
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1588,i,10986565677679442130,6274341628455620209,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2144 /prefetch:3
          2⤵
            PID:2864
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,10986565677679442130,6274341628455620209,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2420 /prefetch:8
            2⤵
              PID:5080
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,10986565677679442130,6274341628455620209,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3136 /prefetch:1
              2⤵
                PID:2972
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,10986565677679442130,6274341628455620209,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
                2⤵
                  PID:2184
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4764,i,10986565677679442130,6274341628455620209,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4776 /prefetch:8
                  2⤵
                    PID:3904
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4956,i,10986565677679442130,6274341628455620209,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4196 /prefetch:8
                    2⤵
                      PID:4224
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5084,i,10986565677679442130,6274341628455620209,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5112 /prefetch:8
                      2⤵
                        PID:3176
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5096,i,10986565677679442130,6274341628455620209,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5136 /prefetch:8
                        2⤵
                          PID:4712
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5128,i,10986565677679442130,6274341628455620209,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5320 /prefetch:8
                          2⤵
                            PID:4376
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4980,i,10986565677679442130,6274341628455620209,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5468 /prefetch:8
                            2⤵
                              PID:1504
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5732,i,10986565677679442130,6274341628455620209,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5104 /prefetch:8
                              2⤵
                                PID:4380
                            • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                              "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                              1⤵
                                PID:2344
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                1⤵
                                  PID:4160
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3804,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=3828 /prefetch:8
                                  1⤵
                                    PID:4884
                                  • C:\Windows\system32\taskmgr.exe
                                    "C:\Windows\system32\taskmgr.exe" /4
                                    1⤵
                                    • Checks SCSI registry key(s)
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious behavior: GetForegroundWindowSpam
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of SendNotifyMessage
                                    PID:4104
                                  • C:\Users\Admin\Desktop\Çökertme kebabı.exe
                                    "C:\Users\Admin\Desktop\Çökertme kebabı.exe"
                                    1⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:1564
                                    • C:\Windows\system32\cmd.exe
                                      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3445.tmp\3446.tmp\3447.bat "C:\Users\Admin\Desktop\Çökertme kebabı.exe""
                                      2⤵
                                      • Drops file in Drivers directory
                                      • Manipulates Digital Signatures
                                      • Boot or Logon Autostart Execution: Print Processors
                                      • Drops file in System32 directory
                                      • Modifies termsrv.dll
                                      PID:4652
                                      • C:\Windows\system32\takeown.exe
                                        takeown /f C:\Windows\System32 /r /d y
                                        3⤵
                                        • Possible privilege escalation attempt
                                        • Modifies file permissions
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3700
                                      • C:\Windows\system32\icacls.exe
                                        icacls C:\Windows\System32 /grant YourUsername:F /t
                                        3⤵
                                        • Possible privilege escalation attempt
                                        • Modifies file permissions
                                        PID:2472
                                      • C:\Windows\system32\shutdown.exe
                                        shutdown /r /t 0
                                        3⤵
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4784
                                  • C:\Windows\System32\rundll32.exe
                                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                    1⤵
                                      PID:4504
                                    • C:\Windows\system32\LogonUI.exe
                                      "LogonUI.exe" /flags:0x4 /state0:0xa3939855 /state1:0x41c64e6d
                                      1⤵
                                      • Modifies data under HKEY_USERS
                                      • Suspicious use of SetWindowsHookEx
                                      PID:3624

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

                                      Filesize

                                      649B

                                      MD5

                                      ce4d01558612fe30b572f18c558902da

                                      SHA1

                                      5aa7f118d027db5a4d519b9d744e430986a2129a

                                      SHA256

                                      a1fb1460097b79d44f2d34be1d77275d71d1634a1a89614d20bba2ab75b974f1

                                      SHA512

                                      bd35f17dd7e190a93c361da8437dbef1fd729dd2fc1eb284890c85d46ec6f6cd5fbc864f14a9d0037848ec6b6704169a9cb1b185bdc9572f089db7101a757125

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                      Filesize

                                      1KB

                                      MD5

                                      87eaa76d3232f96de99a96baccd7b3b6

                                      SHA1

                                      d52b50f07fc55c97b1973b5a1573bfd61e8b434b

                                      SHA256

                                      c73752c323f53e405b50745fc777c61dd219252df813409adbbd99815c45c040

                                      SHA512

                                      19b987479eb6821c3a593f69a69994187515a789676df55d10dc8a8f2bb8d056ff4ab1eb84cddd0317517d3b426a4b8a7460f290cb1d00930002a6bad4e201ea

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                      Filesize

                                      2B

                                      MD5

                                      d751713988987e9331980363e24189ce

                                      SHA1

                                      97d170e1550eee4afc0af065b78cda302a97674c

                                      SHA256

                                      4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                      SHA512

                                      b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                      Filesize

                                      9KB

                                      MD5

                                      1171b767059473f6647564f6e12a22d4

                                      SHA1

                                      bf8582c2836452f1b014a30e74da58bf4453977a

                                      SHA256

                                      2488b6dc31a1be7934823f31923c17b393ad9e244aa8c3d8b88a8a69ffc8de84

                                      SHA512

                                      2faf02360738df3c72098d6dfb71638e775383de7a1a5d2017c8b141b6b107a91d12a1c467bef2e9f0f1e85b52d99b449611421c93ce691037a99806622c0b1e

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1

                                      Filesize

                                      264KB

                                      MD5

                                      f50f89a0a91564d0b8a211f8921aa7de

                                      SHA1

                                      112403a17dd69d5b9018b8cede023cb3b54eab7d

                                      SHA256

                                      b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                      SHA512

                                      bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                      Filesize

                                      195KB

                                      MD5

                                      6a0f9c36d589523a3b6428f536f439d1

                                      SHA1

                                      17d61ff87b374b32d8b01dc754a44ef3a84cade4

                                      SHA256

                                      9d939188ca206c19c80c4bf581dd980ce3250bc57bb89420f40ab578d9fd5a93

                                      SHA512

                                      2a50dc306287d4bb258ed32561df579e7ba28c3008fa1dd9f1731e4592be5f3bbe824c870394f710d61ad267434b14e3326e09be01eae03dad3b1adda62d19a5

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                      Filesize

                                      195KB

                                      MD5

                                      593325f42da1d9071a28b3e4b6caea76

                                      SHA1

                                      b17664ff5dbc41ac22d07a494617c3feae2d1000

                                      SHA256

                                      b43915571442905d36dc67e0e7024f3cae503e197e8dff14a070c9fcd7d89b84

                                      SHA512

                                      b807002f62b907b4e174ff680481900103f49b7f9f59f0f944cd75a7589070258188927bd2427b5359f07dab72ac4ef6acad8f9ab96ba7a322d3a87e4269c0e0

                                    • C:\Users\Admin\AppData\Local\Temp\3445.tmp\3446.tmp\3447.bat

                                      Filesize

                                      208B

                                      MD5

                                      838355a330a59290ca362cf938e0378c

                                      SHA1

                                      1dcda840f5e8b96e80f3852550cafdd2748eed8e

                                      SHA256

                                      73db043c6fa8db55302890ce97738e8ef1dbe4bf9bccb0603e5a5e4f97d2cdd1

                                      SHA512

                                      622e9959dbf1e865926def6cbabf2b9a0d875227f87cf90e618f1ca5294763856f9214c288cc6d9360b44026bd981e765284680737489203fc1eb1dd00abbd09

                                    • C:\Users\Admin\Downloads\Unconfirmed 382237.crdownload

                                      Filesize

                                      89KB

                                      MD5

                                      4996febaf9e813a08f1313dc10fa119f

                                      SHA1

                                      bb20492b02354aeaec3593709fa10a0f7078e37d

                                      SHA256

                                      17f4cce1ad4d64836096add8b88621db4d717c8b6f1db86245a7cc434da558ce

                                      SHA512

                                      78a2ec11579fced740bf79c1985a7ea5b55a0a444918ad68db8d55e0ed759cdc3d89caf1b4ccbbb6f26b5d0b0c7fee20514602f2feeba4522d574dbe7f90db65

                                    • \??\pipe\crashpad_4308_TBBPOGJHRLKHQESI

                                      MD5

                                      d41d8cd98f00b204e9800998ecf8427e

                                      SHA1

                                      da39a3ee5e6b4b0d3255bfef95601890afd80709

                                      SHA256

                                      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                      SHA512

                                      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                    • memory/4104-141-0x00000203AA850000-0x00000203AA851000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/4104-140-0x00000203AA850000-0x00000203AA851000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/4104-146-0x00000203AA850000-0x00000203AA851000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/4104-151-0x00000203AA850000-0x00000203AA851000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/4104-150-0x00000203AA850000-0x00000203AA851000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/4104-149-0x00000203AA850000-0x00000203AA851000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/4104-148-0x00000203AA850000-0x00000203AA851000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/4104-147-0x00000203AA850000-0x00000203AA851000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/4104-145-0x00000203AA850000-0x00000203AA851000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/4104-139-0x00000203AA850000-0x00000203AA851000-memory.dmp

                                      Filesize

                                      4KB