3eeb973ad48e95c714bd0078741d74cfc8f9688ac4c3390703ac063839cc85a5

Resubmissions

05/10/2024, 10:24

241005-mfczkszcpm 8

05/10/2024, 10:22

241005-mea4latglg 4

Analysis

max time kernel
30s
max time network
24s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05/10/2024, 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ekran görüntüsü 2024-10-05 084948.png
Size

6KB
MD5

3c14b122926a99e02f90c74fe7d543a1
SHA1

c352578250a8de9d7a2ce47b1f5ce94126b23fa9
SHA256

3eeb973ad48e95c714bd0078741d74cfc8f9688ac4c3390703ac063839cc85a5
SHA512

b476cd2af30474b6307cb420f1f35be1339ad04d495e4153c82849464a721a037269669d5c9b61ad642ab13da4ac4f4e70abf1acf8db8b80c57adc6fcddca545
SSDEEP

192:StSriy+r8MoF3qkD74l5dnFdewFO/196qwfQ:StYv+ip54l5dnFcwFOX3

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133725974185183220"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5036	chrome.exe
5036	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 2628	5036	chrome.exe	82
PID 5036 wrote to memory of 2628	5036	chrome.exe	82
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 4176	5036	chrome.exe	83
PID 5036 wrote to memory of 456	5036	chrome.exe	84
PID 5036 wrote to memory of 456	5036	chrome.exe	84
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85
PID 5036 wrote to memory of 640	5036	chrome.exe	85

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Ekran görüntüsü 2024-10-05 084948.png"
1⤵
PID:1216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffadee9cc40,0x7ffadee9cc4c,0x7ffadee9cc58
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1764,i,12251798792322332299,20536878340092689,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1760 /prefetch:2
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2052,i,12251798792322332299,20536878340092689,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,12251798792322332299,20536878340092689,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2180 /prefetch:8
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,12251798792322332299,20536878340092689,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3372,i,12251798792322332299,20536878340092689,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4476,i,12251798792322332299,20536878340092689,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4472 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4600,i,12251798792322332299,20536878340092689,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  PID:556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4748,i,12251798792322332299,20536878340092689,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4824,i,12251798792322332299,20536878340092689,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4688,i,12251798792322332299,20536878340092689,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4676 /prefetch:8
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4404,i,12251798792322332299,20536878340092689,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4640 /prefetch:1
  2⤵
  PID:3596

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2b96ecef8f7e945a018e7737ffcdb391

SHA1
c8e69f515d67bc3f66603bb3938792264049c103

SHA256
3cbc73af1b5ec56f080ce8f1d8ea1ed2cf15fe42bbc1547db985e57ad05c1a73

SHA512
1999c3e0ff2d4567157d166db9673a252b76d6f97a9d8a211bcd8fb72f2571d3d97554f80b1a56726ccd6ade3e1d059acddbcf37888b4085ca0ebe45ce5ef070

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4d3b80aef3707b6a008724b5a7c9a4d6

SHA1
2ec0dadd8ddfe0c744f79806a2addb89a657ffd5

SHA256
1dc19d28b92f319c70277e406e0b2b2ad86758fb45f7028d8df9e4f29422fb80

SHA512
01ea2f6e09ab2c9197aa6e6565b72b073bcf2b03387ae9029aedebdb30c0d41994b6ee9d092f1af54842734430d0e4629198f6bdefafbb155c64cf030c18ef9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
07b6d8e952c90eb2f4812232563fd658

SHA1
cb8552b8094f7b8134ff59840dde58778278a53b

SHA256
3986319f9a1fdab5316cddf57cb0d76b95f453b501113b737750dddb79a6ae9e

SHA512
6aaba59024b669a966df414785594deda9efca4136e90accec098ce5224d5a42704e77fd6b31234bf80f6501a9dac96bdad6d9d1b1ae0fb0475174a407a81d55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
13acf01e116a5d952dc8d13827e11520

SHA1
003e08b79dca9da4ae423f2d5a7b615aa8e776a9

SHA256
d70a10190e20aa15402dadf85bade8ce1c679e0e084736c47e6c50d51f06e0ec

SHA512
aa3f6a3e02feb7cbacff79a4a9e1b8c816a0de2f256a27bb46de34a811ebfe97801cd0207bf7e3b6d84438326520fc7f70f197d2fcfcd7165dceca7c8b214f03

Download Submit