08c8d6dd56ff63d35929a9c166363515c8df91e8ad8a9cc7a4b14843b64771ef

Analysis

max time kernel
71s
max time network
48s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06/10/2024, 10:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

caption.gif
Size

738KB
MD5

70067fdfe9cd8acb1d14d8d352346bb5
SHA1

c842dd2872528d2aee3d894c5ac13a9eb92ead63
SHA256

08c8d6dd56ff63d35929a9c166363515c8df91e8ad8a9cc7a4b14843b64771ef
SHA512

a81da1ccb539d5a01adc2b7469156eb71b948e804a4544dfb0fd2aa698342b40a32df5333ce16322ab7fd27bf5f15c09effd1d22614fcbbbefc6ad62ff741cfc
SSDEEP

12288:6rXJOS0e9Joee8aA7EXFwRv+COhLbxb/aQraOZaeGEbLyVqQcXEXLCQERjed:61TleXA7fRKLxFZaxkLyVncX+Wjed

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133726827211750281"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3644	chrome.exe
3644	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3644	chrome.exe
3644	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe
Token: SeShutdownPrivilege	3644	chrome.exe
Token: SeCreatePagefilePrivilege	3644	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 1944	3644	chrome.exe	80
PID 3644 wrote to memory of 1944	3644	chrome.exe	80
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4128	3644	chrome.exe	81
PID 3644 wrote to memory of 4892	3644	chrome.exe	82
PID 3644 wrote to memory of 4892	3644	chrome.exe	82
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83
PID 3644 wrote to memory of 5016	3644	chrome.exe	83

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\caption.gif
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffecd55cc40,0x7ffecd55cc4c,0x7ffecd55cc58
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,8387469248872633899,17982042088859297081,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1792 /prefetch:2
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2100,i,8387469248872633899,17982042088859297081,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,8387469248872633899,17982042088859297081,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2380 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,8387469248872633899,17982042088859297081,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,8387469248872633899,17982042088859297081,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:1360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4532,i,8387469248872633899,17982042088859297081,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4152 /prefetch:8
  2⤵
  PID:4876

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
5bfdd858f09de0ba774b5005b936a20f

SHA1
5433fbff32fdf47ceb911fcda0da533a4928a667

SHA256
af015f3605d1acf04d2aeecd8da3bf1137fa5e76732e24b2513af9d42d42f96e

SHA512
61f9929831c0861ae620e92a8687887d8caaa059c5fdb3927443dd890ed10e30d5495e9c8d0af80cf3589b8e10479c401ca6bc50114658f778261b6670984306

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
962B

MD5
8a2186fee11b0427afac5212a111ec57

SHA1
8b572663ee4784a6b733cfe977e3b306128767e0

SHA256
802356b9ea1ceeb2e0944d3b06ebf2d807325e08aa6635c4c803432dc291444f

SHA512
07f7b4d5c26aedef0eade2748f95fc8bebf559d3a3c8177f2c37f4e948eab515fc648bde532c9688fb92485372c4b9d32e631b2921030cf08d53fa8a8a181aee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c8cdf0633b38fc863d2340b5f0c9d38f

SHA1
547a6f14687acf3ac8c84e72cb5d46a30eabeec2

SHA256
a6dd095b5e192ffea7917fb4519225f2bd045c45035b88a2d6b938e7ea68cfeb

SHA512
5b63ea1185643db9c455c2e73880140c60aecbc6694de2d5c811182b94fedd2c2c3d5c74f2224214480ea78afe818edd4ccc679a6af0ea8323925b7c0982224b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e04ff4b90783e86fd6b1de1060113f99

SHA1
f259450e9eb82253fb3df4ded1d1705c5a3ea6e5

SHA256
b6f446af921086128b3656d2f9eb80fe074dd55ed4d6833380c4dcf2b01c5524

SHA512
b3e75204fa05c275dbc5a7715ec60a55d610ceb8d199451a33df5f0b27596583c2f99f4be93629ca1208e7acd0f3096f43a42898d1cda55fbaa1def3c4a7a5a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c4411b7ad1766c8b7f72e76574e425d8

SHA1
5ea79c33f109c572cada6138587fb5c1fee58d09

SHA256
7bac04d4052f4bf7d4693658be3ef159ae0b2c6b491956f929bbd61d1b660ef0

SHA512
8fa2eb3487084f0460c0c6ae474d7aa98ccd5ea50451c72013abd4f6a8eb35a8060431795d44b3aa50f7807b79cfcde52909873430bf7d2f446495dbd7cc384b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d0b5cbf5a3f21719bd990b10c93af792

SHA1
512ed994ac56856774a2d02155e05fabbe2e08b8

SHA256
69f0421ee246ce8995ec246fdb018900ae669053f7f3dad77a5e7d6ded9c9f12

SHA512
32e0c9eccd71eedb52154f6bafd49068f7574d77070c40c15bc9156e74891107e65108f45bdc21e75f6c1da3326feb0c48e4f5f14dcedf3c4f26cb59618dba3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f147af19010f8a0d8ac2bf9c9f8f28b9

SHA1
15f0f23090420a93c448f247f4a78a485a5de132

SHA256
d8534223d16db31932ea5dd0f36576ffa9ea88db8a08a7d61100d0085533d269

SHA512
6eb76371ac9702d9e9983b400e7c1bbb7f9950028cac92bda730c7594b8c21df9127cc8b1e96e16e239c4c503c30f030c641a577bab012d9f98e8501e57f0ad0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
dd4737dbf2a2758a96ad07c1b7cc7646

SHA1
18b985002185441e30fa0a2956753322f3dc9c82

SHA256
b944352af539fd13ec65e09c7142d7dfa5e90a0c9d5fafacb1b98faaa9d7cdfc

SHA512
08ae86865b3ca1e98c900d90e38546c726dd902d2323a28a2b3bf7182db7687afd05a88835ecf3057b681c49ccd9a597fdd1e74e352fee0e24b67ac0575b8ac4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
a9991a0319960baec5216057eb727a55

SHA1
284d45e6227ece16f1befb446da1de575d9bacb0

SHA256
b3f12963a6edbabea6c74ca24456e1712532c32847017c8102196cb3c2ab1630

SHA512
99f88efa562324d17699dbc85787b7d3c9661b43d468c8dbe45df9c2c610eb453ece09fc0c89eff9954cbedd1113c93546dadb6a4b9ab7e6f4a58a1eb73805a0

Download Submit