hxxps://drive[.]google[.]com/file/d/1iJlXW-WnUJLHCRSeZVSNcOi9_ikgISch/view?usp=drivesdk

Analysis

max time kernel
21s
max time network
21s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1iJlXW-WnUJLHCRSeZVSNcOi9_ikgISch/view?usp=drivesdk

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
2	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133729664499220273"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2878641211-696417878-3864914810-1000\{7ED72FC9-EE05-42FA-9573-AA3AF071AB30}	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2892	chrome.exe
2892	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2892	chrome.exe
Token: SeCreatePagefilePrivilege	2892	chrome.exe
Token: SeShutdownPrivilege	2892	chrome.exe
Token: SeCreatePagefilePrivilege	2892	chrome.exe
Token: SeShutdownPrivilege	2892	chrome.exe
Token: SeCreatePagefilePrivilege	2892	chrome.exe
Token: SeShutdownPrivilege	2892	chrome.exe
Token: SeCreatePagefilePrivilege	2892	chrome.exe
Token: SeShutdownPrivilege	2892	chrome.exe
Token: SeCreatePagefilePrivilege	2892	chrome.exe
Token: SeShutdownPrivilege	2892	chrome.exe
Token: SeCreatePagefilePrivilege	2892	chrome.exe
Token: SeShutdownPrivilege	2892	chrome.exe
Token: SeCreatePagefilePrivilege	2892	chrome.exe
Token: SeShutdownPrivilege	2892	chrome.exe
Token: SeCreatePagefilePrivilege	2892	chrome.exe
Token: SeShutdownPrivilege	2892	chrome.exe
Token: SeCreatePagefilePrivilege	2892	chrome.exe
Token: SeShutdownPrivilege	2892	chrome.exe
Token: SeCreatePagefilePrivilege	2892	chrome.exe
Token: SeShutdownPrivilege	2892	chrome.exe
Token: SeCreatePagefilePrivilege	2892	chrome.exe
Token: SeShutdownPrivilege	2892	chrome.exe
Token: SeCreatePagefilePrivilege	2892	chrome.exe
Token: SeShutdownPrivilege	2892	chrome.exe
Token: SeCreatePagefilePrivilege	2892	chrome.exe
Token: SeShutdownPrivilege	2892	chrome.exe
Token: SeCreatePagefilePrivilege	2892	chrome.exe
Token: SeShutdownPrivilege	2892	chrome.exe
Token: SeCreatePagefilePrivilege	2892	chrome.exe
Token: SeShutdownPrivilege	2892	chrome.exe
Token: SeCreatePagefilePrivilege	2892	chrome.exe
Token: SeShutdownPrivilege	2892	chrome.exe
Token: SeCreatePagefilePrivilege	2892	chrome.exe
Token: SeShutdownPrivilege	2892	chrome.exe
Token: SeCreatePagefilePrivilege	2892	chrome.exe
Token: SeShutdownPrivilege	2892	chrome.exe
Token: SeCreatePagefilePrivilege	2892	chrome.exe
Token: SeShutdownPrivilege	2892	chrome.exe
Token: SeCreatePagefilePrivilege	2892	chrome.exe
Token: SeShutdownPrivilege	2892	chrome.exe
Token: SeCreatePagefilePrivilege	2892	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe
2892	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2696	2892	chrome.exe	85
PID 2892 wrote to memory of 2696	2892	chrome.exe	85
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2844	2892	chrome.exe	86
PID 2892 wrote to memory of 2256	2892	chrome.exe	87
PID 2892 wrote to memory of 2256	2892	chrome.exe	87
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88
PID 2892 wrote to memory of 4268	2892	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1iJlXW-WnUJLHCRSeZVSNcOi9_ikgISch/view?usp=drivesdk
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe069fcc40,0x7ffe069fcc4c,0x7ffe069fcc58
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1980,i,2632551089623172041,11456270329994046522,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1976 /prefetch:2
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,2632551089623172041,11456270329994046522,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,2632551089623172041,11456270329994046522,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2284 /prefetch:8
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,2632551089623172041,11456270329994046522,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,2632551089623172041,11456270329994046522,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4548,i,2632551089623172041,11456270329994046522,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4380,i,2632551089623172041,11456270329994046522,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:8
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4664,i,2632551089623172041,11456270329994046522,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5256,i,2632551089623172041,11456270329994046522,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  PID:2648

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
045ec2483bb9e92229259a1758639b6e

SHA1
5a375e9e7d79f9cd43385e91ae483e069c596abc

SHA256
0a8620bbb9c18fa5277febb3a6cad44653b77019b97a82f6a28a481ff65be1e8

SHA512
0bc2b4302918ff302cdc30b20540a29a6e20b5e169c5232753a4df44b1c8ed37980a98698c95bc6da157366cbfe895bf00691edea33a208c91b2b412eaa71235

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
69895409b4eb443b496cde5daba9e3e2

SHA1
d7b68943cd9833fda4aff806d35ab95e35aefd2f

SHA256
e4bb5f9da9d4565222f54b45cd1e45385f52ae0078f30661f7c05683b7e33e18

SHA512
ecc79574ebb4a9d41f7253c315397255f77c2a5c16bd9d5e665e19eec524d4c5aa4af821bcab1c5edd4342df5792da3c11a3e01c8bca0d17fc359228ed8177df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
2ba67c4bb16bdacee1d97c9cf1c337f0

SHA1
ac04e8890018a4a9039859079d19ba6da0916e10

SHA256
8d72f98f546240e8e4193fee75f26414bb1f31f81dd547108e2e907e1cebb937

SHA512
a3fa73db393b6b9c63e33e66613acf76fd0a4dc20b93af5300e5a69633c8662baff28f0bc641114a2b1ec1ce6b51b158110d40780fb9c70130230fc4cded9fdf

Download Submit