hxxps://drive[.]google[.]com/file/d/1zYEWqniDcqNX3AMqU9RO1iPk4X3vXmZR/view?usp=drive_link

Analysis

max time kernel
43s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2024 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1zYEWqniDcqNX3AMqU9RO1iPk4X3vXmZR/view?usp=drive_link

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
9	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133735528267881078"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
768	chrome.exe
768	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
768	chrome.exe
768	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 2448	768	chrome.exe	84
PID 768 wrote to memory of 2448	768	chrome.exe	84
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2012	768	chrome.exe	85
PID 768 wrote to memory of 2500	768	chrome.exe	86
PID 768 wrote to memory of 2500	768	chrome.exe	86
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87
PID 768 wrote to memory of 1728	768	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1zYEWqniDcqNX3AMqU9RO1iPk4X3vXmZR/view?usp=drive_link
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd7c11cc40,0x7ffd7c11cc4c,0x7ffd7c11cc58
  2⤵
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1852,i,9835158358348358383,9832215344566591713,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1808 /prefetch:2
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1860,i,9835158358348358383,9832215344566591713,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2564 /prefetch:3
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2104,i,9835158358348358383,9832215344566591713,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2584 /prefetch:8
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,9835158358348358383,9832215344566591713,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,9835158358348358383,9832215344566591713,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4632,i,9835158358348358383,9832215344566591713,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  PID:1780

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
33863b1c9b49ecf6c1a47181ba9b3243

SHA1
3949f5b03b7ca62a3771c17f444e8150a594fd07

SHA256
41b5e8fea886a0c681205412398260f12ab73875b238760dbf23dac722efffa6

SHA512
8b0381427a8e21a0d2563597d72bf3097ef6a5913a459fb7a87e8d0832a093d052707be57e20ea9f3b0f9476a3fea565bf1c94bb86a0599b4d1f8ef480fec964

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
895c3dcc2ecd04f7622470856c20e296

SHA1
cc530eea5bb19feabbddf483e8eaec18d6b602ed

SHA256
922d36cf9a90196f898038e0b3b74676424cef4d87d12a0a7bcb17897ba497bb

SHA512
ff307a4a85206531904fad4adb41d23e4f71da20f855280245ddf42d7136680bef9c585eb06c1850d5feedf1cb83224ffb6b8064bf703a76df1db11441b08add

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
491c9de6413ab1310fcdd7863ff53fd9

SHA1
b2386f63adaa63243664530bccfaadf79f31e7f0

SHA256
79d69bac675a85d636aa23793b3f91dafc6323756d8ebf5cb88d8c5bcea588bf

SHA512
824f202adc1229d0007f92729ca06432efb6adbd694efcedc2eb6f1adfa3212f5f1ba8fa73dd83aa21a49d45ac8715aca5df4a35b3894c98976e7708987e449a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ae08872f4d3ab861d99126c9a411f055

SHA1
f1aa08722bdadabf42e7df259ac65f32aded86f4

SHA256
9ffcda097f34e557481fdfa94909729ac36f73b1328841f5326df00f0ff9c301

SHA512
8a0acda59ddf0801919c83603c516d5051787ff3c5cc564eea3612f038f1e248793016b9250ad0334aeaaf92b585fe62ff3545343aca957c8486cdc25a23ac5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
39f503525a87d737778f3a827c13cbf6

SHA1
dbc3a79526313daadd88a3b5fb8d6d984fa77606

SHA256
11dbc01503e51f3dda7b410f03fe46eb6d52b12bbbd910afb19ee8991ee29e5f

SHA512
1ca22f8cef22a00c0f5f75c7eb424aac6a2fffcd23bba79b5631ac5662182a7943cbd104469df8ee3e65bab498d083d4451ed9a7802c51b43f1e2734209112ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
32e5cd761e11d9a20a760c6100a6359a

SHA1
1ac6945dc72eb0d41cc9e5716c448cc5e3f1f2d7

SHA256
fbbd1bb39af4606cb69ea10bcca0808a6b786bc7d289741aebd007de76bb095e

SHA512
b457894318f206f84ae88ee221da14c7f8364108d3bb3218127fc9c9b2da0a2c47e216e9729a50469593e30581fade0deef500e39a3671ce588ed9e0de77ea2b

Download Submit