hxxps://drive[.]google[.]com/uc?export=download&id=1wCGz5rgLapHLOLP77XdwR60EHdxbAzf4

Analysis

max time kernel
26s
max time network
16s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2024 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?export=download&id=1wCGz5rgLapHLOLP77XdwR60EHdxbAzf4

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
6	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133740046718253695"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2076	chrome.exe
2076	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2076	chrome.exe
2076	chrome.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2848	2076	chrome.exe	84
PID 2076 wrote to memory of 2848	2076	chrome.exe	84
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 3008	2076	chrome.exe	85
PID 2076 wrote to memory of 1972	2076	chrome.exe	86
PID 2076 wrote to memory of 1972	2076	chrome.exe	86
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87
PID 2076 wrote to memory of 4796	2076	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/uc?export=download&id=1wCGz5rgLapHLOLP77XdwR60EHdxbAzf4
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8cc21cc40,0x7ff8cc21cc4c,0x7ff8cc21cc58
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2004,i,15221685333705322206,9274093042695634380,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1996 /prefetch:2
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1688,i,15221685333705322206,9274093042695634380,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,15221685333705322206,9274093042695634380,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2252 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,15221685333705322206,9274093042695634380,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,15221685333705322206,9274093042695634380,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4592,i,15221685333705322206,9274093042695634380,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4604 /prefetch:8
  2⤵
  PID:1740

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
55f8ed01ba3ac971bb29440fe12d429e

SHA1
2ec09e7ef0378f7b42685b73584d90111ca7fc08

SHA256
6f346d71babd76f9e70fbf9543726b9811f598148ad0a3a0fe636a94211b836d

SHA512
ac4fb3f0ecee31601205766cd351422fb7cd93bf1c9f810a713a21cbda3575a6a32da6dfa4c0553c54f9f9da2a2858d2db47a22dfecde2c447fc489eac6b8aa7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
4c48e8bbbd51f0e3886b115812abbe8e

SHA1
d63ce4d382c747bb87aa35d3f7efb9b95254731c

SHA256
00bfb9eb47d7f35eb35de6f354d0e3aa147812b9d694bcf00a3d17fabee2bb5e

SHA512
77b3f80f28a35467272aee4561d8a862ed04a8e0f17b31baf561d6eb20f309421737fc84cbaeb878614204c8257e46c218ef9f07346fa9425729403390e4fb84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
217459bf16395c1f69a3e81fa46a9c5f

SHA1
4bb27ed6e4e2af6ce61b7f1210a8931543ee70b9

SHA256
34997e4a6a67998332683860f9c4dd126c94d4ec6016b00db39070a1d2e882e0

SHA512
69c0784a2ff1f45a4a92dec3b773d0fa91a951dc8c0e052a82657cce57aa6947abba1d058f7c5bdee5e5ab800b9f58b8a8726f0e4b6d26aa7fdf8a2c98374ec0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f2da1dcc410b6e5b78d7bd9489d60d1c

SHA1
11a3a94fe6b2bfc28bec59ea4791f1eb03bb596f

SHA256
6c3a2ed98ce14f3d77f8a84a0ab27245cfe92c0a912418fa4f0ef7d37e6ea9ec

SHA512
7f85fea91cde0fcd071cf64846e00b5d7fa7365126a3c7f587c177b26f953309abac34dfd792aeb2d3ce9147cdd98bb77e578f6facb28a093989a0b2c96fcdab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
3c30d4774e74e2afa9c17c4391c2c124

SHA1
bdcdf1d81ae47f52d84fcb30cf3640f79a6bb149

SHA256
65b9f7be4ddd385203549523f6d30f576db4c7e73e3323837c755c18fe6f8d00

SHA512
3d07093119944f602727cf937c82035581c26aa80d036eb755da58a82fdf629936a892e8a714d9a018def0fbcfd2524e5e021e275027b8c2290bfff61cc910a0

Download Submit