hxxps://drive[.]google[.]com/uc?id=10671gN1hB5VXdnU_T7VlJKnucxdB7GSS&export=download

Analysis

max time kernel
22s
max time network
12s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
28-10-2024 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?id=10671gN1hB5VXdnU_T7VlJKnucxdB7GSS&export=download

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
1	drive.google.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133746054221657115"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Shared Im.jpg:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2676	chrome.exe
2676	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2676	chrome.exe
2676	chrome.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2160	2676	chrome.exe	79
PID 2676 wrote to memory of 2160	2676	chrome.exe	79
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 900	2676	chrome.exe	80
PID 2676 wrote to memory of 3040	2676	chrome.exe	81
PID 2676 wrote to memory of 3040	2676	chrome.exe	81
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82
PID 2676 wrote to memory of 3416	2676	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/uc?id=10671gN1hB5VXdnU_T7VlJKnucxdB7GSS&export=download
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa0444cc40,0x7ffa0444cc4c,0x7ffa0444cc58
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1728,i,12326760436928569003,10673908755132631056,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1716 /prefetch:2
  2⤵
  PID:900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2060,i,12326760436928569003,10673908755132631056,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2080 /prefetch:3
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2164,i,12326760436928569003,10673908755132631056,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2336 /prefetch:8
  2⤵
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,12326760436928569003,10673908755132631056,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3068 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3080,i,12326760436928569003,10673908755132631056,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4496,i,12326760436928569003,10673908755132631056,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4636 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4728,i,12326760436928569003,10673908755132631056,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:1976

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2052

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
5b290af1f0d736051ebb5a39d614a982

SHA1
29733e9225722c46a4dfdbba54c8fd978633b25b

SHA256
198461105044e52d85bbb7974958097bb3fff157cb3eecd8e87245874ce09463

SHA512
a54fb06d168413a22afc3c7a79b943059f7126a56a0754d4c46fd8ca46d021d956db323dfc944920b64a4f7a25b6908de19c7f0cd04e61a9c4c7aff68976d99e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
7bad633a6968598a49bb81988ee6d322

SHA1
89a7e90945c93fd5a5554bdc891e5a5b4fb5a30d

SHA256
0b9f41fbde82fbbc6e72c4d91f119963befbc097b7583c656bca5d1a1c447f71

SHA512
1bc06305a71df37aabe3c4797b9c5ba835b4fac33bc16017345c10ea35f23636ce7a7ab6b81bc5ae81bf5b61ed89b4000e0c17a112fc7c7778941bfd245d3c91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2ea95d0e915eb52f670dbe2a479973d3

SHA1
4819e4e3ee9de374ee85484c2b2ca2d5638f1fb1

SHA256
364ae87fb2773c72d0795e3f404feaa809a3c6244ba8e00133d06590ac0acccd

SHA512
2038997d45ea01350a978339faafaab00d0c2bc7b281625bca714c36591f276f0361b88602f05ba417f6342055136bb41c8cefb2c4e63a83cce09a51d09c38a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c13af37fe3078acdc6d86106a6c4204d

SHA1
539b653a8a13152811ff01e29e3aaf0354c34d11

SHA256
6e106da78befca6299d65bf82f67c6393b1d9a2578d8770f68c23bdd5c3d951a

SHA512
190f15f6d48a0ba5cc9d49dc5e9d112a641bb36b38b1df8e487dae83650e5b27c913fde7982c1daf28233e3e8d20516fbf53e57bdbf0215b6d8607b8eda2ce4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
d3699218cb41402b61b6e9f3713f674f

SHA1
f0942c5e78ab210beec2f841e88e30aa8182e2dc

SHA256
f0d99f96a4f1e508f3305e533d05e9b45db6d5f5d2e61b582b711da06f6c839f

SHA512
f4749f3bad60b50d979d7f31885873eb6de3df415cedfbddb9d932937c42f6e60b11a3a77922452d4aaf5727e7a146fd96d7348cb51e30a8a2060bb3dabfe98a

Download Submit
C:\Users\Admin\Downloads\Shared Im.jpg.crdownload

Filesize
34KB

MD5
b2be8d8335822865aa78cda42d8dc9dd

SHA1
b38e6b086fcbbc68226581f31117c7210102bcff

SHA256
affdd3d14fadcbce38099648826add6a0c0a139d708550c5a82a5600fe3edeb1

SHA512
597165b8bb58d4ff4fd143e7e7ecc0e2d98d204c8fa3bc90fdf1347b663e0f263d0e0aa5282881bdcc477910d7dc77774c9256a114cdaa1e68d6bb268a2a6756

Download Submit
C:\Users\Admin\Downloads\Shared Im.jpg:Zone.Identifier

Filesize
134B

MD5
e8aacebdda2e1f9ae7c2d9ab0e3a6da1

SHA1
c32856473df0d3ec4784d137a7b43c5c74693bd7

SHA256
b9ca9c6bec558c9167140b148f0b9f46adeeacb4b9efc5dbd8419ce841695229

SHA512
24c6b7f3327a2cd7e89b9deac4c992c683eedf3efb9b2ee319f145bb0f5f70040b6f360edbee6749658c39f99a57850abda1dc806ee011b7e6cf77e9c6b18f19

Download Submit