Analysis Overview
SHA256
99a5938fc480970658f6a7823d41da49a0bce42862d54de92d6003b16791e611
Threat Level: Shows suspicious behavior
The file Screenshot 2024-11-13 7.48.42 AM.png was found to show suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Drops file in Windows directory
Enumerates physical storage devices
Browser Information Discovery
Suspicious use of SendNotifyMessage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 16:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 16:54
Reported
2024-11-13 16:55
Platform
win10ltsc2021-20241023-en
Max time kernel
49s
Max time network
56s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133759904834171992" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Screenshot 2024-11-13 7.48.42 AM.png"
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Screenshot 2024-11-13 7.48.42 AM.png"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffbff5ccc40,0x7ffbff5ccc4c,0x7ffbff5ccc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,9405742493202830609,1272889370895819658,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1912 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2204,i,9405742493202830609,1272889370895819658,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1848 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,9405742493202830609,1272889370895819658,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2240 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,9405742493202830609,1272889370895819658,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3164 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,9405742493202830609,1272889370895819658,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3212 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3724,i,9405742493202830609,1272889370895819658,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3704 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3820,i,9405742493202830609,1272889370895819658,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4708 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3324,i,9405742493202830609,1272889370895819658,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3452 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4060,i,9405742493202830609,1272889370895819658,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3204 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 13.87.96.169:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | 169.96.87.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.201.100:443 | www.google.com | udp |
| GB | 216.58.201.100:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 202.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| GB | 216.58.213.10:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 67.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 216.58.204.78:443 | clients2.google.com | udp |
| GB | 216.58.204.78:443 | clients2.google.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 78.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
Files
\??\pipe\crashpad_4248_LXIHDTZVLMMRUZLZ
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1