Analysis

max time kernel: 19s
max time network: 23s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-12-2024 19:05

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://drive.google.com/file/d/1091y5SvsF7k-4FdH_gtlHwx60IF0twlN/view?invite=CM-2jKUD&ts=67511cd3
Resource: win10v2004-20241007-en

General

Target: https://drive.google.com/file/d/1091y5SvsF7k-4FdH_gtlHwx60IF0twlN/view?invite=CM-2jKUD&ts=67511cd3

Malware Config

Signatures
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow  ioc
  3     drive.google.com
  7     drive.google.com

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                               Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
  description      ioc                                                                                                    Process
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                  chrome.exe
  Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133778991783668390"  chrome.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2704  chrome.exe  (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  pid   Process
  2704  chrome.exe  (5 entries)

Suspicious use of AdjustPrivilegeToken (38 IoCs)
  description                       pid   Process
  Token: SeShutdownPrivilege        2704  chrome.exe  (19 entries, alternating with the row below)
  Token: SeCreatePagefilePrivilege  2704  chrome.exe  (19 entries)

Suspicious use of FindShellTrayWindow (26 IoCs)
  pid   Process
  2704  chrome.exe  (26 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process
  2704  chrome.exe  (24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  description                       pid   Process     procid_target
  PID 2704 wrote to memory of 2804  2704  chrome.exe  85  (2 entries)
  PID 2704 wrote to memory of 3376  2704  chrome.exe  86  (repeated)
  PID 2704 wrote to memory of 4008  2704  chrome.exe  87  (2 entries)
  PID 2704 wrote to memory of 3836  2704  chrome.exe  88  (repeated)
  The remaining 60 of the 64 entries are the repeated writes to 3376 and 3836.
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1091y5SvsF7k-4FdH_gtlHwx60IF0twlN/view?invite=CM-2jKUD&ts=67511cd3
  PID: 2704
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffaf3dbcc40,0x7ffaf3dbcc4c,0x7ffaf3dbcc58
      PID: 2804 (child of 2704)

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1740,i,3957020520014543677,17664139071787098056,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1736 /prefetch:2
      PID: 3376 (child of 2704)

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2124,i,3957020520014543677,17664139071787098056,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2156 /prefetch:3
      PID: 4008 (child of 2704)

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,3957020520014543677,17664139071787098056,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2396 /prefetch:8
      PID: 3836 (child of 2704)

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,3957020520014543677,17664139071787098056,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3128 /prefetch:1
      PID: 3552 (child of 2704)

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,3957020520014543677,17664139071787098056,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
      PID: 4252 (child of 2704)

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4596,i,3957020520014543677,17664139071787098056,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:8
      PID: 1084 (child of 2704)

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4860,i,3957020520014543677,17664139071787098056,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:1
      PID: 1572 (child of 2704)

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4796,i,3957020520014543677,17664139071787098056,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4352 /prefetch:1
      PID: 3908 (child of 2704)

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5096,i,3957020520014543677,17664139071787098056,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5088 /prefetch:1
      PID: 116 (child of 2704)

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  PID: 2576

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID: 856
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 649B
MD5: 3386ea41427df9a0b09132ffb6397b78
SHA1: f04bd110ee87fbd4117bef82f20b0414c5f31baa
SHA256: 886dd77efa4b0391bfbc322c609f84ea2fa660783a8d42a36e106112841049b9
SHA512: 27d0ceb505f03bf28bec57aa2f763d0de326d85216a6afbc3aa7faac3f983229a55186f714b44e0826e1a484d226554f3474fec2ae8a044b83b7bf350570d03e

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 859B
MD5: 5f8640c8bdb637177a51f6516ba0c8df
SHA1: 995cdba8b1e98071bd50c92e20f0a6a9f9d92a91
SHA256: 7a119eecc006864f795dfee2806d7edfb97e23889a92b182a62ee6c704c976e0
SHA512: 1f9dd6fd0ee13c6b60f31fdd78d15323e55446b0011f021286c605a62a4d507bad24a4531224e9d3e19fa16cdf68bd029d907e3c840dc5a7b4f26b749021d048

Filesize: 9KB
MD5: 6c9998f5059c6461d55e14710bbf0961
SHA1: 2b2f7be1831fd88c35ebf94278cbfc6df66f91e1
SHA256: 2dd8e334a9297337a9b7e42ff5ec77d85e6dc40eb41d6f3ff052d35c23904cee
SHA512: b2510b7eb6695ac191f3ccaf1a85034cf1ba1533597482fad725ec009e447d0b97cfaf0800db74c5df856f8354682ac677c18d80d9b2687ef25b8f27edc09d89

Filesize: 116KB
MD5: b0f03d3b73a65336164ed626bb25bf15
SHA1: 04486d0ef18cbb617ccd3496e1cb2f27dbeb8ffc
SHA256: 914f61a86acd568136d8a200f3d22cab8629156963b006d776f028872eba7cfc
SHA512: c88a6de5ce4b715fb05145fd64b9eb849c18343a5c2ca4545ebf8a94b0aa68086ae310242fb47ad8d0ddb6a328cdc7f87814dbab2c2bb6deff4fde6990ab1a66