Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
23-12-2024 09:29
Static task
static1
Behavioral task
behavioral1
Sample
AutoClicker (1).exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
AutoClicker (1).exe
Resource
win10v2004-20241007-en
General
-
Target
AutoClicker (1).exe
-
Size
854KB
-
MD5
c500a7318204cc39a9e4b544fbf4f4ff
-
SHA1
f35013967cb5ff638491edb409eee863c5f8ada0
-
SHA256
45bd2a14ac56f7a71d9c8b358cc0769972b5477edd1744e1f2085961558040a8
-
SHA512
f57d2c6ad185bff1824ddfcdd1f8fea9da6a832c6ef421cbd8645b7ac78a9d5b4d0d321ebbf6559729d470c05ef579020bb2411fa361e9b0acf51e640e4e1580
-
SSDEEP
12288:maWzgMg7v3qnCiWErQohh0F49CJ8lnybQg9BFg9UmTRHlvh:haHMv6CGrjBnybQg+mmhJh
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AutoClicker (1).exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
-
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133794199568810168" | chrome.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
4500 | chrome.exe
4500 | chrome.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3028 | AutoClicker (1).exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid | Process
4500 | chrome.exe (4 identical rows)
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 4500 | chrome.exe (12 rows, alternating with the row below)
Token: SeCreatePagefilePrivilege | 4500 | chrome.exe (12 rows)
-
Suspicious use of FindShellTrayWindow 26 IoCs
pid | Process
4500 | chrome.exe (26 identical rows)
-
Suspicious use of SendNotifyMessage 24 IoCs
pid | Process
4500 | chrome.exe (24 identical rows)
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4500 wrote to memory of 3108 | 4500 | chrome.exe | 96 (2 rows)
PID 4500 wrote to memory of 2476 | 4500 | chrome.exe | 97
PID 4500 wrote to memory of 1288 | 4500 | chrome.exe | 98 (2 rows)
PID 4500 wrote to memory of 2868 | 4500 | chrome.exe | 99
64 rows in total: 2 to PID 3108, 2 to PID 1288, and the remaining 60 to PIDs 2476 and 2868. Every source PID is 4500 (chrome.exe); none of the writes originate from AutoClicker (1).exe.
Processes
- C:\Users\Admin\AppData\Local\Temp\AutoClicker (1).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AutoClicker (1).exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4500
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffbbc96cc40,0x7ffbbc96cc4c,0x7ffbbc96cc58
    PID:3108
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,799981402227731211,9556093340651552450,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2
    PID:2476
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,799981402227731211,9556093340651552450,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2412 /prefetch:3
    PID:1288
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,799981402227731211,9556093340651552450,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2420 /prefetch:8
    PID:2868
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,799981402227731211,9556093340651552450,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
    PID:3384
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3416,i,799981402227731211,9556093340651552450,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3436 /prefetch:1
    PID:2860
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4524,i,799981402227731211,9556093340651552450,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4556 /prefetch:1
    PID:1188
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4468,i,799981402227731211,9556093340651552450,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4816 /prefetch:8
    PID:4268
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4852,i,799981402227731211,9556093340651552450,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4816 /prefetch:8
    PID:5100
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4836,i,799981402227731211,9556093340651552450,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5112 /prefetch:8
    PID:5000
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,799981402227731211,9556093340651552450,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5132 /prefetch:8
    PID:64
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5092,i,799981402227731211,9556093340651552450,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5068 /prefetch:8
    PID:1784
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4812,i,799981402227731211,9556093340651552450,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5088 /prefetch:8
    PID:4800
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5068,i,799981402227731211,9556093340651552450,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5076 /prefetch:2
    PID:4600
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  PID:2116
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID:3956
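The process tree above is the key to reading the Signatures section: chrome.exe (PID 4500) is a top-level process, not a child of AutoClicker (1).exe (PID 3028), and every WriteProcessMemory row has 4500 as its source and one of its own children as its target. The only signatures credited to the sample itself are the NLS\Language registry read and GetForegroundWindowSpam. The script below is an added example (not part of the report or of the sandbox's tooling) that makes that attribution explicit: it rebuilds parent/child links from the depth markers, splits signatures into those fired by the sample's own process tree and those fired by unrelated processes, and labels each WriteProcessMemory row as the expected parent-to-child, same-image pattern of a multi-process browser or as something worth a closer look. The PIDs, image paths, signature names and IoC rows are copied from the sections above, trimmed to the PIDs the rows reference; the label wording and the classification rules are my own.

```python
import re

# Process tree as listed in the "Processes" section above, trimmed to the
# entries referenced here: (depth, image path, PID). A depth-2 entry is a
# child of the nearest preceding depth-1 entry, which is how the report nests them.
PROCESSES = [
    (1, r"C:\Users\Admin\AppData\Local\Temp\AutoClicker (1).exe", 3028),
    (1, r"C:\Program Files\Google\Chrome\Application\chrome.exe", 4500),
    (2, r"C:\Program Files\Google\Chrome\Application\chrome.exe", 3108),  # crashpad-handler
    (2, r"C:\Program Files\Google\Chrome\Application\chrome.exe", 2476),  # gpu-process
    (2, r"C:\Program Files\Google\Chrome\Application\chrome.exe", 1288),  # NetworkService
    (2, r"C:\Program Files\Google\Chrome\Application\chrome.exe", 2868),  # StorageService
    (2, r"C:\Program Files\Google\Chrome\Application\chrome.exe", 3384),  # renderer
    (1, r"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe", 2116),
    (1, r"C:\Windows\system32\svchost.exe", 3956),
]

# Signature name -> PIDs credited with it, taken from the "Signatures" section.
SIGNATURE_PIDS = {
    "System Location Discovery: System Language Discovery": [3028],
    "Suspicious behavior: GetForegroundWindowSpam": [3028],
    "Enumerates system info in registry": [4500],
    "Modifies data under HKEY_USERS": [4500],
    "Suspicious behavior: EnumeratesProcesses": [4500],
    "Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary": [4500],
    "Suspicious use of AdjustPrivilegeToken": [4500],
    "Suspicious use of FindShellTrayWindow": [4500],
    "Suspicious use of SendNotifyMessage": [4500],
    "Suspicious use of WriteProcessMemory": [4500],
}

# One WriteProcessMemory IoC row per distinct target, copied from the report.
WPM_ROWS = """\
PID 4500 wrote to memory of 3108 4500 chrome.exe 96
PID 4500 wrote to memory of 2476 4500 chrome.exe 97
PID 4500 wrote to memory of 1288 4500 chrome.exe 98
PID 4500 wrote to memory of 2868 4500 chrome.exe 99
"""
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def build_tree(processes):
    """Map PID -> (image path, parent PID) from the depth-ordered listing."""
    tree, last_at_depth = {}, {}
    for depth, image, pid in processes:
        tree[pid] = (image, last_at_depth.get(depth - 1))
        last_at_depth[depth] = pid
    return tree


def descends_from(tree, pid, ancestor):
    """True if pid is the ancestor itself or one of its transitive children."""
    while pid is not None:
        if pid == ancestor:
            return True
        pid = tree[pid][1]
    return False


def attribute_signatures(sig_pids, tree, sample_pid):
    """Split signatures into those fired inside the sample's process tree and
    those fired by unrelated processes (sandbox background activity)."""
    sample, other = [], []
    for name, pids in sig_pids.items():
        hit = any(descends_from(tree, p, sample_pid) for p in pids)
        (sample if hit else other).append(name)
    return sample, other


def classify_wpm(rows, tree):
    """Label each cross-process write. A parent writing into a child running
    the same image is the normal multi-process browser start-up pattern; a
    write into an unrelated process or a different image is what a
    process-injection detection should actually surface."""
    results = []
    for src, dst in ((int(a), int(b)) for a, b in WPM_RE.findall(rows)):
        src_image, _ = tree[src]
        dst_image, dst_parent = tree[dst]
        if dst_parent == src and src_image == dst_image:
            label = "expected: parent -> child, same image"
        elif src_image == dst_image:
            label = "review: same image, not parent/child"
        else:
            label = "suspicious: cross-image write"
        results.append((src, dst, label))
    return results


if __name__ == "__main__":
    tree = build_tree(PROCESSES)
    mine, noise = attribute_signatures(SIGNATURE_PIDS, tree, 3028)
    print("fired by the sample's tree:", mine)
    print("fired by other processes:", noise)
    for src, dst, label in classify_wpm(WPM_ROWS, tree):
        print(f"{src} -> {dst}: {label}")
```

Run against this report, all four WriteProcessMemory targets come back as "expected" and eight of the ten signatures land in the "other processes" bucket. The same two functions applied to a different report would flag, for instance, a write from PID 3028 into PID 4500 as a cross-image write, which is the case that deserves analyst time.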
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
649B
MD5 a13756daef59e0df2efe31fa38359b17
SHA1 78b11a5f15dcb1af37ca2f278507cc139f477439
SHA256 7180564215ba358d628862a9e2c71476a1691bc2926e2bf5f3f6ab93a278e845
SHA512 68a1d61855820cb5d5e504e88feb4fdad829d2489886e45aad50f584ddc44d10dabc60c9ae4b81dd5b20590acc4f0c7eb0f109ff9d53a8c573960c352377675f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json
Filesize 851B
MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json
Filesize 854B
MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize
2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD5 eb1ddb47780ed995cb9544731d3e8294
SHA1 b0f0e86f55579a3ca3b9a4e862c9bd6fabd570ff
SHA256 1af86f5dae2a89d71b86daa09a886e0ca72939f93204c0c300ead42f0644944c
SHA512 577228fa7b5d0a06751bd5084e227d32db3468d28761cf420b20c978ba866bf07ad0f010bb8a7a529711d4357b26076c7156fa102d3d0ed6b68154aa0081c063
-
Filesize
9KB
MD5 25dfa08b95b5f844fe185e9b40908cad
SHA1 03cddecc0ee25db2e5b75ff403a4df4efecc9a5f
SHA256 aac307d0079c996aa715d0046ae9cad5857e61806227b5f406a2ca6f6860cee7
SHA512 4cd59b653a217347a7fb0144198bc7e471898166e50cd8f36d8fec154cf55ba85450beb1ea8b1b438c81d416631fc8218dc8dc17c888fb4746b007ff28367817
-
Filesize
231KB
MD5 245a6f401d14cd27c1cef7af4767b6c4
SHA1 4b1112d8b9a0907fed85cc0a31419c22a5d5f534
SHA256 ec6c987b2de6968de585f7d121fda6aa4d107ef24922007bf35b57c7a6ef6dfd
SHA512 7babbea9fa9488fee585a430000e063203c0d70035ab46ac2d3959c71f138a746921437ad52e3ff7eff849cfa76503df342a121df697cbe660afab4be74ed3e3
-
Filesize
150KB
MD5 14937b985303ecce4196154a24fc369a
SHA1 ecfe89e11a8d08ce0c8745ff5735d5edad683730
SHA256 71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff
SHA512 1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c
-
Filesize
711B
MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727