hxxps://drive[.]google[.]com/file/d/1_jED8s5xilfBEwq4mdId6pHDPfx76aTe/preview

Analysis

max time kernel
46s
max time network
48s
platform
windows11-21h2_x64
resource
win11-20241007-es
resource tags

arch:x64arch:x86image:win11-20241007-eslocale:es-esos:windows11-21h2-x64systemwindows
submitted
27-12-2024 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1_jED8s5xilfBEwq4mdId6pHDPfx76aTe/preview

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
4	drive.google.com
5	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133797928318952130"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
340	chrome.exe
340	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
340	chrome.exe
340	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe
Token: SeShutdownPrivilege	340	chrome.exe
Token: SeCreatePagefilePrivilege	340	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe
340	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 340 wrote to memory of 4808	340	chrome.exe	77
PID 340 wrote to memory of 4808	340	chrome.exe	77
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 3952	340	chrome.exe	78
PID 340 wrote to memory of 456	340	chrome.exe	79
PID 340 wrote to memory of 456	340	chrome.exe	79
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80
PID 340 wrote to memory of 3056	340	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1_jED8s5xilfBEwq4mdId6pHDPfx76aTe/preview
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6223cc40,0x7ffa6223cc4c,0x7ffa6223cc58
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1764,i,4529441316749961720,3470005589922127839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1760 /prefetch:2
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2040,i,4529441316749961720,3470005589922127839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  PID:456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2152,i,4529441316749961720,3470005589922127839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2368 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,4529441316749961720,3470005589922127839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,4529441316749961720,3470005589922127839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4468,i,4529441316749961720,3470005589922127839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4516 /prefetch:8
  2⤵
  PID:1744

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9ed1c51067377e4afc362f2813ce184b

SHA1
d76a63a68984688c639da5a8fb13ba9c56bd9814

SHA256
4a386fa422b27ace46dbe8e46864a2b96e0310b660b6fc2c139583fe236c0cd7

SHA512
ce209ac4508744dc98cf6762d3f4aae4b803f5625e52c432fdb36b84ca1f62fa70c7bdf908f903561b070245ca4b6e91daec4e7acabeeda292350932f991a7ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
cacafbded8725d700e1445aa3503e24c

SHA1
5352cee626d0f792e1e34221330b9fda5bf30143

SHA256
691098eed1671846e6ef11495801c663f0b4dcca0af0ecdcf6df99d1d5f3d64c

SHA512
a62f2bf1eb9283128b0512bf3976986ea0981041a9caf1e3376d837c24efcc67343a4e3cbd138edf4998f2def41fcb50a8dab8442cdf69013f7806e89aee4b11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
17fa6045be676b541155925178d6ce74

SHA1
7ca9c562d180a0b857848d7818312bd8f04ccd24

SHA256
d4edf6ab3c7ae1b7064ef23317f69d64153b254eb20fcc267a0dd04a01397d72

SHA512
e4a0b9ec55da5af11fda2bd33fd502df171a09290b0b9e61c6c809a28dfc9b2e8a12ef709670ec54295269408ac2248ad6c4aecfefabea98521857a39749efa0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
66b191ff7d6d5a682f0e19996335b67b

SHA1
3ff9118f28a5a35a6fd7786b845d8e2110fdf1b7

SHA256
e082d73b0a286ecc873a50803158f770c66ea47badda6e6d8c859c2097115e96

SHA512
8d012c35a85dc6ead7a43c9fe22006adc2c47e42d211f3f22bee9ecf1fb94eed2a34c777ae445bcc227b3b94ac32e3caa30658b06e01cd306e07c33d4168f75f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
764f7903fcb55cf6961c2f112d7411d1

SHA1
04a822cd52adadd7cc5fbb5be947dee97868a322

SHA256
0d61ef2a5626811730f4903484303380e0ec9117f15f4267d182722cc7a70071

SHA512
56a9f5130deab883295ce6c7a9ce3fea0faee08f02aad9801489fa1025bd678a4dfcf9e7055897efb9d76b5e0c47dfaa6885e7f34087363a857841f81d0671c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
241918643d95e725fd254329a4caacdf

SHA1
072040e4703c8439f6681fe2448055e96e4372a9

SHA256
b082f2c702a89af2d70e79d4aed817a6ea417586319e6822396dc8f1b1c29109

SHA512
3ffa1536940657e004338f3666721c3bd46db159375b424be8353d3c4f77e93a37c03708e875cf68c11134139d5ca6c40b4c5f8694fed4342db1eef68bc3d954

Download Submit