Analysis
-
max time kernel
44s -
max time network
42s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
-
submitted
07-01-2025 22:33
General
-
Target
https://drive.google.com/drive/folders/1ypIR9V2IgH0E4bxaoJe2w7YX8nUS1deM
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Delays execution with timeout.exe 5 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
cURL User-Agent 1 IoCs
Uses User-Agent string associated with cURL utility.
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/drive/folders/1ypIR9V2IgH0E4bxaoJe2w7YX8nUS1deM1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffa32d4cc40,0x7ffa32d4cc4c,0x7ffa32d4cc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1980,i,3402389454621050430,9432398545265914639,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1772 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1908,i,3402389454621050430,9432398545265914639,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2088 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,3402389454621050430,9432398545265914639,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2328 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,3402389454621050430,9432398545265914639,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3148 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,3402389454621050430,9432398545265914639,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3196 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4900,i,3402389454621050430,9432398545265914639,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4448 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4480,i,3402389454621050430,9432398545265914639,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3696 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=4028,i,13034162257960464555,14563862583435181672,262144 --variations-seed-version --mojo-platform-channel-handle=5068 /prefetch:81⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7b9d4299-639c-411c-aa47-c382a4b73483_EXM Free Tweaking Utility V7.1.zip.483\EXM Free Tweaking Utility V7.1.cmd" "1⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path Win32_UserAccount where name="Admin" get sid | findstr "S-"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_UserAccount where name="Admin" get sid3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\findstr.exefindstr "S-"3⤵
-
-
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak2⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile Enable-ComputerRestore -Drive 'C:\'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\reg.exeReg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f2⤵
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Downloading resources (power plan, Nvidia profile inspector & more, Press "OK" To continue)', 'Exm Tweaking Utility', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"2⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
-
C:\Windows\system32\curl.execurl -g -k -L -# -o "C:\Users\Admin\AppData\Local\Temp\exm.zip" "https://exmapi.onrender.com/static/free/v5.0/v5.0_free_resources.zip"2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell -NoProfile Expand-Archive 'C:\Users\Admin\AppData\Local\Temp\exm.zip' -DestinationPath 'C:\exm'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Downloaded resources successfully, Press "OK" To continue to the menu:Information);}"2⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
-
C:\Windows\system32\timeout.exetimeout 22⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\timeout.exetimeout 22⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\timeout.exetimeout 22⤵
- Delays execution with timeout.exe
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
649B
MD50c127f69ac8c15b6f3e98b100e6bd482
SHA1d02f008cbecd555e377bc78cb387de6874a0d6cd
SHA25673083bc603dc266b7e6fd49fded798307ac3c467348424217f92acc172cfb2c9
SHA512769d371518f20d2a81840c26592cd101b8889a4106a5655a434488e2fb791764e2de7fb24cdae326bbf21b96bce18f10bc71d8649cc4fce785290d60e69a07d6
-
Filesize
1KB
MD526ba3fc3ea16de222ba654f9560dc812
SHA1aaaafe886eb3ec95c3ce41b29e08b8b97d018fc1
SHA2565af753d15debeb1ff6fe33dec8b58ed8a99edb4f3c8c23596b36cee02f0ef7c0
SHA512fae7d2a6238823da9306e6afb18e27f4de5c4242156bde3ccd9f87ca0ebe04a79794deff26869d8efffe126d798888ae4bd00ae09ecb648e5d03fca161c9bb5f
-
Filesize
1KB
MD5074d60b35a57b292158880ed1e58db80
SHA17855c209676ea191a1d1d3f73fda83ce4cb1ea3e
SHA2562ebe6b1ad854612d3e5d1a76095983b0b268f707e0d84e30081c8b4c133666a2
SHA5126bb6b8b75d0926a0f23b9a322c7d73f315f88eb25d6a555dcdd3c67c5fa79c374e1a4691b810a5e9d92087fc3c433639808c27ab309a5c9bd1ddb0df4f584830
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
1KB
MD54d41702287d45ccc44edadd270c9abf5
SHA1c1102d2e7ae345bd98a165f5ae9d3486d9dba6ed
SHA256d82c92947e42719353385165b1032b4b64dc0450e55476a57bbc578430894294
SHA512ab351453184338335dd9f635579948ec50bd5b512f2bc390d752a5f9e28b36c729dd4b0bcd498cb6017452f3fcac22570ccc510ac4aa87566b18fc4a5016260d
-
Filesize
9KB
MD5081d12daf5b5e3b6f1d45f936101c339
SHA16fcaaf8678da3d7acfdb1db9089accfa5545e487
SHA256392144338fa3faf434a2a656c959f11018f1eae8e71a40a1a71fb8acea4a22c9
SHA51201a1c8c56a4a0c28d69dc5b9e7cb6f3afeb0aba7ed0d9ba9cea928fe7c315bd1877c3b7ab408f4d6803901d9c7ddaf6f6e9a187c5b052f61bd8219b95f57fa70
-
Filesize
9KB
MD52b8b4ed27e6aa72618ff37d988056a22
SHA1ea0c81a21617f37b575285ea26b5b4b5298cf688
SHA256e42dcf572c508936751c19d35401a3bbcec9a510def770583d0892839db89c95
SHA512b45df7c5d40addf7ccb90ae62b8946486c4ac8dbc53a0b5b12571209077ad387451c302c65bf47bf2ef90301e7e6560d2ad7e393c59969f354c1295aefcb7be4
-
Filesize
9KB
MD52d46dc4d4a384e4aa2fc264a5d45ffe4
SHA1046ed924c793c4f863ba9ad6c52930d383dda6f3
SHA25612166fd19c3ef8b1aa21513b5a0a394f76e12f130b841c6a53a6de2a9c14a279
SHA51254053e466293a7e4705cccd8821fe276252594006a7a99b480dfef42ab8a29dbb2b79e905f537f292e2ad9e39909ceb3d15390a67eb30cbc9b6819233e035046
-
Filesize
118KB
MD52e5d47d9598b324461bf469aca497a4d
SHA19f6abb9f717037122d5c5fe14129096d99327346
SHA256f753305aa331f26bca0b2d8ad739b353ca7c88e3279cb983472295fd4d4b7be4
SHA5125636ad1f375068491bb57d2db482b90b81893df75c0fd270cf846a13962ab38c17da0d26baf09e68dfbfe90bb86b7473a058dbfce06f2a165abe33869cf8bde7
-
Filesize
118KB
MD5e354b429ed3bd51a61533436bdd707a9
SHA19ec989c118d1eb71a53bbc4cbfb1a724e967715d
SHA2560f81b7c62ef65c211040eebd0ad339e37954eced6607c5120c14e5084a1b5a60
SHA512e8a940235134be9842553c1f8a275b6528155cd7c5c7fe76c93768fb920e58021fc698b26c7058f05e13ec15e0aab3998ee910b735d4b15d063260c706b7f00c
-
Filesize
2KB
MD5713ad359b75fe6d947468ec1825202b9
SHA119dcd19f18a2ad6deb581451aad724bd44a592a4
SHA25656572269ec031c63d966c6d3b4712600b908d38826c59c0f9a8225d0a783e9f4
SHA5124df344dec422bed85b186909dc7f9c35126b3bb45e100f18fb95b4a9943ace242479adf5f0194b054d38b67032498f897a5a54b49026efee0c4797cb5a5e54e8
-
Filesize
64B
MD50ff7e1af4cc86e108eef582452b35523
SHA1c2ccf2811d56c3a3a58dced2b07f95076c6b5b96
SHA25662ed8ef2250f9f744852cb67df0286c80f94e26aed646989b76e5b78f2f1f0d0
SHA512374675fd36cd8bc38acaec44d4cc855b85feece548d99616496d498e61e943fd695fec7c57550a58a32455e8b21b41bafa18cd1dadac69676fff1de1a56da937
-
Filesize
1KB
MD555f5b4415d056cd9177df5288d1c99db
SHA17036f03ef0e0c0590906ed4acd74cd198db3126d
SHA2569db798502d2ff02f27439cd07aa0504fe63578b7d6a11293204e1a5913aae58b
SHA512001c61170f776377b65b44d90bfbe580aee20d103770191fab1c6afc9b769797ec9155fa50de47846affc4e5ecdffb9ffcffbebf8f11bb724c6470491ceeea16
-
Filesize
1KB
MD5ec8fe1a87995da892f279e134b15cc50
SHA1327a9fca0a8306c0abadac77cab6cc7c8b748d01
SHA256f3d035aafe2ce184d97aa55cdff86e5240225d52898f082502bd4f638d7097c8
SHA51232ca723082875b4ef9bb03f6b89bd514ed925a47e87e8af498306ae43d1616838b694a6f128a9df2dbd998fa4f07a7d02c1f1c72acc10e43b01f5711f1389f73
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.2MB
MD5db0e9e1953431cc977c3e95bd3d36ab6
SHA14f34027bfd24a54e269721e07f3fedceb7841e70
SHA256c4e798355111c34ae3424a1c102758335a5e24f714831b15a5bf2a1303df9097
SHA5120874095e38b8c5ab0e2f68fddb77ea2283ef6515349417446aef12e6b9e4456c429b156423858830264cbbe9cacc4a32d9cc2325135432bebc0c5b38720fff9a
-
Filesize
45KB
MD598cd3d6363cf97d5ba3bac68e578a02a
SHA107082270f40bdf9d6cbafdf219139bf1acc1c97a
SHA256f4948a32fe575320cbd82574f8ab9dae1a3bedb2fc5c0418173927e61fb9f66f
SHA512c2de27834b5c4a7e37b34852c792fab32bb4f2bcceb928b90a276e0d32c07780df4662b317f5bb93c973a91e6d9d720cf8ce85627ed6bb1653c5a725f6666879
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
136KB