hxxps://drive[.]google[.]com/file/d/13sgLRTMqb3bIBlhyCiXAPHhN2Smr1McA/edit

Analysis

max time kernel
11s
max time network
12s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/13sgLRTMqb3bIBlhyCiXAPHhN2Smr1McA/edit

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
6	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133815233819557804"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3736	chrome.exe
3736	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3736	chrome.exe
Token: SeCreatePagefilePrivilege	3736	chrome.exe
Token: SeShutdownPrivilege	3736	chrome.exe
Token: SeCreatePagefilePrivilege	3736	chrome.exe
Token: SeShutdownPrivilege	3736	chrome.exe
Token: SeCreatePagefilePrivilege	3736	chrome.exe
Token: SeShutdownPrivilege	3736	chrome.exe
Token: SeCreatePagefilePrivilege	3736	chrome.exe
Token: SeShutdownPrivilege	3736	chrome.exe
Token: SeCreatePagefilePrivilege	3736	chrome.exe
Token: SeShutdownPrivilege	3736	chrome.exe
Token: SeCreatePagefilePrivilege	3736	chrome.exe
Token: SeShutdownPrivilege	3736	chrome.exe
Token: SeCreatePagefilePrivilege	3736	chrome.exe
Token: SeShutdownPrivilege	3736	chrome.exe
Token: SeCreatePagefilePrivilege	3736	chrome.exe
Token: SeShutdownPrivilege	3736	chrome.exe
Token: SeCreatePagefilePrivilege	3736	chrome.exe
Token: SeShutdownPrivilege	3736	chrome.exe
Token: SeCreatePagefilePrivilege	3736	chrome.exe
Token: SeShutdownPrivilege	3736	chrome.exe
Token: SeCreatePagefilePrivilege	3736	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 976	3736	chrome.exe	83
PID 3736 wrote to memory of 976	3736	chrome.exe	83
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 4528	3736	chrome.exe	85
PID 3736 wrote to memory of 3500	3736	chrome.exe	86
PID 3736 wrote to memory of 3500	3736	chrome.exe	86
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87
PID 3736 wrote to memory of 4260	3736	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/13sgLRTMqb3bIBlhyCiXAPHhN2Smr1McA/edit
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcc2d3cc40,0x7ffcc2d3cc4c,0x7ffcc2d3cc58
  2⤵
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,15187877094600913999,16549338751123154996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,15187877094600913999,16549338751123154996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,15187877094600913999,16549338751123154996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2420 /prefetch:8
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,15187877094600913999,16549338751123154996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,15187877094600913999,16549338751123154996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4464,i,15187877094600913999,16549338751123154996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3668 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4372,i,15187877094600913999,16549338751123154996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4360 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4844,i,15187877094600913999,16549338751123154996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4792,i,15187877094600913999,16549338751123154996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4836,i,15187877094600913999,16549338751123154996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4492,i,15187877094600913999,16549338751123154996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4340,i,15187877094600913999,16549338751123154996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4652,i,15187877094600913999,16549338751123154996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5092,i,15187877094600913999,16549338751123154996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:1076

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
dd75c6d1f6be65fa7c6de514cf7ced29

SHA1
fdfb9945eebba2aa1920ff9e676667ad84954aff

SHA256
4053ab8e36a36afd9308c1a77190166cd8567e93def0c91f8304603dd3998fe3

SHA512
8556859904d1935d8a6fd2d31381df5d4c563a136b208d328a2ca9a8f5aebbd64e86f0e7244c4ca24377f621530579fc1954bd4071736c3ed35ff00118ad1d30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e81d88165c004949099fd3f62f83d777

SHA1
6c7145da3d6fb5ff7a56179c808701f74120f139

SHA256
947de01a159a85cc11ea028579839b263e824f88da1f7b5ee430d25573eb281f

SHA512
3ea7469a856db839e6c8cf2c936e4d7fb141d9c44a95c695ac748fe2e74c4e61e62a3d0b34b2e7f8d3323e9cd90018ea7eecf2d61ee4aee391ba684a20f08fc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1dbe646c5364b409680e0ee3e7d59935

SHA1
26c3d0fd7731fc619806368ed3753089cb34a6ba

SHA256
c7fc1e82b0b130428b5c4b4b149643c55b62f5b298c28028f18e72b1ec9fcb04

SHA512
bf6d77c03cf0afc443271b3fd8fabfe7bf55abcf9f897e05b1b02e96c2476f04eeeb8bfc006b13c4118f3dd046a9648ec0e957bc798d19ba9fe10db3ed3aaf9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
28e99a981808b45f3f302eb29948e379

SHA1
0f3b636205ea0a86c745b82cdd19af7033aa3c4c

SHA256
ab011cc8dfef69c7db6782cb4d76261dc7a6d6be1a24a7b201d4c5d9fc98586f

SHA512
c317d56b1b821867a3bf8a9701a58ab2e2b7f4065d430042017203fd30586279c34c12fa8665807e414318c3d82903ca3b0bb6564a672af5e293ab0d87613271

Download Submit