4f5b98fd7e3f21c333152170d08d7ffe17f2c9e69862512bd6726c8030c966d1

General

Target

7ff772000000.chrome.exe
Size

2.2MB
MD5

6387220994ea844be6f9a7b0ed8b4d4e
SHA1

d29cf6195bdcdbe6844f6b0ccfa15d6f1f5b62df
SHA256

4f5b98fd7e3f21c333152170d08d7ffe17f2c9e69862512bd6726c8030c966d1
SHA512

bf3fbf9d14d56d8555fc3f6f0f02e197ed1987a17a9b6d1ab33bd7821045507a56a351df6cfd6dc6eb2d309f06ee973ce6811b8ecaafd7188f388b526df79ee7

Score

6^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 myexternalip.com
15 myexternalip.com
Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

1660 net.exe
748 net.exe

flow	ioc
14	myexternalip.com
15	myexternalip.com

pid	process
1660	net.exe
748	net.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

7ff772000000.chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	7ff772000000.chrome.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	7ff772000000.chrome.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	7ff772000000.chrome.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

7ff772000000.chrome.exe

pid process

1992 7ff772000000.chrome.exe

pid	process
1992	7ff772000000.chrome.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

7ff772000000.chrome.exenet.exenet.exe

description	pid	process	target process
PID 1992 wrote to memory of 1660	1992	7ff772000000.chrome.exe	net.exe
PID 1992 wrote to memory of 1660	1992	7ff772000000.chrome.exe	net.exe
PID 1992 wrote to memory of 1660	1992	7ff772000000.chrome.exe	net.exe
PID 1992 wrote to memory of 748	1992	7ff772000000.chrome.exe	net.exe
PID 1992 wrote to memory of 748	1992	7ff772000000.chrome.exe	net.exe
PID 1992 wrote to memory of 748	1992	7ff772000000.chrome.exe	net.exe
PID 1992 wrote to memory of 1052	1992	7ff772000000.chrome.exe	nltest.exe
PID 1992 wrote to memory of 1052	1992	7ff772000000.chrome.exe	nltest.exe
PID 1992 wrote to memory of 1052	1992	7ff772000000.chrome.exe	nltest.exe
PID 1992 wrote to memory of 1724	1992	7ff772000000.chrome.exe	net.exe
PID 1992 wrote to memory of 1724	1992	7ff772000000.chrome.exe	net.exe
PID 1992 wrote to memory of 1724	1992	7ff772000000.chrome.exe	net.exe
PID 1724 wrote to memory of 896	1724	net.exe	net1.exe
PID 1724 wrote to memory of 896	1724	net.exe	net1.exe
PID 1724 wrote to memory of 896	1724	net.exe	net1.exe
PID 1992 wrote to memory of 1004	1992	7ff772000000.chrome.exe	net.exe
PID 1992 wrote to memory of 1004	1992	7ff772000000.chrome.exe	net.exe
PID 1992 wrote to memory of 1004	1992	7ff772000000.chrome.exe	net.exe
PID 1004 wrote to memory of 1832	1004	net.exe	net1.exe
PID 1004 wrote to memory of 1832	1004	net.exe	net1.exe
PID 1004 wrote to memory of 1832	1004	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\7ff772000000.chrome.exe
"C:\Users\Admin\AppData\Local\Temp\7ff772000000.chrome.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\system32\net.exe
net view /all
2⤵
- Discovers systems in the same network
PID:1660

C:\Windows\system32\net.exe
net view /all /domain
2⤵
- Discovers systems in the same network
PID:748

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
2⤵
PID:1052

C:\Windows\system32\net.exe
net localgroup administrator
2⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrator
3⤵
PID:896

C:\Windows\system32\net.exe
net group /domain admins
2⤵
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group /domain admins
3⤵
PID:1832

C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\PeterGriffin\Desktop\girlGirlBoys.jpg"
1⤵
PID:376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/376-60-0x000007FEFC381000-0x000007FEFC383000-memory.dmp

Filesize
8KB

Download
memory/748-63-0x0000000000000000-mapping.dmp

Download
memory/896-66-0x0000000000000000-mapping.dmp

Download
memory/1004-68-0x0000000000000000-mapping.dmp

Download
memory/1052-64-0x0000000000000000-mapping.dmp

Download
memory/1660-62-0x0000000000000000-mapping.dmp

Download
memory/1724-65-0x0000000000000000-mapping.dmp

Download
memory/1832-69-0x0000000000000000-mapping.dmp

Download
memory/1992-59-0x0000000000010000-0x0000000000255000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing