Analysis

  • max time kernel
    99s
  • max time network
    194s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    22-07-2021 02:30

General

  • Target

    7ff772000000.chrome.exe

  • Size

    2.2MB

  • MD5

    6387220994ea844be6f9a7b0ed8b4d4e

  • SHA1

    d29cf6195bdcdbe6844f6b0ccfa15d6f1f5b62df

  • SHA256

    4f5b98fd7e3f21c333152170d08d7ffe17f2c9e69862512bd6726c8030c966d1

  • SHA512

    bf3fbf9d14d56d8555fc3f6f0f02e197ed1987a17a9b6d1ab33bd7821045507a56a351df6cfd6dc6eb2d309f06ee973ce6811b8ecaafd7188f388b526df79ee7

Score
6/10

Malware Config

Signatures

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Discovers systems in the same network 1 TTPs 2 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ff772000000.chrome.exe
    "C:\Users\Admin\AppData\Local\Temp\7ff772000000.chrome.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\system32\net.exe
      net view /all
      2⤵
      • Discovers systems in the same network
      PID:1660
    • C:\Windows\system32\net.exe
      net view /all /domain
      2⤵
      • Discovers systems in the same network
      PID:748
    • C:\Windows\system32\nltest.exe
      nltest /domain_trusts /all_trusts
      2⤵
        PID:1052
      • C:\Windows\system32\net.exe
        net localgroup administrator
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1724
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 localgroup administrator
          3⤵
            PID:896
        • C:\Windows\system32\net.exe
          net group /domain admins
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1004
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 group /domain admins
            3⤵
              PID:1832
        • C:\Windows\system32\regsvr32.exe
          regsvr32 /s "C:\Users\PeterGriffin\Desktop\girlGirlBoys.jpg"
          1⤵
            PID:376

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • \??\PIPE\samr

            MD5

            d41d8cd98f00b204e9800998ecf8427e

            SHA1

            da39a3ee5e6b4b0d3255bfef95601890afd80709

            SHA256

            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

            SHA512

            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

          • memory/376-60-0x000007FEFC381000-0x000007FEFC383000-memory.dmp

            Filesize

            8KB

          • memory/748-63-0x0000000000000000-mapping.dmp

          • memory/896-66-0x0000000000000000-mapping.dmp

          • memory/1004-68-0x0000000000000000-mapping.dmp

          • memory/1052-64-0x0000000000000000-mapping.dmp

          • memory/1660-62-0x0000000000000000-mapping.dmp

          • memory/1724-65-0x0000000000000000-mapping.dmp

          • memory/1832-69-0x0000000000000000-mapping.dmp

          • memory/1992-59-0x0000000000010000-0x0000000000255000-memory.dmp

            Filesize

            2.3MB