Analysis
-
max time kernel
122s -
max time network
125s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
24-08-2021 17:11
Static task
static1
Behavioral task
behavioral1
Sample
ChromeRecovery.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
ChromeRecovery.exe
Resource
win10v20210408
General
-
Target
ChromeRecovery.exe
-
Size
67KB
-
MD5
b3d0b8c065ad75dfd646829bc7c87735
-
SHA1
629655f03b356ad46ae106855eb004c7be7098c0
-
SHA256
61560f470822a249950e3d35574aae0ee9c93da31c1fd6f001c0cec97069a4fb
-
SHA512
81539089391fb7aad33450a37ab57ec4a13c544a70ead868bc89f4e5d3d81dd948b4ea82c9ba1a780e03dfee608839b6acf2868f0ff6c0fc0fd2ef2fd6cf766e
Malware Config
Signatures
-
A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
A310logger Executable 2 IoCs
resource yara_rule behavioral1/files/0x00040000000130e4-62.dat a310logger behavioral1/files/0x00040000000130e4-63.dat a310logger -
Executes dropped EXE 1 IoCs
pid Process 1716 MZ.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 icanhazip.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier ChromeRecovery.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 ChromeRecovery.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1716 MZ.exe 1716 MZ.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1716 MZ.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 296 wrote to memory of 1716 296 ChromeRecovery.exe 30 PID 296 wrote to memory of 1716 296 ChromeRecovery.exe 30 PID 296 wrote to memory of 1716 296 ChromeRecovery.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\ChromeRecovery.exe"C:\Users\Admin\AppData\Local\Temp\ChromeRecovery.exe"1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:296 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716
-