Analysis
-
max time kernel
20s -
max time network
115s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
24-08-2021 17:11
Static task
static1
Behavioral task
behavioral1
Sample
ChromeRecovery.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
ChromeRecovery.exe
Resource
win10v20210408
General
-
Target
ChromeRecovery.exe
-
Size
67KB
-
MD5
b3d0b8c065ad75dfd646829bc7c87735
-
SHA1
629655f03b356ad46ae106855eb004c7be7098c0
-
SHA256
61560f470822a249950e3d35574aae0ee9c93da31c1fd6f001c0cec97069a4fb
-
SHA512
81539089391fb7aad33450a37ab57ec4a13c544a70ead868bc89f4e5d3d81dd948b4ea82c9ba1a780e03dfee608839b6acf2868f0ff6c0fc0fd2ef2fd6cf766e
Malware Config
Signatures
-
A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
A310logger Executable 2 IoCs
resource yara_rule behavioral2/files/0x000200000001a4f4-116.dat a310logger behavioral2/files/0x000200000001a4f4-117.dat a310logger -
Executes dropped EXE 1 IoCs
pid Process 3736 MZ.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 10 icanhazip.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 ChromeRecovery.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier ChromeRecovery.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3736 MZ.exe 3736 MZ.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3716 ChromeRecovery.exe Token: SeDebugPrivilege 3736 MZ.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3716 wrote to memory of 3736 3716 ChromeRecovery.exe 75 PID 3716 wrote to memory of 3736 3716 ChromeRecovery.exe 75
Processes
-
C:\Users\Admin\AppData\Local\Temp\ChromeRecovery.exe"C:\Users\Admin\AppData\Local\Temp\ChromeRecovery.exe"1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3736
-