Analysis
- max time kernel: 150s
- max time network: 202s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 21-09-2021 08:35

Static task: static1
Behavioral task: behavioral1
- Sample: 89c72522693c171fc9db2f0ef8412fe6881ec0103ffd8edb0e0427fd68fc7fde.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 89c72522693c171fc9db2f0ef8412fe6881ec0103ffd8edb0e0427fd68fc7fde.exe
- Resource: win10-en-20210920
General
- Target: 89c72522693c171fc9db2f0ef8412fe6881ec0103ffd8edb0e0427fd68fc7fde.exe
- Size: 135KB
- MD5: c19deb53070413c02b1cd03ae424bb1c
- SHA1: b87d4f4fffb60627ec9c7ced3dbdfc945e7a0089
- SHA256: 89c72522693c171fc9db2f0ef8412fe6881ec0103ffd8edb0e0427fd68fc7fde
- SHA512: 28192ecaee6278eb9e2998ab829131b8324c863c576c39876950fb62e631613a55b51a17a5f91f0a4d2af4c3bdbc62a146cfa6d08c61a338ec74714865fa3014
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: Chrome.exe, PID 1788
- Modifies Windows Firewall (1 TTP)
  Evidenced by the netsh.exe child of Chrome.exe in the process tree below.
- Drops startup file (2 IoCs), both by Chrome.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\24aa9ba336dbf78879634935e115dcd0.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\24aa9ba336dbf78879634935e115dcd0.exe
- Adds Run key to start application (2 TTPs, 2 IoCs), both by Chrome.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\24aa9ba336dbf78879634935e115dcd0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chrome.exe\" .."
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\24aa9ba336dbf78879634935e115dcd0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chrome.exe\" .."
  The same value name (the hex string that also names the startup-folder copy) is written to both the user hive and HKLM; the HKLM write can only succeed because the sample ran with administrative rights. Note the trailing ".." argument the Run value passes to the copied binary: a useful pivot for hunting, since legitimate Run entries rarely carry it.
- Enumerates physical storage devices (1 TTP)
  Sandbox heuristic: the process attempts to interact with connected storage/optical drive(s), which the sandbox labels as likely ransomware behaviour. No other file-modification signature fires in this report, so treat this as a drive-enumeration indicator rather than evidence of encryption.
- Suspicious use of AdjustPrivilegeToken (33 IoCs), all by Chrome.exe PID 1788
  Token: SeDebugPrivilege (once), followed by 16 repetitions of the pair Token: 33 / Token: SeIncBasePriorityPrivilege. The report prints privilege 33 as a bare LUID value without resolving its name; winnt.h defines privilege 33 as SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege). Enabling SeDebugPrivilege is the notable item here: it is only useful for opening other processes and is the privilege most malware requests first.
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1988 (89c72522693c171fc9db2f0ef8412fe6881ec0103ffd8edb0e0427fd68fc7fde.exe) wrote to memory of PID 1788 (Chrome.exe), 3 times
  PID 1788 (Chrome.exe) wrote to memory of PID 832 (netsh.exe), 3 times
  Each set of writes goes from a parent into a child it has just created and mirrors the process tree exactly, which is also what the sandbox records for ordinary process creation; on its own it is not evidence of code injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\89c72522693c171fc9db2f0ef8412fe6881ec0103ffd8edb0e0427fd68fc7fde.exe (PID 1988)
  Command line: "C:\Users\Admin\AppData\Local\Temp\89c72522693c171fc9db2f0ef8412fe6881ec0103ffd8edb0e0427fd68fc7fde.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Chrome.exe (PID 1788)
    Command line: "C:\Users\Admin\AppData\Roaming\Chrome.exe"
    Signatures: Executes dropped EXE; Drops startup file; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\netsh.exe (PID 832)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Chrome.exe" "Chrome.exe" ENABLE
      The legacy "netsh firewall" context (deprecated since Windows Vista in favour of "netsh advfirewall", but still accepted) adds an allow rule for the copied binary under the display name "Chrome.exe", so the persisted copy can accept or initiate connections without a firewall prompt. Adding the rule requires administrative rights, consistent with the HKLM Run key write above.
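The behaviour above (self-copy to %APPDATA%\Chrome.exe, startup-folder drop, Run keys in both hives with a trailing ".." argument, and a netsh allow rule for the copy) is easy to hunt for once the individual signals are correlated per process. The following is an added example, not part of the sandbox report: the event dictionaries are constructed to resemble Sysmon event IDs 11 (FileCreate), 13 (RegistryValueSet) and 1 (ProcessCreate), the field names ("type", "pid", "path", "key", "value", "image", "cmdline", "parent_pid") and the rule names are assumptions for this example, and the two benign control events (a real Chrome install and a "Vendor" updater path) are invented. Indicator values are taken from this report.

```python
"""Hunting logic for the persistence-plus-firewall pattern in this report.

Added example, not part of the sandbox report. Event shapes and field names
are assumptions modelled loosely on Sysmon event IDs 11, 13 and 1.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
TRUSTED_DIRS_RE = re.compile(r"^[A-Z]:\\Program Files( \(x86\))?\\", re.I)


@dataclass
class Finding:
    rule: str
    pid: int      # process to blame (for netsh: its parent, i.e. the program being allowed)
    detail: str


def image_from_run_value(value: str) -> tuple[str, str]:
    """Split a Run value such as '"C:\\...\\Chrome.exe" ..' into (image, args)."""
    m = re.match(r'\s*"([^"]+)"\s*(.*)$', value)
    if m:
        return m.group(1), m.group(2).strip()
    parts = value.strip().split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def hunt(events: list[dict]) -> list[Finding]:
    """One Finding per matching event. Each rule alone is noisy; see correlate()."""
    findings: list[Finding] = []
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "file_create" and STARTUP_DIR_RE.search(ev["path"]):
            findings.append(Finding("startup_folder_drop", pid, ev["path"]))
        elif kind == "reg_set" and RUN_KEY_RE.search(ev["key"]):
            image, args = image_from_run_value(ev["value"])
            if USER_WRITABLE_RE.search(image):
                # An HKLM Run write only succeeds with administrative rights.
                hive = "HKLM" if ev["key"].upper().startswith("\\REGISTRY\\MACHINE") else "HKU"
                findings.append(Finding("run_key_user_writable", pid, f"{hive} {image} args={args!r}"))
        elif kind == "process_create":
            image, cmd = ev["image"], ev["cmdline"]
            if image.lower().endswith("\\netsh.exe") and re.search(r"firewall\s+add\s+allowedprogram", cmd, re.I):
                quoted = re.findall(r'"([^"]+)"', cmd)
                target = quoted[0] if quoted else ""
                if not TRUSTED_DIRS_RE.match(target):
                    findings.append(Finding("firewall_allow_untrusted", ev["parent_pid"], target))
            if image.lower().endswith("\\chrome.exe") and not TRUSTED_DIRS_RE.match(image):
                findings.append(Finding("masquerade_chrome", pid, image))
    return findings


def correlate(findings: list[Finding], min_rules: int = 3) -> dict[int, list[str]]:
    """Collapse findings per process; keep processes that hit >= min_rules distinct rules."""
    by_pid: dict[int, set[str]] = {}
    for f in findings:
        by_pid.setdefault(f.pid, set()).add(f.rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items() if len(rules) >= min_rules}


# Constructed from the report's process tree and signature IoCs, plus two benign controls.
ADMIN_SID = "S-1-5-21-2455352368-1077083310-2879168483-1000"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Chrome.exe"
RUN_VALUE = '"' + DROPPED + '" ..'
HKU_RUN = "\\REGISTRY\\USER\\" + ADMIN_SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
HKLM_RUN = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"

SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1788, "parent_pid": 1988, "image": DROPPED, "cmdline": '"' + DROPPED + '"'},
    {"type": "file_create", "pid": 1788,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\24aa9ba336dbf78879634935e115dcd0.exe"},
    {"type": "reg_set", "pid": 1788, "key": HKU_RUN + "24aa9ba336dbf78879634935e115dcd0", "value": RUN_VALUE},
    {"type": "reg_set", "pid": 1788, "key": HKLM_RUN + "24aa9ba336dbf78879634935e115dcd0", "value": RUN_VALUE},
    {"type": "process_create", "pid": 832, "parent_pid": 1788, "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": 'netsh firewall add allowedprogram "' + DROPPED + '" "Chrome.exe" ENABLE'},
    # Benign controls (invented): the real browser, and a Run entry pointing into Program Files.
    {"type": "process_create", "pid": 4000, "parent_pid": 1200,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
    {"type": "reg_set", "pid": 4100, "key": HKU_RUN + "Updater",
     "value": r'"C:\Program Files\Vendor\Updater.exe" /background'},
]


def run_sample() -> dict[int, list[str]]:
    return correlate(hunt(SAMPLE_EVENTS))


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:26} pid={f.pid} {f.detail}")
    print("correlated:", run_sample())
```

The AppData heuristic in run_key_user_writable will also match legitimate per-user installers, which is why correlate() only reports a process once several independent rules hit it; the netsh finding is attributed to netsh's parent so that it lands on the same PID as the Run key and startup-folder writes.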
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Chrome.exe
  MD5: c19deb53070413c02b1cd03ae424bb1c
  SHA1: b87d4f4fffb60627ec9c7ced3dbdfc945e7a0089
  SHA256: 89c72522693c171fc9db2f0ef8412fe6881ec0103ffd8edb0e0427fd68fc7fde
  SHA512: 28192ecaee6278eb9e2998ab829131b8324c863c576c39876950fb62e631613a55b51a17a5f91f0a4d2af4c3bdbc62a146cfa6d08c61a338ec74714865fa3014
  All four hashes match the submitted sample: the dropped Chrome.exe is a byte-for-byte self-copy into %APPDATA%, not a second-stage payload, so the sample hashes above are also the indicators for the persisted file.

Memory dumps
- memory/832-68: 0x0000000000000000 (mapping.dmp)
- memory/832-69: 0x000007FEFB761000-0x000007FEFB763000, 8KB
- memory/1788-62: 0x0000000000000000 (mapping.dmp)
- memory/1788-65: 0x000007FEF20F0000-0x000007FEF3186000, 16.6MB
- memory/1788-66: 0x0000000000AE0000-0x0000000000AE2000, 8KB
- memory/1788-67: 0x0000000000AE6000-0x0000000000B05000, 124KB
- memory/1988-59: 0x0000000002220000-0x0000000002222000, 8KB
- memory/1988-60: 0x000007FEF20F0000-0x000007FEF3186000, 16.6MB
- memory/1988-61: 0x0000000002226000-0x0000000002245000, 124KB
The dumps for PIDs 1988 and 1788 have the same layout (an 8KB region, the same 16.6MB image mapping at 0x000007FEF20F0000, and a 124KB region), which is consistent with both processes running the identical binary.