Analysis
- max time kernel: 152s
- max time network: 158s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 21-09-2021 08:35
Static task: static1
Behavioral task: behavioral1
- Sample: 89c72522693c171fc9db2f0ef8412fe6881ec0103ffd8edb0e0427fd68fc7fde.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 89c72522693c171fc9db2f0ef8412fe6881ec0103ffd8edb0e0427fd68fc7fde.exe
- Resource: win10-en-20210920
General
- Target: 89c72522693c171fc9db2f0ef8412fe6881ec0103ffd8edb0e0427fd68fc7fde.exe
- Size: 135KB
- MD5: c19deb53070413c02b1cd03ae424bb1c
- SHA1: b87d4f4fffb60627ec9c7ced3dbdfc945e7a0089
- SHA256: 89c72522693c171fc9db2f0ef8412fe6881ec0103ffd8edb0e0427fd68fc7fde
- SHA512: 28192ecaee6278eb9e2998ab829131b8324c863c576c39876950fb62e631613a55b51a17a5f91f0a4d2af4c3bdbc62a146cfa6d08c61a338ec74714865fa3014
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  4172 | Chrome.exe
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\24aa9ba336dbf78879634935e115dcd0.exe | Chrome.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\24aa9ba336dbf78879634935e115dcd0.exe | Chrome.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\24aa9ba336dbf78879634935e115dcd0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chrome.exe\" .." | Chrome.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\24aa9ba336dbf78879634935e115dcd0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chrome.exe\" .." | Chrome.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 4172 | Chrome.exe
  Token: 33 | 4172 | Chrome.exe
  Token: SeIncBasePriorityPrivilege | 4172 | Chrome.exe
  (the remaining 30 entries alternate between Token: 33 and Token: SeIncBasePriorityPrivilege, all from pid 4172 Chrome.exe)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
  PID 3580 wrote to memory of 4172 | 3580 | 89c72522693c171fc9db2f0ef8412fe6881ec0103ffd8edb0e0427fd68fc7fde.exe | Chrome.exe
  PID 3580 wrote to memory of 4172 | 3580 | 89c72522693c171fc9db2f0ef8412fe6881ec0103ffd8edb0e0427fd68fc7fde.exe | Chrome.exe
  PID 4172 wrote to memory of 3864 | 4172 | Chrome.exe | netsh.exe
  PID 4172 wrote to memory of 3864 | 4172 | Chrome.exe | netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\89c72522693c171fc9db2f0ef8412fe6881ec0103ffd8edb0e0427fd68fc7fde.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\89c72522693c171fc9db2f0ef8412fe6881ec0103ffd8edb0e0427fd68fc7fde.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Chrome.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Chrome.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SYSTEM32\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Chrome.exe" "Chrome.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Chrome.exe
  MD5: c19deb53070413c02b1cd03ae424bb1c
  SHA1: b87d4f4fffb60627ec9c7ced3dbdfc945e7a0089
  SHA256: 89c72522693c171fc9db2f0ef8412fe6881ec0103ffd8edb0e0427fd68fc7fde
  SHA512: 28192ecaee6278eb9e2998ab829131b8324c863c576c39876950fb62e631613a55b51a17a5f91f0a4d2af4c3bdbc62a146cfa6d08c61a338ec74714865fa3014
- memory/3580-115-0x00000000022F0000-0x00000000022F2000-memory.dmp (Filesize: 8KB)
- memory/3580-116-0x00000000022F2000-0x00000000022F4000-memory.dmp (Filesize: 8KB)
- memory/3864-122-0x0000000000000000-mapping.dmp
- memory/4172-117-0x0000000000000000-mapping.dmp
- memory/4172-120-0x0000000002710000-0x0000000002712000-memory.dmp (Filesize: 8KB)
- memory/4172-121-0x0000000002712000-0x0000000002714000-memory.dmp (Filesize: 8KB)
- memory/4172-123-0x0000000002714000-0x0000000002715000-memory.dmp (Filesize: 4KB)