Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 24-09-2021 06:12

Static task: static1

Behavioral task: behavioral1
- Sample: 864259b607ed3dd2fc8873cd2e0fcbbb1b156bbf67afb55cbc41b8a83ae81b9a.exe
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: 864259b607ed3dd2fc8873cd2e0fcbbb1b156bbf67afb55cbc41b8a83ae81b9a.exe
- Resource: win10-en-20210920

General
- Target: 864259b607ed3dd2fc8873cd2e0fcbbb1b156bbf67afb55cbc41b8a83ae81b9a.exe
- Size: 92KB
- MD5: d136709b5b24d88ea5e2f42821a5a996
- SHA1: ce1371e3e78173266a95370856ad24412aaa9b23
- SHA256: 864259b607ed3dd2fc8873cd2e0fcbbb1b156bbf67afb55cbc41b8a83ae81b9a
- SHA512: 5642bef456efcb67dc7788a7af5296e5c856d66a10e31a0ff140641226f176d6c573e848bc3ad1680b8279f9a92bef6c7683f1a62b92df6f4883299df2c0bc6a
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: Chrome.exe (pid 3020)
- Modifies Windows Firewall (1 TTP)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: Chrome.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\9174f01a6e44cbc9af1239d5bb1d7327 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Chrome.exe\" .."
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9174f01a6e44cbc9af1239d5bb1d7327 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Chrome.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes: Chrome.exe (pid 3020)
  - Token: SeDebugPrivilege
  - Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, for the remaining 32 entries
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  - PID 3732 (864259b607ed3dd2fc8873cd2e0fcbbb1b156bbf67afb55cbc41b8a83ae81b9a.exe) wrote to memory of 3020 (Chrome.exe), 3 entries
  - PID 3020 (Chrome.exe) wrote to memory of 3988 (netsh.exe), 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\864259b607ed3dd2fc8873cd2e0fcbbb1b156bbf67afb55cbc41b8a83ae81b9a.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\864259b607ed3dd2fc8873cd2e0fcbbb1b156bbf67afb55cbc41b8a83ae81b9a.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Chrome.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Chrome.exe"
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Chrome.exe" "Chrome.exe" ENABLE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\Chrome.exe (same hashes as the submitted sample)
  MD5: d136709b5b24d88ea5e2f42821a5a996
  SHA1: ce1371e3e78173266a95370856ad24412aaa9b23
  SHA256: 864259b607ed3dd2fc8873cd2e0fcbbb1b156bbf67afb55cbc41b8a83ae81b9a
  SHA512: 5642bef456efcb67dc7788a7af5296e5c856d66a10e31a0ff140641226f176d6c573e848bc3ad1680b8279f9a92bef6c7683f1a62b92df6f4883299df2c0bc6a
Memory dumps
- memory/3020-136-0x0000000005CE0000-0x0000000005CE1000-memory.dmp (4KB)
- memory/3020-135-0x0000000006DC0000-0x0000000006DC1000-memory.dmp (4KB)
- memory/3020-131-0x0000000004A10000-0x0000000004A11000-memory.dmp (4KB)
- memory/3020-123-0x0000000000000000-mapping.dmp
- memory/3732-119-0x0000000007DB0000-0x0000000007DB1000-memory.dmp (4KB)
- memory/3732-122-0x000000002C370000-0x000000002C371000-memory.dmp (4KB)
- memory/3732-121-0x0000000002EA0000-0x0000000002EA9000-memory.dmp (36KB)
- memory/3732-120-0x0000000001690000-0x0000000001691000-memory.dmp (4KB)
- memory/3732-115-0x0000000000D00000-0x0000000000D01000-memory.dmp (4KB)
- memory/3732-118-0x0000000002E50000-0x0000000002E51000-memory.dmp (4KB)
- memory/3732-117-0x0000000003050000-0x0000000003070000-memory.dmp (128KB)
- memory/3988-134-0x0000000000000000-mapping.dmp