edaaa26f500024b459673c81b7d37b8e8281ef5f08de04291662021c3d44673a

General

Target

RecoverKeysInstaller.exe
Size

8.9MB
MD5

14d68897c90cc7a664444ab814514e9f
SHA1

2f295f5dc8d6b5c515fdeb45645c5a380dcf899d
SHA256

9ec7ff8bff95cb87561940849e877cb12f3e07d50762f2dc1c474b39d7c74b6a
SHA512

2c0ca9d49f5be5cbf3a1f3d629bccf0d0fdd4d0bf3f2b4222d9c763ac4df3b5924b37b97ea86aa95112a4cf1c9bb7509c97b02b91260b566143e117b4475ce91
SSDEEP

196608:StJMM796FzCSsOhQPsaOlzwSN+nGDuLbbGB6srwkv6y/2AQ:6JMM7yzQOuPxyj9aLbQ6sd7/2n

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

RecoverKeysInstaller.tmp

pid process

2624 RecoverKeysInstaller.tmp

pid	process
2624	RecoverKeysInstaller.tmp

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1324 chrome.exe
1324 chrome.exe
2696 chrome.exe
2696 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

2696 chrome.exe
2696 chrome.exe

pid	process
1324	chrome.exe
1324	chrome.exe
2696	chrome.exe
2696	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

RecoverKeysInstaller.exechrome.exe

description	pid	process	target process
PID 4540 wrote to memory of 2624	4540	RecoverKeysInstaller.exe	RecoverKeysInstaller.tmp
PID 4540 wrote to memory of 2624	4540	RecoverKeysInstaller.exe	RecoverKeysInstaller.tmp
PID 4540 wrote to memory of 2624	4540	RecoverKeysInstaller.exe	RecoverKeysInstaller.tmp
PID 2696 wrote to memory of 1452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 1452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3684	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 1324	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 1324	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 4960	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 4960	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 4960	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 4960	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 4960	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 4960	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 4960	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 4960	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 4960	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 4960	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 4960	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 4960	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 4960	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 4960	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 4960	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 4960	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 4960	2696	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\RecoverKeysInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\RecoverKeysInstaller.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4540

C:\Users\Admin\AppData\Local\Temp\is-TSK2P.tmp\RecoverKeysInstaller.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TSK2P.tmp\RecoverKeysInstaller.tmp" /SL5="$80042,8764450,404480,C:\Users\Admin\AppData\Local\Temp\RecoverKeysInstaller.exe"
2⤵
- Executes dropped EXE
PID:2624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffaa1c84f50,0x7ffaa1c84f60,0x7ffaa1c84f70
2⤵
PID:1452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1620,4894990129069037595,9483183768007355995,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1624 /prefetch:2
2⤵
PID:3684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1620,4894990129069037595,9483183768007355995,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2020 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1620,4894990129069037595,9483183768007355995,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2292 /prefetch:8
2⤵
PID:4960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,4894990129069037595,9483183768007355995,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1
2⤵
PID:4236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,4894990129069037595,9483183768007355995,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
2⤵
PID:3212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-TSK2P.tmp\RecoverKeysInstaller.tmp

Filesize
1.4MB

MD5
2cd98880a00b07767aba76e78a28e92a

SHA1
7a659d5eb6f465a238550914c92a3f45b4de4b94

SHA256
7afc059d3953168ba0ae1e1b2bfb307f26f2f6d86b752e22c38d31ff18ec8918

SHA512
106eb0da5bc5165378ee11421658d3478b59618a150a85068e7a968739a276ae70d5af3aba96c65965fd0f6b1cfb7d2714f4442f4dfb5e9d0e097dad6801a883

Download Submit
\??\pipe\crashpad_2696_HPEQSAMCVHETDGYU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2624-135-0x0000000000000000-mapping.dmp

Download
memory/4540-132-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4540-134-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4540-137-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4540-138-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads