Analysis
- max time kernel: 152s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 18:02
Static task: static1
Behavioral task: behavioral1
- Sample: e0e58ef2a96a7146ecf525f745b70fc025f6637548e9cfeec2676a95b66415aa.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: e0e58ef2a96a7146ecf525f745b70fc025f6637548e9cfeec2676a95b66415aa.exe
- Resource: win10v2004-20220812-en
General
- Target: e0e58ef2a96a7146ecf525f745b70fc025f6637548e9cfeec2676a95b66415aa.exe
- Size: 361KB
- MD5: 77ba817e435a43e95e6bee1ceb20ba54
- SHA1: 5232a8a834127bb7cb3f19f6df59d16bb23d3b86
- SHA256: e0e58ef2a96a7146ecf525f745b70fc025f6637548e9cfeec2676a95b66415aa
- SHA512: e6aaa6b5a9e894ba9c5a307107a642fc20f723c7aac2915fc756de302b843a93c600b8ff1f764c80d4ac3171c321c372539ea7d787840ea7ddf87601f78621b4
- SSDEEP: 6144:APbd9p/jmoIjSDa3Vky0rvvO65VJQYZNqo+crKKtucmi89tN:MmoIwa3e1OOJxZkcrKKtucmiW
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: Google Chromer.exe (PID 1092)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: e0e58ef2a96a7146ecf525f745b70fc025f6637548e9cfeec2676a95b66415aa.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (process: e0e58ef2a96a7146ecf525f745b70fc025f6637548e9cfeec2676a95b66415aa.exe)
- Drops startup file (2 IoCs)
  Processes: Google Chromer.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\41aff8b816af3bb23d293c9b2ea856bf.exe (process: Google Chromer.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\41aff8b816af3bb23d293c9b2ea856bf.exe (process: Google Chromer.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: Google Chromer.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\41aff8b816af3bb23d293c9b2ea856bf = "\"C:\\ProgramData\\Google Chromer.exe\" .." (process: Google Chromer.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\41aff8b816af3bb23d293c9b2ea856bf = "\"C:\\ProgramData\\Google Chromer.exe\" .." (process: Google Chromer.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  Processes: Google Chromer.exe (PID 1092), 23 identical entries
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: Google Chromer.exe
  Token: SeDebugPrivilege (PID 1092, Google Chromer.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: e0e58ef2a96a7146ecf525f745b70fc025f6637548e9cfeec2676a95b66415aa.exe, Google Chromer.exe
  PID 3480 (e0e58ef2a96a7146ecf525f745b70fc025f6637548e9cfeec2676a95b66415aa.exe) wrote to memory of PID 1092 (Google Chromer.exe), 3 identical entries
  PID 1092 (Google Chromer.exe) wrote to memory of PID 1972 (netsh.exe), 3 identical entries
Processes
- C:\Users\Admin\AppData\Local\Temp\e0e58ef2a96a7146ecf525f745b70fc025f6637548e9cfeec2676a95b66415aa.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e0e58ef2a96a7146ecf525f745b70fc025f6637548e9cfeec2676a95b66415aa.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Google Chromer.exe (level 2)
    Command line: "C:\ProgramData\Google Chromer.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (level 3)
      Command line: netsh firewall add allowedprogram "C:\ProgramData\Google Chromer.exe" "Google Chromer.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Google Chromer.exe
  Filesize: 361KB
  MD5: 77ba817e435a43e95e6bee1ceb20ba54
  SHA1: 5232a8a834127bb7cb3f19f6df59d16bb23d3b86
  SHA256: e0e58ef2a96a7146ecf525f745b70fc025f6637548e9cfeec2676a95b66415aa
  SHA512: e6aaa6b5a9e894ba9c5a307107a642fc20f723c7aac2915fc756de302b843a93c600b8ff1f764c80d4ac3171c321c372539ea7d787840ea7ddf87601f78621b4
- memory/1092-137-0x0000000000000000-mapping.dmp
- memory/1972-140-0x0000000000000000-mapping.dmp
- memory/3480-132-0x0000000000E90000-0x0000000000EF2000-memory.dmp (Filesize: 392KB)
- memory/3480-133-0x0000000005DA0000-0x0000000006344000-memory.dmp (Filesize: 5.6MB)
- memory/3480-134-0x00000000058A0000-0x0000000005932000-memory.dmp (Filesize: 584KB)
- memory/3480-135-0x00000000059E0000-0x0000000005A7C000-memory.dmp (Filesize: 624KB)
- memory/3480-136-0x0000000005940000-0x000000000594A000-memory.dmp (Filesize: 40KB)