Analysis

Max time kernel: 204s
Max time network: 204s
Platform: windows7_x64
Resource: win7-20221111-en
Resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
Submitted: 25-11-2022 22:39

Static task: static1
Behavioral task: behavioral1
Sample: 16c2eca9f2f50fe31c8c8ff9eb1cff719aa8fff9e77b37f22a6829c62c769410.exe
Resource: win7-20221111-en

General

Target: 16c2eca9f2f50fe31c8c8ff9eb1cff719aa8fff9e77b37f22a6829c62c769410.exe
Size: 670KB
MD5: 5f0f3b5dcbd27b8f3934f384450086bb
SHA1: ba87d32df44d97bd231f568369bac31d891b9159
SHA256: 16c2eca9f2f50fe31c8c8ff9eb1cff719aa8fff9e77b37f22a6829c62c769410
SHA512: 35f79bc5556c0ec7750971a067115568e22847a3ee40e4a79cdd664056e782743a33359f8ae21e78568fe8f22c7f66d9be6ad56c4cd45fd5d868e38901a605f1
SSDEEP: 12288:X3nZMhJ+ubNUpl9J86HqNUJ5YBoHZ2U24wW3vcGbjfBWq/Y6LFnXdgInFBSS5cqT:X3nZqfbGT9J5bCBo5x2/W30GvJWxqQmd
Malware Config
Signatures

UAC bypass
Processes: chromenet.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | chromenet.exe

Executes dropped EXE 2 IoCs
Processes: chromenet.exe, wget.exe
pid | process
1056 | chromenet.exe
1792 | wget.exe

UPX packed file (yara rule match)
resource | yara_rule
\Users\Admin\AppData\Roaming\wget.exe | upx
\Users\Admin\AppData\Roaming\wget.exe | upx
C:\Users\Admin\AppData\Roaming\wget.exe | upx
behavioral1/memory/1792-68-0x0000000000400000-0x0000000000430000-memory.dmp | upx

Loads dropped DLL 6 IoCs
Processes: 16c2eca9f2f50fe31c8c8ff9eb1cff719aa8fff9e77b37f22a6829c62c769410.exe, chromenet.exe
pid | process
1776 | 16c2eca9f2f50fe31c8c8ff9eb1cff719aa8fff9e77b37f22a6829c62c769410.exe (4 identical entries)
1056 | chromenet.exe (2 identical entries)

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 2 IoCs
Processes: chromenet.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\chromenet = "\"C:\\Users\\Admin\\AppData\\Roaming\\chromenet.exe\" +e" | chromenet.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run | chromenet.exe

Checks whether UAC is enabled
Processes: chromenet.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | chromenet.exe

Drops file in Program Files directory 4 IoCs
Processes: chromenet.exe
description | ioc | process
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | chromenet.exe
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | chromenet.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | chromenet.exe
File created | C:\Program Files (x86)\Mozilla Firefox\firefox.exe | chromenet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: chromenet.exe
pid | process
1056 | chromenet.exe (64 identical entries)

Suspicious use of WriteProcessMemory 14 IoCs
Processes: 16c2eca9f2f50fe31c8c8ff9eb1cff719aa8fff9e77b37f22a6829c62c769410.exe, chromenet.exe
description | pid | process | target process
PID 1776 wrote to memory of 1056 | 1776 | 16c2eca9f2f50fe31c8c8ff9eb1cff719aa8fff9e77b37f22a6829c62c769410.exe | chromenet.exe (7 identical entries)
PID 1056 wrote to memory of 1792 | 1056 | chromenet.exe | wget.exe (7 identical entries)

System policy modification 1 TTPs 2 IoCs
Processes: chromenet.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | chromenet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | chromenet.exe

Processes (indentation shows parent/child depth)

1. C:\Users\Admin\AppData\Local\Temp\16c2eca9f2f50fe31c8c8ff9eb1cff719aa8fff9e77b37f22a6829c62c769410.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\16c2eca9f2f50fe31c8c8ff9eb1cff719aa8fff9e77b37f22a6829c62c769410.exe"
   PID: 1776
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\chromenet.exe
      Command line: "C:\Users\Admin\AppData\Roaming\chromenet.exe" +e
      PID: 1056
      - UAC bypass
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification

      3. C:\Users\Admin\AppData\Roaming\wget.exe
         Command line: wget.exe -O "C:\Users\Admin\AppData\Roaming\arsiv.exe" ""
         PID: 1792
         - Executes dropped EXE

Network
MITRE ATT&CK Enterprise v6

Downloads

Filesize: 765KB
MD5: 6dbcb3103f2d5dfb21352fdfa23b2a1e
SHA1: 40ea01327ac749cb4f524873613f21a5f0e078fc
SHA256: 509ca6b1ef90d93d31a33823716b3664167c1feb3eaaee8e8e3de238b72ddea5
SHA512: 9867e2657b4a17214dc28d9449e15be74e8086fd2966ce268f2725b9f60efc4ff164d34af3abbab4b67cd43e5168b8b2c7ea8ce3fd20d56deecfc382b1c5debc

Filesize: 71KB
MD5: f98d5a7924143f6e687dd92d9af8f3a9
SHA1: 330482f12ddf5b3b1934cfec485be52a0009a241
SHA256: d9db6823fe6daa9747c54b468b030f934120552edaa11b383c87fed1dacc7754
SHA512: 08bfa84b7645ef10ff4b968c6cfe66c6689445e182ea23c12b6a64431735fc00bf4984e0a9f5f381e9d463cdcce2c9d860124aeae3fa404cd93c25f23b5caf23