dd7e2fc0e741939eda7f92c201d02a289fdadb18b42f7d0e6a55ec77d46a4cf6

Analysis

max time kernel
161s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 23:18

Target

chrome.exe
Size

120KB
MD5

978d9c2bef2e61503734411dff1b6d57
SHA1

a35e43c01957fcc989707dc059433d0c3774f5f1
SHA256

9b07816bdd653b96cc345dc013db13b16707a64fd68a78ef43e1db78f25480b0
SHA512

1e8819a4696825a680991b53460bdfc1c5c9ce969bc6828123fa1baa22c34ecbdf57fdc24d0e9573ba7f8fddef8d58fa358d40eee7c99271c5d22531dc2bb797
SSDEEP

1536:b7j6kJFKhG29jZ97jr+64JF91AcN4cMgGylloMbj82dNJytxvfiWHtaEvRwW:T6MMA29LS64L91dLytdfZHtaEvd

Score

8^/10

evasion

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

pid	Process
4240	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d5a38e9b5f206c41f8851bf04a251d26.exe	chrome.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d5a38e9b5f206c41f8851bf04a251d26.exe	chrome.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1432	chrome.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 4240	1432	chrome.exe	83
PID 1432 wrote to memory of 4240	1432	chrome.exe	83
PID 1432 wrote to memory of 4240	1432	chrome.exe	83

C:\Users\Admin\AppData\Local\Temp\chrome.exe
"C:\Users\Admin\AppData\Local\Temp\chrome.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\chrome.exe" "chrome.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:4240

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1432-133-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/1432-134-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download