Analysis
- max time kernel: 152s
- max time network: 165s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 07:48
Static task: static1
Behavioral task: behavioral1
  Sample: 6126a6b258c310c99c68f19b325042fbe462619b3b0ddf25498b04f172fbc261.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 6126a6b258c310c99c68f19b325042fbe462619b3b0ddf25498b04f172fbc261.exe
  Resource: win10v2004-20220812-en
General
- Target: 6126a6b258c310c99c68f19b325042fbe462619b3b0ddf25498b04f172fbc261.exe
- Size: 59KB
- MD5: d2dff3b78b10e57635b077a4493381e0
- SHA1: f7a40815fc6510532b28d6831ca71aeaf37bbd21
- SHA256: 6126a6b258c310c99c68f19b325042fbe462619b3b0ddf25498b04f172fbc261
- SHA512: 35b9ac3b5f047d3a07fb121af856222238f8e96c30797bc48d8c5a1aa242e136132410cce789ed468fe6fc199d104aace6d291b845f3a576bfb705bf1e5ac3bd
- SSDEEP: 768:OvVuwN4RSiKxVFZ8hk6GPXYrCNU+NUU3wbTXtP/9U4WI0:2VuwN4NKxVFNAmNbLgnXtXxW5
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: Chrome Update.exe (PID 940)
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Drops startup file (2 IoCs)
  Process: Chrome Update.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e6683cf2ad17e5b3bc7764889546baaf.exe
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e6683cf2ad17e5b3bc7764889546baaf.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: Chrome Update.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\e6683cf2ad17e5b3bc7764889546baaf = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chrome Update.exe\" .."
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e6683cf2ad17e5b3bc7764889546baaf = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chrome Update.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Process: Chrome Update.exe (PID 940)
    Token: SeDebugPrivilege (1 occurrence)
    Token: 33 (7 occurrences)
    Token: SeIncBasePriorityPrivilege (7 occurrences)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1620 (6126a6b258c310c99c68f19b325042fbe462619b3b0ddf25498b04f172fbc261.exe) wrote to memory of PID 940 (Chrome Update.exe) (3 occurrences)
  PID 940 (Chrome Update.exe) wrote to memory of PID 1924 (netsh.exe) (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\6126a6b258c310c99c68f19b325042fbe462619b3b0ddf25498b04f172fbc261.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6126a6b258c310c99c68f19b325042fbe462619b3b0ddf25498b04f172fbc261.exe"
  PID: 1620
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Chrome Update.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
    PID: 940
    Signatures: Executes dropped EXE; Drops startup file; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Chrome Update.exe" "Chrome Update.exe" ENABLE
      PID: 1924
      Signatures: Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Chrome Update.exe
  Filesize: 59KB
  MD5: d2dff3b78b10e57635b077a4493381e0
  SHA1: f7a40815fc6510532b28d6831ca71aeaf37bbd21
  SHA256: 6126a6b258c310c99c68f19b325042fbe462619b3b0ddf25498b04f172fbc261
  SHA512: 35b9ac3b5f047d3a07fb121af856222238f8e96c30797bc48d8c5a1aa242e136132410cce789ed468fe6fc199d104aace6d291b845f3a576bfb705bf1e5ac3bd
- memory/940-60-0x000007FEF4710000-0x000007FEF5133000-memory.dmp (filesize 10.1MB)
- memory/940-57-0x0000000000000000-mapping.dmp
- memory/940-61-0x000007FEF3670000-0x000007FEF4706000-memory.dmp (filesize 16.6MB)
- memory/940-62-0x0000000000A96000-0x0000000000AB5000-memory.dmp (filesize 124KB)
- memory/940-65-0x0000000000A96000-0x0000000000AB5000-memory.dmp (filesize 124KB)
- memory/1620-56-0x0000000000B96000-0x0000000000BB5000-memory.dmp (filesize 124KB)
- memory/1620-55-0x000007FEF3670000-0x000007FEF4706000-memory.dmp (filesize 16.6MB)
- memory/1620-54-0x000007FEF4710000-0x000007FEF5133000-memory.dmp (filesize 10.1MB)
- memory/1620-63-0x0000000000B96000-0x0000000000BB5000-memory.dmp (filesize 124KB)
- memory/1620-64-0x0000000000B96000-0x0000000000BB5000-memory.dmp (filesize 124KB)
- memory/1924-66-0x0000000000000000-mapping.dmp
- memory/1924-67-0x000007FEFC161000-0x000007FEFC163000-memory.dmp (filesize 8KB)