c744ae35396ad2508891af93325e347ffb1d11537127986faa4f8e995c2a9e7e

Analysis

max time kernel
150s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c744ae35396ad2508891af93325e347ffb1d11537127986faa4f8e995c2a9e7e.exe
Size

564KB
MD5

0da3d0cac4222f2f3a0466ca64585f45
SHA1

1a85755a9c22a9c2478c6468ff1038c840d58a2f
SHA256

c744ae35396ad2508891af93325e347ffb1d11537127986faa4f8e995c2a9e7e
SHA512

2418b2b556f1fe16c02c46649a403379d98c5f38c714b5795d3c322cdbc842560d1f8b998b08f83db40b4981756f8479fb3f069d5af026bbb5edbe78f597309c
SSDEEP

12288:VNIQAPGsAqY9IMVYd38sJdpQHlGlY8KfTGt6tmb/l9TXQAG:SPGSY91VwNJcFMqTXmbdVXbG

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

Chromium.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Chromium.exe
Executes dropped EXE 1 IoCs

Processes:

Chromium.exe

pid process

3604 Chromium.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Chromium.exe

pid	process
3604	Chromium.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Chromium.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	Chromium.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chromium = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chromium.exe\""	Chromium.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Chromium.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Chromium.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Chromium.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

c744ae35396ad2508891af93325e347ffb1d11537127986faa4f8e995c2a9e7e.exeChromium.exe

pid	process
4912	c744ae35396ad2508891af93325e347ffb1d11537127986faa4f8e995c2a9e7e.exe
4912	c744ae35396ad2508891af93325e347ffb1d11537127986faa4f8e995c2a9e7e.exe
3604	Chromium.exe
3604	Chromium.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c744ae35396ad2508891af93325e347ffb1d11537127986faa4f8e995c2a9e7e.exe

description	pid	process	target process
PID 4912 wrote to memory of 3604	4912	c744ae35396ad2508891af93325e347ffb1d11537127986faa4f8e995c2a9e7e.exe	Chromium.exe
PID 4912 wrote to memory of 3604	4912	c744ae35396ad2508891af93325e347ffb1d11537127986faa4f8e995c2a9e7e.exe	Chromium.exe
PID 4912 wrote to memory of 3604	4912	c744ae35396ad2508891af93325e347ffb1d11537127986faa4f8e995c2a9e7e.exe	Chromium.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

Chromium.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Chromium.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Chromium.exe

C:\Users\Admin\AppData\Local\Temp\c744ae35396ad2508891af93325e347ffb1d11537127986faa4f8e995c2a9e7e.exe
"C:\Users\Admin\AppData\Local\Temp\c744ae35396ad2508891af93325e347ffb1d11537127986faa4f8e995c2a9e7e.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4912

C:\Users\Admin\AppData\Roaming\Chromium.exe
C:\Users\Admin\AppData\Roaming\Chromium.exe
2⤵
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Chromium.exe
Filesize
564KB

MD5
0da3d0cac4222f2f3a0466ca64585f45

SHA1
1a85755a9c22a9c2478c6468ff1038c840d58a2f

SHA256
c744ae35396ad2508891af93325e347ffb1d11537127986faa4f8e995c2a9e7e

SHA512
2418b2b556f1fe16c02c46649a403379d98c5f38c714b5795d3c322cdbc842560d1f8b998b08f83db40b4981756f8479fb3f069d5af026bbb5edbe78f597309c

Download Submit
C:\Users\Admin\AppData\Roaming\Chromium.exe
Filesize
564KB

MD5
0da3d0cac4222f2f3a0466ca64585f45

SHA1
1a85755a9c22a9c2478c6468ff1038c840d58a2f

SHA256
c744ae35396ad2508891af93325e347ffb1d11537127986faa4f8e995c2a9e7e

SHA512
2418b2b556f1fe16c02c46649a403379d98c5f38c714b5795d3c322cdbc842560d1f8b998b08f83db40b4981756f8479fb3f069d5af026bbb5edbe78f597309c

Download Submit
memory/3604-132-0x0000000000000000-mapping.dmp

Download