Analysis
- max time kernel: 171s
- max time network: 229s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 19:35
Static task: static1
Behavioral task: behavioral1
- Sample: a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe
- Resource: win10v2004-20221111-en
General
- Target: a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe
- Size: 691KB
- MD5: f58b3419bf43dc82c56f1fda0358c645
- SHA1: 63c6acc7b3a0582cb5075d8bb8346e41d711710b
- SHA256: a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4
- SHA512: 652b2b84c7ae1838fd42ab2e7ae9dd75c8a6bfedafef9b70a0d9d0cb1465c294dcf4b8ef0813e39edd7b1cd562b4a51172e788747720bad5fc4a6779f4c5bc32
- SSDEEP: 12288:rNIQAPGsAqY9IMVYd38sJdpQHlGlY8KfTZ5qvD4yvtSgRxFn8EWb/l9TXQCM:MPGSY91VwNJcFMqTZeNDRWbdVXlM
Malware Config
Signatures
UAC bypass
Processes: Chromium.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Chromium.exe
Executes dropped EXE 1 IoCs
Processes: Chromium.exe
pid | process
1980 | Chromium.exe
Loads dropped DLL 1 IoCs
Processes: a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe
pid | process
1420 | a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: Chromium.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run | Chromium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chromium = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chromium.exe\"" | Chromium.exe
Checks whether UAC is enabled
Processes: Chromium.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Chromium.exe
Suspicious behavior: EnumeratesProcesses 42 IoCs
Processes: Chromium.exe
pid | process
1980 | Chromium.exe (42 occurrences)
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe, Chromium.exe
pid | process
1420 | a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe
1420 | a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe
1980 | Chromium.exe
1980 | Chromium.exe
Suspicious use of WriteProcessMemory 4 IoCs
Processes: a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe
description | pid | process | target process
PID 1420 wrote to memory of 1980 | 1420 | a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe | Chromium.exe
PID 1420 wrote to memory of 1980 | 1420 | a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe | Chromium.exe
PID 1420 wrote to memory of 1980 | 1420 | a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe | Chromium.exe
PID 1420 wrote to memory of 1980 | 1420 | a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe | Chromium.exe
System policy modification 1 TTPs 2 IoCs
Processes: Chromium.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Chromium.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Chromium.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe"
  PID: 1420
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Chromium.exe (depth 2, child of PID 1420)
    Command line: C:\Users\Admin\AppData\Roaming\Chromium.exe
    PID: 1980
    - UAC bypass
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - System policy modification
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Chromium.exe
  Filesize: 691KB
  MD5: f58b3419bf43dc82c56f1fda0358c645
  SHA1: 63c6acc7b3a0582cb5075d8bb8346e41d711710b
  SHA256: a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4
  SHA512: 652b2b84c7ae1838fd42ab2e7ae9dd75c8a6bfedafef9b70a0d9d0cb1465c294dcf4b8ef0813e39edd7b1cd562b4a51172e788747720bad5fc4a6779f4c5bc32
- \Users\Admin\AppData\Roaming\Chromium.exe
  Filesize: 691KB
  MD5: f58b3419bf43dc82c56f1fda0358c645
  SHA1: 63c6acc7b3a0582cb5075d8bb8346e41d711710b
  SHA256: a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4
  SHA512: 652b2b84c7ae1838fd42ab2e7ae9dd75c8a6bfedafef9b70a0d9d0cb1465c294dcf4b8ef0813e39edd7b1cd562b4a51172e788747720bad5fc4a6779f4c5bc32
- memory/1420-54-0x00000000767B1000-0x00000000767B3000-memory.dmp
  Filesize: 8KB
- memory/1980-56-0x0000000000000000-mapping.dmp