Analysis

max time kernel: 157s
max time network: 216s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 19:35
Static task: static1

Behavioral task: behavioral1
  Sample: a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe
  Resource: win10v2004-20221111-en
General

Target: a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe
Size: 691KB
MD5: f58b3419bf43dc82c56f1fda0358c645
SHA1: 63c6acc7b3a0582cb5075d8bb8346e41d711710b
SHA256: a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4
SHA512: 652b2b84c7ae1838fd42ab2e7ae9dd75c8a6bfedafef9b70a0d9d0cb1465c294dcf4b8ef0813e39edd7b1cd562b4a51172e788747720bad5fc4a6779f4c5bc32
SSDEEP: 12288:rNIQAPGsAqY9IMVYd38sJdpQHlGlY8KfTZ5qvD4yvtSgRxFn8EWb/l9TXQCM:MPGSY91VwNJcFMqTZeNDRWbdVXlM
Malware Config
Signatures

UAC bypass
Processes: Chromium.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (Chromium.exe)

Executes dropped EXE  (1 IoC)
Processes: Chromium.exe
  PID 1956  Chromium.exe

Adds Run key to start application  (2 TTPs, 2 IoCs)
Processes: Chromium.exe
  Key created      \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run  (Chromium.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chromium = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chromium.exe\""  (Chromium.exe)

Checks whether UAC is enabled
Processes: Chromium.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (Chromium.exe)

Suspicious use of SetWindowsHookEx  (4 IoCs)
Processes: a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe, Chromium.exe
  PID 4232  a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe
  PID 4232  a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe
  PID 1956  Chromium.exe
  PID 1956  Chromium.exe

Suspicious use of WriteProcessMemory  (3 IoCs)
Processes: a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe
  PID 4232 wrote to memory of 1956  a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe -> Chromium.exe
  PID 4232 wrote to memory of 1956  a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe -> Chromium.exe
  PID 4232 wrote to memory of 1956  a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe -> Chromium.exe

System policy modification  (1 TTP, 2 IoCs)
Processes: Chromium.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (Chromium.exe)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  (Chromium.exe)
Processes

1. C:\Users\Admin\AppData\Local\Temp\a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe"
   PID: 4232
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Chromium.exe  (child of PID 4232)
      Command line: C:\Users\Admin\AppData\Roaming\Chromium.exe
      PID: 1956
      - UAC bypass
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Suspicious use of SetWindowsHookEx
      - System policy modification
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\Chromium.exe
  Filesize: 691KB
  MD5: f58b3419bf43dc82c56f1fda0358c645
  SHA1: 63c6acc7b3a0582cb5075d8bb8346e41d711710b
  SHA256: a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4
  SHA512: 652b2b84c7ae1838fd42ab2e7ae9dd75c8a6bfedafef9b70a0d9d0cb1465c294dcf4b8ef0813e39edd7b1cd562b4a51172e788747720bad5fc4a6779f4c5bc32

memory/1956-132-0x0000000000000000-mapping.dmp