a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4

Analysis

max time kernel
157s
max time network
216s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe
Size

691KB
MD5

f58b3419bf43dc82c56f1fda0358c645
SHA1

63c6acc7b3a0582cb5075d8bb8346e41d711710b
SHA256

a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4
SHA512

652b2b84c7ae1838fd42ab2e7ae9dd75c8a6bfedafef9b70a0d9d0cb1465c294dcf4b8ef0813e39edd7b1cd562b4a51172e788747720bad5fc4a6779f4c5bc32
SSDEEP

12288:rNIQAPGsAqY9IMVYd38sJdpQHlGlY8KfTZ5qvD4yvtSgRxFn8EWb/l9TXQCM:MPGSY91VwNJcFMqTZeNDRWbdVXlM

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

Chromium.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Chromium.exe
Executes dropped EXE 1 IoCs

Processes:

Chromium.exe

pid process

1956 Chromium.exe

pid	process
1956	Chromium.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Chromium.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	Chromium.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chromium = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chromium.exe\""	Chromium.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Chromium.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Chromium.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exeChromium.exe

pid	process
4232	a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe
4232	a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe
1956	Chromium.exe
1956	Chromium.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe

description	pid	process	target process
PID 4232 wrote to memory of 1956	4232	a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe	Chromium.exe
PID 4232 wrote to memory of 1956	4232	a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe	Chromium.exe
PID 4232 wrote to memory of 1956	4232	a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe	Chromium.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

Chromium.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Chromium.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Chromium.exe

C:\Users\Admin\AppData\Local\Temp\a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe
"C:\Users\Admin\AppData\Local\Temp\a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4232

C:\Users\Admin\AppData\Roaming\Chromium.exe
C:\Users\Admin\AppData\Roaming\Chromium.exe
2⤵
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Chromium.exe
Filesize
691KB

MD5
f58b3419bf43dc82c56f1fda0358c645

SHA1
63c6acc7b3a0582cb5075d8bb8346e41d711710b

SHA256
a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4

SHA512
652b2b84c7ae1838fd42ab2e7ae9dd75c8a6bfedafef9b70a0d9d0cb1465c294dcf4b8ef0813e39edd7b1cd562b4a51172e788747720bad5fc4a6779f4c5bc32

Download Submit
C:\Users\Admin\AppData\Roaming\Chromium.exe
Filesize
691KB

MD5
f58b3419bf43dc82c56f1fda0358c645

SHA1
63c6acc7b3a0582cb5075d8bb8346e41d711710b

SHA256
a6fd01152a9b80b3ca40e50571d790aff2d49cf9ea00f9f7a995de9b7d57a7a4

SHA512
652b2b84c7ae1838fd42ab2e7ae9dd75c8a6bfedafef9b70a0d9d0cb1465c294dcf4b8ef0813e39edd7b1cd562b4a51172e788747720bad5fc4a6779f4c5bc32

Download Submit
memory/1956-132-0x0000000000000000-mapping.dmp

Download