95a7ad84f7123ae9763fab872bedfe3664fdf55c8b394a09605ee08a4e32f25f

General

Target

95a7ad84f7123ae9763fab872bedfe3664fdf55c8b394a09605ee08a4e32f25f.exe
Size

663KB
MD5

bcb844e1cb9f61ffdb26c3776c4627c6
SHA1

979aaea528ca96e71edcfde5a1172156ba401a2d
SHA256

95a7ad84f7123ae9763fab872bedfe3664fdf55c8b394a09605ee08a4e32f25f
SHA512

38e36d7062e6e4480c0380dd5f39045091b860b24c2d4b32fa3c2ac5d3b8c024eb4f0109cd0daf4631d46ddb9073faa8eee2af161bbfaf0ff0ff7431d4c5d4d9
SSDEEP

12288:qNIQAPGsAqY9IMVYd38sJdpQHlGlY8KfTHb/l9TXQCb:XPGSY91VwNJcFMqTHbdVXlb

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

Chromium.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Chromium.exe
Executes dropped EXE 1 IoCs

Processes:

Chromium.exe

pid process

1004 Chromium.exe
Loads dropped DLL 1 IoCs

Processes:

95a7ad84f7123ae9763fab872bedfe3664fdf55c8b394a09605ee08a4e32f25f.exe

pid process

1152 95a7ad84f7123ae9763fab872bedfe3664fdf55c8b394a09605ee08a4e32f25f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Chromium.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Chromium.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Chromium.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chromium = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chromium.exe\""	Chromium.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Chromium.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Chromium.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Chromium.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

Chromium.exe

pid	process
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe
1004	Chromium.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

95a7ad84f7123ae9763fab872bedfe3664fdf55c8b394a09605ee08a4e32f25f.exeChromium.exe

pid	process
1152	95a7ad84f7123ae9763fab872bedfe3664fdf55c8b394a09605ee08a4e32f25f.exe
1152	95a7ad84f7123ae9763fab872bedfe3664fdf55c8b394a09605ee08a4e32f25f.exe
1004	Chromium.exe
1004	Chromium.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

95a7ad84f7123ae9763fab872bedfe3664fdf55c8b394a09605ee08a4e32f25f.exe

description	pid	process	target process
PID 1152 wrote to memory of 1004	1152	95a7ad84f7123ae9763fab872bedfe3664fdf55c8b394a09605ee08a4e32f25f.exe	Chromium.exe
PID 1152 wrote to memory of 1004	1152	95a7ad84f7123ae9763fab872bedfe3664fdf55c8b394a09605ee08a4e32f25f.exe	Chromium.exe
PID 1152 wrote to memory of 1004	1152	95a7ad84f7123ae9763fab872bedfe3664fdf55c8b394a09605ee08a4e32f25f.exe	Chromium.exe
PID 1152 wrote to memory of 1004	1152	95a7ad84f7123ae9763fab872bedfe3664fdf55c8b394a09605ee08a4e32f25f.exe	Chromium.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

Chromium.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Chromium.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Chromium.exe

C:\Users\Admin\AppData\Local\Temp\95a7ad84f7123ae9763fab872bedfe3664fdf55c8b394a09605ee08a4e32f25f.exe
"C:\Users\Admin\AppData\Local\Temp\95a7ad84f7123ae9763fab872bedfe3664fdf55c8b394a09605ee08a4e32f25f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Roaming\Chromium.exe
C:\Users\Admin\AppData\Roaming\Chromium.exe
2⤵
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Chromium.exe
Filesize
663KB

MD5
bcb844e1cb9f61ffdb26c3776c4627c6

SHA1
979aaea528ca96e71edcfde5a1172156ba401a2d

SHA256
95a7ad84f7123ae9763fab872bedfe3664fdf55c8b394a09605ee08a4e32f25f

SHA512
38e36d7062e6e4480c0380dd5f39045091b860b24c2d4b32fa3c2ac5d3b8c024eb4f0109cd0daf4631d46ddb9073faa8eee2af161bbfaf0ff0ff7431d4c5d4d9

Download Submit
C:\Users\Admin\AppData\Roaming\Chromium.exe
Filesize
663KB

MD5
bcb844e1cb9f61ffdb26c3776c4627c6

SHA1
979aaea528ca96e71edcfde5a1172156ba401a2d

SHA256
95a7ad84f7123ae9763fab872bedfe3664fdf55c8b394a09605ee08a4e32f25f

SHA512
38e36d7062e6e4480c0380dd5f39045091b860b24c2d4b32fa3c2ac5d3b8c024eb4f0109cd0daf4631d46ddb9073faa8eee2af161bbfaf0ff0ff7431d4c5d4d9

Download Submit
\Users\Admin\AppData\Roaming\Chromium.exe
Filesize
663KB

MD5
bcb844e1cb9f61ffdb26c3776c4627c6

SHA1
979aaea528ca96e71edcfde5a1172156ba401a2d

SHA256
95a7ad84f7123ae9763fab872bedfe3664fdf55c8b394a09605ee08a4e32f25f

SHA512
38e36d7062e6e4480c0380dd5f39045091b860b24c2d4b32fa3c2ac5d3b8c024eb4f0109cd0daf4631d46ddb9073faa8eee2af161bbfaf0ff0ff7431d4c5d4d9

Download Submit
memory/1004-56-0x0000000000000000-mapping.dmp

Download
memory/1152-54-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads