Analysis

max time kernel: 152s
max time network: 176s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2022 16:10

Static task: static1

Behavioral task: behavioral1
Sample: 487ee6031e9b7503864be4ee90142c0fa5eca96ce618176462bc704f9a959f4e.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 487ee6031e9b7503864be4ee90142c0fa5eca96ce618176462bc704f9a959f4e.exe
Resource: win10v2004-20221111-en
General

Target: 487ee6031e9b7503864be4ee90142c0fa5eca96ce618176462bc704f9a959f4e.exe
Size: 522KB
MD5: 5dfd38c632d2e2adae21a4db480d91d3
SHA1: 11f1a242b76372d98d89b43ff83ae7ad8590b07b
SHA256: 487ee6031e9b7503864be4ee90142c0fa5eca96ce618176462bc704f9a959f4e
SHA512: 1a6085f1a6d532dbfa64469a07793d1d917132d2bbd1f832edd90284c8b2aa03ca66d79cfb07307c1b6bc7d281ecd5ab618474b9e9502118245e4efdf9c9ceac
SSDEEP: 6144:UiIj/ao9DJKDkLOeO9fvsg0Fw1xf80lBHjkmbATwJzIZ7UdJNU1+jPqA/W9OjVb:Ku6DI8gtBHj9byA87U1K++sm
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  PID 936  chrome.exe

Modifies Windows Firewall (1 TTP, 1 IoC)
(The netsh.exe invocation is shown in the process tree below.)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  by 487ee6031e9b7503864be4ee90142c0fa5eca96ce618176462bc704f9a959f4e.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\90480ec0be14f6221b63d9107a2dd7d8 = "C:\Users\Admin\AppData\Roaming\chrome.exe" ..  by chrome.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\90480ec0be14f6221b63d9107a2dd7d8 = "C:\Users\Admin\AppData\Roaming\chrome.exe" ..  by chrome.exe
The same 32-hex-character value name is written to both the per-user and the machine-wide Run key, so persistence survives whichever of the two an administrator cleans first. The machine-wide entry landed under WOW6432Node because the writer is a 32-bit process and HKLM\SOFTWARE is subject to WOW64 registry redirection; a hunt for this value must check both views of the key. The trailing " .." is passed to the copy as a command-line argument.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The signature text calls this likely ransomware behaviour; note that no file-encryption activity appears anywhere else in this run, so treat the label as generic.

Suspicious behavior: EnumeratesProcesses (30 IoCs)
Processes:
  PID 936  chrome.exe  (30 process-enumeration events)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeDebugPrivilege  PID 936  chrome.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 2412 wrote to memory of PID 936   487ee6031e9b7503864be4ee90142c0fa5eca96ce618176462bc704f9a959f4e.exe -> chrome.exe  (3 events)
  PID 936 wrote to memory of PID 4188   chrome.exe -> netsh.exe  (3 events)
Each parent wrote to its child only while spawning it, which matches the cross-process writes CreateProcess performs at launch rather than a separate injection step.
Processes

1. C:\Users\Admin\AppData\Local\Temp\487ee6031e9b7503864be4ee90142c0fa5eca96ce618176462bc704f9a959f4e.exe  (PID 2412)
   Command line: "C:\Users\Admin\AppData\Local\Temp\487ee6031e9b7503864be4ee90142c0fa5eca96ce618176462bc704f9a959f4e.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\chrome.exe  (PID 936, child of 2412)
      Command line: "C:\Users\Admin\AppData\Roaming\chrome.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe  (PID 4188, child of 936)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\chrome.exe" "chrome.exe" ENABLE
         - Modifies Windows Firewall

The chain is: the sample copies itself to %APPDATA%\chrome.exe (the dropped file in the Downloads section carries the same hashes as the submitted sample), launches the copy, and the copy registers itself in both Run keys and opens an inbound firewall exception for its own path under the display name "chrome.exe". netsh resolving to SysWOW64 confirms the parent is a 32-bit process (file system redirection). The legacy "netsh firewall" context still works on Windows 10 for this command; a rule-based detection should cover both it and "netsh advfirewall firewall add rule".
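The Signatures and Processes sections above describe behaviour that a detection engineer would want to re-derive from raw telemetry rather than trust a vendor label for. The following is an added example, not code from the report or the sandbox vendor: it replays the report's own PIDs, paths, registry keys and hashes as a constructed, Sysmon-like event list (the event schema and the parent PID 1000 are assumptions) and fires the same signature names, plus a masquerading check for a chrome.exe that lives outside Google's default install directories.

```python
"""Behavioural signature matching over a constructed event log.

Added example for this report, not code from the sandbox vendor. The event
schema is an assumption (a flattened, Sysmon-like shape); the PIDs, paths,
registry keys and hashes are the report's own IoCs.
"""
import ntpath
import re

SAMPLE_SHA256 = "487ee6031e9b7503864be4ee90142c0fa5eca96ce618176462bc704f9a959f4e"
SID = "S-1-5-21-2386679933-1492765628-3466841596-1000"
DROPPED = r"C:\Users\Admin\AppData\Roaming\chrome.exe"

# Constructed events reproducing the report's process tree and registry IoCs.
# Parent PID 1000 for the first process is an assumption (sandbox launcher).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2412, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\%s.exe" % SAMPLE_SHA256,
     "cmdline": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\%s.exe"' % SAMPLE_SHA256,
     "sha256": SAMPLE_SHA256},
    {"type": "registry_query", "pid": 2412,
     "key": r"HKU\%s\Control Panel\International\Geo\Nation" % SID},
    {"type": "file_write", "pid": 2412, "path": DROPPED, "sha256": SAMPLE_SHA256},
    {"type": "process_create", "pid": 936, "ppid": 2412, "image": DROPPED,
     "cmdline": '"%s"' % DROPPED, "sha256": SAMPLE_SHA256},
    {"type": "registry_set", "pid": 936,
     "key": r"HKU\%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\90480ec0be14f6221b63d9107a2dd7d8" % SID,
     "value": '"%s" ..' % DROPPED},
    {"type": "registry_set", "pid": 936,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\90480ec0be14f6221b63d9107a2dd7d8",
     "value": '"%s" ..' % DROPPED},
    {"type": "process_create", "pid": 4188, "ppid": 936,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": 'netsh firewall add allowedprogram "%s" "chrome.exe" ENABLE' % DROPPED,
     "sha256": "0" * 64},  # placeholder hash for netsh.exe (constructed)
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\(Roaming|Local)\\|\\Users\\Public\\|\\ProgramData\\", re.IGNORECASE)
# Legacy "netsh firewall" and the newer "netsh advfirewall firewall" syntax.
NETSH_FW_RE = re.compile(
    r"\bfirewall\s+(add\s+allowedprogram|set\s+opmode|add\s+rule)\b", re.IGNORECASE)
# Assumption: a real chrome.exe sits under Google\Chrome\Application (default installer path).
CHROME_DIR_RE = re.compile(r"\\Google\\Chrome\\Application\\chrome\.exe$", re.IGNORECASE)
GEO_NATION_SUFFIX = r"\control panel\international\geo\nation"


def match_signatures(events):
    """Return (signature, pid, detail) tuples, using the report's signature names."""
    hits = []
    procs = {}  # pid -> process_create event, for parent lookups
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "process_create":
            procs[pid] = ev
            image = ev["image"]
            base = ntpath.basename(image).lower()
            parent = procs.get(ev["ppid"])
            # Executes dropped EXE: child has the parent's hash but a different path,
            # i.e. the sample relaunched a copy of itself.
            if parent and parent["sha256"] == ev["sha256"] and parent["image"].lower() != image.lower():
                hits.append(("Executes dropped EXE", pid, f"self-copy at {image}"))
            if base == "chrome.exe" and not CHROME_DIR_RE.search(image):
                hits.append(("Masquerades as chrome.exe", pid, image))
            if base == "netsh.exe" and NETSH_FW_RE.search(ev["cmdline"]):
                hits.append(("Modifies Windows Firewall", pid, ev["cmdline"]))
        elif kind == "registry_query" and ev["key"].lower().endswith(GEO_NATION_SUFFIX):
            hits.append(("Checks computer location settings", pid, ev["key"]))
        elif kind == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            hive = "HKLM" if ev["key"].upper().startswith("HKLM") else "HKU"
            view = " (WOW6432Node)" if "WOW6432Node" in ev["key"] else ""
            # A Run entry pointing into a user-writable directory is the actual tell;
            # the hive and the WOW64 view are recorded so both are cleaned up.
            if USER_WRITABLE_RE.search(ev["value"]):
                hits.append(("Adds Run key to start application", pid,
                             f"{hive}{view}: {ev['value']}"))
    return hits


def signature_names(events):
    """Sorted, de-duplicated signature names fired over the event list."""
    return sorted({h[0] for h in match_signatures(events)})


if __name__ == "__main__":
    for sig, pid, detail in match_signatures(SAMPLE_EVENTS):
        print(f"[{pid}] {sig}: {detail}")
```

The self-copy check keys on the hash rather than the file name, which is what makes the chrome.exe rename irrelevant; the Run-key check deliberately fires twice, once per hive, so that a response playbook removes the WOW6432Node entry and not only the HKCU one.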
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\chrome.exe
Filesize: 522KB
MD5: 5dfd38c632d2e2adae21a4db480d91d3
SHA1: 11f1a242b76372d98d89b43ff83ae7ad8590b07b
SHA256: 487ee6031e9b7503864be4ee90142c0fa5eca96ce618176462bc704f9a959f4e
SHA512: 1a6085f1a6d532dbfa64469a07793d1d917132d2bbd1f832edd90284c8b2aa03ca66d79cfb07307c1b6bc7d281ecd5ab618474b9e9502118245e4efdf9c9ceac

All four hashes match the submitted sample, so the dropped file is a byte-for-byte copy of the original executable rather than a second-stage payload; a hash-based block on the sample covers the persisted copy as well.
Memory dumps

memory/936-134-0x0000000000000000-mapping.dmp
memory/936-139-0x0000000074A80000-0x0000000075031000-memory.dmp  Filesize: 5.7MB
memory/936-140-0x0000000074A80000-0x0000000075031000-memory.dmp  Filesize: 5.7MB
memory/2412-132-0x0000000074A80000-0x0000000075031000-memory.dmp  Filesize: 5.7MB
memory/2412-133-0x0000000074A80000-0x0000000075031000-memory.dmp  Filesize: 5.7MB
memory/2412-137-0x0000000074A80000-0x0000000075031000-memory.dmp  Filesize: 5.7MB
memory/4188-138-0x0000000000000000-mapping.dmp

The same 5.7MB region at 0x0000000074A80000-0x0000000075031000 is dumped from both PID 2412 (the original) and PID 936 (the copy).