Analysis
-
max time kernel
91s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
07/02/2023, 16:48
General
-
Target
Google Chrome.exe
-
Size
172KB
-
MD5
5ee4572308895a3322f74160399e0e63
-
SHA1
0e511a972055cc02c278b30b874a0dbb032f0cb1
-
SHA256
0a1fe129f4d95b580c7533d0d7b0b787174b41d6dacf222956aba9586232445e
-
SHA512
0b5f4d8d5a8504b3080e0204577faa3c6ae042677718d1bc05edac62702f1380025a2a11f884554d78224b0e8ef6028deac3c1a37998c17cff1184254354a002
-
SSDEEP
3072:eXhaoP7Ddc4kJ5sXegDChJo8p8+EOjBPD3hSEE9TCcGZflRJueUhVQqWKBGoutb1:pf5gtCh2dLOjBT8E2fG1l3jcwKMoSJ
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops desktop.ini file(s) 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe"C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\n274\ins274.exe"C:\Users\Admin\AppData\Local\Temp\n274\ins274.exe" ins.exe /e11736156 /u5193805b-c284-4f85-b972-26465bc06f2f2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 12643⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3960 -s 13123⤵
- Program crash
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 460 -p 3960 -ip 39601⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
201KB
MD5c7ac2771873ecbb415cc2d1610df8b41
SHA19e35633a4e838f4211e0c808ea6b8085fe3af840
SHA25645d1ae15bd9f17bbd4d9708b3a57daa312685db614679270226393a20af0699a
SHA5124dbd528a4b4d6403fffd90fc5a0c3ee20a009ac9d68a11e4b526399f1e8f75d7508bb30ac7be71ac09f1fb3e3f2fbefacf608278dd676934b833a60a983b413e
-
Filesize
201KB
MD5c7ac2771873ecbb415cc2d1610df8b41
SHA19e35633a4e838f4211e0c808ea6b8085fe3af840
SHA25645d1ae15bd9f17bbd4d9708b3a57daa312685db614679270226393a20af0699a
SHA5124dbd528a4b4d6403fffd90fc5a0c3ee20a009ac9d68a11e4b526399f1e8f75d7508bb30ac7be71ac09f1fb3e3f2fbefacf608278dd676934b833a60a983b413e
-
Filesize
420KB
-
Filesize
420KB
-
Filesize
10.2MB