Analysis
- max time kernel: 141s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-03-2023 02:16
General
- Target: d9d2ad004f71ee5e3dc5f0170b74a961fc5df4e187ea03a11788ed30a1a8230a.exe
- Size: 1.4MB
- MD5: 18669b21194b03105d0a9145635a1ce6
- SHA1: 59d361b172cfb610aeef1e0ab6e2546b40aaf1f4
- SHA256: d9d2ad004f71ee5e3dc5f0170b74a961fc5df4e187ea03a11788ed30a1a8230a
- SHA512: 0dff9b45ddbd0a80e05d3194f645a5f38c165ab904e01eb566a1406823c80c78ba0e39e7e81975299951d482ec31cf7514a3c2afd997b2bc656f6cd846be69d8
- SSDEEP: 24576:PGU0HpRGUYHKaPUM0Hqy69NgA+iVvRuPpND5TqJ6y5eXt7dRfj5h6SY:OpEUIvU0N9jkpjweXt77L5MF
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (10 IoCs)
  Process: d9d2ad004f71ee5e3dc5f0170b74a961fc5df4e187ea03a11788ed30a1a8230a.exe
    File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js
    File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js
    File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png
    File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js
    File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js
    File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js
    File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js
    File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json
    File opened for modification: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js
    File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Process: chrome.exe
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- Kills process with taskkill (1 IoCs)
  Process: taskkill.exe (PID 2200)
- Modifies data under HKEY_USERS (2 IoCs)
  Process: chrome.exe
    Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
    Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133222870172843735"
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: chrome.exe (PID 2112)
  Process: chrome.exe (PID 2112)
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Process: d9d2ad004f71ee5e3dc5f0170b74a961fc5df4e187ea03a11788ed30a1a8230a.exe (PID 4880)
    Token: SeCreateTokenPrivilege
    Token: SeAssignPrimaryTokenPrivilege
    Token: SeLockMemoryPrivilege
    Token: SeIncreaseQuotaPrivilege
    Token: SeMachineAccountPrivilege
    Token: SeTcbPrivilege
    Token: SeSecurityPrivilege
    Token: SeTakeOwnershipPrivilege
    Token: SeLoadDriverPrivilege
    Token: SeSystemProfilePrivilege
    Token: SeSystemtimePrivilege
    Token: SeProfSingleProcessPrivilege
    Token: SeIncBasePriorityPrivilege
    Token: SeCreatePagefilePrivilege
    Token: SeCreatePermanentPrivilege
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeShutdownPrivilege
    Token: SeDebugPrivilege
    Token: SeAuditPrivilege
    Token: SeSystemEnvironmentPrivilege
    Token: SeChangeNotifyPrivilege
    Token: SeRemoteShutdownPrivilege
    Token: SeUndockPrivilege
    Token: SeSyncAgentPrivilege
    Token: SeEnableDelegationPrivilege
    Token: SeManageVolumePrivilege
    Token: SeImpersonatePrivilege
    Token: SeCreateGlobalPrivilege
    Token: 31
    Token: 32
    Token: 33
    Token: 34
    Token: 35
  Process: taskkill.exe (PID 2200)
    Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  Process: d9d2ad004f71ee5e3dc5f0170b74a961fc5df4e187ea03a11788ed30a1a8230a.exe (PID 4880)
    PID 4880 wrote to memory of 4584 (target procid 86)
    PID 4880 wrote to memory of 4584 (target procid 86)
    PID 4880 wrote to memory of 4584 (target procid 86)
  Process: cmd.exe (PID 4584)
    PID 4584 wrote to memory of 2200 (target procid 88)
    PID 4584 wrote to memory of 2200 (target procid 88)
    PID 4584 wrote to memory of 2200 (target procid 88)
  Process: d9d2ad004f71ee5e3dc5f0170b74a961fc5df4e187ea03a11788ed30a1a8230a.exe (PID 4880)
    PID 4880 wrote to memory of 460 (target procid 97)
    PID 4880 wrote to memory of 460 (target procid 97)
Processes
- C:\Users\Admin\AppData\Local\Temp\d9d2ad004f71ee5e3dc5f0170b74a961fc5df4e187ea03a11788ed30a1a8230a.exe (PID 4880)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d9d2ad004f71ee5e3dc5f0170b74a961fc5df4e187ea03a11788ed30a1a8230a.exe"
  Signatures: Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4584)
    Command line: cmd.exe /c taskkill /f /im chrome.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 2200)
      Command line: taskkill /f /im chrome.exe
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 460)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
    Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4080)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd9ead9758,0x7ffd9ead9768,0x7ffd9ead9778
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2660)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1808,i,7789950243510223131,17070923793304521214,131072 /prefetch:2
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3908)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1808,i,7789950243510223131,17070923793304521214,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4384)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1808,i,7789950243510223131,17070923793304521214,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3604)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=3172 --field-trial-handle=1808,i,7789950243510223131,17070923793304521214,131072 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4200)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=3308 --field-trial-handle=1808,i,7789950243510223131,17070923793304521214,131072 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4064)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=3808 --field-trial-handle=1808,i,7789950243510223131,17070923793304521214,131072 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1396)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=4052 --field-trial-handle=1808,i,7789950243510223131,17070923793304521214,131072 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2312)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5200 --field-trial-handle=1808,i,7789950243510223131,17070923793304521214,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2656)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2688 --field-trial-handle=1808,i,7789950243510223131,17070923793304521214,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4940)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 --field-trial-handle=1808,i,7789950243510223131,17070923793304521214,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4956)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5560 --field-trial-handle=1808,i,7789950243510223131,17070923793304521214,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4364)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 --field-trial-handle=1808,i,7789950243510223131,17070923793304521214,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2112)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4928 --field-trial-handle=1808,i,7789950243510223131,17070923793304521214,131072 /prefetch:2
      Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 1552)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads