e7d16815ce3d770f141aee8385aa40f06182decc9cc4f586996f26c71c394b96

Analysis

max time kernel
38s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
23/03/2023, 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Google Chrome.exe
Size

4.3MB
MD5

40e913e960fab34fd7532d583dcce3b4
SHA1

c86950a5190c9576754734945f64d61724ad3e8b
SHA256

e7d16815ce3d770f141aee8385aa40f06182decc9cc4f586996f26c71c394b96
SHA512

17c49bfa33522c3475fb74f4bb0be9906d35ae55dd4b35d98ddcb876a1be09f7fd48a57de1beee6805e4b0f8b18db59ab421a132b6cbc830c5be8bdb75153d0d
SSDEEP

98304:Z3UnKnPlyiowsuJhVclogf4qtHbxWKmEQ0BWHeSf1D:ZEnwPlBopuJh21JmdQ09D

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4568	Google Chrome.exe
3652	Google Chrome.exe

Loads dropped DLL 2 IoCs

pid	Process
3652	Google Chrome.exe
3652	Google Chrome.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\RPCRT4.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\win32u.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\uxtheme.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\combase.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\imagehlp.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\version.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\PROPSYS.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\MSCTF.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\KERNEL32.DLL	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\USER32.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\SHLWAPI.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\wsock32.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\kernel.appcore.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\profapi.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\gdi32full.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\ws2_32.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\opengl32.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\KERNELBASE.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\apphelp.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\GDI32.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\oleaut32.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\msimg32.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\msvcp_win.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\imm32.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\hhctrl.ocx	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\windows.storage.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\ntdll.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\advapi32.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\msvcrt.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\ucrtbase.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\shcore.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\clbcatq.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\shfolder.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\Wldp.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\psapi.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\sechost.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\comdlg32.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\SHELL32.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\ole32.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\GLU32.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\bcryptPrimitives.dll	Google Chrome.exe
File opened for modification	C:\Windows\SysWOW64\explorerframe.dll	Google Chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\comctl32.dll	Google Chrome.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe
3652	Google Chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4128	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	3652	Google Chrome.exe
Token: SeLoadDriverPrivilege	3652	Google Chrome.exe
Token: SeCreateGlobalPrivilege	3652	Google Chrome.exe
Token: 33	3652	Google Chrome.exe
Token: SeSecurityPrivilege	3652	Google Chrome.exe
Token: SeTakeOwnershipPrivilege	3652	Google Chrome.exe
Token: SeManageVolumePrivilege	3652	Google Chrome.exe
Token: SeBackupPrivilege	3652	Google Chrome.exe
Token: SeCreatePagefilePrivilege	3652	Google Chrome.exe
Token: SeShutdownPrivilege	3652	Google Chrome.exe
Token: SeRestorePrivilege	3652	Google Chrome.exe
Token: 33	3652	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	3652	Google Chrome.exe
Token: SeDebugPrivilege	4128	taskmgr.exe
Token: SeSystemProfilePrivilege	4128	taskmgr.exe
Token: SeCreateGlobalPrivilege	4128	taskmgr.exe
Token: 33	4128	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4128	taskmgr.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
3652	Google Chrome.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe

Suspicious use of SendNotifyMessage 43 IoCs

pid	Process
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe
4128	taskmgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 4568	4300	Google Chrome.exe	86
PID 4300 wrote to memory of 4568	4300	Google Chrome.exe	86
PID 4300 wrote to memory of 4568	4300	Google Chrome.exe	86
PID 4568 wrote to memory of 3652	4568	Google Chrome.exe	87
PID 4568 wrote to memory of 3652	4568	Google Chrome.exe	87
PID 4568 wrote to memory of 3652	4568	Google Chrome.exe	87

C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
"C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6806.tmp\Google Chrome.exe
  "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6806.tmp\Google Chrome.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6806.tmp\extracted\Google Chrome.exe
    "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6806.tmp\extracted\Google Chrome.exe" "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6806.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3652

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6806.tmp\CET_Archive.dat

Filesize
4.0MB

MD5
fd0b128791ae1feeeed465e9b22702b6

SHA1
57664986fe0dc316481d0e0a98ca2c1e1afa6f19

SHA256
ef894ae5060c4206b017e688bb0f83580d2ff1d5c254207736cfbf939aec935c

SHA512
8178e20977f77010fc68eb5be9288a262bc5034335b15bc3cb8a5cc9a683a292bbd13a541c4e06f61cb5a14c8a7302b28dfe25b0cf6928839c84fda87bc18451

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6806.tmp\Google Chrome.exe

Filesize
196KB

MD5
808de473370ef6b5d98ab752f245a3ca

SHA1
800bd4ad10c17471829693fac3cee4502b14f029

SHA256
65cbed2e8db313b8966638e40eb27f94156c294eb060b28a02c130d146518c39

SHA512
fafaff03ad502523b3627e59e1026b8af4217a80215782a90667bc4f4c330871d8c3d890f2601b68ec9a42c0171d12b9e5b87067c95dcad1132b0a8979c56a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6806.tmp\Google Chrome.exe

Filesize
196KB

MD5
808de473370ef6b5d98ab752f245a3ca

SHA1
800bd4ad10c17471829693fac3cee4502b14f029

SHA256
65cbed2e8db313b8966638e40eb27f94156c294eb060b28a02c130d146518c39

SHA512
fafaff03ad502523b3627e59e1026b8af4217a80215782a90667bc4f4c330871d8c3d890f2601b68ec9a42c0171d12b9e5b87067c95dcad1132b0a8979c56a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6806.tmp\extracted\CET_TRAINER.CETRAINER

Filesize
443KB

MD5
a3a94bc1008c5d194dd72b4ea8792a4f

SHA1
1ce3be16c30de9c0275da6a8b7a07e5ed8fa52e1

SHA256
769eb7b11c02611d545b5a4ec09f50f4a6eb00e42bb818672a13a2c9c7634c98

SHA512
315f93356c990df4eb1d3dc455e09f1aeecec9823b3c80b4b5617275c510f5372d98291f4bba973c4e5ada98bd3761656bb06a9a182f5ea91ff52026775c2bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6806.tmp\extracted\Google Chrome.exe

Filesize
7.4MB

MD5
052f561d15254e91bc505d5066f4f16c

SHA1
4166aebecfcf1f20922ae2b7dd45bebfd145d6d2

SHA256
98269f89557e11c629155a2e29235fce7d1b25baa78a2a475ad1a27e626e75a6

SHA512
63a5b30d3a6f817083ebfb49245502954679688552d531cdd65b21ed02e10edc38e59b5f01c0fc30340e5527a1f5918c20994eceac1a1d3bb86cc5c07aa16d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6806.tmp\extracted\Google Chrome.exe

Filesize
7.4MB

MD5
052f561d15254e91bc505d5066f4f16c

SHA1
4166aebecfcf1f20922ae2b7dd45bebfd145d6d2

SHA256
98269f89557e11c629155a2e29235fce7d1b25baa78a2a475ad1a27e626e75a6

SHA512
63a5b30d3a6f817083ebfb49245502954679688552d531cdd65b21ed02e10edc38e59b5f01c0fc30340e5527a1f5918c20994eceac1a1d3bb86cc5c07aa16d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6806.tmp\extracted\defines.lua

Filesize
5KB

MD5
d8f9b4a10a48ebd8936255f6215c8a43

SHA1
7d8ff0012fa9d9dcf189c6df963f1c627f2ccb76

SHA256
d4347332b232622283e7dd3781f64966bd1097d06cca7052b467cf99e62898f2

SHA512
67db5dc65fef66fe3a1920c5f406091d17eeae27266039af392a166d63686b8fc61b94684f2b97762995aefa42d2d15148213ecef64cc0df04de19320abba97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6806.tmp\extracted\lua5.1-32.dll

Filesize
329KB

MD5
2730ff589ae86ef10d94952769f9404f

SHA1
8010834297a6aa488e6bf90eceaaf9e60bb60c6e

SHA256
faf0850051ba175347e40481da9e2cc3a122a09d428925042932be555db06e6b

SHA512
5fb35eb364603568b67ce0d19371016a382bc62500de807a12492ceacd5d2b765e0908e2e7e9798446b6c005c0e48c0da74c1a0f9d55c49a8ef4eb3c3d1307e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6806.tmp\extracted\lua5.1-32.dll

Filesize
329KB

MD5
2730ff589ae86ef10d94952769f9404f

SHA1
8010834297a6aa488e6bf90eceaaf9e60bb60c6e

SHA256
faf0850051ba175347e40481da9e2cc3a122a09d428925042932be555db06e6b

SHA512
5fb35eb364603568b67ce0d19371016a382bc62500de807a12492ceacd5d2b765e0908e2e7e9798446b6c005c0e48c0da74c1a0f9d55c49a8ef4eb3c3d1307e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6806.tmp\extracted\win32\dbghelp.dll

Filesize
1.2MB

MD5
9139604740814e53298a5e8428ba29d7

SHA1
c7bf8947e9276a311c4807ea4a57b504f95703c9

SHA256
150782fca5e188762a41603e2d5c7aad6b6419926bcadf350ebf84328e50948f

SHA512
0b99259e9c0ee566d55cc53c4a7eabf025ed95973edc80ded594023a33f8273cd5d3f3053993f771f9db8a9d234e988cba73845c19ddc6e629e15a243c54cd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6806.tmp\extracted\win32\dbghelp.dll

Filesize
1.2MB

MD5
9139604740814e53298a5e8428ba29d7

SHA1
c7bf8947e9276a311c4807ea4a57b504f95703c9

SHA256
150782fca5e188762a41603e2d5c7aad6b6419926bcadf350ebf84328e50948f

SHA512
0b99259e9c0ee566d55cc53c4a7eabf025ed95973edc80ded594023a33f8273cd5d3f3053993f771f9db8a9d234e988cba73845c19ddc6e629e15a243c54cd5d

Download Submit
memory/4128-160-0x000002DD2A6E0000-0x000002DD2A6E1000-memory.dmp

Filesize
4KB

Download
memory/4128-154-0x000002DD2A6E0000-0x000002DD2A6E1000-memory.dmp

Filesize
4KB

Download
memory/4128-155-0x000002DD2A6E0000-0x000002DD2A6E1000-memory.dmp

Filesize
4KB

Download
memory/4128-153-0x000002DD2A6E0000-0x000002DD2A6E1000-memory.dmp

Filesize
4KB

Download
memory/4128-159-0x000002DD2A6E0000-0x000002DD2A6E1000-memory.dmp

Filesize
4KB

Download
memory/4128-161-0x000002DD2A6E0000-0x000002DD2A6E1000-memory.dmp

Filesize
4KB

Download
memory/4128-162-0x000002DD2A6E0000-0x000002DD2A6E1000-memory.dmp

Filesize
4KB

Download
memory/4128-163-0x000002DD2A6E0000-0x000002DD2A6E1000-memory.dmp

Filesize
4KB

Download
memory/4128-164-0x000002DD2A6E0000-0x000002DD2A6E1000-memory.dmp

Filesize
4KB

Download
memory/4128-165-0x000002DD2A6E0000-0x000002DD2A6E1000-memory.dmp

Filesize
4KB

Download