c3b72d0f35467544e2e69625c460e132685bea32039f3165705f299e989fe2fc

Analysis

max time kernel
1801s
max time network
1580s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2023 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chrome Setup.exe
Size

59.0MB
MD5

96a8f5ff9b9fb09a122288afc9d9d326
SHA1

75ed790c8727b88873ce6d6cd2d9367903590b24
SHA256

c3b72d0f35467544e2e69625c460e132685bea32039f3165705f299e989fe2fc
SHA512

47a25920ce015ff832c0ce71590bd0cd51dbf4f314df614518bfaf5938a1663bddb45ab670b364f10b15560b3858e2378a21e44a8cf777ee6a4c6434134c2c75
SSDEEP

1572864:apgH7Iptkksxz6fQONui1H2YGr5kBjYbw+eW1/Ijq+PaY:hbqtkBRbsR2YSwq1gjq+Pa

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Executes dropped EXE 2 IoCs

pid	Process
4840	setup.exe
552	setup.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
3360	PING.EXE
2964	PING.EXE
4976	PING.EXE
4112	PING.EXE
2792	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4496	Chrome Setup.exe
Token: SeIncBasePriorityPrivilege	4496	Chrome Setup.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 4840	4496	Chrome Setup.exe	85
PID 4496 wrote to memory of 4840	4496	Chrome Setup.exe	85
PID 4840 wrote to memory of 552	4840	setup.exe	86
PID 4840 wrote to memory of 552	4840	setup.exe	86
PID 2776 wrote to memory of 3360	2776	cmd.exe	103
PID 2776 wrote to memory of 3360	2776	cmd.exe	103
PID 1160 wrote to memory of 2964	1160	cmd.exe	107
PID 1160 wrote to memory of 2964	1160	cmd.exe	107
PID 1160 wrote to memory of 4976	1160	cmd.exe	108
PID 1160 wrote to memory of 4976	1160	cmd.exe	108
PID 1160 wrote to memory of 4112	1160	cmd.exe	109
PID 1160 wrote to memory of 4112	1160	cmd.exe	109
PID 1160 wrote to memory of 2792	1160	cmd.exe	110
PID 1160 wrote to memory of 2792	1160	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\Chrome Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome Setup.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Users\Admin\AppData\Local\Temp\CR_F0D87.tmp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\CR_F0D87.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\CR_F0D87.tmp\CHROME.PACKED.7Z"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Users\Admin\AppData\Local\Temp\CR_F0D87.tmp\setup.exe
    C:\Users\Admin\AppData\Local\Temp\CR_F0D87.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=84.0.4147.89 --initial-client-data=0x264,0x268,0x26c,0x240,0x270,0x7ff7d8d7b690,0x7ff7d8d7b6a0,0x7ff7d8d7b6b0
    3⤵
    - Executes dropped EXE
    PID:552

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\system32\PING.EXE
  ping sede-sanborja.gotdns.ch -t -l 10000
  2⤵
  - Runs ping.exe
  PID:3360

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\system32\PING.EXE
  ping uceprotect.net -t -l 65000
  2⤵
  - Runs ping.exe
  PID:2964
- C:\Windows\system32\PING.EXE
  ping www.uceprotect -t -l 65000
  2⤵
  - Runs ping.exe
  PID:4976
- C:\Windows\system32\PING.EXE
  ping www.uceprotect.net
  2⤵
  - Runs ping.exe
  PID:4112
- C:\Windows\system32\PING.EXE
  ping 188.114.96.0 -t -l 40000
  2⤵
  - Runs ping.exe
  PID:2792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CR_F0D87.tmp\setup.exe

Filesize
2.2MB

MD5
a11b1fadb1bfc3b3d54308a09234801a

SHA1
d3b4cae1c3b7c8fab7ea84fd9df4978c269b7b99

SHA256
f09458e09dbb6128d2f115978b2565e5ec0511c0c1261a5798ada1ff052a6eee

SHA512
47278f585e57de965100ffff013cbe9edc5a1b3ad9be2dfa235be9af4c8d25cc2c2d620709151007a620665ea42f1c6540634964005cffb706ba3656e27a9c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_F0D87.tmp\setup.exe

Filesize
2.2MB

MD5
a11b1fadb1bfc3b3d54308a09234801a

SHA1
d3b4cae1c3b7c8fab7ea84fd9df4978c269b7b99

SHA256
f09458e09dbb6128d2f115978b2565e5ec0511c0c1261a5798ada1ff052a6eee

SHA512
47278f585e57de965100ffff013cbe9edc5a1b3ad9be2dfa235be9af4c8d25cc2c2d620709151007a620665ea42f1c6540634964005cffb706ba3656e27a9c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_F0D87.tmp\setup.exe

Filesize
2.2MB

MD5
a11b1fadb1bfc3b3d54308a09234801a

SHA1
d3b4cae1c3b7c8fab7ea84fd9df4978c269b7b99

SHA256
f09458e09dbb6128d2f115978b2565e5ec0511c0c1261a5798ada1ff052a6eee

SHA512
47278f585e57de965100ffff013cbe9edc5a1b3ad9be2dfa235be9af4c8d25cc2c2d620709151007a620665ea42f1c6540634964005cffb706ba3656e27a9c98

Download Submit