Analysis
max time kernel: 128s
max time network: 132s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
submitted: 14/07/2023, 05:45
Static task: static1
Behavioral task: behavioral1
  Sample: Chrome_update.js
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: Chrome_update.js
  Resource: win10-20230703-en
Behavioral task: behavioral3
  Sample: Chrome_update.js
  Resource: win10v2004-20230703-en
General
Target: Chrome_update.js
Size: 548KB
MD5: de577b14a91163a413aa0cff3b8bc805
SHA1: ff303a738937fbe068f11f592ebc9d8ba77d2c8c
SHA256: 680135cc234cc387ff529ac500fe4eac5b648ed1c9e1c694b4d697106e79bdfe
SHA512: 73fd0b87d8989a619357794a7274ce4a91274e8a3ac76b9b7e25dfcf7b3d480bae40dd77b088dbad2e39c87e801ebc1afd2ad5c8972a9c5cf82f16f76ad53940
SSDEEP: 12288:Dy9iK9ic9i49i49ie9i1pYs1CB7uM6vJBtBaB3BhBGB3b:DyvJNNJGpYq9vJBV
Malware Config
Signatures
- Blocklisted process makes network request (4 IoCs)
  flow  pid   Process
  2     4924  wscript.exe
  4     4924  wscript.exe
  6     4924  wscript.exe
  8     4924  wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (10 IoCs)
  description                        pid   Process      procid_target
  PID 4924 wrote to memory of 2832   4924  wscript.exe  69
  PID 4924 wrote to memory of 2832   4924  wscript.exe  69
  PID 2832 wrote to memory of 3920   2832  cmd.exe      71
  PID 2832 wrote to memory of 3920   2832  cmd.exe      71
  PID 2832 wrote to memory of 4528   2832  cmd.exe      72
  PID 2832 wrote to memory of 4528   2832  cmd.exe      72
  PID 2832 wrote to memory of 4504   2832  cmd.exe      73
  PID 2832 wrote to memory of 4504   2832  cmd.exe      73
  PID 2832 wrote to memory of 344    2832  cmd.exe      74
  PID 2832 wrote to memory of 344    2832  cmd.exe      74
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\Chrome_update.js
  PID: 4924
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C://ProgramData//pFSeiWofHgUbpCQepaDtC.bat
    PID: 2832
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      cmd.exe /c C:\ProgramData\sett.bat"
      PID: 3920
    - C:\Windows\system32\cmd.exe
      cmd.exe /c C:\ProgramData\7z.bat"
      PID: 4528
    - C:\Windows\system32\cmd.exe
      cmd.exe /c C:\ProgramData\2.bat"
      PID: 4504
    - C:\Windows\system32\cmd.exe
      cmd.exe /c C:\ProgramData\2.bat"
      PID: 344
Network
MITRE ATT&CK Enterprise v6
Downloads