Analysis
-
max time kernel
357s -
max time network
361s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
14/07/2023, 10:58
Static task
static1
Behavioral task
behavioral1
Sample
Chrome_update.js
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
Chrome_update.js
Resource
win10-20230703-en
Behavioral task
behavioral3
Sample
Chrome_update.js
Resource
win10v2004-20230703-en
General
-
Target
Chrome_update.js
-
Size
557KB
-
MD5
1e589efc405c7b9af2cf0204527c8dc0
-
SHA1
5adf3277054b7698f6f6ca184905cb07ef806362
-
SHA256
46a4c3da6ce3e37e603aa50253cec14a2b70874495c0c9b54130a7083619ecac
-
SHA512
eb081b232c4e6c5a7a31ff5df065d536c55976c2e0763c04add765700e31dc8324f1709f41cbcab996c1d855356f895be16e318a12f5041ec65181557b7b9ee9
-
SSDEEP
12288:SG0crv/Vrv/krv/PYXljLBYUfmTfmc4E7+TFnb:t5lGIPO32b
Malware Config
Signatures
-
Blocklisted process makes network request 5 IoCs
flow pid Process 5 2624 wscript.exe 7 2624 wscript.exe 9 2624 wscript.exe 11 2624 wscript.exe 13 2624 wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 wscript.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 wscript.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2624 wrote to memory of 2716 2624 wscript.exe 29 PID 2624 wrote to memory of 2716 2624 wscript.exe 29 PID 2624 wrote to memory of 2716 2624 wscript.exe 29 PID 2716 wrote to memory of 752 2716 cmd.exe 31 PID 2716 wrote to memory of 752 2716 cmd.exe 31 PID 2716 wrote to memory of 752 2716 cmd.exe 31 PID 2716 wrote to memory of 2372 2716 cmd.exe 32 PID 2716 wrote to memory of 2372 2716 cmd.exe 32 PID 2716 wrote to memory of 2372 2716 cmd.exe 32 PID 2716 wrote to memory of 2340 2716 cmd.exe 33 PID 2716 wrote to memory of 2340 2716 cmd.exe 33 PID 2716 wrote to memory of 2340 2716 cmd.exe 33 PID 2716 wrote to memory of 2508 2716 cmd.exe 34 PID 2716 wrote to memory of 2508 2716 cmd.exe 34 PID 2716 wrote to memory of 2508 2716 cmd.exe 34
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Chrome_update.js1⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C://ProgramData//SNAhVIwVqdiU.bat2⤵
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\system32\cmd.execmd.exe /c C:\ProgramData\sett.bat"3⤵PID:752
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\ProgramData\7z.bat"3⤵PID:2372
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\ProgramData\2.bat"3⤵PID:2340
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\ProgramData\2.bat"3⤵PID:2508
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
232B
MD56011bc3aa00cc9eefa63bd07c9676678
SHA19c8fb9c006ab9787254bd6ade3194a90c24d66c9
SHA2565a8a48a2be136200954f5f81de68363d5dd8c82489dacae5d6b717b598634079
SHA51293869d542de437ce4514c745153284163305256f4673139a91ce9253ea329941b1fc273ccb3c0a2710e761ad41698a3f96ea0a5516ab3f436a5ead82572d36ba
-
Filesize
239B
MD567404b0103100e3452532b69a46aa33f
SHA14bc62bfaecc1a4c5c95d906e2b64e161933f9965
SHA2566f1624a63e0713b8c0f86a461e9ce955f0d7eef8d4d3cdacf0b79e3ae843f19c
SHA5124c7f3e63746179413915f308dea04cf668f909a4111caa479b633587137483ff7af548e2aab7180617cc5a6363884151f546a58b0b40a7bdb7edc3024bb26989
-
Filesize
9KB
MD54b2794840b114be5011da81ad4c462d8
SHA166cf9461efa6fb1e55af037515121d2a856670ac
SHA25660dbaed2358a02ed2102cc2158c05fce9bba87674d68f1114198423bd8460a93
SHA51228d60ca188d99af1e6338d97cbcde497f5325c1a7da132b7d8f9c29a630d93570b488db40bc3ded89fa96c04153298b6a15128f641fcb1134cfa8d933d9e8b2c
-
Filesize
248B
MD57d1c3743cb7af1f479ef8a94c1dc44da
SHA1228abfe62f4f166bb0881e273c2bd6bffb3167d4
SHA256434d977609d8c580895a2b3b74f0948e2670bdeef5d06a1325c4940264b95f6c
SHA512e00f310e0c09b0e78ee98e8c1efdbb2caf6cac0e5fde51536123443f54f271c0232b4521c02de5083eb18cc03d350d37a0cb1ed2da58c6a0830b5462def34276
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5d2906181003d4f831b35caacfe06df30
SHA1c424f02871319159141267fec5654714dea164c2
SHA2568060a25a453297eb1b5305d583c6c0361f5904c8e0d48267af0f6308b7984e61
SHA512d65be167ec7febdeadc6b3bd1e59bbc76103145686d1e61155685ceeff43394690f19f9941db56544acb7ff83f75d09d78204c866f972b7f0ae0e7fd8c2434ec
-
Filesize
62KB
MD53ac860860707baaf32469fa7cc7c0192
SHA1c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
-
Filesize
164KB
MD54ff65ad929cd9a367680e0e5b1c08166
SHA1c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27