Analysis
-
max time kernel
315s -
max time network
379s -
platform
windows10-1703_x64 -
resource
win10-20230703-en -
resource tags
arch:x64 arch:x86 image:win10-20230703-en locale:en-us os:windows10-1703-x64 system -
submitted
14/07/2023, 10:58
Static task
static1
Behavioral task
behavioral1
Sample
Chrome_update.js
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
Chrome_update.js
Resource
win10-20230703-en
Behavioral task
behavioral3
Sample
Chrome_update.js
Resource
win10v2004-20230703-en
General
-
Target
Chrome_update.js
-
Size
557KB
-
MD5
1e589efc405c7b9af2cf0204527c8dc0
-
SHA1
5adf3277054b7698f6f6ca184905cb07ef806362
-
SHA256
46a4c3da6ce3e37e603aa50253cec14a2b70874495c0c9b54130a7083619ecac
-
SHA512
eb081b232c4e6c5a7a31ff5df065d536c55976c2e0763c04add765700e31dc8324f1709f41cbcab996c1d855356f895be16e318a12f5041ec65181557b7b9ee9
-
SSDEEP
12288:SG0crv/Vrv/krv/PYXljLBYUfmTfmc4E7+TFnb:t5lGIPO32b
Malware Config
Signatures
-
Blocklisted process makes network request 4 IoCs
flow  pid   Process
2     1864  wscript.exe
4     1864  wscript.exe
7     1864  wscript.exe
9     1864  wscript.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 10 IoCs
description                          pid   Process      procid_target
PID 1864 wrote to memory of 3512     1864  wscript.exe  69
PID 1864 wrote to memory of 3512     1864  wscript.exe  69
PID 3512 wrote to memory of 1660     3512  cmd.exe      71
PID 3512 wrote to memory of 1660     3512  cmd.exe      71
PID 3512 wrote to memory of 3076     3512  cmd.exe      72
PID 3512 wrote to memory of 3076     3512  cmd.exe      72
PID 3512 wrote to memory of 2920     3512  cmd.exe      73
PID 3512 wrote to memory of 2920     3512  cmd.exe      73
PID 3512 wrote to memory of 3860     3512  cmd.exe      74
PID 3512 wrote to memory of 3860     3512  cmd.exe      74
Processes
-
C:\Windows\system32\wscript.exe
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Chrome_update.js
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:1864
  -
  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c C://ProgramData//SNAhVIwVqdiU.bat
    - Suspicious use of WriteProcessMemory
    PID:3512
    -
    C:\Windows\system32\cmd.exe
      command line: cmd.exe /c C:\ProgramData\sett.bat"
      PID:1660
    -
    C:\Windows\system32\cmd.exe
      command line: cmd.exe /c C:\ProgramData\7z.bat"
      PID:3076
    -
    C:\Windows\system32\cmd.exe
      command line: cmd.exe /c C:\ProgramData\2.bat"
      PID:2920
    -
    C:\Windows\system32\cmd.exe
      command line: cmd.exe /c C:\ProgramData\2.bat"
      PID:3860
    -
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
232B
MD5
6011bc3aa00cc9eefa63bd07c9676678
SHA1
9c8fb9c006ab9787254bd6ade3194a90c24d66c9
SHA256
5a8a48a2be136200954f5f81de68363d5dd8c82489dacae5d6b717b598634079
SHA512
93869d542de437ce4514c745153284163305256f4673139a91ce9253ea329941b1fc273ccb3c0a2710e761ad41698a3f96ea0a5516ab3f436a5ead82572d36ba
-
Filesize
239B
MD5
67404b0103100e3452532b69a46aa33f
SHA1
4bc62bfaecc1a4c5c95d906e2b64e161933f9965
SHA256
6f1624a63e0713b8c0f86a461e9ce955f0d7eef8d4d3cdacf0b79e3ae843f19c
SHA512
4c7f3e63746179413915f308dea04cf668f909a4111caa479b633587137483ff7af548e2aab7180617cc5a6363884151f546a58b0b40a7bdb7edc3024bb26989
-
Filesize
9KB
MD5
4b2794840b114be5011da81ad4c462d8
SHA1
66cf9461efa6fb1e55af037515121d2a856670ac
SHA256
60dbaed2358a02ed2102cc2158c05fce9bba87674d68f1114198423bd8460a93
SHA512
28d60ca188d99af1e6338d97cbcde497f5325c1a7da132b7d8f9c29a630d93570b488db40bc3ded89fa96c04153298b6a15128f641fcb1134cfa8d933d9e8b2c
-
Filesize
248B
MD5
7d1c3743cb7af1f479ef8a94c1dc44da
SHA1
228abfe62f4f166bb0881e273c2bd6bffb3167d4
SHA256
434d977609d8c580895a2b3b74f0948e2670bdeef5d06a1325c4940264b95f6c
SHA512
e00f310e0c09b0e78ee98e8c1efdbb2caf6cac0e5fde51536123443f54f271c0232b4521c02de5083eb18cc03d350d37a0cb1ed2da58c6a0830b5462def34276