Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

СhrоmеSеtup.appx

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/09/2023, 23:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    СhrоmеSеtup.appx

  • Size

    10.1MB

  • MD5

    1d5e7d2f1e3fc981a5eb32b00c83dbdf

  • SHA1

    74e26a41778aa79a77c62f9b95cb85a39ca8c0cc

  • SHA256

    b1feff99f4f5f7f17f6fe19dadaa1f53be277fd21a8e749f269d067abeb5a4e5

  • SHA512

    43799f0dc0c92dcb98af5e09b6663e62983f99cbc61ef37267d6a26a989d52f59c8dc17314b87432f2457061d1a83852b11f02d5c521cceffec5639aa14688b4

  • SSDEEP

    196608:wMGH/COpgGO6vLxuU5hSS1hSDOkj+d0Jf3HOly8XTLWU7Ss9AMClm:wxH//j+jiul3OlyGV7xP

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3132
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell start shell:AppsFolder\GoogleLLC.Chrome_gmwsd4vw032t2!Chrome
        2⤵
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1208
      • C:\Program Files\WindowsApps\GoogleLLC.Chrome_116.0.5845.141_x64__gmwsd4vw032t2\ChromeSetup.exe
        "C:\Program Files\WindowsApps\GoogleLLC.Chrome_116.0.5845.141_x64__gmwsd4vw032t2\ChromeSetup.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4788
      • C:\Users\Admin\AppData\Roaming\wscinterop\PONDVQYPNAHZWHMWF\ChromeSetup.exe
        C:\Users\Admin\AppData\Roaming\wscinterop\PONDVQYPNAHZWHMWF\ChromeSetup.exe
        2⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        PID:2832

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Packages\GoogleLLC.Chrome_gmwsd4vw032t2\LocalCache\Roaming\wscinterop\PONDVQYPNAHZWHMWF\ChromeSetup.exe
      Filesize

      1.3MB

      MD5

      5f0299e8aa87a9c4ac70ed9f7dc8bb69

      SHA1

      b8d65ffa13dd75ceff65c22f1bc9c6eece28a0e7

      SHA256

      f6b1f463677c99ac7b68241758bf9bf756d448e4d35152c7ff3722c2d1c144da

      SHA512

      37f31078d6965dd0adc585f1f1f062366c5c51b80d681c7d7d987becb8e8697308e96a20ccd990166139226c62db48d1cfa540423930906ff800697ac37bcdfa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0wguskqv.xdx.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/1208-5-0x000001C2E4860000-0x000001C2E4882000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1208-10-0x00007FF8F7780000-0x00007FF8F8241000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1208-11-0x000001C2E3EA0000-0x000001C2E3EB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1208-12-0x000001C2E3EA0000-0x000001C2E3EB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1208-14-0x00007FF8F7780000-0x00007FF8F8241000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4788-15-0x0000000074360000-0x00000000755B4000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4788-17-0x0000000074360000-0x00000000755B4000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4788-157-0x0000000000400000-0x00000000007F2000-memory.dmp

      Filesize

      3.9MB

      Download