Analysis

  • max time kernel
    142s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/09/2023, 23:35 UTC

General

  • Target

    СhrоmеSеtup.appx

  • Size

    10.1MB

  • MD5

    1d5e7d2f1e3fc981a5eb32b00c83dbdf

  • SHA1

    74e26a41778aa79a77c62f9b95cb85a39ca8c0cc

  • SHA256

    b1feff99f4f5f7f17f6fe19dadaa1f53be277fd21a8e749f269d067abeb5a4e5

  • SHA512

    43799f0dc0c92dcb98af5e09b6663e62983f99cbc61ef37267d6a26a989d52f59c8dc17314b87432f2457061d1a83852b11f02d5c521cceffec5639aa14688b4

  • SSDEEP

    196608:wMGH/COpgGO6vLxuU5hSS1hSDOkj+d0Jf3HOly8XTLWU7Ss9AMClm:wxH//j+jiul3OlyGV7xP

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3132
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell start shell:AppsFolder\GoogleLLC.Chrome_gmwsd4vw032t2!Chrome
        2⤵
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1208
      • C:\Program Files\WindowsApps\GoogleLLC.Chrome_116.0.5845.141_x64__gmwsd4vw032t2\ChromeSetup.exe
        "C:\Program Files\WindowsApps\GoogleLLC.Chrome_116.0.5845.141_x64__gmwsd4vw032t2\ChromeSetup.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4788
      • C:\Users\Admin\AppData\Roaming\wscinterop\PONDVQYPNAHZWHMWF\ChromeSetup.exe
        C:\Users\Admin\AppData\Roaming\wscinterop\PONDVQYPNAHZWHMWF\ChromeSetup.exe
        2⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        PID:2832

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • flag-us
      DNS
      2.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      2.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      9.228.82.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      9.228.82.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      crl.comodoca.com
      Remote address:
      8.8.8.8:53
      Request
      crl.comodoca.com
      IN A
      Response
      crl.comodoca.com
      IN CNAME
      crl.comodoca.com.cdn.cloudflare.net
      crl.comodoca.com.cdn.cloudflare.net
      IN A
      104.18.15.101
      crl.comodoca.com.cdn.cloudflare.net
      IN A
      104.18.14.101
    • flag-us
      GET
      http://crl.comodoca.com/AAACertificateServices.crl
      Remote address:
      104.18.15.101:80
      Request
      GET /AAACertificateServices.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: crl.comodoca.com
      Response
      HTTP/1.1 200 OK
      Date: Sun, 17 Sep 2023 23:35:31 GMT
      Content-Type: application/pkix-crl
      Content-Length: 506
      Connection: keep-alive
      Last-Modified: Sun, 17 Sep 2023 21:44:03 GMT
      ETag: "65077323-1fa"
      X-CCACDN-Mirror-ID: sscrl1
      Cache-Control: max-age=14400, s-maxage=3600
      Expires: Sun, 24 Sep 2023 21:44:03 GMT
      X-CCACDN-Proxy-ID: mcdpinlb6
      X-Frame-Options: SAMEORIGIN
      CF-Cache-Status: HIT
      Age: 3252
      Accept-Ranges: bytes
      Server: cloudflare
      CF-RAY: 80852a868f06b7e2-AMS
    • flag-us
      DNS
      101.15.18.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      101.15.18.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      101.14.18.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      101.14.18.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      41.110.16.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      41.110.16.96.in-addr.arpa
      IN PTR
      Response
      41.110.16.96.in-addr.arpa
      IN PTR
      a96-16-110-41.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      metmuseum.org
      ChromeSetup.exe
      Remote address:
      8.8.8.8:53
      Request
      metmuseum.org
      IN A
      Response
      metmuseum.org
      IN A
      76.76.21.21
    • flag-us
      GET
      https://metmuseum.org/
      ChromeSetup.exe
      Remote address:
      76.76.21.21:443
      Request
      GET / HTTP/1.1
      Connection: Keep-Alive
      Host: metmuseum.org
      Response
      HTTP/1.1 308 Permanent Redirect
      Cache-Control: public, max-age=0, must-revalidate
      Connection: keep-alive
      Content-Type: text/plain
      Date: Sun, 17 Sep 2023 23:35:44 GMT
      Location: https://www.metmuseum.org/
      Refresh: 0;url=https://www.metmuseum.org/
      Server: Vercel
      Strict-Transport-Security: max-age=63072000
      X-Vercel-Cache: MISS
      X-Vercel-Id: fra1::m6fhl-1694993744775-580c3be607b2
      Transfer-Encoding: chunked
    • flag-us
      DNS
      www.metmuseum.org
      ChromeSetup.exe
      Remote address:
      8.8.8.8:53
      Request
      www.metmuseum.org
      IN A
      Response
      www.metmuseum.org
      IN CNAME
      cname.vercel-dns.com
      cname.vercel-dns.com
      IN A
      76.76.21.61
      cname.vercel-dns.com
      IN A
      76.76.21.241
    • flag-us
      GET
      https://www.metmuseum.org/
      ChromeSetup.exe
      Remote address:
      76.76.21.61:443
      Request
      GET / HTTP/1.1
      Connection: Keep-Alive
      Host: www.metmuseum.org
      Response
      HTTP/1.1 200 OK
      Age: 10746
      Cache-Control: public, max-age=0, must-revalidate
      Connection: keep-alive
      Content-Length: 302089
      Content-Type: text/html; charset=utf-8
      Date: Sun, 17 Sep 2023 20:36:37 GMT
      Etag: "3w2kxf4ve56gwx"
      Permissions-Policy: accelerometer=(), autoplay=(self), camera=(), fullscreen=(self 'https://player.cnevids.com'), geolocation=(), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), payment=(), sync-xhr=(self)
      Referrer-Policy: strict-origin-when-cross-origin
      Server: Vercel
      Strict-Transport-Security: max-age=63072000
      X-Content-Type-Options: nosniff
      X-Frame-Options: SAMEORIGIN
      X-Matched-Path: /en
      X-Powered-By: Next.js
      X-Vercel-Cache: HIT
      X-Vercel-Id: fra1::iad1::bxxwd-1694993744916-6a01022b25b7
    • flag-us
      DNS
      21.21.76.76.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      21.21.76.76.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      61.21.76.76.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      61.21.76.76.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      56.126.166.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.126.166.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      240.81.21.72.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.81.21.72.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      121.208.253.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      121.208.253.8.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      23.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      23.236.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      11.173.189.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      11.173.189.20.in-addr.arpa
      IN PTR
      Response
    • 104.18.15.101:80
      http://crl.comodoca.com/AAACertificateServices.crl
      http
      419 B
      1.2kB
      6
      4

      HTTP Request

      GET http://crl.comodoca.com/AAACertificateServices.crl

      HTTP Response

      200
    • 76.76.21.21:443
      https://metmuseum.org/
      tls, http
      ChromeSetup.exe
      859 B
      6.0kB
      11
      10

      HTTP Request

      GET https://metmuseum.org/

      HTTP Response

      308
    • 76.76.21.61:443
      https://www.metmuseum.org/
      tls, http
      ChromeSetup.exe
      6.1kB
      319.0kB
      125
      236

      HTTP Request

      GET https://www.metmuseum.org/

      HTTP Response

      200
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      2.159.190.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      2.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      9.228.82.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      9.228.82.20.in-addr.arpa

    • 8.8.8.8:53
      crl.comodoca.com
      dns
      62 B
      143 B
      1
      1

      DNS Request

      crl.comodoca.com

      DNS Response

      104.18.15.101
      104.18.14.101

    • 8.8.8.8:53
      101.15.18.104.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      101.15.18.104.in-addr.arpa

    • 8.8.8.8:53
      101.14.18.104.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      101.14.18.104.in-addr.arpa

    • 8.8.8.8:53
      41.110.16.96.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      41.110.16.96.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      metmuseum.org
      dns
      ChromeSetup.exe
      59 B
      75 B
      1
      1

      DNS Request

      metmuseum.org

      DNS Response

      76.76.21.21

    • 8.8.8.8:53
      www.metmuseum.org
      dns
      ChromeSetup.exe
      63 B
      129 B
      1
      1

      DNS Request

      www.metmuseum.org

      DNS Response

      76.76.21.61
      76.76.21.241

    • 8.8.8.8:53
      21.21.76.76.in-addr.arpa
      dns
      70 B
      124 B
      1
      1

      DNS Request

      21.21.76.76.in-addr.arpa

    • 8.8.8.8:53
      61.21.76.76.in-addr.arpa
      dns
      70 B
      124 B
      1
      1

      DNS Request

      61.21.76.76.in-addr.arpa

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      56.126.166.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      56.126.166.20.in-addr.arpa

    • 8.8.8.8:53
      240.81.21.72.in-addr.arpa
      dns
      71 B
      142 B
      1
      1

      DNS Request

      240.81.21.72.in-addr.arpa

    • 8.8.8.8:53
      121.208.253.8.in-addr.arpa
      dns
      72 B
      126 B
      1
      1

      DNS Request

      121.208.253.8.in-addr.arpa

    • 8.8.8.8:53
      23.236.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      23.236.111.52.in-addr.arpa

    • 8.8.8.8:53
      11.173.189.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      11.173.189.20.in-addr.arpa

    Downloads

    • C:\Users\Admin\AppData\Local\Packages\GoogleLLC.Chrome_gmwsd4vw032t2\LocalCache\Roaming\wscinterop\PONDVQYPNAHZWHMWF\ChromeSetup.exe

      Filesize

      1.3MB

      MD5

      5f0299e8aa87a9c4ac70ed9f7dc8bb69

      SHA1

      b8d65ffa13dd75ceff65c22f1bc9c6eece28a0e7

      SHA256

      f6b1f463677c99ac7b68241758bf9bf756d448e4d35152c7ff3722c2d1c144da

      SHA512

      37f31078d6965dd0adc585f1f1f062366c5c51b80d681c7d7d987becb8e8697308e96a20ccd990166139226c62db48d1cfa540423930906ff800697ac37bcdfa

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0wguskqv.xdx.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/1208-5-0x000001C2E4860000-0x000001C2E4882000-memory.dmp

      Filesize

      136KB

    • memory/1208-10-0x00007FF8F7780000-0x00007FF8F8241000-memory.dmp

      Filesize

      10.8MB

    • memory/1208-11-0x000001C2E3EA0000-0x000001C2E3EB0000-memory.dmp

      Filesize

      64KB

    • memory/1208-12-0x000001C2E3EA0000-0x000001C2E3EB0000-memory.dmp

      Filesize

      64KB

    • memory/1208-14-0x00007FF8F7780000-0x00007FF8F8241000-memory.dmp

      Filesize

      10.8MB

    • memory/4788-15-0x0000000074360000-0x00000000755B4000-memory.dmp

      Filesize

      18.3MB

    • memory/4788-17-0x0000000074360000-0x00000000755B4000-memory.dmp

      Filesize

      18.3MB

    • memory/4788-157-0x0000000000400000-0x00000000007F2000-memory.dmp

      Filesize

      3.9MB
