Overview

overview

7

Static

static

1

ChrоmеSеtuр.exe

windows7-x64

6

ChrоmеSеtuр.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    106s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-11-2023 10:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ChrоmеSеtuр.exe

  • Size

    18.5MB

  • MD5

    aab9abec81f255e7f73d3ac2b393b82f

  • SHA1

    66294e12d96a95dfecd59dd07bf1a7d77827a17d

  • SHA256

    fcdb330d3323935ce117f9a457282b7d7aa6a13e7bdbfaca5b82d310f0f6ee59

  • SHA512

    cd413c7f935f8cefc1aa6bfb712af06315304fc56946f97d400f2b00ec368f3c34f5637c59f33c3bdb3ce161b02953f5df07b7c4e3db4f5b70563742c5b71261

  • SSDEEP

    393216:FeeErqRTbb2awJ9ry9izxOLzdZZn2rSDnBlnNn+Wv+yegR0XS1TxJsqN/IMzTzJH:FeeErqRTbb2awJ9ry9izxOLzdZZn2rSn

Score
7/10
spyware

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ChrоmеSеtuр.exe
    "C:\Users\Admin\AppData\Local\Temp\ChrоmеSеtuр.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5092
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
        PID:5016
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1232

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f4g130wo.q3x.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/1232-30-0x0000000000400000-0x0000000000484000-memory.dmp

      Filesize

      528KB

      Download

    • memory/1232-32-0x0000000000400000-0x0000000000484000-memory.dmp

      Filesize

      528KB

      Download

    • memory/2888-6-0x00000260C17C0000-0x00000260C180C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2888-4-0x00000260C2040000-0x00000260C2246000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2888-5-0x00000260C15B0000-0x00000260C17B6000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2888-3-0x00000260C1E20000-0x00000260C203E000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2888-7-0x00000260C1810000-0x00000260C19ED000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2888-8-0x00007FFF6CD30000-0x00007FFF6D7F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2888-9-0x00000260A8300000-0x00000260A8310000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2888-0-0x00000260A5440000-0x00000260A66CE000-memory.dmp

      Filesize

      18.6MB

      Download

    • memory/2888-2-0x00000260A8300000-0x00000260A8310000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2888-33-0x00007FFF6CD30000-0x00007FFF6D7F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2888-1-0x00007FFF6CD30000-0x00007FFF6D7F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5092-15-0x0000021433C20000-0x0000021433C42000-memory.dmp

      Filesize

      136KB

      Download

    • memory/5092-23-0x00007FFF6CD30000-0x00007FFF6D7F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5092-24-0x000002141AC40000-0x000002141AC50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5092-25-0x000002141AC40000-0x000002141AC50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5092-26-0x000002141AC40000-0x000002141AC50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5092-29-0x00007FFF6CD30000-0x00007FFF6D7F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5092-22-0x000002141AC40000-0x000002141AC50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5092-21-0x000002141AC40000-0x000002141AC50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5092-20-0x00007FFF6CD30000-0x00007FFF6D7F1000-memory.dmp

      Filesize

      10.8MB

      Download