6a0b1eb4ab800a30064227310edb5aec07360a47673460a8de060995e8ecf429

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2023 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ChrоmеSеtuр.exe
Size

8.3MB
MD5

c2099f26093aaa7a9feeed419f20d672
SHA1

08043f3d8c9558ad17669460f5d2ce6339569bef
SHA256

6a0b1eb4ab800a30064227310edb5aec07360a47673460a8de060995e8ecf429
SHA512

4fa0d0a39a83c51b54745c33d2310bdcd167acf979d216dba782a5ac4b26240dd2e0bb1edae3e3228d49fd7ccb5d2be35ca325d889953a22a884424a2c49e2a9
SSDEEP

196608:GYG8SIwhSKe2v0Dk8+MQubojfmBM7i/r/YzF97BQJZQtzv444O0o8fyR9eNNddTJ:GYG8SIwhSKe2v0Dk8+MQubojfmBM7i/n

Score

7^/10

spyware

Malware Config

Signatures

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/3276-0-0x000002BC7C3D0000-0x000002BC7CC22000-memory.dmp	net_reactor
behavioral2/memory/3276-2-0x000002BC7E9A0000-0x000002BC7E9B0000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	ChrоmеSеtuр.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	ChrоmеSеtuр.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3276 set thread context of 3668	3276	ChrоmеSеtuр.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3276	ChrоmеSеtuр.exe
3276	ChrоmеSеtuр.exe
3276	ChrоmеSеtuр.exe
3276	ChrоmеSеtuр.exe
3276	ChrоmеSеtuр.exe
3276	ChrоmеSеtuр.exe
3276	ChrоmеSеtuр.exe
3276	ChrоmеSеtuр.exe
3276	ChrоmеSеtuр.exe
3276	ChrоmеSеtuр.exe
2644	powershell.exe
2644	powershell.exe
2644	powershell.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe
3668	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3276	ChrоmеSеtuр.exe
Token: SeDebugPrivilege	2644	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 2644	3276	ChrоmеSеtuр.exe	96
PID 3276 wrote to memory of 2644	3276	ChrоmеSеtuр.exe	96
PID 3276 wrote to memory of 3668	3276	ChrоmеSеtuр.exe	101
PID 3276 wrote to memory of 3668	3276	ChrоmеSеtuр.exe	101
PID 3276 wrote to memory of 3668	3276	ChrоmеSеtuр.exe	101
PID 3276 wrote to memory of 3668	3276	ChrоmеSеtuр.exe	101
PID 3276 wrote to memory of 3668	3276	ChrоmеSеtuр.exe	101
PID 3276 wrote to memory of 3668	3276	ChrоmеSеtuр.exe	101
PID 3276 wrote to memory of 3668	3276	ChrоmеSеtuр.exe	101
PID 3276 wrote to memory of 3668	3276	ChrоmеSеtuр.exe	101
PID 3276 wrote to memory of 3668	3276	ChrоmеSеtuр.exe	101

C:\Users\Admin\AppData\Local\Temp\ChrоmеSеtuр.exe
"C:\Users\Admin\AppData\Local\Temp\ChrоmеSеtuр.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i02svoxe.mdh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2644-10-0x00007FFD64210000-0x00007FFD64CD1000-memory.dmp

Filesize
10.8MB

Download
memory/2644-25-0x00007FFD64210000-0x00007FFD64CD1000-memory.dmp

Filesize
10.8MB

Download
memory/2644-13-0x00000276140C0000-0x00000276140E2000-memory.dmp

Filesize
136KB

Download
memory/2644-12-0x00000276140B0000-0x00000276140C0000-memory.dmp

Filesize
64KB

Download
memory/2644-11-0x00000276140B0000-0x00000276140C0000-memory.dmp

Filesize
64KB

Download
memory/3276-4-0x000002BC7E9A0000-0x000002BC7E9B0000-memory.dmp

Filesize
64KB

Download
memory/3276-7-0x000002BC18000000-0x000002BC181F8000-memory.dmp

Filesize
2.0MB

Download
memory/3276-8-0x000002BC18200000-0x000002BC1824C000-memory.dmp

Filesize
304KB

Download
memory/3276-9-0x000002BC18250000-0x000002BC18420000-memory.dmp

Filesize
1.8MB

Download
memory/3276-6-0x000002BC7FDF0000-0x000002BC7FFEA000-memory.dmp

Filesize
2.0MB

Download
memory/3276-5-0x000002BC7FBE0000-0x000002BC7FDF2000-memory.dmp

Filesize
2.1MB

Download
memory/3276-0-0x000002BC7C3D0000-0x000002BC7CC22000-memory.dmp

Filesize
8.3MB

Download
memory/3276-3-0x00007FFD64210000-0x00007FFD64CD1000-memory.dmp

Filesize
10.8MB

Download
memory/3276-2-0x000002BC7E9A0000-0x000002BC7E9B0000-memory.dmp

Filesize
64KB

Download
memory/3276-1-0x00007FFD64210000-0x00007FFD64CD1000-memory.dmp

Filesize
10.8MB

Download
memory/3276-29-0x00007FFD64210000-0x00007FFD64CD1000-memory.dmp

Filesize
10.8MB

Download
memory/3668-26-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3668-28-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download