Analysis
-
max time kernel
151s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
-
submitted
23/11/2023, 10:06
General
-
Target
ChromeSetup.exe
-
Size
17.9MB
-
MD5
d5e9e6554281ea3efa2b1e40aeb9cb8b
-
SHA1
4152ca6e3146483ab96a8cea6cad1285cd12e80f
-
SHA256
3cbd732d1d9b72c12fd0b5338f6ea6417ec2d242f258fedab71fe48cdadccc2a
-
SHA512
5ac8bc3817923304025e4c6f4f8090f1bc1a69cb8a9fc327aac47ecdcc62a4f3cc68ed7d77ac8aba3e1dbb9b83d9bd9d1cb7181e1bc9608486a4274ccd7c69b4
-
SSDEEP
393216:VexY3xqC4zlB2qIbgpXAKCcOcfUz15rJE:0i8CClB2lUpX1BO8C5rJE
Malware Config
Signatures
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Downloads MZ/PE file
-
.NET Reactor proctector 4 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 16 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\modwnrhnigsm.exe"C:\Users\Admin\AppData\Local\Temp\modwnrhnigsm.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b64c58644b\Utsysc.exe"C:\Users\Admin\AppData\Local\Temp\b64c58644b\Utsysc.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\b64c58644b\Utsysc.exe" /F5⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\1000078001\hv.exe"C:\Users\Admin\AppData\Local\Temp\1000078001\hv.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\bhjwjtjdusgf.exe"C:\Users\Admin\AppData\Local\Temp\bhjwjtjdusgf.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s1x4.0.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
-
-
C:\ProgramData\pinterests\XRJNZC.exe"C:\ProgramData\pinterests\XRJNZC.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f6⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\pxodcfubixklgwvrfm.exe"C:\Users\Admin\AppData\Local\Temp\pxodcfubixklgwvrfm.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.2MB
MD5e6feb2feedcd40debe9652807abe05a2
SHA1960c00c0247a8002fb2c750915239d058d28c6a6
SHA256c4e7f8b515bb1affff353fc47f448d67656e8adad59e5124231d314266c12d64
SHA512eb908d5a9e8608bb1b48acdffcb176d94adc2d29d550637755c2ae025f5c7943520dacfc95995772e9fd1e7c4267dc18b863c4a0221208fb06d77f8f68f8229a
-
Filesize
5.2MB
MD5e6feb2feedcd40debe9652807abe05a2
SHA1960c00c0247a8002fb2c750915239d058d28c6a6
SHA256c4e7f8b515bb1affff353fc47f448d67656e8adad59e5124231d314266c12d64
SHA512eb908d5a9e8608bb1b48acdffcb176d94adc2d29d550637755c2ae025f5c7943520dacfc95995772e9fd1e7c4267dc18b863c4a0221208fb06d77f8f68f8229a
-
Filesize
5.2MB
MD5e6feb2feedcd40debe9652807abe05a2
SHA1960c00c0247a8002fb2c750915239d058d28c6a6
SHA256c4e7f8b515bb1affff353fc47f448d67656e8adad59e5124231d314266c12d64
SHA512eb908d5a9e8608bb1b48acdffcb176d94adc2d29d550637755c2ae025f5c7943520dacfc95995772e9fd1e7c4267dc18b863c4a0221208fb06d77f8f68f8229a
-
Filesize
4.0MB
MD5c04fb6fd0153009aed24dee63047c4aa
SHA1120dadef65d907eb09898d7dcd3e4ee99b7f763d
SHA256107732c9883b6616b6c6398234d6e44843de70e8724023d62ca3e908019e58e0
SHA512f4356784b6586bc3dfd438fb0d166cdd9910ce8f70110443997bb449c49f14306c8535717bc3e6d05017586d39fd2b11fdb9efcd72068eab333f0aa09f01ec52
-
Filesize
4.0MB
MD5c04fb6fd0153009aed24dee63047c4aa
SHA1120dadef65d907eb09898d7dcd3e4ee99b7f763d
SHA256107732c9883b6616b6c6398234d6e44843de70e8724023d62ca3e908019e58e0
SHA512f4356784b6586bc3dfd438fb0d166cdd9910ce8f70110443997bb449c49f14306c8535717bc3e6d05017586d39fd2b11fdb9efcd72068eab333f0aa09f01ec52
-
Filesize
4.0MB
MD5c04fb6fd0153009aed24dee63047c4aa
SHA1120dadef65d907eb09898d7dcd3e4ee99b7f763d
SHA256107732c9883b6616b6c6398234d6e44843de70e8724023d62ca3e908019e58e0
SHA512f4356784b6586bc3dfd438fb0d166cdd9910ce8f70110443997bb449c49f14306c8535717bc3e6d05017586d39fd2b11fdb9efcd72068eab333f0aa09f01ec52
-
Filesize
742KB
MD5544cd51a596619b78e9b54b70088307d
SHA14769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
7.2MB
MD50c1f96ef7290e9878e11070d7893d63a
SHA1b844fac5f1f8169edfcf03f0597070b238d2aea7
SHA2561aafc84f8bee9cc2d5e49f6c9c964dfd098c07581db9d83715d0c007ee006a8c
SHA51238286bebcdb2c982d1ac0f1ee32c96c2cfd329787e7e069061dea2e935e907cf4f5e84e757bb086c4e790d6b8e2db2a780602fa4931b048806e5e557c9354cdb
-
Filesize
7.2MB
MD50c1f96ef7290e9878e11070d7893d63a
SHA1b844fac5f1f8169edfcf03f0597070b238d2aea7
SHA2561aafc84f8bee9cc2d5e49f6c9c964dfd098c07581db9d83715d0c007ee006a8c
SHA51238286bebcdb2c982d1ac0f1ee32c96c2cfd329787e7e069061dea2e935e907cf4f5e84e757bb086c4e790d6b8e2db2a780602fa4931b048806e5e557c9354cdb
-
Filesize
7.2MB
MD50c1f96ef7290e9878e11070d7893d63a
SHA1b844fac5f1f8169edfcf03f0597070b238d2aea7
SHA2561aafc84f8bee9cc2d5e49f6c9c964dfd098c07581db9d83715d0c007ee006a8c
SHA51238286bebcdb2c982d1ac0f1ee32c96c2cfd329787e7e069061dea2e935e907cf4f5e84e757bb086c4e790d6b8e2db2a780602fa4931b048806e5e557c9354cdb
-
Filesize
5.2MB
MD5e6feb2feedcd40debe9652807abe05a2
SHA1960c00c0247a8002fb2c750915239d058d28c6a6
SHA256c4e7f8b515bb1affff353fc47f448d67656e8adad59e5124231d314266c12d64
SHA512eb908d5a9e8608bb1b48acdffcb176d94adc2d29d550637755c2ae025f5c7943520dacfc95995772e9fd1e7c4267dc18b863c4a0221208fb06d77f8f68f8229a
-
Filesize
5.2MB
MD5e6feb2feedcd40debe9652807abe05a2
SHA1960c00c0247a8002fb2c750915239d058d28c6a6
SHA256c4e7f8b515bb1affff353fc47f448d67656e8adad59e5124231d314266c12d64
SHA512eb908d5a9e8608bb1b48acdffcb176d94adc2d29d550637755c2ae025f5c7943520dacfc95995772e9fd1e7c4267dc18b863c4a0221208fb06d77f8f68f8229a
-
Filesize
7.2MB
MD50c1f96ef7290e9878e11070d7893d63a
SHA1b844fac5f1f8169edfcf03f0597070b238d2aea7
SHA2561aafc84f8bee9cc2d5e49f6c9c964dfd098c07581db9d83715d0c007ee006a8c
SHA51238286bebcdb2c982d1ac0f1ee32c96c2cfd329787e7e069061dea2e935e907cf4f5e84e757bb086c4e790d6b8e2db2a780602fa4931b048806e5e557c9354cdb
-
Filesize
7.2MB
MD50c1f96ef7290e9878e11070d7893d63a
SHA1b844fac5f1f8169edfcf03f0597070b238d2aea7
SHA2561aafc84f8bee9cc2d5e49f6c9c964dfd098c07581db9d83715d0c007ee006a8c
SHA51238286bebcdb2c982d1ac0f1ee32c96c2cfd329787e7e069061dea2e935e907cf4f5e84e757bb086c4e790d6b8e2db2a780602fa4931b048806e5e557c9354cdb
-
Filesize
3.7MB
MD52955a0e327e5f6153f8fe6ea085880d6
SHA19a1c3c549957f02443b8144c583d33054ac064f4
SHA2562bb859b001f69f28531660244df9ae2dd7764ac82eac5a333f60f368cecb108e
SHA5122ab2a45adef1fbd9f21ae83dc3f4e7b5ab64dd35e29aa0d75e3ed3ccc7c595170710e2e3cf0de53296c41ed3dc6bf5520392f0b733454efa4e60990e4b2fcd05
-
Filesize
3.7MB
MD52955a0e327e5f6153f8fe6ea085880d6
SHA19a1c3c549957f02443b8144c583d33054ac064f4
SHA2562bb859b001f69f28531660244df9ae2dd7764ac82eac5a333f60f368cecb108e
SHA5122ab2a45adef1fbd9f21ae83dc3f4e7b5ab64dd35e29aa0d75e3ed3ccc7c595170710e2e3cf0de53296c41ed3dc6bf5520392f0b733454efa4e60990e4b2fcd05
-
Filesize
176B
MD5488df4d126fecf27815d5a6558a6c0f9
SHA1420372fada16c51bcc019580aaf938edd5184f33
SHA2562b6278edfb0d2bfb53bb3d0c2a5e3e6a63302e2b2cf9130f97b13bdd82f45700
SHA51231ef63faa12aacb223975712b644d52655cdbe37f4bba91036386274c72144b0ab95fe410746607aab72b872367cfd07e707a09b5f19969a21d7290ccb9f4acc
-
Filesize
20KB
MD5c9ff7748d8fcef4cf84a5501e996a641
SHA102867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA2564d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
Filesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14.3MB
-
Filesize
4KB
-
Filesize
14.3MB
-
Filesize
4KB
-
Filesize
14.3MB
-
Filesize
14.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
13.8MB
-
Filesize
13.8MB
-
Filesize
13.8MB
-
Filesize
13.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
13.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
13.8MB
-
Filesize
8KB
-
Filesize
13.8MB
-
Filesize
13.8MB
-
Filesize
14.3MB
-
Filesize
4KB
-
Filesize
14.3MB
-
Filesize
4KB
-
Filesize
14.3MB
-
Filesize
7.7MB
-
Filesize
5.2MB
-
Filesize
120KB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
840KB
-
Filesize
7.7MB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
4.1MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
624KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
1.6MB
-
Filesize
13.8MB
-
Filesize
13.8MB
-
Filesize
13.8MB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
312KB
-
Filesize
8KB
-
Filesize
30.2MB
-
Filesize
30.2MB
-
Filesize
8KB
-
Filesize
30.2MB
-
Filesize
8KB
-
Filesize
312KB
-
Filesize
30.2MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
3.7MB
-
Filesize
4KB
-
Filesize
760KB
-
Filesize
760KB
-
Filesize
10.8MB