a78d950b4efd0d703b0676693b608a7a03476d713243444f5eec108a3f724293

Analysis

max time kernel
1214s
max time network
1602s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
23-01-2024 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

install.exe
Size

3.9MB
MD5

c4e07632ff79098a7a20c296ff897d8a
SHA1

affe33da9f32b73bf2b6c20141ce76be44e64841
SHA256

a78d950b4efd0d703b0676693b608a7a03476d713243444f5eec108a3f724293
SHA512

1c773346ed19372d9d895552029bd41853933d317e188b2bcba909c0100b197d56c110600a51e33043de59c811434bf0afcf01d73169dfb9e018ee50b5de5538
SSDEEP

49152:HqMnHHY4/Kcd8g+WhN4nU9Q2ptlr3DRfNJTX8ZTtz0+6nW1wAA6o:HznY6Ks8gBhNNa2/lRfNJTXKJIFLAAT

Score

3^/10

Malware Config

Signatures

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2596	3040	WerFault.exe	72
4064	3040	WerFault.exe	72
4164	2772	WerFault.exe	95
1040	2772	WerFault.exe	95

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133505003389676786"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2212	chrome.exe
2212	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe
3292	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 3292	2212	chrome.exe	78
PID 2212 wrote to memory of 3292	2212	chrome.exe	78
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 4896	2212	chrome.exe	81
PID 2212 wrote to memory of 1256	2212	chrome.exe	80
PID 2212 wrote to memory of 1256	2212	chrome.exe	80
PID 2212 wrote to memory of 3900	2212	chrome.exe	82
PID 2212 wrote to memory of 3900	2212	chrome.exe	82
PID 2212 wrote to memory of 3900	2212	chrome.exe	82
PID 2212 wrote to memory of 3900	2212	chrome.exe	82
PID 2212 wrote to memory of 3900	2212	chrome.exe	82
PID 2212 wrote to memory of 3900	2212	chrome.exe	82
PID 2212 wrote to memory of 3900	2212	chrome.exe	82
PID 2212 wrote to memory of 3900	2212	chrome.exe	82
PID 2212 wrote to memory of 3900	2212	chrome.exe	82
PID 2212 wrote to memory of 3900	2212	chrome.exe	82
PID 2212 wrote to memory of 3900	2212	chrome.exe	82
PID 2212 wrote to memory of 3900	2212	chrome.exe	82
PID 2212 wrote to memory of 3900	2212	chrome.exe	82
PID 2212 wrote to memory of 3900	2212	chrome.exe	82
PID 2212 wrote to memory of 3900	2212	chrome.exe	82
PID 2212 wrote to memory of 3900	2212	chrome.exe	82
PID 2212 wrote to memory of 3900	2212	chrome.exe	82
PID 2212 wrote to memory of 3900	2212	chrome.exe	82
PID 2212 wrote to memory of 3900	2212	chrome.exe	82
PID 2212 wrote to memory of 3900	2212	chrome.exe	82
PID 2212 wrote to memory of 3900	2212	chrome.exe	82
PID 2212 wrote to memory of 3900	2212	chrome.exe	82

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
1⤵
PID:3040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 712
  2⤵
  - Program crash
  PID:2596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 712
  2⤵
  - Program crash
  PID:4064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffcae599758,0x7ffcae599768,0x7ffcae599778
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1776,i,364035462527195229,271538545872403778,131072 /prefetch:8
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1776,i,364035462527195229,271538545872403778,131072 /prefetch:2
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 --field-trial-handle=1776,i,364035462527195229,271538545872403778,131072 /prefetch:8
  2⤵
  PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2868 --field-trial-handle=1776,i,364035462527195229,271538545872403778,131072 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2860 --field-trial-handle=1776,i,364035462527195229,271538545872403778,131072 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3572 --field-trial-handle=1776,i,364035462527195229,271538545872403778,131072 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4548 --field-trial-handle=1776,i,364035462527195229,271538545872403778,131072 /prefetch:8
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4544 --field-trial-handle=1776,i,364035462527195229,271538545872403778,131072 /prefetch:8
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1776,i,364035462527195229,271538545872403778,131072 /prefetch:8
  2⤵
  PID:164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1776,i,364035462527195229,271538545872403778,131072 /prefetch:8
  2⤵
  PID:3716

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4988

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:3264
- C:\Users\Admin\AppData\Local\Temp\install.exe
  install
  2⤵
  PID:2772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 688
    3⤵
    - Program crash
    PID:4164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 680
    3⤵
    - Program crash
    PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\metadata

Filesize
114B

MD5
18a4aa818f0d6afdce64ec3ace46e2e3

SHA1
4a7e518fcba1f4f3597ee615205ab488f0def4fc

SHA256
4bff5b19d03ac4cc191dc9ff30a67b612cfc2b0ecf823d3b9cf03621e64c55dc

SHA512
7e1c41b56de5da0f5c7e98500a00863acb98c887495dd1698ddbeed7d723cb2d3b2e750b781085ce75928877668d129bccb18465aa041b3a3294dbd3f6d966a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\ce60e244-542d-40e3-a3b6-af8bcd5f10db.dmp

Filesize
1.2MB

MD5
2a50f71aecbbdfa5e93489f12feebd1f

SHA1
db41080d1dd49fbca7f352708ab22536cd3a9c93

SHA256
f6af9f9ba123457828cd9b648b01ac0e3cf4ba0a598ba4c4ac3282a18edf6693

SHA512
3cddd025326a21c9c45e8749b880ceacf2f05cbc120cff48d97649ba77048f4ee0a5335c59b4c86918a9a414917e392a3523a39c231f8613d9f3a0fd86192391

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
cd279afd22dabc79860a7b38ceb716ee

SHA1
bee303f886f848bee814eca3d58511faeeaca66f

SHA256
7d122fc3f38ac6f75fba0b3205f6bb367a405b2fa6566f6f28ca5352d9f3f1dd

SHA512
75d37e5ab49c1d53930352fe370b71ebe0f461a6439e73f15f59a97f8d618193f3d77e924d7d12c2e491ed6f298381e65d134eaa3e5d2ddc485058b36b8e5885

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2a3518ce81e74729726375b5f38dc0c4

SHA1
100aeeb5d89fc1f1eab0120b423a18e0f6e7fae0

SHA256
247830fcd1396b040293642e03bcb30b85e0a8c183f69b7575c6327d57d5b9fd

SHA512
a75dc0a89a87d455098c08012c11b3ec15adcb693c7f961c455b96246832340faaf71601eaa235df5cc9b966ca9a36e29065db6a7ce2aae89d72ba7a7597ab6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
50d00db165c374bec9f9930ec225bfe7

SHA1
ca653512074e134c95804d9e4776e16d222f2ded

SHA256
9d7274a71f5f9fef7846b203d9d2611ddfe255f56523d547acbcd3d43f2d68b9

SHA512
ae764aced36e1b5c965b728d7743c4a947bfe9f571f44ab38a020cbb2f5e2a0906f7a98cecd1c4ba69940a97d33a6b6a3cfc7087e2d50608222ae25625f09101

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
304c4141eee8046d5ec3217a20947180

SHA1
36706d364c2051aa3282741618dc15e20ac0c20e

SHA256
f141b428f5dc8131891f822f640bed6d70c9891b78bb3261d206376eca74ee07

SHA512
3fc471bc44ddffcc1046e207a4f1c93e357d38142b1922c6530ce0c3f041e81064a0ec283998dc399502579a0e0be8ba51bb21b1eb3d5bbe1f25e98e8ba593d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
357d14c8e43f2bec79ec7395e225b4f4

SHA1
11c76ef0c3b2201583182ccf4084b0e90d0fdea2

SHA256
21a7074c5e7da5d8871988345826c2de1e736ec883f7216d9ecaf7c3afa71c63

SHA512
7c328852236e6f0c67ec384ddd977cbb6753193df5877c0209a85f51bc4cb94fbd99382ff6f9bd482f0c7c35ba27eae647450290df218715b59ada0510a83d75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
memory/2772-103-0x0000000000400000-0x00000000007E2A00-memory.dmp

Filesize
3.9MB

Download
memory/2772-106-0x00000000009C0000-0x0000000000A39000-memory.dmp

Filesize
484KB

Download
memory/2772-108-0x00000000009C0000-0x0000000000A39000-memory.dmp

Filesize
484KB

Download
memory/2772-112-0x00000000009C0000-0x0000000000A39000-memory.dmp

Filesize
484KB

Download
memory/3040-36-0x00000000007F0000-0x0000000000869000-memory.dmp

Filesize
484KB

Download
memory/3040-0-0x0000000000400000-0x00000000007E2A00-memory.dmp

Filesize
3.9MB

Download
memory/3040-5-0x00000000007F0000-0x0000000000869000-memory.dmp

Filesize
484KB

Download
memory/3040-3-0x00000000007F0000-0x0000000000869000-memory.dmp

Filesize
484KB

Download