Resubmissions

27-01-2024 20:08

240127-ywzn3achhm 10

22-01-2024 09:33

240122-ljg72adfc8 10

Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-01-2024 20:08

General

  • Target

    chrome_setup.msi

  • Size

    304KB

  • MD5

    6b63f4f44ed6a243acbf0ee18c5fb5a2

  • SHA1

    3d6e13fa319d4de1393c23579753833260b3ef2e

  • SHA256

    e34cf173d4a9a9f8c1556c52de1410f3086a1c3f080ea1a8f52726394277a994

  • SHA512

    ba1811c4556d8bd113563d4c175795f6d76b48faa259915a30a341ac425cfa309d74d8028749fe5b87eaf26332136657aae5e34e0db08054f689276db746e809

  • SSDEEP

    3072:NspAtO9mXwCGjtYNKbYO2gjpcm8rRuqpjCL42loHUvU0yGxr5GqM2a8hIZEZnWv:vtO9iRQYpgjpjew5DHyGxcqo8f

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 13 IoCs
  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 45 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 57 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\chrome_setup.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2264
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5C9FD9245146F31BB124D4D7A48574C2
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-6aed367f-252f-45ee-8a58-d40c6f5e74a7\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:2932
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:1560
      • C:\Users\Admin\AppData\Local\Temp\MW-6aed367f-252f-45ee-8a58-d40c6f5e74a7\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-6aed367f-252f-45ee-8a58-d40c6f5e74a7\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe"
        3⤵
        • Executes dropped EXE
        PID:1140
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-6aed367f-252f-45ee-8a58-d40c6f5e74a7\." /SETINTEGRITYLEVEL (CI)(OI)LOW
        3⤵
        • Modifies file permissions
        PID:2064
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2348
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C0" "00000000000005AC"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2520
  • C:\Users\Admin\AppData\Local\Temp\MW-6aed367f-252f-45ee-8a58-d40c6f5e74a7\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-6aed367f-252f-45ee-8a58-d40c6f5e74a7\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Users\Admin\AppData\Local\Temp\MW-6aed367f-252f-45ee-8a58-d40c6f5e74a7\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
      "C:\Users\Admin\AppData\Local\Temp\MW-6aed367f-252f-45ee-8a58-d40c6f5e74a7\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe"
      2⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:2164
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 476
        3⤵
        • Program crash
        PID:2052

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion
    • File and Directory Permissions Modification (T1222), 1 hit
  • Discovery
    • Query Registry (T1012), 1 hit
    • Peripheral Device Discovery (T1120), 1 hit
    • System Information Discovery (T1082), 1 hit

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MW-6aed367f-252f-45ee-8a58-d40c6f5e74a7\files.cab
    Filesize

    56KB

    MD5

    f8ba117f135d10e3eb80472c1ec46469

    SHA1

    6c084a82bf4ebafde30c5b3182f83dcb66933671

    SHA256

    9bc48ce1d31060a52f1f879fd140d96d60f60dd2d53d83efca323819b048b9f1

    SHA512

    3985a44a1a0907153f1a1eeaf8e91dcf25c0f6f27abc70edbbe5922e281b70fd7c308df022200a35daf2044eb2323f101ded0a5f0f592aed2bd8a50de4f0e0fa

  • C:\Users\Admin\AppData\Local\Temp\MW-6aed367f-252f-45ee-8a58-d40c6f5e74a7\files\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b-2022-04-20-15-57-51.exe
    Filesize

    56KB

    MD5

    84c1567969b86089cc33dccf41562bcd

    SHA1

    53f2133cb25186e9fa6d4ea3b0e41eee5aba5ef2

    SHA256

    516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b

    SHA512

    72a411cacd503b6fadb15dc90f1f9beb79ff79c620df76da381e5c780c53e11258aae72db2848c241ec55af403d67d62340e429e86c23bbf8a71287738de7eaa

  • C:\Users\Admin\AppData\Local\Temp\MW-6aed367f-252f-45ee-8a58-d40c6f5e74a7\msiwrapper.ini
    Filesize

    1KB

    MD5

    4034b06c78bf7ef130fc6e0c6649f608

    SHA1

    13f3f9058db699de2723d31d68f6131a0efb070a

    SHA256

    3a3acbd214c5f034aadc4044258a052e784e6d5c591094103354041ef55d25ef

    SHA512

    5eed62d949aa75c4c622f5afb7ce0642871c37712938af28cbd3abd6851536eb7d6025d3a14fd9e187ec8dbc4216e6813019192a965a6f861a9fe8df19747bfd

  • C:\Users\Admin\AppData\Local\Temp\MW-6aed367f-252f-45ee-8a58-d40c6f5e74a7\msiwrapper.ini
    Filesize

    1KB

    MD5

    a8f4d87be9482a43eea6ab0b9d8ddf6c

    SHA1

    7c22d587508f4388aef683e999b9193e7af47571

    SHA256

    f4246d56cd522969b18537f728d714a4e8559bba4396235fc5c4cf3749feaac4

    SHA512

    1316b627f4bfd0290fc6d60f2fbd7413b333085ee434c5c09f30e47953d1346605738c08ecd067a2d23e145379a6ea1093b67848ef29792d0ad69d887951c258

  • C:\Windows\Installer\MSI1FC0.tmp
    Filesize

    208KB

    MD5

    0c8921bbcc37c6efd34faf44cf3b0cb5

    SHA1

    dcfa71246157edcd09eecaf9d4c5e360b24b3e49

    SHA256

    fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

    SHA512

    ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108