f023428fd5b42414f1763c8b748f67549cb24e7df6e76f91b93d32ec1d449ef9

Analysis

max time kernel
1199s
max time network
839s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25/02/2024, 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

chrome_updater.exe
Size

2.6MB
MD5

08373560048f06bed6625a074f197701
SHA1

98b05d083c66d37dca4bd20affcc90dfc013ecbb
SHA256

f023428fd5b42414f1763c8b748f67549cb24e7df6e76f91b93d32ec1d449ef9
SHA512

a093802439281e0c35648969f3e57f6c0e226932a6184841036b354f5f590bf354391b508d6d2f903caf767da46c4a0817a6906f28499ac80b349974c7edee20
SSDEEP

49152:1TfNcC2P0OwoRmgdan5gHOycuWAaScJmkbbfe8U8pFtZL0EX:1TfN32P0OwosgdanOuyc4aScJmkbLe8r

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	chrome_updater.exe
File created	C:\Windows\system32\drivers\etc\hosts	chrome_updater.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

pid	Process
1360	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
480	Process not Found
1540	chrome_updater.exe

Loads dropped DLL 1 IoCs

pid	Process
480	Process not Found

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	chrome_updater.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	chrome_updater.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1540 set thread context of 2460	1540	chrome_updater.exe	83

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2520	sc.exe
2584	sc.exe
1996	sc.exe
2420	sc.exe
1452	sc.exe
1608	sc.exe
2980	sc.exe
2456	sc.exe
1128	sc.exe
1212	sc.exe
1888	sc.exe
2508	sc.exe
2656	sc.exe
2788	sc.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b04f4b1ed567da01	powershell.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2004	chrome_updater.exe
1880	powershell.exe
2004	chrome_updater.exe
2004	chrome_updater.exe
2004	chrome_updater.exe
2004	chrome_updater.exe
2004	chrome_updater.exe
2004	chrome_updater.exe
2004	chrome_updater.exe
2004	chrome_updater.exe
2004	chrome_updater.exe
2004	chrome_updater.exe
2004	chrome_updater.exe
2004	chrome_updater.exe
2004	chrome_updater.exe
2004	chrome_updater.exe
2004	chrome_updater.exe
1540	chrome_updater.exe
892	powershell.exe
1540	chrome_updater.exe
1540	chrome_updater.exe
1540	chrome_updater.exe
1540	chrome_updater.exe
1540	chrome_updater.exe
1540	chrome_updater.exe
1540	chrome_updater.exe
1540	chrome_updater.exe
1540	chrome_updater.exe
1540	chrome_updater.exe
1540	chrome_updater.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeShutdownPrivilege	2496	powercfg.exe
Token: SeShutdownPrivilege	2484	powercfg.exe
Token: SeShutdownPrivilege	1916	powercfg.exe
Token: SeShutdownPrivilege	2464	powercfg.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeShutdownPrivilege	2596	powercfg.exe
Token: SeShutdownPrivilege	2888	powercfg.exe
Token: SeShutdownPrivilege	2060	powercfg.exe
Token: SeShutdownPrivilege	2064	powercfg.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2428	2792	cmd.exe	34
PID 2792 wrote to memory of 2428	2792	cmd.exe	34
PID 2792 wrote to memory of 2428	2792	cmd.exe	34
PID 1360 wrote to memory of 548	1360	cmd.exe	62
PID 1360 wrote to memory of 548	1360	cmd.exe	62
PID 1360 wrote to memory of 548	1360	cmd.exe	62
PID 2148 wrote to memory of 1600	2148	cmd.exe	69
PID 2148 wrote to memory of 1600	2148	cmd.exe	69
PID 2148 wrote to memory of 1600	2148	cmd.exe	69
PID 1540 wrote to memory of 2460	1540	chrome_updater.exe	83
PID 1540 wrote to memory of 2460	1540	chrome_updater.exe	83
PID 1540 wrote to memory of 2460	1540	chrome_updater.exe	83
PID 1540 wrote to memory of 2460	1540	chrome_updater.exe	83
PID 1540 wrote to memory of 2460	1540	chrome_updater.exe	83
PID 1540 wrote to memory of 2460	1540	chrome_updater.exe	83
PID 1540 wrote to memory of 2460	1540	chrome_updater.exe	83
PID 1540 wrote to memory of 2460	1540	chrome_updater.exe	83
PID 1540 wrote to memory of 2460	1540	chrome_updater.exe	83

C:\Users\Admin\AppData\Local\Temp\chrome_updater.exe
"C:\Users\Admin\AppData\Local\Temp\chrome_updater.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2004
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2428
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2656
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2788
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2456
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2420
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2584
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "GoogleUpdate"
  2⤵
  - Launches sc.exe
  PID:1996
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "GoogleUpdate" binpath= "C:\ProgramData\Google\Chrome\Application\chrome_updater.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:1452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\chrome_updater.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:548
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "GoogleUpdate"
  2⤵
  - Launches sc.exe
  PID:1128
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:1212

C:\ProgramData\Google\Chrome\Application\chrome_updater.exe
C:\ProgramData\Google\Chrome\Application\chrome_updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:1600
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1608
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1888
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2508
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2520
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2980
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
7f00c36bf9255f977c67b852ba5dcd53

SHA1
f3503bdb5d5a580ffa8f9dd83e35c204a5f5c149

SHA256
167986dfdf7d2e14742a08afdad0cb4eb2a15ed85735133a122ff0ae302b86de

SHA512
6fe4fe7e74148959aa0da55e49b96780bdd1efafd196759faa9d5af4f127ed46834cb9f1fbdd5ac35cefedb19310e428079e2b8c788cb8e3efac8a99aa6f0fd2

Download Submit
\ProgramData\Google\Chrome\Application\chrome_updater.exe

Filesize
2.6MB

MD5
08373560048f06bed6625a074f197701

SHA1
98b05d083c66d37dca4bd20affcc90dfc013ecbb

SHA256
f023428fd5b42414f1763c8b748f67549cb24e7df6e76f91b93d32ec1d449ef9

SHA512
a093802439281e0c35648969f3e57f6c0e226932a6184841036b354f5f590bf354391b508d6d2f903caf767da46c4a0817a6906f28499ac80b349974c7edee20

Download Submit
memory/892-20-0x000007FEF4F50000-0x000007FEF58ED000-memory.dmp

Filesize
9.6MB

Download
memory/892-25-0x000007FEF4F50000-0x000007FEF58ED000-memory.dmp

Filesize
9.6MB

Download
memory/892-24-0x00000000015B0000-0x0000000001630000-memory.dmp

Filesize
512KB

Download
memory/892-19-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/892-23-0x00000000015B0000-0x0000000001630000-memory.dmp

Filesize
512KB

Download
memory/892-22-0x000007FEF4F50000-0x000007FEF58ED000-memory.dmp

Filesize
9.6MB

Download
memory/892-21-0x00000000015B0000-0x0000000001630000-memory.dmp

Filesize
512KB

Download
memory/892-18-0x000000001A140000-0x000000001A422000-memory.dmp

Filesize
2.9MB

Download
memory/1880-10-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/1880-5-0x0000000001E40000-0x0000000001E48000-memory.dmp

Filesize
32KB

Download
memory/1880-4-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/1880-9-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/1880-8-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download
memory/1880-7-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/1880-6-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download
memory/1880-11-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download
memory/2460-28-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2460-29-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2460-30-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2460-31-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2460-32-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2460-34-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download