ee93b7ef5509884b9451ea08347f2444d0a51fed2b98307f55f3ce6890a621dd

Analysis

max time kernel
1792s
max time network
1793s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
25/02/2024, 15:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ChromeSetup_v1.3.87.369.exe
Size

3.2MB
MD5

3a1c8cccaf96747bc5d4a0cbe221a9a4
SHA1

d5641fa2764a6b36ed79c5155c0ddb1f204aabe4
SHA256

ee93b7ef5509884b9451ea08347f2444d0a51fed2b98307f55f3ce6890a621dd
SHA512

f06bf733428b292113976cceb0124786ef814bb60e02a9beb648dd0eb57855f0b0f9b36860f458a641df6d38a1b6716d45356aeb9acf8467112a97eec772dd50
SSDEEP

24576:ISI4YvRO+E+hziLDDwGUhzEB7Doqs2p4Uxn8LEkymXERBaZ7R1wmGaT9yqEjb0eO:xaZaMo4JLEXKUL/H6oMla6yJDO

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 50 IoCs

flow	pid	Process
26	2904	rundll32.exe
27	2904	rundll32.exe
29	2904	rundll32.exe
30	2904	rundll32.exe
31	2904	rundll32.exe
32	2904	rundll32.exe
33	2904	rundll32.exe
34	2904	rundll32.exe
35	2904	rundll32.exe
36	2904	rundll32.exe
38	2904	rundll32.exe
39	2904	rundll32.exe
40	2904	rundll32.exe
41	2904	rundll32.exe
42	2904	rundll32.exe
43	2904	rundll32.exe
44	2904	rundll32.exe
45	2904	rundll32.exe
46	2904	rundll32.exe
47	2904	rundll32.exe
48	2904	rundll32.exe
49	2904	rundll32.exe
50	2904	rundll32.exe
51	2904	rundll32.exe
52	2904	rundll32.exe
53	2904	rundll32.exe
54	2904	rundll32.exe
55	2904	rundll32.exe
56	2904	rundll32.exe
57	2904	rundll32.exe
58	2904	rundll32.exe
59	2904	rundll32.exe
60	2904	rundll32.exe
61	2904	rundll32.exe
62	2904	rundll32.exe
63	2904	rundll32.exe
64	2904	rundll32.exe
65	2904	rundll32.exe
66	2904	rundll32.exe
67	2904	rundll32.exe
68	2904	rundll32.exe
69	2904	rundll32.exe
70	2904	rundll32.exe
71	2904	rundll32.exe
72	2904	rundll32.exe
73	2904	rundll32.exe
74	2904	rundll32.exe
75	2904	rundll32.exe
76	2904	rundll32.exe
77	2904	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
4092	cleanmgr.exe
2904	rundll32.exe

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\WOW6432Node\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}\InprocServer32	ChromeSetup_v1.3.87.369.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\WOW6432Node\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DiskClr\\DiskClr_v7.7.dll"	ChromeSetup_v1.3.87.369.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Disk Cleanup = "C:\\Windows\\SysWOW64\\cleanmgr.exe /verylowdisk"	ChromeSetup_v1.3.87.369.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ChromeSetup_v1.3.87.369.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ChromeSetup_v1.3.87.369.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}	ChromeSetup_v1.3.87.369.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}\InprocServer32	ChromeSetup_v1.3.87.369.exe
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\WOW6432Node\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}\InprocServer32	ChromeSetup_v1.3.87.369.exe
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\WOW6432Node	ChromeSetup_v1.3.87.369.exe
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\WOW6432Node\CLSID	ChromeSetup_v1.3.87.369.exe
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\WOW6432Node\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}	ChromeSetup_v1.3.87.369.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\WOW6432Node\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DiskClr\\DiskClr_v7.7.dll"	ChromeSetup_v1.3.87.369.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}\InprocServer32	ChromeSetup_v1.3.87.369.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4092	cleanmgr.exe
4092	cleanmgr.exe
2904	rundll32.exe
2904	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 4092	3700	ChromeSetup_v1.3.87.369.exe	81
PID 3700 wrote to memory of 4092	3700	ChromeSetup_v1.3.87.369.exe	81
PID 3700 wrote to memory of 4092	3700	ChromeSetup_v1.3.87.369.exe	81
PID 4092 wrote to memory of 2904	4092	cleanmgr.exe	86
PID 4092 wrote to memory of 2904	4092	cleanmgr.exe	86
PID 4092 wrote to memory of 2904	4092	cleanmgr.exe	86

C:\Users\Admin\AppData\Local\Temp\ChromeSetup_v1.3.87.369.exe
"C:\Users\Admin\AppData\Local\Temp\ChromeSetup_v1.3.87.369.exe"
1⤵
- Registers COM server for autorun
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Windows\SysWOW64\cleanmgr.exe
  "C:\Windows\SysWOW64\cleanmgr.exe" /verylowdisk
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DiskClr\DiskClr_v7.7.dll,Cleaner
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DiskClr\DiskClr_v7.7.dll

Filesize
1011KB

MD5
e4c1798dff6319fdcc5071b177c4ec28

SHA1
8d2c450e47515999a6ca956bb4c53e40ea929632

SHA256
dc50491b564dd8464d6be3b5605e0b55016acb8341b6b21ced5858baecc22f65

SHA512
b2cb4b502d2042c7c3593a43fd79cc760a7f04aaa0785ec114aaaa0a801cd9f26be3c36bf77956e0ca689012a41990c0b847e7e0927a78f157bf01baaba8ad5f

Download Submit
C:\Users\Admin\AppData\Local\cleanup.txt

Filesize
3B

MD5
b3967a0e938dc2a6340e258630febd5a

SHA1
640bacfb48aefac1f91028c01603e5c78d4f63ca

SHA256
02e6295d8f522840f09b5194b3f023799ad6ed3306d9296005787e792224df20

SHA512
ff1f2acaac6436e89901b10f7cbc94c2a7b975e4c4eac2754e5dc6f047d43c4a089286ae0841154a8e22e71ee75ac3ff23ad12b43ef62575a0ef8c5800574a37

Download Submit
memory/2904-10-0x00000000025A0000-0x0000000002615000-memory.dmp

Filesize
468KB

Download
memory/2904-11-0x0000000000B70000-0x0000000000B83000-memory.dmp

Filesize
76KB

Download
memory/2904-13-0x00000000025A0000-0x0000000002615000-memory.dmp

Filesize
468KB

Download
memory/3700-0-0x00000000015C0000-0x00000000016D5000-memory.dmp

Filesize
1.1MB

Download
memory/3700-1-0x0000000001810000-0x0000000001943000-memory.dmp

Filesize
1.2MB

Download
memory/3700-6-0x0000000001810000-0x0000000001943000-memory.dmp

Filesize
1.2MB

Download
memory/4092-5-0x0000000002D60000-0x0000000002DD5000-memory.dmp

Filesize
468KB

Download
memory/4092-7-0x0000000002CC0000-0x0000000002CD3000-memory.dmp

Filesize
76KB

Download
memory/4092-8-0x0000000002D60000-0x0000000002DD5000-memory.dmp

Filesize
468KB

Download