bce765dc1c317a4a09000a228a3ce7ba93d802fbb5c7934618f847f5c467aae0

Analysis

max time kernel
220s
max time network
389s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

460KB
MD5

ce9903e5b7a9e6c90024b0a464b41563
SHA1

f6d2a961a83eeff8d37fc8b43530451997a23966
SHA256

bce765dc1c317a4a09000a228a3ce7ba93d802fbb5c7934618f847f5c467aae0
SHA512

3c7aae290acd1701a7035519db4dabc4a26ac36138cfa16947d3ee24cfc30df45fcad1cbd251802c9791a071fafeafe2ed3631f26f1806ca3295ab66a71d49e5
SSDEEP

12288:bxFiAgK2dK2csCm22WFg4wWivbSmZm6p2:LMK2tCOmgJWiWUj2

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2312 2984 WerFault.exe Setup.exe

pid	pid_target	process	target process
2312	2984	WerFault.exe	Setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exe

pid process

2596 chrome.exe
2596 chrome.exe
2596 chrome.exe
2596 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe
Token: SeShutdownPrivilege	2596	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup.exechrome.exe

description	pid	process	target process
PID 2984 wrote to memory of 2312	2984	Setup.exe	WerFault.exe
PID 2984 wrote to memory of 2312	2984	Setup.exe	WerFault.exe
PID 2984 wrote to memory of 2312	2984	Setup.exe	WerFault.exe
PID 2984 wrote to memory of 2312	2984	Setup.exe	WerFault.exe
PID 2984 wrote to memory of 2312	2984	Setup.exe	WerFault.exe
PID 2984 wrote to memory of 2312	2984	Setup.exe	WerFault.exe
PID 2984 wrote to memory of 2312	2984	Setup.exe	WerFault.exe
PID 2596 wrote to memory of 2548	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2548	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2548	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2488	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2444	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2444	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2444	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2460	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2460	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2460	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2460	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2460	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2460	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2460	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2460	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2460	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2460	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2460	2596	chrome.exe	chrome.exe
PID 2596 wrote to memory of 2460	2596	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 256
  2⤵
  - Program crash
  PID:2312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7109758,0x7fef7109768,0x7fef7109778
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1164,i,10185269879078030013,14668939391816352013,131072 /prefetch:2
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1164,i,10185269879078030013,14668939391816352013,131072 /prefetch:8
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1164,i,10185269879078030013,14668939391816352013,131072 /prefetch:8
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2288 --field-trial-handle=1164,i,10185269879078030013,14668939391816352013,131072 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1164,i,10185269879078030013,14668939391816352013,131072 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1308 --field-trial-handle=1164,i,10185269879078030013,14668939391816352013,131072 /prefetch:2
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3308 --field-trial-handle=1164,i,10185269879078030013,14668939391816352013,131072 /prefetch:1
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3452 --field-trial-handle=1164,i,10185269879078030013,14668939391816352013,131072 /prefetch:8
  2⤵
  PID:580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3568 --field-trial-handle=1164,i,10185269879078030013,14668939391816352013,131072 /prefetch:8
  2⤵
  PID:828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3500 --field-trial-handle=1164,i,10185269879078030013,14668939391816352013,131072 /prefetch:8
  2⤵
  PID:1592

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
14d8c5af6c0ded1a7d6dddea00a6042a

SHA1
5af668205b8b395ee30063d3ac52aef0ab2906bf

SHA256
ca7004d89fb2adccc83820432a089a9ebc7b888136e122e31b135c3e2fefcb28

SHA512
89c00d456e9b3a9b876f6e42a472239a4c45b4e460a434973a71e392176ffaa73d358e337a8536bd6a99368981bd0f313e6b9f9e080cde96fb6e05a1f7e58364

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ad198f701ca1daf78266d0d73bbf4d3a

SHA1
42398de0b7a0d52dbc30604c63458985924d97ae

SHA256
2824c32112d4799d2946b7b17ab76e70315430d37c6fbd563b6289bdd658ff89

SHA512
01aec29422a70207a3d6931e108c7bf67e4b851ad7d5c6dd14054cfcaf619e77627058d001183456e083e2a8b2dbc93bcb9e9abf814f104ac0a795e4614ecd36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
memory/2984-0-0x0000000001390000-0x0000000001404000-memory.dmp

Filesize
464KB

Download