Analysis
max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted
12/05/2024, 01:33
Static task
static1
Behavioral task
behavioral1
Sample
ChromeHistory.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
ChromeHistory.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
comctl32.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
comctl32.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
iteSql.dll
Resource
win7-20240220-en
Behavioral task
behavioral6
Sample
iteSql.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
resources.dll
Resource
win7-20240419-en
Behavioral task
behavioral8
Sample
resources.dll
Resource
win10v2004-20240426-en
General
Target
ChromeHistory.exe
Size
233KB
MD5
5ae56682a3ad6210a76469e9d074abaf
SHA1
8cc2bcd404a1e6785f2080bda906bc5d4f7bc399
SHA256
02ea208909d0fbb5767f1cde4872cf5deee52d550fa1b459f5e0ccce6c2a4ce7
SHA512
1aa84c9ccb55215c08e51cfbc2803a6592d71e294bf735b801004b357530abc617acab60ce1384b21c6033a0e59f18ee8a4a9c35951eb820df84bd11036ac475
SSDEEP
6144:jbLYUUWhnyl8xBPHhPhEholbw4LM/bXbgXRZ:jb9/hyl8/RaqlbnLM/brAZ
Malware Config
Signatures
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\comctl32.ocx | ChromeHistory.exe
File opened for modification | C:\Windows\SysWOW64\comctl32.ocx | ChromeHistory.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
3528 | 1816 | WerFault.exe | 90
Modifies registry class (64 IoCs)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1904 | ChromeHistory.exe
1816 | ChromeHistory.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 1904 wrote to memory of 832 | 1904 | ChromeHistory.exe | 88
PID 1904 wrote to memory of 832 | 1904 | ChromeHistory.exe | 88
PID 1904 wrote to memory of 832 | 1904 | ChromeHistory.exe | 88
PID 1904 wrote to memory of 1816 | 1904 | ChromeHistory.exe | 90
PID 1904 wrote to memory of 1816 | 1904 | ChromeHistory.exe | 90
PID 1904 wrote to memory of 1816 | 1904 | ChromeHistory.exe | 90
Processes
C:\Users\Admin\AppData\Local\Temp\ChromeHistory.exe
"C:\Users\Admin\AppData\Local\Temp\ChromeHistory.exe"
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904
  C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe REGSVR32.EXE C:\Windows\system32\comctl32.ocx /s
  PID:832
  C:\Users\Admin\AppData\Local\Temp\ChromeHistory.exe
  C:\Users\Admin\AppData\Local\Temp\ChromeHistory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1816
    C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 880
    - Program crash
    PID:3528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1816 -ip 1816
PID:3996
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
152KB
MD5
73bd1e15afb04648c24593e8ba13e983
SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91
SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b
SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7