General
-
Target
chromeremotedesktophost.msi
-
Size
20.5MB
-
Sample
240620-kkrbnasern
-
MD5
5f259c755b3dcbbbbc27f9513cddac61
-
SHA1
0e672bad7b67cc1f234b265f3af21976935c4903
-
SHA256
9cdd681fc86c1e816e652b0b5590d2e986b08bc26204e8048918a59c291051ce
-
SHA512
4c7f66962cecba4e753f3c996cc45bd102c6b7c6ab97bf85197091cfdb05ca82dd400f0888ead82927c61e3f45ea33e919a3a51da63cb5af1141a980f779fcb3
-
SSDEEP
393216:CQzX7/PFKRpAvIpgY6KKsIHNHSHY7nTMkJ5K6cOomwZCtgO5gAkUmZbXF:tzX7/cTHAK1uASTMkboRCtgO1kUmZbX
Malware Config
Targets
-
-
Target
chromeremotedesktophost.msi
-
Size
20.5MB
-
MD5
5f259c755b3dcbbbbc27f9513cddac61
-
SHA1
0e672bad7b67cc1f234b265f3af21976935c4903
-
SHA256
9cdd681fc86c1e816e652b0b5590d2e986b08bc26204e8048918a59c291051ce
-
SHA512
4c7f66962cecba4e753f3c996cc45bd102c6b7c6ab97bf85197091cfdb05ca82dd400f0888ead82927c61e3f45ea33e919a3a51da63cb5af1141a980f779fcb3
-
SSDEEP
393216:CQzX7/PFKRpAvIpgY6KKsIHNHSHY7nTMkJ5K6cOomwZCtgO5gAkUmZbXF:tzX7/cTHAK1uASTMkboRCtgO1kUmZbX
Score8/10-
Creates new service(s)
-
Stops running service(s)
-
Adds Run key to start application
-
Blocklisted process makes network request
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks whether UAC is enabled
-
Downloads MZ/PE file
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Event Triggered Execution: Image File Execution Options Injection
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Browser Extensions
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
4Accessibility Features
1Component Object Model Hijacking
1Image File Execution Options Injection
1Installer Packages
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
4Accessibility Features
1Component Object Model Hijacking
1Image File Execution Options Injection
1Installer Packages
1