Analysis
-
max time kernel
30s -
max time network
38s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
01-07-2024 07:47
General
-
Target
ChromeSetup.exe
-
Size
8.0MB
-
MD5
780d9df36221ccd24716da39ee3e2708
-
SHA1
3a2e4f8bc401856f1870e9fd3a3977044db68729
-
SHA256
f765d1d4012f47223a47c5992da55066e81d76b0714eb347ca6a54c55f4e374c
-
SHA512
36b1df97a9b0a3ae9cae704f722537c877c6b8a091c513be66bd16645cdf9ab424912e6dac3ddfbbf9419a9d0acc17113dec88418b8134e641a87028e8e4d6c0
-
SSDEEP
196608:bWi1ZYP2rPma7ts+ndryl6xmrsUbX1YmbWxAnwvS:b7e2rua7tsedwrsUbX1YcWxAnw
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Drops file in System32 directory 1 IoCs
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
-
Executes dropped EXE 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 4 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Google1836_1249624114\bin\updater.exe"C:\Program Files (x86)\Google1836_1249624114\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={1E5E5C4F-2824-A1A8-B948-33835CA392B5}&lang=en&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=22⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Google1836_1249624114\bin\updater.exe"C:\Program Files (x86)\Google1836_1249624114\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x27c,0x280,0x284,0x278,0x288,0x552604,0x552610,0x55261c3⤵
- Drops file in Program Files directory
- Executes dropped EXE
-
-
-
C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update-internal1⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x922604,0x922610,0x92261c2⤵
- Drops file in Program Files directory
- Executes dropped EXE
-
-
C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --system --windows-service --service=update1⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe"C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x922604,0x922610,0x92261c2⤵
- Drops file in Program Files directory
- Executes dropped EXE
-
-
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1780_1369066556\126.0.6478.127_chrome_installer.exe"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1780_1369066556\126.0.6478.127_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1780_1369066556\de0dc617-3abe-4859-b154-8eed488e0cac.tmp"2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1780_1369066556\CR_B6D27.tmp\setup.exe"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1780_1369066556\CR_B6D27.tmp\setup.exe" --install-archive="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1780_1369066556\CR_B6D27.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1780_1369066556\de0dc617-3abe-4859-b154-8eed488e0cac.tmp"3⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1780_1369066556\CR_B6D27.tmp\setup.exe"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1780_1369066556\CR_B6D27.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff66bf646a8,0x7ff66bf646b4,0x7ff66bf646c04⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1780_1369066556\CR_B6D27.tmp\setup.exe"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1780_1369066556\CR_B6D27.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=14⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1780_1369066556\CR_B6D27.tmp\setup.exe"C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1780_1369066556\CR_B6D27.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff66bf646a8,0x7ff66bf646b4,0x7ff66bf646c05⤵
- Executes dropped EXE
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Active Setup
1Event Triggered Execution
1Component Object Model Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.4MB
MD5512a822caed80f9fa3f0dfce20d4faa1
SHA116f470de73681ce7ec9b3251ac081879fb37798c
SHA2568de9266347276d18fe49f84b86f09e6035df2c10e39f22d85bf33d43cf0f5f2c
SHA5129fc3d74dddd28b325fe3b803c1217d7374b61ae6d7eecb46aa2dafb643b7a45387caba015421da524cc0416c9b3bdbb3d871120c1275e421f86e9d80a3781802
-
Filesize
40B
MD539478f62ae4138961ec18bf49312f132
SHA1d32997c59969fdf4875d651740005a372ee813a7
SHA2568ff206c689ee486184ae347202cfbcf07e9aa8688468a221d06208aff2b8b714
SHA512e9d224100b8f70a192c6286d62cd8d4cacc0be8fb67436954d483cf50eab7c8966618ce29f2dfc431ed03449b27e40eb0476d80cd7f9de44eb12749441988a2e
-
Filesize
354B
MD5e0ee4da712ce8c124aa6591511138c42
SHA13c995aa84f0c88624b3998304a39803bd99f116e
SHA25644ea110f766b1c1df4863665f334421b1d0dd450b859f2d75a53a96d005ab7ff
SHA512dd93f581ecbf41c75c85388d0eeb809fe64f5c5e0e8b24f13b20b8d2b88cb98c873ebfaeff8a6bdc985b548ed6e866ffc53f465ac5a01018fcd9c58c7faec17c
-
Filesize
492B
MD525063c04c9a38df19a1eb1a5faeb22fe
SHA12a63c9e9dc12c179f97c1b00b6864604f425784a
SHA25645d6823bf385bc181ce0354cb7620dd31ddf2def8e1f2592aa0df573e1dc1714
SHA51232a0d8a67904ece76f09ec1007af86fa4c8e232116cbaf815e4480e917b0325ca15bf35cfc77c842fbc15e5b00c6c657d831d9696459c4dec6b8655508c0416a
-
Filesize
49B
MD5a640ca2e70d5d86ee61c65b5fa0a5de3
SHA1932854c7284e88d764a5f455c2559430282630e3
SHA256143f8c59a52692d27d38a2da2d510f37237faeee74850381917768adee0975e6
SHA512855f3de6bda41d5a015922c4127947bd9ad51b2b137ccdbef5232b2f373c24b7c99f0806466c1cbd49387a4d6984f10f71e69dc7ab9a9274e4ec1d376758cdf2
-
Filesize
4KB
MD5aad56e51f8ac4b054630c2a5c92b0c53
SHA1dead8b94002c857b445754f68b24df5c8d601c64
SHA256d86313004b0cba5a2abf6995d6623a139721521c533d004a33fe5973ab9b8a00
SHA5124100d19d339c732f22d9189fb6dbb87f22e8cf42edd0e4f74ba3b89459e3054ae6e8f17be04c978a913dac769dc1519ec8b91cb94db116cc9ec3426aae94cb94
-
Filesize
5KB
MD5385f9bc36fc1ff8ea055139d863a115b
SHA1224133573e82bc9fc44ce8e154b5cf9aebfcdc6f
SHA256024256c640dae8766434e515fcc3b6608387f0658fe234ab28067ee5f131d613
SHA512f59fcad6ee41097d9ee1004261eb4e0b3a4c8078f868265664fc999f01a0dd77f96ad0205b5bc25695975bb10ec8ffd44bd61a077a434dcf3dbd972a0509c2dc
-
Filesize
12KB
MD53ca119f03fe5fdfc973870bf144b66e3
SHA16a441e421885c158c5885705691211f6115ffefa
SHA256feea2dff21ba991afa4d3c2e4b516f8c0dc411dcecf73f75b0454056410fb26e
SHA5123af77035094e96fcd064e2368641ea0588ba3622f7d41893a66a9d094342442ed241bd14fb3a99f4dad45e8db90254fd2cae0ffbee38723100ff28202eafe3b9
-
Filesize
1KB
MD5a3b3717f607aeefd13a8620bf0249126
SHA1967c5f677da42c8c168ed02d0eeb711a77488324
SHA256ae36ec2e246d16f4f4a322a761d5eb8a3a83f3b26c0caa1b7da51589c12573b0
SHA512b323ff92dc94c726f535e9d5e16be2fcce2af041cd6da14841913b75ff912bf9a7ebd81812c9a3f3a32bc79d666a8f20b1141b6b737a888cf925ad7bd446ff4e
-
Filesize
1KB
MD55d21430459639729d0c5295ec47c72d0
SHA1c8bca46cdbc1e98cc0fbee2e6a0afd0ba6734b76
SHA2563b8fa3358ecd94efb7e3c9bc44919a0c558cd9914d829dc24451f730f44230b3
SHA512efccf9e728f244c61e11fa2dbd46ec8c914323e6d41c1c8b345f5a9613519b31dfe058e3a0e7a3d8e38d8596eb4cb81e46c18901671710e29cb39fb417cec70a
-
Filesize
4.1MB
MD50849095a80f74794bcac8b3561fc4a58
SHA15b27f31892bb7b04c62d3b1f612a45415a3bc32e
SHA25627dbc6e6ac8630b50fc5473e9a7f341c7d759806f762aa522698ec10bf2f2e62
SHA5121f52e20fc2812af55e00b7aea59b00af262ea87bc7b652504a3be9b26e500fffeffbed52dc21132b22645f46f2a59f546485e9089e7cfb5f0154041918f52e5c
-
Filesize
652KB
MD544c7f06f320e8068a00af6f8930c0511
SHA1e68c5ff16e0c28a2ec146198b96bfad291743c4b
SHA256c0dd8ff1c80385821da0fe5102b40420ebe4b476b5832382553dbb6d51ae33c9
SHA51282343ada963b593fce6718b9d460bfc7d359be629de1b8cf38dc638ba30495d0b5d271d658a9125fe674fe5b3375767e88ce7d8ae6f23d34f89e342d796aa644
-
Filesize
2.7MB
MD5d09b0bceaaccb0b4c2fc6b95b9a5241a
SHA15ada2eddc6954dfc50aff07276909866418ce799
SHA25613e2a3b4ddff74975fd41b9a1d4ed57de5ec67c0f377791dbbba5c8402690eb8
SHA512aec811b8ae222d21108fff90c501278cfccc1d76f4b01469339f08f09514ff31d508e2abec7ed3c53e196f34ab73544be969e5e284a220e0206d680d8e602ba7
-
Filesize
22KB
MD58a7d8cb4d5b94c9f98f1a8f3232773fe
SHA135565bb3461c7939dd46639d584078a81394d764
SHA2563f91c4255b1d0abe9e6619fa18ae0f3756a80733f4e96cb301ba13d205cbe4b0
SHA512824bf73ea49293deadeddf886b8c541dc1d87fcf698282a5a19a351fe53b7a6a593f347ed5069f8adad15286d3a13932178b25fd422b7c84dc6354176e590caf