Overview

overview

7

Static

static

1

Google Chr...up.msi

windows7-x64

7

Google Chr...up.msi

windows10-2004-x64

7

Resubmissions

10-08-2024 17:35

240810-v54slazdmn 10

10-08-2024 16:53

240810-vd96assepe 7

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-08-2024 16:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Google Chrome-x64-Setup.msi

  • Size

    87.8MB

  • MD5

    afbc265d30830f5454019f1e48ffec3a

  • SHA1

    25500667b2df8894df6cd9b405f4c77525d0369e

  • SHA256

    50fcb1bb818b1d14a036532f5e1b3ac7aca4b62f03b8cd3ac4af36f9689f6b9a

  • SHA512

    fdb54624eebb1ec99cdd16c712c255ab4c6201e946dde49b3e50a054ffab4e281daa1b3316a36f94f327830223cb697fbd4ec48b061f32edb5fba3ab83a42e0a

  • SSDEEP

    1572864:PuSA0Q9ilL4UxQUoim6casSZrcBsCWpuFg9O/jAaWFFDp+chVF1luEbtYio0z8+U:PnVQ92TQUooc3Uw2F9HHluEbtpoOKdB

Score
7/10
discoveryupx

Malware Config

Signatures

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 17 IoCs
  • Drops file in Windows directory 12 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 18 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Google Chrome-x64-Setup.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1552
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4084
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 4DC62C85A260E2CACB218D5E4D06289D C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4528
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:1624
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 0D91520F89772C5E16347E6550E62F27
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2504
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding E49D1AA0467B1434504C3C5F94AC09FE E Global\MSI0000
        2⤵
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:1244
        • C:\Program Files\Windows Defenderr\xfgRp7UXBM\WsTaskLoad.exe
          "C:\Program Files\Windows Defenderr\xfgRp7UXBM\WsTaskLoad.exe"
          3⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2376
          • C:\Users\Public\Documents\TaskLoad.exe
            C:\Users\Public\Documents\TaskLoad.exe
            4⤵
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            PID:2600
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:2488

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e57f09b.rbs
      Filesize

      53KB

      MD5

      ed85819fe29f33fec9f115d6f3268172

      SHA1

      0ddec6e81d4ad2b0722ba4a0c99797ab5d46147c

      SHA256

      63aaa0f688f51111292fbbf241c09fc79454fdfa5c1241ddf0416ac82e65d2f7

      SHA512

      495c772a0ec25beed0fcd76df7156564d7020e29ff6a9857dc69c613b9a9e9e065cb31fb6a7ea7f575ee9bfb1882ce5f2daf03ab7ff592b93ac8c92084d47226

      Download Submit

    • C:\Config.Msi\e57f09c.rbf
      Filesize

      2KB

      MD5

      1f0e2cf811a13cb67158cb54e05ffcca

      SHA1

      1d94ae30fce8f2f547f9e5a39354c97521cb1ca5

      SHA256

      4ca8e20f1773b340c38dfd10b850db61632976476d25c9afe8380ecc9cecffe0

      SHA512

      b48f6e27bd0fa621fba3ad2bc6fbdea28996e3080e61b36743cbd5f73acc31e45a6c60674a9e1db875e5b57d3153d4d8f57a6309fd000535ce89e4002a427d1b

      Download Submit

    • C:\Program Files\Windows Defenderr\xfgRp7UXBM\Log\WsTaskLoad.txt
      Filesize

      846B

      MD5

      a774bce0670f9150a415b5e2d3eab15f

      SHA1

      04dde6395b1bc6160aaf402b74caf14a56d2a616

      SHA256

      80511a6cc426a619c6160f5a39424988d066695f9834b144c86da076b893707f

      SHA512

      463746668fe6447608cb7adaaeeef73112d3a1dc860e1421ce6ed20abff1e46d7962d09abee7ca62fcecc60c74b15fcb876dad94e3cfd45c3df1f4659754e36a

      Download Submit

    • C:\ProgramData\1
      Filesize

      2.0MB

      MD5

      faf4a129b091a57c3ff694dc721d4f3b

      SHA1

      7430935f501164b46b99766ed9ab68da0db50c24

      SHA256

      b1d13ed7409ca47f47d200f6b26d8da6a07e645ef49ddc9a28486f46bb8c41e7

      SHA512

      0103d9bfa27c809f978a2ac805e5eb59e07f0f0eef8aecf2713d8af1bff0d54fbc24043435cb67f550d5afdd6f0a2bc5c0026b6e920efe2ad21b619bbfbb0583

      Download Submit

    • C:\ProgramData\11
      Filesize

      80KB

      MD5

      414b147b0b352988105b72ff1e656ca4

      SHA1

      d2dffdcc844c5895892e50d85714b453e725c698

      SHA256

      5d53b504579bd63f7773f9b3aa54aa6e91aa49109d656d39c571889783074486

      SHA512

      83fbfdda68dc71c0971009212dbccaee7961ed9b8a22e3fb273c40142829d1163e157dd292f9e677fc46d4f52067841e1e6506557ef1e67601eb37320aaa5359

      Download Submit

    • C:\ProgramData\12
      Filesize

      92KB

      MD5

      9f3c5f8c7867de94b5de71ee510d155d

      SHA1

      c1722645f381806dfd66137b9b7f110e6e477e8f

      SHA256

      9cd89cc9b7fbacafa81819da6809a67acf4cb1702eb2ed12f39c3dea64251e14

      SHA512

      6f79730e2d43934e271bc9a67115cdeb13618677fb837bc2f1e058266875232766001b0dc1260f4d39f6ebadade0ad37466a6b5b0122797c73b269556a966dd3

      Download Submit

    • C:\ProgramData\15
      Filesize

      978KB

      MD5

      8e945aaf7128bb3db83e51f3c2356637

      SHA1

      bcc64335efc63cb46e14cc330e105520391e2b00

      SHA256

      4fcf6394b14e24d830b04209a0ede1dcc911d199740a55d12c8ab8aeabb84073

      SHA512

      150636eea0cab3e738f5e94ae910d189622fa3221aca1cecc05bf0f5a80f2fab055adeafd99eab7a2a1d3911ff2784cf521a2681e5ddf7737f4363b915b8c2a8

      Download Submit

    • C:\ProgramData\2
      Filesize

      80KB

      MD5

      add79d40dd6d16770eb474a6546a248a

      SHA1

      1c20b639d161bbed30b239b33f8cecc889e89f63

      SHA256

      1b2526f0eaed80391f9c988216b88fdc13794a696300fb0b228554541cf1dd6c

      SHA512

      f8c8e4ff517414b761f4d1a12087a49132ad5123cb5f50013a6d2da6cee3dc4f43b67bc81f04ad47133323ef534d56e8de8767279161ccb59d599f9fa7034c27

      Download Submit

    • C:\ProgramData\2
      Filesize

      80KB

      MD5

      af9d45bbb6449574f372d0345d5ad2c9

      SHA1

      284e2dda18c2c617d350b2ed896cde12fda94cc4

      SHA256

      ee480b0ed3e05c0c415fa1382117d96e24d9e5bc2b8492a317be89869760eb09

      SHA512

      cdae60385c5949fb73af61848160670056d3be63342f8f5c427fe3fd8794ed07c8c2a784e24b368a5f3642f57e403831985e8288751b0e5c32325bcffe87919a

      Download Submit

    • C:\ProgramData\4
      Filesize

      340KB

      MD5

      7c3f402e24af534cc8a37ce473138fac

      SHA1

      369bf0d507bd8b6e177ca86e965695d6dfbf1086

      SHA256

      1c788575d1773865bd95cc981f19ede71320b181eaa0e20d667bfac783d7ea45

      SHA512

      3befed2e7714a21393229781992a29767177b77fb2d94d0de9825ed138b8d70716a27f20140e32fc7a40fa79db7beefe8ff8b8015965573916b108b54267ba4c

      Download Submit

    • C:\ProgramData\YYbefecbbccc.ini
      Filesize

      56B

      MD5

      bad2fea11d5d611baf4b50e782933bae

      SHA1

      ddcbcc3e2bf2a64ea1cd1b73280c16285fe8d430

      SHA256

      ed9bf704bc8a920951b496eaddd2ab16e1d6b094251b23bcb247f544b264eae4

      SHA512

      95ee4b5c6f23d033a9da2f6f381a9036a6b0599a314705287c5f98a82ddaeaa3a2123f9547f787a14805ae7e156f387bc6b39aee6c4b50ad820fbff732438120

      Download Submit

    • C:\ProgramData\a10
      Filesize

      36KB

      MD5

      f0284892937a97caa61afcd3b6ddb6d4

      SHA1

      f3c308e7e4aaa96919882994cdd21cc9f939cabd

      SHA256

      2514913f8a6f4671a058304651289b0babe47d81c044212b3140ed1c1b643b09

      SHA512

      058845e0a9a5892a69f24f3a77086e3f9546493ad40a0e5359aed05cf8882a9f3d7aee0449648d5cb76e51530af3e46af59a9b196cc92318334116c92dde4171

      Download Submit

    • C:\ProgramData\a3
      Filesize

      14B

      MD5

      0d59c87827537cdd7727d1f0e4d6cce4

      SHA1

      6067300c20740cf2899d519382f36c453d9b7fca

      SHA256

      270a9ca2cc8d07c58e43466e95a8aedc7bde468b7b5c0c37845cad5f0d2ab6d2

      SHA512

      324aca54d36574f1a3d7ade872bc5d4bca8b6ae78817cefcf6fe74af51e90f67a808757eb3c84d65c2a8c8e0322cad8b30c83f29e0011c374fd114122ae92d7a

      Download Submit

    • C:\ProgramData\a5
      Filesize

      56B

      MD5

      6f10d76e583b39191028ab57f8edbed9

      SHA1

      fbaa6e99f3a88d1e4cd606ca45debed661135c1d

      SHA256

      847f6e3577892365fadc94648eabdde48b9660590ba109e8387a9cb984aee476

      SHA512

      17a2f133b321fb9ac992e03da4ada3b3e5f1e507c7656d287ea00efddc50885c9ea9f337dd6b8cd52015060b4f0f4fc7832a7a3603ed5a3b498d8da47916743c

      Download Submit

    • C:\ProgramData\a6
      Filesize

      200KB

      MD5

      078c21b8c91b86999427aa349cf5decf

      SHA1

      b939376eaebcf6994890db24ddcb2380c1925188

      SHA256

      ed2c6bc3e77a404b8cf61176844ad19c1fdcae19881206631e3f0831a4bd919a

      SHA512

      a006a36fdcaf4c2403238475163553ba2fe7783fea200f28df46ea980a3907d2b24c854153b45b730195a133fcb28f60c157f33c865ea286ad8c354981cf5885

      Download Submit

    • C:\ProgramData\a7
      Filesize

      498KB

      MD5

      6bc361587f4bced49d8f2439b42a94f9

      SHA1

      373744ac4c39b0e7eeb82933e430713d90179210

      SHA256

      56b6f3f47778bdca406f8713e50965d6ab72271207890dbcf2291a2d5b7b586d

      SHA512

      278a14c68586e1c3921155896f0d740f50f102e7c63c88b84382ad3954f8d401504043d7fa261ba561ee432fae089da16b83e1577ef3660f42419a5abda84c2b

      Download Submit

    • C:\ProgramData\a8
      Filesize

      21KB

      MD5

      da08e194f9a7045dbb19f6e5d5d7f609

      SHA1

      7884062382bf1e7911f7e74198ca9fecec159c61

      SHA256

      9bd52ec7e7750500de33df995fcc7e68ed1da70d125579cf76ae8f787577ef75

      SHA512

      46720cd0677064b00a9e253953b8b6cd5141a99d0090ff0d7c4a24b830ca621878bcdfec3c56880f940662bd78f408782231bdd3cb370e06dadfee71e3e2b2b0

      Download Submit

    • C:\ProgramData\a9
      Filesize

      13KB

      MD5

      37aa892a6f35bcbe9b01f0a424f5d4f6

      SHA1

      e5d60e43a8e0a4b7371bd736e21b1a59546774af

      SHA256

      6feeb95115d7d8a51403996fee1ad219a52151662d3a01a2d17cfb77dbd51f3b

      SHA512

      a5d5ac494cba18bb5b2582310416dc2e146732ba4f2eddab6611393d61ac0ae839bacae0da1e85f0965575e6d6284b1180e2e3adb924f1e19d2d7586d2abbd83

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI8E65.tmp
      Filesize

      588KB

      MD5

      a9941233b9415b479d3b4f3732161eab

      SHA1

      cb2d99af52b3b1c712943b13e45d85c80c732e57

      SHA256

      ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2

      SHA512

      cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

      Download Submit

    • C:\Users\Admin\AppData\Roaming\chormeui\chomeui.exe
      Filesize

      1.3MB

      MD5

      84ba3c0d3d383c2676810494a7b5d4d4

      SHA1

      51dc4edee8e6d061dddf557861655079bb568308

      SHA256

      1dce1e3cef651f20cad4f096997407db5b5837b60a52b0abb8ad4c087b6a02e0

      SHA512

      6246e29c25c45258a2f244cb31991202d1b57e9309521296787b90d1662b3e9dd14d27cdd5557fbab39b66e18bbb63c9bf346091d0bf2dcfc798745ce030d079

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      23.7MB

      MD5

      98537bf13bbbd75be12d18d854834f8f

      SHA1

      384e4ef520f26b8e3576e6e24777356b24adcbd8

      SHA256

      f3e75a3e8f7c96160a8b3e46106fe1f91cd1f3b59a874c9f26465352d8540f6e

      SHA512

      21cbf1a4881cf44b66a744eaa258be4932f047d97faa4f11c74ec70d75081557c872bcb4fc526bdf12ebcfe1b6df636383942c19350b14cf256e6bf73a38cb6f

      Download Submit

    • \??\Volume{f1c9ec80-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{08b59d15-fd8c-4651-b941-6dd78981e2c7}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      867dacbd0580aa3d9235f97f05ed6295

      SHA1

      35463119786fb17a6f74fe0ebf84d959cdda4d22

      SHA256

      f45d38f7719c84154f728bae3786c97ec3a4c500a95281ee9509e493c66d85c7

      SHA512

      9e249dfbdcd72f7e66620ac067b79ff91e9a50e37048e457e239fc059100165a348c0f82fc326bc14c335f49d0d0d47907a71f461171182b560bebf0e88aba88

      Download Submit

    • memory/2376-367-0x0000000002E20000-0x0000000002EAB000-memory.dmp

      Filesize

      556KB

      Download

    • memory/2376-399-0x0000000000400000-0x000000000060E000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2600-389-0x0000000002660000-0x0000000002693000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2600-387-0x00000000025D0000-0x000000000265B000-memory.dmp

      Filesize

      556KB

      Download

    • memory/2600-380-0x00000000025D0000-0x000000000265B000-memory.dmp

      Filesize

      556KB

      Download

    • memory/2600-400-0x0000000000400000-0x000000000060E000-memory.dmp

      Filesize

      2.1MB

      Download