3ba6af4e0072bd3ac9fe8372ac543f95488a7cada32ca70ae87782c779064cab

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-08-2024 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gchrome.exe
Size

2.8MB
MD5

49fd4020bf4d7bd23956ea892e6860e9
SHA1

c5d8f155209badd278437d0e534648f8d5c35aae
SHA256

d23b4a30f6b1f083ce86ef9d8ff434056865f6973f12cb075647d013906f51a2
SHA512

b532f3e0451759727eba1e1559ba20131d1900ef958d1cd3c2dc4e65cfafbce5cadfe52d867048751815e0c8b7afcd0679725c937fe7b1aecd21699773627817
SSDEEP

49152:sVic4rcPjPlzIWJDn8Ss2y44enoerL/TrRCxREX4x+va:42etHsFenjvT9/X44

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	gchrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	chrome.exe

Executes dropped EXE 3 IoCs

pid	Process
444	chrome.exe
4104	chrome.exe
4992	chrome.exe

Loads dropped DLL 4 IoCs

pid	Process
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IChrome = "C:\\Users\\Admin\\AppData\\Roaming\\chrome.exe"	gchrome.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 444 set thread context of 4992	444	chrome.exe	104

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gchrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chrome.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
436	WINWORD.EXE
436	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4024	gchrome.exe
4024	gchrome.exe
4024	gchrome.exe
4024	gchrome.exe
4024	gchrome.exe
4024	gchrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
4104	chrome.exe
4104	chrome.exe
4104	chrome.exe
4104	chrome.exe
4104	chrome.exe
4104	chrome.exe
4104	chrome.exe
4104	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4024	gchrome.exe
Token: SeDebugPrivilege	444	chrome.exe
Token: SeDebugPrivilege	4104	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
436	WINWORD.EXE
436	WINWORD.EXE
436	WINWORD.EXE
436	WINWORD.EXE
436	WINWORD.EXE
436	WINWORD.EXE
436	WINWORD.EXE
436	WINWORD.EXE
4992	chrome.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 444	4024	gchrome.exe	94
PID 4024 wrote to memory of 444	4024	gchrome.exe	94
PID 4024 wrote to memory of 444	4024	gchrome.exe	94
PID 444 wrote to memory of 4104	444	chrome.exe	100
PID 444 wrote to memory of 4104	444	chrome.exe	100
PID 444 wrote to memory of 4104	444	chrome.exe	100
PID 444 wrote to memory of 4992	444	chrome.exe	104
PID 444 wrote to memory of 4992	444	chrome.exe	104
PID 444 wrote to memory of 4992	444	chrome.exe	104
PID 444 wrote to memory of 4992	444	chrome.exe	104
PID 444 wrote to memory of 4992	444	chrome.exe	104
PID 444 wrote to memory of 4992	444	chrome.exe	104
PID 444 wrote to memory of 4992	444	chrome.exe	104
PID 444 wrote to memory of 4992	444	chrome.exe	104

C:\Users\Admin\AppData\Local\Temp\gchrome.exe
"C:\Users\Admin\AppData\Local\Temp\gchrome.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Users\Admin\AppData\Roaming\chrome.exe
  "C:\Users\Admin\AppData\Roaming\chrome.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Users\Admin\AppData\Roaming\chrome.exe
    "C:\Users\Admin\AppData\Roaming\chrome.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4104
- - C:\Users\Admin\AppData\Roaming\chrome.exe
    "C:\Users\Admin\AppData\Roaming\chrome.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4992

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ProtectSubmit.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:436

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2292

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\New text document.txt
1⤵
PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
374B

MD5
64d0ea593af826007cb9abbf79e840c7

SHA1
7aed84fa22085c628116ddb67e4d42fb5504cfa2

SHA256
37819e65613096c3bb416fcc601da8fcf36ade5bd45d10ebb62dd43b606f3dff

SHA512
cefc0382195c6e4fcc254e19d8b71579bdb4849e5de6f6d927b24df1f19678992a93dd77cb46686868a1b332a862e60fecfaa9734c252c389fabf429dd037929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
adccd063c6cd0d03f5918538b6b45788

SHA1
06bd4b0cea1ca612d3e1182d78e406348c86a6c6

SHA256
d9186b465b936a0bdcacc410f01d93bb6ad8a938831532cc23f9c06f7387864e

SHA512
a7ebd10351273ebe8c4030b725e1d88a7cec334e62de724f872af2630d3eda70c2f1975bd2bbed880e905d60129f4a56837bad4d9c702ce142c3fc5e67d4d568

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
079f3e916d83bf489d7a808a5c905ff9

SHA1
af650bb0f889aa4d559a8580dc34802723b4e92e

SHA256
741f13f1d5a118667ffacba3b3e8a90c1a5308b84dbe9893f0a0ac77114ebe0e

SHA512
0162c65c1b13336a89753e6b28f8127988405780938454b04d4945d7c990f8c76caddef7970f708dd60fed256e08a0ca8c0eaf2d8c01be53f1a5ab73c7398774

Download Submit
C:\Users\Admin\AppData\Roaming\Tamir.SharpSsh.dll

Filesize
196KB

MD5
2859f8073bc71c8a0331e46ece0e6213

SHA1
44222d0ef6c407a879c60b9e180f727e29733fe4

SHA256
059b6748030ea8be6ff9b34169beaa61df8d7756514a54c13c61f20f4f1f6dd5

SHA512
fa0d04cf2fb0eff55f50b6358489cde32b507f0f4dfdc8eec8dc22961ae9f02eb1361fadd4161b50d90f6228fa0c2f467e0f40ca3b0957a83a6c557d64f0e3cf

Download Submit
C:\Users\Admin\AppData\Roaming\chrome.exe

Filesize
2.8MB

MD5
49fd4020bf4d7bd23956ea892e6860e9

SHA1
c5d8f155209badd278437d0e534648f8d5c35aae

SHA256
d23b4a30f6b1f083ce86ef9d8ff434056865f6973f12cb075647d013906f51a2

SHA512
b532f3e0451759727eba1e1559ba20131d1900ef958d1cd3c2dc4e65cfafbce5cadfe52d867048751815e0c8b7afcd0679725c937fe7b1aecd21699773627817

Download Submit
C:\Users\Admin\Documents\New text document.txt

Filesize
32B

MD5
e4654597b12592c4a148957486cb2d55

SHA1
8d6492af07c691fbc2a86194f81c19e59dc6a83c

SHA256
9f1dd5ca1a61cba953238c0b8f96f808436762078cc5aace854d4e5cbda4b744

SHA512
35f1367d238dd77314b891d890831ed7d59aca7dfd0bea87d2c1f60f8f901341031c65108b3e16defd1eedfa295727c5acfba8fed2ec58ee61708d8dbe75dc8e

Download Submit
memory/436-24-0x00007FF885E30000-0x00007FF885E40000-memory.dmp

Filesize
64KB

Download
memory/436-28-0x00007FF885E30000-0x00007FF885E40000-memory.dmp

Filesize
64KB

Download
memory/436-106-0x00007FF885E30000-0x00007FF885E40000-memory.dmp

Filesize
64KB

Download
memory/436-103-0x00007FF885E30000-0x00007FF885E40000-memory.dmp

Filesize
64KB

Download
memory/436-104-0x00007FF885E30000-0x00007FF885E40000-memory.dmp

Filesize
64KB

Download
memory/436-105-0x00007FF885E30000-0x00007FF885E40000-memory.dmp

Filesize
64KB

Download
memory/436-23-0x00007FF885E30000-0x00007FF885E40000-memory.dmp

Filesize
64KB

Download
memory/436-25-0x00007FF885E30000-0x00007FF885E40000-memory.dmp

Filesize
64KB

Download
memory/436-39-0x00007FF8C5DB0000-0x00007FF8C5FA5000-memory.dmp

Filesize
2.0MB

Download
memory/436-26-0x00007FF885E30000-0x00007FF885E40000-memory.dmp

Filesize
64KB

Download
memory/436-27-0x00007FF8C5E4D000-0x00007FF8C5E4E000-memory.dmp

Filesize
4KB

Download
memory/436-107-0x00007FF8C5DB0000-0x00007FF8C5FA5000-memory.dmp

Filesize
2.0MB

Download
memory/436-29-0x00007FF8C5DB0000-0x00007FF8C5FA5000-memory.dmp

Filesize
2.0MB

Download
memory/436-31-0x00007FF8C5DB0000-0x00007FF8C5FA5000-memory.dmp

Filesize
2.0MB

Download
memory/436-33-0x00007FF8C5DB0000-0x00007FF8C5FA5000-memory.dmp

Filesize
2.0MB

Download
memory/436-32-0x00007FF8C5DB0000-0x00007FF8C5FA5000-memory.dmp

Filesize
2.0MB

Download
memory/436-30-0x00007FF8C5DB0000-0x00007FF8C5FA5000-memory.dmp

Filesize
2.0MB

Download
memory/436-35-0x00007FF8C5DB0000-0x00007FF8C5FA5000-memory.dmp

Filesize
2.0MB

Download
memory/436-34-0x00007FF883AD0000-0x00007FF883AE0000-memory.dmp

Filesize
64KB

Download
memory/436-37-0x00007FF8C5DB0000-0x00007FF8C5FA5000-memory.dmp

Filesize
2.0MB

Download
memory/436-38-0x00007FF8C5DB0000-0x00007FF8C5FA5000-memory.dmp

Filesize
2.0MB

Download
memory/436-36-0x00007FF8C5DB0000-0x00007FF8C5FA5000-memory.dmp

Filesize
2.0MB

Download
memory/436-41-0x00007FF8C5DB0000-0x00007FF8C5FA5000-memory.dmp

Filesize
2.0MB

Download
memory/436-40-0x00007FF883AD0000-0x00007FF883AE0000-memory.dmp

Filesize
64KB

Download
memory/444-22-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/444-18-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/444-42-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/444-65-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/444-21-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/444-20-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/444-19-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4024-0-0x0000000074EF2000-0x0000000074EF3000-memory.dmp

Filesize
4KB

Download
memory/4024-17-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4024-4-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4024-3-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4024-2-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4024-1-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4992-108-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download