Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-08-2024 14:25

General

  • Target

    GoogleChorme.msi

  • Size

    31.3MB

  • MD5

    46c0158715bf937ebbbd3f0f4160df53

  • SHA1

    4025bb5c7dab4c20f43e27ef59fb7b0d59f20b5e

  • SHA256

    03f9c6613c68094f94d2099b0f5b61afb7e308d70a19b3bc26a2c4d9a65a33f0

  • SHA512

    13a7e0d01d3a79fdd309a447ad130fe3597737dc001ed816f6541f60079b4ee6f36b4d7842fa8672eca94b693925baab6ddb8f84839ad5bf7f0eea3e72f18357

  • SSDEEP

    786432:NOGXRTW9sglw5UbThI9/tCSRwWpe4jbdQ6nF7z:NRaRw5UbdMFKcjbdQCd

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 10 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\GoogleChorme.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2864
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3136
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 234A4F01CAE122EA658449DFC82DB775 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1952
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:4500
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 48009BAF5389AB2D1A453AC02F007C84
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4424
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\Mylnk\dick.lnk" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:864
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:3476
  • C:\gxwoyi\Agghosts.exe
    "C:\gxwoyi\Agghosts.exe" 67
    1⤵
    • Suspicious use of SetThreadContext
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\SysWOW64\tracerpt.exe
      "C:\Windows\SysWOW64\tracerpt.exe"
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        PID:3648

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Config.Msi\e57e37b.rbs

        Filesize

        8KB

        MD5

        3ff3a8e2eae2d5fd33220a6a04bd5dba

        SHA1

        ac640fad7a8d1f04a1bf6f3fa85800c0a900b562

        SHA256

        1d902b8e8b91c2d80de943926d6af58815d1ead0f79ae0da1aa473ac9d6b840d

        SHA512

        ebe3ec4138c4a373c58a8a5c4073ae20c3925ef23c5e6c2ab65350e49f679e6827a6e922596a51c9ff250866734e22cbdbfedb84699a87d1a24ff685f2055cd2

      • C:\Program Files (x86)\Chrome Setup\Chrome Setup\Ensup.log

        Filesize

        5.2MB

        MD5

        1d7cc3187499f8dadc7905cc0d136db6

        SHA1

        f929e95efd9a5deb9ab1c2774ef53697db78fc0f

        SHA256

        6db9f0016f4908dfe4ee908b8e6e46ccac74bb725b43191ee85b4a3d2c41daed

        SHA512

        745771ee686e79dd9452d790a0d279df85e345b3bacc6d362e30f26ee6f7496e63de05b9dfdf8280865e869b5462019e3ac2a8d9d9a33dd8c4cc7802023ae6c8

      • C:\Program Files (x86)\Chrome Setup\Chrome Setup\MFCLibrary1.dll

        Filesize

        1.8MB

        MD5

        3c3876000b72164b046c783937ebbf60

        SHA1

        1ab7a188590ccd11abc0ba7b55f1c495ca0e6607

        SHA256

        4294b39d25fc61b0163ea3bcb56de6b4f5fe423d50186686661e364cdec4fb9a

        SHA512

        696181bce27076e4e442f36a129dc35b1fd095a49c2576914fab48f572c735d08724f124f7647360030b54e6d3809c89e8c275d31c89ff5edc4d2a7c9242d6e5

      • C:\Users\Admin\AppData\Local\Temp\MSI88F6.tmp

        Filesize

        550KB

        MD5

        bda991d64e27606ac1d3abb659a0b33b

        SHA1

        a87ee1430f86effa5488ae654704c40aca3424c6

        SHA256

        ffea8222126b77f8da93e27edbadeb8b97fb023ef0d6a51522c35688f66283ca

        SHA512

        94fe1eadd4b4325fc1a8c769180c6ecf92e2dbf9f8262d6746fada603929977f3d40100ba84cffb4074c6900a2b2d307355e6a5116e6f16d9d3173fa17ad461f

      • C:\Windows\Installer\e57e37a.msi

        Filesize

        31.3MB

        MD5

        46c0158715bf937ebbbd3f0f4160df53

        SHA1

        4025bb5c7dab4c20f43e27ef59fb7b0d59f20b5e

        SHA256

        03f9c6613c68094f94d2099b0f5b61afb7e308d70a19b3bc26a2c4d9a65a33f0

        SHA512

        13a7e0d01d3a79fdd309a447ad130fe3597737dc001ed816f6541f60079b4ee6f36b4d7842fa8672eca94b693925baab6ddb8f84839ad5bf7f0eea3e72f18357

      • C:\gxwoyi\1.lnk

        Filesize

        1KB

        MD5

        4714b8fd760072cb8ba2c795bcd54b99

        SHA1

        385a49127225a0e826b8e5ca1a9fc11565911c6e

        SHA256

        6b1433f1569e524a37b029b2e77c824c988c645a18074e865c5b6881ece6fdca

        SHA512

        9e6bac25de1cb751ac17fd7f1a9f074ded0427c7d23a945f655b2f0a7f8be81b296662b57f4a90bcce7b86a53c7c48ace9213d16f5ccc16c5fb92518ea4dae20

      • C:\gxwoyi\Agghosts.exe

        Filesize

        111KB

        MD5

        a9b40e0b76aa5a292cb6052c6c2fd81d

        SHA1

        e15bba9e662ef45350720218617d563620c76823

        SHA256

        f5017d72f3b829a55971f877ebaa257f5e9791ae253ae23111cc45628477c36c

        SHA512

        ad49410a233614128a103ae55155665f563b67daa7411c42bf314a6a6d1c2cb61e4428d9049d0d3209d44a1b5eef1cab00541b6bb41dcf575ff9e7e406a2f23f

      • C:\gxwoyi\Ensup.log

        Filesize

        218KB

        MD5

        0ea5c7021018a45083ea4eb31f0fc34d

        SHA1

        d636419a870e4774feb272b73e5c9d57dae9485e

        SHA256

        b80d53a3d3ae6db48a7b1835aedb52e85291f35d55b61aa363994217b890dc8a

        SHA512

        a26e6461361b84da71396bdf8227c0d70f84589b92dd33c6549e1e035c4f5cfa778b4ca22b9ebfc380bd593a43260b53cb4b8f6ccb66381bdc64deb7755f9d79

      • C:\gxwoyi\VCRUNTIME140.dll

        Filesize

        77KB

        MD5

        f107a3c7371c4543bd3908ba729dd2db

        SHA1

        af8e7e8f446de74db2f31d532e46eab8bbf41e0a

        SHA256

        00df0901c101254525a219d93ff1830da3a20d3f14bc323354d8d5fee5854ec0

        SHA512

        fd776f8ceaac498f4f44819794c0fa89224712a8c476819ffc76ba4c7ff4caa9b360b9d299d9df7965387e5bbcb330f316f53759b5146a73b27a5f2e964c3530

      • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

        Filesize

        23.7MB

        MD5

        d0b3440e1489563517110872393792ee

        SHA1

        f05d9e0f244272648b149785cdaf0a620516db10

        SHA256

        66aefefbef58bec774db81dc1b074db10ed7b09b7d8e95a7e25501f1bc364080

        SHA512

        7fbec228743d9e0aa316c226ece169567b7a047f198e4f83d43c24edf9516e7cdb162b6563730993b7d64ef47947330d15b3a3160407dea23df003c41e4c5225

      • \??\Volume{f1c94fa5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{08214d0a-6c94-4b04-801c-e3b40a7abcd9}_OnDiskSnapshotProp

        Filesize

        6KB

        MD5

        fb5d3edd07afe957943d8d1db01fa985

        SHA1

        efd752cb966d0a70fbdb0b65c57b0c8744fe8859

        SHA256

        45b13228499873c2ba76cc2f251c3ad261bef2f4951b6a06294760bb072a6878

        SHA512

        06237a8be6c2a96efc84b6c39f2db0d5fe8f3bb2eb69f96e991d376b4d3313e231386d2589f64fa8a9bd981678efa4a12f422a6e0327aeadf631eb3599ec28c7

      • memory/1940-71-0x0000000010000000-0x0000000010022000-memory.dmp

        Filesize

        136KB

      • memory/2748-108-0x0000000000880000-0x00000000008B8000-memory.dmp

        Filesize

        224KB

      • memory/2748-109-0x0000000000880000-0x00000000008B8000-memory.dmp

        Filesize

        224KB

      • memory/2748-110-0x0000000000880000-0x00000000008B8000-memory.dmp

        Filesize

        224KB

      • memory/2748-113-0x0000000000880000-0x00000000008B8000-memory.dmp

        Filesize

        224KB

      • memory/2748-112-0x0000000000880000-0x00000000008B8000-memory.dmp

        Filesize

        224KB

      • memory/4424-45-0x0000000010000000-0x00000000102C3000-memory.dmp

        Filesize

        2.8MB