Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 11-09-2024 19:10

Static task: static1
Behavioral task: behavioral1
Sample: ChromeSetup.exe
Resource: win10v2004-20240802-en

General
- Target: ChromeSetup.exe
- Size: 8.5MB
- MD5: 20ac85a347e838048aca93ea86eb0094
- SHA1: 1e82f94af5629a0e13223ddd88741a81382694ed
- SHA256: 3ddc5e393369da156a53fa6158c0c06f600473a8ee1eb90f13eb5660a2c53e97
- SHA512: eca41d0178254d90d47b0d94c22c671f742b265f01002d8079d3b1d6a2352991b7aee707374ee692d266a2ef7d0061effd95fc1f97b8cf8284e7b0ac661a2566
- SSDEEP: 196608:ZNWvMZmI8qx5AxLg+mB6qDVKrNo+RpPOSdeIZ5yH+7BzLZMYFnIwBxu330G:Za4Wqx5YLg+y/DVKrNoCPoIZ5I+7B/25
Malware Config
Signatures
Checks whether UAC is enabled 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | updater.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | updater.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | updater.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 35 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\uninstall.cmd | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\settings.dat | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\prefs.json | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\settings.dat | updater.exe
File created | C:\Program Files (x86)\Google\GoogleUpdater\a88c9657-5218-40e0-91cc-d60c07461cfd.tmp | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\prefs.json | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\settings.dat | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\updater.log | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\updater.log | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\prefs.json | updater.exe
File created | C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe57aff7.TMP | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\metadata | updater.exe
File created | C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\uninstall.cmd | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\updater.log | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\metadata | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\metadata | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\prefs.json | updater.exe
File created | C:\Program Files\Google\Chrome\Temp\source5012_1397568924\chrome.7z | setup.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\metadata | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\updater.log | updater.exe
File created | C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\settings.dat | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\updater.log | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\updater.log | ChromeSetup.exe
File created | C:\Program Files (x86)\Google\GoogleUpdater\c73f9d7a-16b1-47b5-8d61-84f6b81e533b.tmp | updater.exe
File created | C:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RFe57d820.TMP | updater.exe
File created | C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\726bc708-9629-4586-8da7-e47b47b8f7cf.tmp | updater.exe
File created | C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe | updater.exe
File created | C:\Program Files (x86)\Google\GoogleUpdater\3bfa6654-e986-4372-85eb-068f98858b5f.tmp | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\metadata | updater.exe
File created | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | updater.exe
File opened for modification | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\a88c9657-5218-40e0-91cc-d60c07461cfd.tmp | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\c73f9d7a-16b1-47b5-8d61-84f6b81e533b.tmp | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad\metadata | updater.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\updater.log | updater.exe
Drops file in Windows directory 20 IoCs
description | ioc | Process
File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4664_1822685377\CR_4C1ED.tmp\SETUP.EX_ | 128.0.6613.120_chrome_installer.exe
File opened for modification | C:\Windows\SystemTemp\Crashpad\metadata | setup.exe
File created | C:\Windows\SystemTemp\Google4212_40200768\bin\updater.exe | ChromeSetup.exe
File opened for modification | C:\Windows\SystemTemp | updater.exe
File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4664_1822685377\manifest.fingerprint | updater.exe
File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4664_1822685377\CR_4C1ED.tmp\CHROME.PACKED.7Z | 128.0.6613.120_chrome_installer.exe
File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4664_1822685377\CR_4C1ED.tmp\setup.exe | 128.0.6613.120_chrome_installer.exe
File opened for modification | C:\Windows\SystemTemp | setup.exe
File opened for modification | C:\Windows\SystemTemp\Crashpad\settings.dat | setup.exe
File opened for modification | C:\Windows\SystemTemp | ChromeSetup.exe
File created | C:\Windows\SystemTemp\Google4212_40200768\updater.7z | ChromeSetup.exe
File created | C:\Windows\SystemTemp\chrome_url_fetcher_4664_2066027468\-8a69d345-d564-463c-aff1-a69d9e530f96-_128.0.6613.120_all_adbxy32a53sblo4vimdvvirvwnoq.crx3 | updater.exe
File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4664_1822685377\85b26139-acb1-490c-a93a-5925dc977dc2.tmp | updater.exe
File opened for modification | C:\Windows\SystemTemp\chrome_installer.log | setup.exe
File opened for modification | C:\Windows\SystemTemp | updater.exe
File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4664_1822685377\128.0.6613.120_chrome_installer.exe | updater.exe
File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4664_1822685377\manifest.json | updater.exe
File created | C:\Windows\SystemTemp\Google4212_974889714\UPDATER.PACKED.7Z | ChromeSetup.exe
File created | C:\Windows\SystemTemp\Google4212_40200768\bin\uninstall.cmd | ChromeSetup.exe
File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4664_1822685377\_metadata\verified_contents.json | updater.exe
Executes dropped EXE 9 IoCs
pid | Process
3472 | updater.exe
1140 | updater.exe
1436 | updater.exe
5056 | updater.exe
4664 | updater.exe
2984 | updater.exe
1568 | 128.0.6613.120_chrome_installer.exe
5012 | setup.exe
3616 | setup.exe
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ChromeSetup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | updater.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | updater.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | updater.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | updater.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | updater.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | updater.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
1568 | 128.0.6613.120_chrome_installer.exe
5012 | setup.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\1.0\ = "GoogleUpdater TypeLib for IUpdaterCallbackSystem" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544} | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\AppID | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\TypeLib\ = "{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\1.0\0 | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\TypeLib\Version = "1.0" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ = "IAppBundleWeb" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}\AppID = "{521FDB42-7130-4806-822A-FC5163FAD983}" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{85AE4AE3-8530-516B-8BE4-A456BF2637D3} | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F258BE54-7C5F-44A0-AAE0-730620A31D23} | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\ProxyStubClsid32 | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\TypeLib\ = "{27634814-8E41-4C35-8577-980134A96544}" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{27634814-8E41-4C35-8577-980134A96544}\1.0\0 | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{699F07AD-304C-5F71-A2DA-ABD765965B54}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\4" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{F4334319-8210-469B-8262-DD03623FEB5B}\1.0\0\win32 | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\TypeLib\ = "{85AE4AE3-8530-516B-8BE4-A456BF2637D3}" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA} | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ = "IAppWeb" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32 | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{F4334319-8210-469B-8262-DD03623FEB5B}\1.0 | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1588C1A8-27D9-563E-9641-8D20767FB258}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\4" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\TypeLib | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\6" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\ = "IPolicyStatus2System" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ = "IAppVersionWeb" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{05A30352-EB25-45B6-8449-BCA7B0542CE5} | updater.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}\ProgID | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{F966A529-43C6-4710-8FF4-0B456324C8F4}\1.0\0\win64 | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F966A529-43C6-4710-8FF4-0B456324C8F4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\TypeLib\Version = "1.0" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5} | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{ACAB122B-29C0-56A9-8145-AFA2F82A547C} | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\1.0\ = "GoogleUpdater TypeLib for ICurrentStateSystem" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716} | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77} | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0} | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\TypeLib\ = "{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ServiceParameters = "--com-service" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D576ED7F-31DA-4EE1-98CE-1F882FB3047A}\1.0\ = "GoogleUpdater TypeLib for IAppWebSystem" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\1.0\0\win32 | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\1.0\0 | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\1.0 | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\TypeLib\Version = "1.0" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\1.0\0\win64 | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\TypeLib | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F966A529-43C6-4710-8FF4-0B456324C8F4}\1.0\ = "GoogleUpdater TypeLib for IPolicyStatus4System" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1588C1A8-27D9-563E-9641-8D20767FB258}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\4" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0486745C-8D9B-5377-A54C-A61FFAA0BBE4}\TypeLib\Version = "1.0" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\ = "ICompleteStatusSystem" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4334319-8210-469B-8262-DD03623FEB5B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\TypeLib | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{E9CD91E3-A00C-4B9E-BD63-7F34EB815D98}\1.0\0\win32 | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\ProxyStubClsid32 | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | updater.exe
Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\1.0\0\win64 | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\TypeLib\ = "{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\1.0\ = "GoogleUpdater TypeLib for IProcessLauncher" | updater.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC738913-8AA7-5CF3-912D-45FB81D79BCB}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\130.0.6679.0\\updater.exe\\5" | updater.exe
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid | Process
3472 | updater.exe
3472 | updater.exe
3472 | updater.exe
3472 | updater.exe
3472 | updater.exe
3472 | updater.exe
1436 | updater.exe
1436 | updater.exe
1436 | updater.exe
1436 | updater.exe
1436 | updater.exe
1436 | updater.exe
4664 | updater.exe
4664 | updater.exe
4664 | updater.exe
4664 | updater.exe
4664 | updater.exe
4664 | updater.exe
4664 | updater.exe
4664 | updater.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: 33 | 4212 | ChromeSetup.exe
Token: SeIncBasePriorityPrivilege | 4212 | ChromeSetup.exe
Token: 33 | 1568 | 128.0.6613.120_chrome_installer.exe
Token: SeIncBasePriorityPrivilege | 1568 | 128.0.6613.120_chrome_installer.exe
Suspicious use of WriteProcessMemory 18 IoCs
description | pid | Process | procid_target
PID 4212 wrote to memory of 3472 | 4212 | ChromeSetup.exe | 81
PID 4212 wrote to memory of 3472 | 4212 | ChromeSetup.exe | 81
PID 4212 wrote to memory of 3472 | 4212 | ChromeSetup.exe | 81
PID 3472 wrote to memory of 1140 | 3472 | updater.exe | 82
PID 3472 wrote to memory of 1140 | 3472 | updater.exe | 82
PID 3472 wrote to memory of 1140 | 3472 | updater.exe | 82
PID 1436 wrote to memory of 5056 | 1436 | updater.exe | 84
PID 1436 wrote to memory of 5056 | 1436 | updater.exe | 84
PID 1436 wrote to memory of 5056 | 1436 | updater.exe | 84
PID 4664 wrote to memory of 2984 | 4664 | updater.exe | 87
PID 4664 wrote to memory of 2984 | 4664 | updater.exe | 87
PID 4664 wrote to memory of 2984 | 4664 | updater.exe | 87
PID 4664 wrote to memory of 1568 | 4664 | updater.exe | 89
PID 4664 wrote to memory of 1568 | 4664 | updater.exe | 89
PID 1568 wrote to memory of 5012 | 1568 | 128.0.6613.120_chrome_installer.exe | 90
PID 1568 wrote to memory of 5012 | 1568 | 128.0.6613.120_chrome_installer.exe | 90
PID 5012 wrote to memory of 3616 | 5012 | setup.exe | 91
PID 5012 wrote to memory of 3616 | 5012 | setup.exe | 91
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4212

  Level 2: C:\Windows\SystemTemp\Google4212_40200768\bin\updater.exe
  Command line: "C:\Windows\SystemTemp\Google4212_40200768\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={E02DAFCB-E910-FC99-00AF-E439B8728DD2}&lang=en&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3472

    Level 3: C:\Windows\SystemTemp\Google4212_40200768\bin\updater.exe
    Command line: C:\Windows\SystemTemp\Google4212_40200768\bin\updater.exe --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=130.0.6679.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x124a6cc,0x124a6d8,0x124a6e4
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 1140

Level 1: C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
Command line: "C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --system --windows-service --service=update-internal
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1436

  Level 2: C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
  Command line: "C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=130.0.6679.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x133a6cc,0x133a6d8,0x133a6e4
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 5056

Level 1: C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
Command line: "C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --system --windows-service --service=update
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4664

  Level 2: C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe
  Command line: "C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=130.0.6679.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x133a6cc,0x133a6d8,0x133a6e4
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 2984

  Level 2: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4664_1822685377\128.0.6613.120_chrome_installer.exe
  Command line: "C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4664_1822685377\128.0.6613.120_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4664_1822685377\85b26139-acb1-490c-a93a-5925dc977dc2.tmp"
  - Drops file in Windows directory
  - Executes dropped EXE
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1568

    Level 3: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4664_1822685377\CR_4C1ED.tmp\setup.exe
    Command line: "C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4664_1822685377\CR_4C1ED.tmp\setup.exe" --install-archive="C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4664_1822685377\CR_4C1ED.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4664_1822685377\85b26139-acb1-490c-a93a-5925dc977dc2.tmp"
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Executes dropped EXE
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID: 5012

      Level 4: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4664_1822685377\CR_4C1ED.tmp\setup.exe
      Command line: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4664_1822685377\CR_4C1ED.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=128.0.6613.120 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff7ea3746b8,0x7ff7ea3746c4,0x7ff7ea3746d0
      - Drops file in Windows directory
      - Executes dropped EXE
      PID: 3616
Network
MITRE ATT&CK Enterprise v15
Downloads