Overview

overview

7

Static

static

1

GoogleChom...64.msi

windows7-x64

7

GoogleChom...64.msi

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    GoogleChome Setup_x64.msi.v

  • Size

    46.5MB

  • Sample

    240915-l3sg4sxhkh

  • MD5

    007b60f7f360605f0bca91a9b4737dbb

  • SHA1

    e487241d09fce5ba85128057cff04ad630dd2706

  • SHA256

    b546a6355082b41c6508ed78b635f39bacb26e1df9a8184087eda5c8c644fbb0

  • SHA512

    b6085d72f58f5e93e4ad132ff5e9d4ce174caea0fb0d6ff3fc8f752f6d8fd4d27a01fb83db89e4ea12a0c692123c0a28edc6dc57ca298eafdc4bf5aa8a1146f8

  • SSDEEP

    786432:VgdbzwOnEXasVPBbBbdiztjYMzfg78I+lQqQuH+2LV0gVah/CaVSgAtClrzlGAU:V4w/ZjBbdizpjQnIQuH+UelKiAtClf

Score
7/10
discoverypersistenceprivilege_escalationspywarestealer

Malware Config

Targets

    • Target

      GoogleChome Setup_x64.msi.v

    • Size

      46.5MB

    • MD5

      007b60f7f360605f0bca91a9b4737dbb

    • SHA1

      e487241d09fce5ba85128057cff04ad630dd2706

    • SHA256

      b546a6355082b41c6508ed78b635f39bacb26e1df9a8184087eda5c8c644fbb0

    • SHA512

      b6085d72f58f5e93e4ad132ff5e9d4ce174caea0fb0d6ff3fc8f752f6d8fd4d27a01fb83db89e4ea12a0c692123c0a28edc6dc57ca298eafdc4bf5aa8a1146f8

    • SSDEEP

      786432:VgdbzwOnEXasVPBbBbdiztjYMzfg78I+lQqQuH+2LV0gVah/CaVSgAtClrzlGAU:V4w/ZjBbdizpjQnIQuH+UelKiAtClf

    Score
    7/10
    discoverypersistenceprivilege_escalationspywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Blocklisted process makes network request

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Defense Evasion

Modify Registry

2
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

2
T1120

Query Registry

6
T1012

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks