c26bd52b68a990d43d6084cc762d79d90e0688b3a060d88c48f70c3b74ef1ae3

General

Target

c26bd52b68a990d43d6084cc762d79d90e0688b3a060d88c48f70c3b74ef1ae3.exe
Size

5.8MB
MD5

9ef87855c12e6d92cf1deb46f29aaf99
SHA1

bd85a7dc3223b4a6bcef1cc77de7c53163f71905
SHA256

c26bd52b68a990d43d6084cc762d79d90e0688b3a060d88c48f70c3b74ef1ae3
SHA512

b7795353879e4a130be04b603efe30234e7732047f485d3b1d57873ca4d38232aa3501c563c24ea1ca3813292ab85f6378bd0b31ab3120c475a8e2f9b935d88b
SSDEEP

49152:vzlnEcO3Cgrb/TbvO90d7HjmAFd4A64nsfJa/pJMBMvDF/4q4auspdkgKKhdvZfm:63CE/Xx4LKhdk1ESpV

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
568	ChromeUpdateTaskMachinCore.exe

Loads dropped DLL 2 IoCs

pid	Process
1980	cmd.exe
1980	cmd.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe	c26bd52b68a990d43d6084cc762d79d90e0688b3a060d88c48f70c3b74ef1ae3.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	c26bd52b68a990d43d6084cc762d79d90e0688b3a060d88c48f70c3b74ef1ae3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	c26bd52b68a990d43d6084cc762d79d90e0688b3a060d88c48f70c3b74ef1ae3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	c26bd52b68a990d43d6084cc762d79d90e0688b3a060d88c48f70c3b74ef1ae3.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ChromeUpdateTaskMachinCore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ChromeUpdateTaskMachinCore.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2084	c26bd52b68a990d43d6084cc762d79d90e0688b3a060d88c48f70c3b74ef1ae3.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1440	2084	c26bd52b68a990d43d6084cc762d79d90e0688b3a060d88c48f70c3b74ef1ae3.exe	31
PID 2084 wrote to memory of 1440	2084	c26bd52b68a990d43d6084cc762d79d90e0688b3a060d88c48f70c3b74ef1ae3.exe	31
PID 2084 wrote to memory of 1440	2084	c26bd52b68a990d43d6084cc762d79d90e0688b3a060d88c48f70c3b74ef1ae3.exe	31
PID 2084 wrote to memory of 1980	2084	c26bd52b68a990d43d6084cc762d79d90e0688b3a060d88c48f70c3b74ef1ae3.exe	33
PID 2084 wrote to memory of 1980	2084	c26bd52b68a990d43d6084cc762d79d90e0688b3a060d88c48f70c3b74ef1ae3.exe	33
PID 2084 wrote to memory of 1980	2084	c26bd52b68a990d43d6084cc762d79d90e0688b3a060d88c48f70c3b74ef1ae3.exe	33
PID 1980 wrote to memory of 568	1980	cmd.exe	35
PID 1980 wrote to memory of 568	1980	cmd.exe	35
PID 1980 wrote to memory of 568	1980	cmd.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c26bd52b68a990d43d6084cc762d79d90e0688b3a060d88c48f70c3b74ef1ae3.exe
"C:\Users\Admin\AppData\Local\Temp\c26bd52b68a990d43d6084cc762d79d90e0688b3a060d88c48f70c3b74ef1ae3.exe"
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\system32\schtasks.exe
  C:\Windows\system32\schtasks.exe /CREATE /XML C:\Users\Admin\AppData\Local\Temp\XwgHMdCZxQAhLXTrFx /F /TN ChromeUpdateTaskMachinCore
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1440
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe
    "C:\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XwgHMdCZxQAhLXTrFx

Filesize
1KB

MD5
7835474bb8567f7880b246e6ce222544

SHA1
a2e9ec1322afdaf20f7648c567c265ff6370682f

SHA256
7092823922f6836d1fcb96810199f45fff85fa958761cfab5f6c06f2e2f3bb60

SHA512
cac87dcd015ef12c7e9f6f82c31a38b7a90c0e211e27c2b61296db283e160e870ba8c8a876e63a201841114926d304bf8453c08b67a8dc8a7a5d37ae8dc3f249

Download Submit
\Program Files\ChromeUpdateTaskMachinCore\ChromeUpdateTaskMachinCore.exe

Filesize
5.8MB

MD5
fc4c81e74ea21e5cc9e088ff54c5deb5

SHA1
4638afe3f39eaf5d4d9e355d726739ea57c92188

SHA256
b553606ce390a2b498eab9c972b6553ed232711de963fdf6cb1d1c7f8d9503cd

SHA512
2dab74596e387441745310ded9848425e537632f89e59b6b12d0d945cb9ad509e067041a6b8f12c1d5f96f59cb8ad1e8f772ada395a91907bbc4e9ba1d60bd9a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads