Analysis

  • max time kernel
    47s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/11/2024, 13:39

General

  • Target

    Chrome32-64win-e2.exe

  • Size

    49.5MB

  • MD5

    9a92fb642c8de2a418b0002964795915

  • SHA1

    2842060fa391d281ba178cee76c8997445795753

  • SHA256

    08cde936cf0aea2a3eaa1af53e8e2de33a7a7e240f481ac1457c835555abbce7

  • SHA512

    62522809c52d928bfafc950d3d8be6d0b1c605f03e55b893792e494bc4dfb17876cc36acf9ae01c447b7192b417cc20b172da26312ced54de92838fa54eb1c16

  • SSDEEP

    786432:HwLW+U5I9Zm9jm9jm9jm9jm9jm9jm9jm9jm95:0W+KumNmNmNmNmNmNmNmNmD

Malware Config

Signatures

  • UAC bypass 3 TTPs 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in Program Files directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 1 IoCs

    Uses a command-line utility to view the network configuration.

  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Chrome32-64win-e2.exe
    "C:\Users\Admin\AppData\Local\Temp\Chrome32-64win-e2.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:576
    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5617698 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\Chrome32-64win-e2.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-3692679935-4019334568-335155002-1000"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Program Files\GG\CG.exe
        "C:\Program Files\GG\CG.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2184
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ipconfig /all
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2148
          • C:\Windows\system32\ipconfig.exe
            ipconfig /all
            5⤵
            • Gathers network information
            PID:3036
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" -f C:\Users\Public\Pictures\fK9c3.xml
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          PID:2916
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\z3a2E.bat"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:364
          • C:\Windows\system32\reg.exe
            reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
            5⤵
            • UAC bypass
            PID:2244
          • C:\Windows\system32\reg.exe
            reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
            5⤵
            • UAC bypass
            PID:2280
          • C:\Windows\system32\reg.exe
            reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
            5⤵
            • UAC bypass
            PID:2308
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Pictures\I8180\hus2D~e2\p+C:\Users\Public\Pictures\I8180\hus2D~e2\w C:\Users\Public\Pictures\I8180\hus2D~e2\nw_elf.dll
          4⤵
          PID:2836
    • C:\Windows\system32\mmc.exe
      C:\Windows\system32\mmc.exe -Embedding
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Users\Public\Pictures\I8180\hus2D~e2\jdy_client_mini.exe
        "C:\Users\Public\Pictures\I8180\hus2D~e2\jdy_client_mini.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2712

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files\GG\cache_22_4

      Filesize

      9.0MB

      MD5

      be5628882d28ba1bdb9850dc4b7e7fa1

      SHA1

      6d37839c4b8ded05c0e8108696e1b794de59a2a8

      SHA256

      def949e97a2a2d2e504f7c85a27a6f2fd44d3a898357398f4aaa7eb033dfb287

      SHA512

      16037fd6ee2bb26e1014e9e69a2ee5d7290ebe5021ed1eedaa5908b73c39cc2ba6f66c553be9a39163b8831e8f519b10009e71fb94ce392c7229541192aa1c39

    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

      Filesize

      5KB

      MD5

      d472a0189aa52f36633ac3d89f5e1219

      SHA1

      4fb2aed9b3527cc29178150696865d22a719b868

      SHA256

      d5e3cd5adcfdc47b3b9ed57c59960efc8792a820e404ac8dda85ef943de7904b

      SHA512

      30cf1c5a676657006e5e94c8967df2f6596e801d865df2405231fe2fab9be759810e559a97ee7085e3dd1d84ede84862351a8cfa4181bafd96c2c95469ddc0ad

    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.JPG

      Filesize

      49KB

      MD5

      6e6a077e106d26ba4a7064c355472cde

      SHA1

      878ab7196eff24b8967ab98c4e930758d2574fc2

      SHA256

      cbf37d70834a4f739db3c649cdf38f5abb9d78582f71a65f95bd40619ea57ac9

      SHA512

      3b1c0f1893e78047989142435f26eee89980470b44dcf9442787799b7e81d0f4153bd7950876aea8313e2a1f460b2094630b674e1630965ed5b003242560260a

    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.JPG

      Filesize

      30KB

      MD5

      f4e6420595b0418ac0379d33fd264fc0

      SHA1

      c938bc5cad43977ad769f997a7da8d89bf9fa023

      SHA256

      6a321bbb3fc68ca597217b87c042b7f1f7b136cc1ddfb29f0dd396c14568e779

      SHA512

      09f83e41a7b7fee76cde0ccd3461bcbd888c9dbed505f734af88ed11f97fc2217b3ec59f3e989c51be00786ec262f56f971ef8e138263dbf8f80f821477a240f

    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

      Filesize

      350KB

      MD5

      c916c7815286c5233a49deac81f8543e

      SHA1

      cb964c3c8eae8e7ce170f3ad3a55993f7a1918db

      SHA256

      3d07466b8f5c18afc70c6a9746d43fa7daa39c9bd41e8bfb928c70e7d7458bf4

      SHA512

      0d65283c41c30ee688bf02ec3eec7f6b17a750efc18fa6a66f26c7c6ef8bae860d270b31017f096d8d254c2769be2b7ed64d6b3dc659d1b57d466388271e2c78

    • C:\Users\Admin\AppData\Roaming\z3a2E.bat

      Filesize

      392B

      MD5

      30d6eb22d6aeec10347239b17b023bf4

      SHA1

      e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1

      SHA256

      659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08

      SHA512

      500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76

    • C:\Users\Public\Pictures\I8180\hus2D~e2\NH.txt

      Filesize

      179KB

      MD5

      c9a594eac7c964a6645df3074481cdac

      SHA1

      9a94199ae76c74daf294e1152d323d1fc6916840

      SHA256

      03644a5baabca6f45f4abb3f77c85e5b420f7fb55a73c9ea753d3df460ae6b55

      SHA512

      9d6af76c104e1edb91f105913cc006fa47a47935120cabca7207b8eba877099f4b2357fe8ae419b5f1b1bdedb23dd14952dae332ac505d1d5983c0e76dfeaac1

    • C:\Users\Public\Pictures\I8180\hus2D~e2\jdy_client_mini.exe

      Filesize

      2.6MB

      MD5

      c206388d7a4c81a52cf637a3e0d2acc8

      SHA1

      c927b021d7f4691ac84a7a54a8d3358f02c89ee6

      SHA256

      1dab81c0d0650a673151e90d475722906f6d71421ceaa8f0df9b14d2e36cd9d3

      SHA512

      247d2277b23360db7d9e7794be80290e1148eb03d5b15ef56710c5dfd62b0374cc05a1529889f00f59813a4e1ed00f35358069a3397fafd65f89205268e4f783

    • C:\Users\Public\Pictures\I8180\hus2D~e2\nw_elf.dll

      Filesize

      1.7MB

      MD5

      c17a7b1c4836089c0c73b03b8ada5941

      SHA1

      25629c7994565d12969b36f9b3960bafedd7e20a

      SHA256

      0ef6821b9df8c45c7d817c36bf99cf0057a63bcb5709ffdfd721cc50dcd7afd9

      SHA512

      0b6510127be3014b0b46ed7f4fb48b75bf63b566ae700767115d0e6d26d8e487d0261b19952dc9c0d9946e25d424388b41c7b2f9634c8ff008d9d837de335597

    • C:\Users\Public\Pictures\I8180\hus2D~e2\p

      Filesize

      886KB

      MD5

      2ed406d06efeeea53ba02a605f1d1674

      SHA1

      70085132cb0207b1389581489149c42052ba374b

      SHA256

      7bdd4e0d14aae0653f703b66b8257f6a9c997547d06fb20063cc02929b7cd1b0

      SHA512

      0213c75c9611102a12ccc26e44fffdc7657606da00a6aa98044394a845dbaa25d1e1f987c5963c7db96f965804db29032cd480d15732cbb33a622ba7dc387762

    • C:\Users\Public\Pictures\I8180\hus2D~e2\w

      Filesize

      886KB

      MD5

      a5b68f44e99929a11b6fead500e8ed61

      SHA1

      6dcd1d94e214a3db96c286758c0e2690dddaa977

      SHA256

      fdf58cf91573dfebe3ea25d567b993570ebd5a2f2fd74fd1e22dcd7103ac18b2

      SHA512

      af8c057851ec682047d550d7190d7450f505b848f87aaf6681400acc9a21253321b06de74d7d932cfc1a7a153bc3d13d791c42b365159ae51184c8ec86f201e9

    • \Program Files\GG\CG.exe

      Filesize

      19.3MB

      MD5

      ac16d03865ea08366ebb52f9e2954abd

      SHA1

      f5305ae4d3a3dd97ea50eaec77f05a1e46897b37

      SHA256

      07a2352bc77c158edcca7a37b56173e0509feba4ec2ed3ad1008b2cbc3f2e6a1

      SHA512

      f6a38492ac8c0355f4620cb3bd2573b0d58a89398087962cdfb06ed85b870ea91a8dd1d956b3feca8a3c397906f1244edabfa8bb0ab9d05162db503f6ca4fecd

    • \Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

      Filesize

      4.9MB

      MD5

      b0a1f1e0a106e1a62753c8a07fb3809b

      SHA1

      b4bab82aa173a401a2f16f8b4ad91105a895b2d9

      SHA256

      f7e07f7936269756bb73e91c8b280c2ab8532fb5bf15085d96eaebc7a05a8950

      SHA512

      ffc97976471e26e938e0389b33c0143b4a55653f90ee35f8220663b2a78fc48a106a204dd25c990817a57f3670d41fd1361cbdbc3bc4894ded882b356649c083

    • memory/2184-85-0x0000000180000000-0x0000000180213000-memory.dmp

      Filesize

      2.1MB

    • memory/2184-86-0x0000000180000000-0x0000000180213000-memory.dmp

      Filesize

      2.1MB

    • memory/2184-84-0x0000000180000000-0x0000000180213000-memory.dmp

      Filesize

      2.1MB

    • memory/2712-105-0x0000000000340000-0x00000000003A9000-memory.dmp

      Filesize

      420KB