32b8ac4b491b0d1be1f27c4e2531c4117aa928551b2ade3c0152c27808fedb2f

General

Target

chrome.exe
Size

12.3MB
MD5

a77ebb32ac51d7605b33e3fdd8191f6e
SHA1

4e91fa8d20ee82aec600ea233a65461d6c5717ee
SHA256

32b8ac4b491b0d1be1f27c4e2531c4117aa928551b2ade3c0152c27808fedb2f
SHA512

5d6ffcf6490dbc71fa81bd79e7dbca3067630331aeb199208486d983e7d402b5ff3aac4ad57b46dcd965b006c721d0b2e7be18e0bb941fa1b4b6c47ecaef7762
SSDEEP

393216:jIFY+4quIREaCe0i5tNV8p9I5h+A9qZ2evV2rZBJi:MF5LuIxf9Vd5hNwZfvV24

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2072	chrome.tmp
2468	Appverif.exe
2756	ChromeSetup.exe
2524	ChromeSetup.exe

Loads dropped DLL 4 IoCs

pid	Process
2840	chrome.exe
1124	cmd.exe
2468	Appverif.exe
820	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chrome.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2072	chrome.tmp
2072	chrome.tmp
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe
2468	Appverif.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2072	chrome.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2072	2840	chrome.exe	30
PID 2840 wrote to memory of 2072	2840	chrome.exe	30
PID 2840 wrote to memory of 2072	2840	chrome.exe	30
PID 2840 wrote to memory of 2072	2840	chrome.exe	30
PID 2840 wrote to memory of 2072	2840	chrome.exe	30
PID 2840 wrote to memory of 2072	2840	chrome.exe	30
PID 2840 wrote to memory of 2072	2840	chrome.exe	30
PID 2072 wrote to memory of 1124	2072	chrome.tmp	31
PID 2072 wrote to memory of 1124	2072	chrome.tmp	31
PID 2072 wrote to memory of 1124	2072	chrome.tmp	31
PID 2072 wrote to memory of 1124	2072	chrome.tmp	31
PID 1124 wrote to memory of 2468	1124	cmd.exe	33
PID 1124 wrote to memory of 2468	1124	cmd.exe	33
PID 1124 wrote to memory of 2468	1124	cmd.exe	33
PID 1124 wrote to memory of 2468	1124	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\chrome.exe
"C:\Users\Admin\AppData\Local\Temp\chrome.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Users\Admin\AppData\Local\Temp\is-L5VDI.tmp\chrome.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-L5VDI.tmp\chrome.tmp" /SL5="$40102,12023458,717824,C:\Users\Admin\AppData\Local\Temp\chrome.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\ProgramData\start.bat""
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\ProgramData\Appverif.exe
      "C:\ProgramData\appverif.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:2468
  - - C:\ProgramData\ChromeSetup.exe
      "C:\ProgramData\ChromeSetup.exe"
      4⤵
      Executes dropped EXE
      PID:2756
  - - C:\ProgramData\ChromeSetup.exe
      "C:\ProgramData\ChromeSetup.exe"
      4⤵
      Executes dropped EXE
      PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Appverif.exe

Filesize
91KB

MD5
8ef4960e597ab67df52e45a0af124048

SHA1
8846ad8c2992bd2503dc831195898309d00c2bfa

SHA256
849c12b99709eb16790e70cd04c615de75346b15fb9da325f87180b7a7567f42

SHA512
f393da33e61a73e21e2e0504088d3728b3229fb823290031ff42ca1ef83e1d94732f35e023115d6718dab163175184852107bf7e946f7271bb3508af9d000842

Download Submit
C:\ProgramData\ChromeSetup.exe

Filesize
8.5MB

MD5
86eb69942ef2ee2bbebe934cde9eb99c

SHA1
41d96315325c2fd8c7b0b2a1e07df254fb715e49

SHA256
127a82b5b879aa18eba9e35fdc820a0f19fd816e2825ec4cc5f385e4b7a244f3

SHA512
0cd79224479f6b20a8e2edd865890f46a41d434a6403dec5524d11cbf2fd12408eaa32221fa10fc701c6e24cb1edb0ef602b176860b9a9db9dbf63a73556c55c

Download Submit
C:\ProgramData\DesDtCore64.dll

Filesize
209KB

MD5
ef211dd68325f87395a1cf5232501880

SHA1
bc740f18683d7e35a254de4d901e2e184883680a

SHA256
97e32c456e5757fde0cc81de20e041865fd1cbcf42b5e90bf15560703d00bcd3

SHA512
a2ce5351c451dea75f408cb5de215e6e89f51054f693a87abc59f4b2dc9a2699796f2ed6589305cda89d77131a727d779ea6df97eb11b1c9836f5b9c2e089299

Download Submit
C:\ProgramData\start.bat

Filesize
72B

MD5
5f7cbf20bb8fdaf6b0734986cf3de662

SHA1
d79c9d6b4f1d9da0e075b9dd627197ba7f7b8576

SHA256
1ac28dba3ec4d5083adaae3b7edba7ca2d0ef77869203b21ed84fabe0fb55c05

SHA512
e5d0860bf9691aaf1cba76099c76451d4c029560d76677db9a4df5cb776aab5bfa58c882f7d64ba4e816b4ea1799a17a63d185795f5b587af216c9dde2bc6b8f

Download Submit
\Users\Admin\AppData\Local\Temp\is-L5VDI.tmp\chrome.tmp

Filesize
2.9MB

MD5
5ee4539394fd28a6feb7c29fba663be0

SHA1
cab38330de72d783a39bde9b47ab5990b8a2b793

SHA256
63df72007101bf222c8c8f1e0522f2117285b34741be04920e38c725622483dd

SHA512
737dcf5461dd1f5022d05fd1b5017b2a574ce77f2575f100feb2ec2070b16d9751e3cca3b609932e8eb342d5e81c4380d8b7f42a147ddce1e6ae832154b3519f

Download Submit
memory/2072-9-0x0000000000400000-0x00000000006FB000-memory.dmp

Filesize
3.0MB

Download
memory/2072-21-0x0000000000400000-0x00000000006FB000-memory.dmp

Filesize
3.0MB

Download
memory/2840-0-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2840-2-0x0000000000401000-0x00000000004A8000-memory.dmp

Filesize
668KB

Download
memory/2840-31-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing