981db65a918db89fba166dc5b9063d873ca4a2528cf9d56e8bf893fd53b98ba0

General

Target

54.exe
Size

126.9MB
MD5

0e1b39c6dcca033d56408b25ec73a34c
SHA1

bdf1f4f39f9e26b6eb2826c75a5e612ea81bacdd
SHA256

981db65a918db89fba166dc5b9063d873ca4a2528cf9d56e8bf893fd53b98ba0
SHA512

b6ff681e36faff90768309d2f12a8607789660c77addacd88bf203e32555c66912ad7ef0e2329931962db62119ba33d9fb24983c8f82b34e18d73d9e4e080fa6
SSDEEP

3145728:GWrAYlpzUwzgWH8/KtNTiQxgMon0xzRkwYZ1KWQ:8YlhUjWH8CvTgMlSo

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Chrome.exe

pid process

944 Chrome.exe
Loads dropped DLL 10 IoCs

Processes:

Chrome.exe

pid process

944 Chrome.exe
944 Chrome.exe
944 Chrome.exe
944 Chrome.exe
944 Chrome.exe
944 Chrome.exe
944 Chrome.exe
944 Chrome.exe
944 Chrome.exe
944 Chrome.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

Chrome.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chrome.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Chrome.exe

description pid process

Token: SeDebugPrivilege 944 Chrome.exe

pid	process
944	Chrome.exe

pid	process
944	Chrome.exe
944	Chrome.exe
944	Chrome.exe
944	Chrome.exe
944	Chrome.exe
944	Chrome.exe
944	Chrome.exe
944	Chrome.exe
944	Chrome.exe
944	Chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chrome.exe

description	pid	process
Token: SeDebugPrivilege	944	Chrome.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

54.exe

description	pid	process	target process
PID 2860 wrote to memory of 944	2860	54.exe	Chrome.exe
PID 2860 wrote to memory of 944	2860	54.exe	Chrome.exe
PID 2860 wrote to memory of 944	2860	54.exe	Chrome.exe
PID 2860 wrote to memory of 944	2860	54.exe	Chrome.exe

C:\Users\Admin\AppData\Local\Temp\54.exe
"C:\Users\Admin\AppData\Local\Temp\54.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2860
- C:\ProgramData\Chrome65\Chrome.exe
  "C:\ProgramData\Chrome65\Chrome.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Chrome65\CefSharp.Core.Runtime.dll

Filesize
1.3MB

MD5
fe04c40b2c373d07295db79fdbd57fbe

SHA1
a7af34bf77042698173da00b7bded03e2b8e753a

SHA256
dd599f67f02a1ac9a91803f2678a8d1fa2cc45d13b09ff7a7bcebaf7c95fc0cf

SHA512
a55cf689288891d5450bd436ffb2fd68fb98bedeb80a74e2cecec2b2385e0de7e45f9a165929bb156edef76c4aa8b57a8706beab7ebf0582e63978544a793df1

Download Submit
C:\ProgramData\Chrome65\CefSharp.Core.dll

Filesize
941KB

MD5
84610ca711b0b712e005e2d724acfd89

SHA1
0c6f1ebd719d392ca53c598ab80e018f47c62444

SHA256
f9f413668030cbcf215ce430ab4092e1c3de6956a7d8b6795d3dca2608593a5f

SHA512
2747fded0980a1968f91b8d133f0ade553a7a254348d6f17eade7c5495867206dc8f5d9cd492ef7b8466b69294a47a1aef5234a529cb99ee33e650f9ebf078d9

Download Submit
C:\ProgramData\Chrome65\CefSharp.dll

Filesize
271KB

MD5
880d1c9c881faddc788fdf3e6f72e18d

SHA1
20c51b2c1e059266067872273676db6272624b0c

SHA256
cd764da72f1f5c8bea285551861e07975a1b1d26ee81d16ae16d4597ebd3bf31

SHA512
35411de48b8f21f8bce27b8ba60dd63cb84492c7c12dde6c8db173673916031249cc527126855f43d88e40b3d337eac085fe311a83fc6ecf402626682995af61

Download Submit
C:\ProgramData\Chrome65\Chrome.exe

Filesize
35KB

MD5
88b80f92d35d755ee1ef3d83bb5b0e67

SHA1
37b7002a2c13feec1007498bfe7748f62d438e2b

SHA256
5ae2f945d30bb21e22de563c4e4ad59bfb0899e972838c94ae33fafa03df9741

SHA512
1371c6c1e1cfa8f8168595a92bb0cc4ee76c450310ccc9bcd107cd8940971995f36624a1ce93882bd880d084bac45c40e6b2f8f669e03ff40c5775137d788145

Download Submit
\ProgramData\Chrome65\CefSharp.WinForms.dll

Filesize
53KB

MD5
9f463cdc906fcfd0b0b0d095ec7a6843

SHA1
a8ea8b11fea85233ede96686616304b97b8d65cb

SHA256
26013c2e903237545fb8429c909836d506d7b1e7cfded2b87a275a028c1c420b

SHA512
723e68218e2db74b6c25ac1e719de3bd176198cd6c963c9deb9c45dbc516582c8946413003b20fbfe9b3e05f62d8102bd8f3ef20a2d61348fe2f2db5221cc1f3

Download Submit
memory/944-192-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download
memory/944-196-0x00000000009B0000-0x00000000009C4000-memory.dmp

Filesize
80KB

Download
memory/944-200-0x0000000000B90000-0x0000000000BDA000-memory.dmp

Filesize
296KB

Download
memory/944-191-0x0000000000F60000-0x0000000000F70000-memory.dmp

Filesize
64KB

Download
memory/944-190-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

Filesize
4KB

Download
memory/944-204-0x0000000004F30000-0x0000000005022000-memory.dmp

Filesize
968KB

Download
memory/944-208-0x0000000005620000-0x0000000005774000-memory.dmp

Filesize
1.3MB

Download
memory/944-212-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

Filesize
4KB

Download
memory/944-213-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download
memory/944-214-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing