Overview

overview

10

Static

static

1

Chromestup...��.msi

windows7-x64

10

Chromestup...��.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2024 03:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Chromestup翻译插件.msi

  • Size

    6.4MB

  • MD5

    5e95a04a874d801f406b1f2531056131

  • SHA1

    66caf403d62d69f065a20ee71d8699456319893d

  • SHA256

    b59cb81b4ea7d8e84a5738b9095d63670362380d0fb16feaa13badc4308c4dc5

  • SHA512

    97c028d9ff9792234b2c5c1551e34c9b68df2bc489b0bdb2389a60021b2a28adb5a931d2f2973fb09194d5e538832bd20b5ed2a9c1cc3919a4119cfc27eceabd

  • SSDEEP

    98304:/PBflMPzidUtZX3GcYXhDpjRPuZ+ksUmz6e30YhLUuunN/A0sO0vcap:HBfMDXXYXlsMz6evpjunNI0x0v

Score
10/10
blackmoonfatalrataspackv2bankerdiscoveryinfostealerpersistenceprivilege_escalationrattrojanvmprotect

Malware Config

Signatures

  • Blackmoon family
    blackmoon
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

    infostealerratfatalrat
  • Fatalrat family
    fatalrat
  • Fatal Rat payload 1 IoCs
    ratinfostealer
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 14 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Chromestup翻译插件.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3412
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3700
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3668
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 33459D3303140BD4B7AB0EE0F491ED6C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2008
    • C:\ProgramData\Smart\setup.exe
      "C:\ProgramData\Smart\setup.exe"
      2⤵
      • Adds Run key to start application
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1152
      • C:\ProgramData\NVIDIARV\svchost.exe
        C:\ProgramData\NVIDIARV\svchost.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5048
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4312

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e57f7b1.rbs
    Filesize

    1KB

    MD5

    b0c452f6cd651b1ecbab9d4d8abcb3bf

    SHA1

    f6e350e7a735dcc9a3c96add4e3a733d86252532

    SHA256

    cab626d4c5b1897d53e9e9eda9582b47b97ebb1e8c2e12292745080b99bcdb62

    SHA512

    4ff928e0a4ca5e7ce1c938d2d8aadf933b6ffc3f2c36865d3931978f968c22271835356cacb75a68c0880f124ca16bb020c2084efa8b90d67a76fdf393ff15a3

    Download Submit

  • C:\ProgramData\NVIDIARV\svchost.exe
    Filesize

    3.4MB

    MD5

    e06b6a425c32bafc08908f7364b4f153

    SHA1

    3804397a1f2997db63c8d0133fd90b16a995f4eb

    SHA256

    1cd4f79327c883ad9b869b2dbb93396e283663613065613421b6f3f43eaf8cdb

    SHA512

    c7613d95eb1bab7f5487106686e21b95d240cf1608cb96f1da17b6f11507f38474695ffb76d143d29f4e83931ebfe418fa3bed5f9d74e353e2fcd69bbea3bb5b

    Download Submit

  • C:\ProgramData\Smart\csrss.exe
    Filesize

    978KB

    MD5

    8e945aaf7128bb3db83e51f3c2356637

    SHA1

    bcc64335efc63cb46e14cc330e105520391e2b00

    SHA256

    4fcf6394b14e24d830b04209a0ede1dcc911d199740a55d12c8ab8aeabb84073

    SHA512

    150636eea0cab3e738f5e94ae910d189622fa3221aca1cecc05bf0f5a80f2fab055adeafd99eab7a2a1d3911ff2784cf521a2681e5ddf7737f4363b915b8c2a8

    Download Submit

  • C:\ProgramData\Smart\libcef.dll
    Filesize

    756KB

    MD5

    48fbee27eabd6b592e96fe5ff4086077

    SHA1

    f9210d906a7db652c1487af704b065b641ed4f8c

    SHA256

    03115d392d4d012975476906fa61722b8845bdc8aad603021e766864458f9e08

    SHA512

    772375425457d15ac05376ae92bdc76582a6a538f2f9e0d4838396ae08c8ec5206b43e088604e8888440a227c5663035d6bbdff897353d39c339148425727bcf

    Download Submit

  • C:\ProgramData\Smart\setup.exe
    Filesize

    77KB

    MD5

    40e9f7352914f047d2a38c499260be39

    SHA1

    38a327ba8682cf7991b6a10f80d7d747aab4d998

    SHA256

    1063f82b25d035d9027456569bfc08ba436132a36c519ecebe4b7fd7ad1cd34c

    SHA512

    aea8a8a7b62bf3c7712decef260138ed376956cc6aef5e58f9001ddf3e7acd04d4084be3b9a2990fa7486e6842a2c400e1e138358ea08916bade3dd4d159f19a

    Download Submit

  • C:\Windows\Installer\MSIF7FC.tmp
    Filesize

    587KB

    MD5

    c7fbd5ee98e32a77edf1156db3fca622

    SHA1

    3e534fc55882e9fb940c9ae81e6f8a92a07125a0

    SHA256

    e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

    SHA512

    8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

    Download Submit

  • C:\Windows\Installer\MSIF996.tmp
    Filesize

    1.1MB

    MD5

    ae463676775a1dd0b7a28ddb265b4065

    SHA1

    dff64c17885c7628b22631a2cdc9da83e417d348

    SHA256

    83fbfcaff3da3eb89f9aec29e6574cf15502fd670cbb2ab0c8a84451b2598b22

    SHA512

    e47c2db249e7a08c5d2864671fbc235e48aebecbe0b2c2334d1a4cba1b5b3037522ff89408589f3559b3a1eaf507bd338645387d55800029bb3b941d4c7744d6

    Download Submit

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    24.1MB

    MD5

    04c1d74f04a5e28b98706aeaf7efeef5

    SHA1

    907fe3408f871b9f2d0406a7bbd70c076938e4f8

    SHA256

    02030e7fb183f2643a1691f1658ac1ad54d57b02c94d94c46f3aa3577a9c2a1e

    SHA512

    932cde0e58a45a42fd49f3a8e2e6ff5ef47eab3bb283c7fa4bedaa6eef483b63456fd3f5a3e0dcf3ae221c2af4e9bb133fa08dcf5f2336fa434efad5cf71ec9d

    Download Submit

  • \??\Volume{1541411d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c1334c70-fd02-43bf-973e-76ae049aa570}_OnDiskSnapshotProp
    Filesize

    6KB

    MD5

    f63c867aa560dc950fc993775f78f538

    SHA1

    5d0c06763bfa3f56769fd18a781b681fa28fa325

    SHA256

    838cc7df684f1cbd53544f8769b4e25e4516f5ff7da121f4dc54c7c302ab45d0

    SHA512

    61747e2b2fdce34bc775b4705ad922849f1d430f41e56cda600c4e804806e201dd3ffafbd20a91f770632c70cd867462897781ea8f88724849a0917cd3c6013e

    Download Submit

  • memory/1152-43-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1152-58-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/5048-50-0x0000000010000000-0x000000001002D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/5048-48-0x0000000000400000-0x0000000000911000-memory.dmp

    Filesize

    5.1MB

    Download