Analysis
-
max time kernel
149s -
max time network
141s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
arch:x64  arch:x86  image:win10ltsc2021-20241211-en  locale:en-us  os:windows10-ltsc 2021-x64  system -
submitted
05/01/2025, 12:58
General
-
Target
Chrome Update.exe
-
Size
119KB
-
MD5
a39f21db0576a82177ee4c806766d763
-
SHA1
ee4676f4dedd24003ce1bd972cbce95ef51fa07f
-
SHA256
825509eb0672d6114194c773b017d5d41d9e67be4fe41f753f9c6bb37b1c32db
-
SHA512
ea07e5d6f2b8ae0fbf8c1931d844bfbff920b3c9f83d10d38bd76828ed2d8a4b849251a87f5e2ad6bb1e9d9b1e5a75520baf2b70e063f44595e058c433be1133
-
SSDEEP
3072:IAWfRzlXCwwFwOwWAmm+G/bxqH8QWqzCrAZuuyn1:IAD1SWHe/bgRY
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/sendMessage?chat_id=7053620590
Extracted
gurcu
https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/sendMessage?chat_id=7053620590
https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getUpdate
https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getUpdates?offset=
https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getUpdates?offset=33210546
https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getUpdates?offset=33210547
https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getUpdates?offset=33210548
https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getUpdates?offset=33210549
https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getUpdates?offset=33210550
https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getFile?file_id=BQACAgQAAxkBAAMIZ3qCMF_cjzyyw9uX36HfJgjkWLEAAoQZAAKhZdFTilOkM3y6NaU2B
https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/sendPhoto?chat_id=705362059
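The extracted config above is the whole C2 channel: one bot token (the `bot<id>:<secret>` path segment), one `chat_id`, and the Bot API methods the RAT calls (`sendMessage`/`sendPhoto` to exfiltrate, `getUpdates?offset=` to long-poll for operator commands, `getFile` to download an uploaded payload). Because `api.telegram.org` is a legitimate destination, blocking by domain is noisy; the useful detection artefact is the token in the URL path. The following is an added example, not part of the Triage report, that pulls those fields out of proxy-style log lines. The Telegram URLs in `SAMPLE_LOG` are copied from the Malware Config section; the timestamps, process names, the log layout (`timestamp process verb url`) and the final benign line are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# A Telegram Bot API request looks like
#   https://api.telegram.org/bot<bot_id>:<secret>/<method>?<query>
# <bot_id>:<secret> is the bot token the RAT embeds. The numeric bot_id is a stable key
# for clustering samples; the full token is what Telegram can revoke.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)
URL_RE = re.compile(r"https?://\S+")

# Bot API methods grouped by what they mean for a Telegram-based RAT.
EXFIL_METHODS = {"sendMessage", "sendPhoto", "sendDocument"}  # victim -> operator
PULL_METHODS = {"getUpdates", "getUpdate"}  # operator -> victim; the misspelt getUpdate is in the extracted config
FETCH_METHODS = {"getFile"}                 # fetch a file the operator uploaded to the chat

# Constructed proxy-log lines: "<timestamp> <process> <verb> <url>". The Telegram URLs are
# copied from this report's Malware Config section; everything else is invented.
SAMPLE_LOG = [
    "2025-01-05T12:58:41Z rat.exe GET https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getUpdates?offset=33210546",
    "2025-01-05T12:58:42Z rat.exe GET https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getUpdates?offset=33210547",
    "2025-01-05T12:58:43Z rat.exe POST https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/sendMessage?chat_id=7053620590",
    "2025-01-05T12:58:50Z rat.exe GET https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getFile?file_id=BQACAgQAAxkBAAMIZ3qCMF_cjzyyw9uX36HfJgjkWLEAAoQZAAKhZdFTilOkM3y6NaU2B",
    "2025-01-05T12:59:02Z chrome.exe GET https://www.google.com/",  # constructed benign traffic
]


def parse_bot_api_url(url):
    """Split one Bot API URL into its IOC fields; return None for any other URL."""
    m = BOT_API_RE.match(url)
    if m is None:
        return None
    query = parse_qs(urlsplit(url).query)  # a blank value such as 'offset=' is dropped here
    return {
        "bot_id": m["bot_id"],
        "secret": m["secret"],
        "method": m["method"],
        "chat_id": query.get("chat_id", [None])[0],
        "offset": query.get("offset", [None])[0],
    }


def extract_iocs(log_lines):
    """Aggregate every Bot API URL in the log per bot_id, with the processes that used it."""
    bots = defaultdict(lambda: {"secret": None, "methods": set(), "chat_ids": set(),
                                "offsets": [], "processes": set()})
    for line in log_lines:
        fields = line.split()
        process = fields[1] if len(fields) > 1 else None
        for url in URL_RE.findall(line):
            hit = parse_bot_api_url(url)
            if hit is None:
                continue
            b = bots[hit["bot_id"]]
            b["secret"] = hit["secret"]
            b["methods"].add(hit["method"])
            if process:
                b["processes"].add(process)
            if hit["chat_id"]:
                b["chat_ids"].add(hit["chat_id"])
            if hit["offset"]:
                b["offsets"].append(int(hit["offset"]))
    return dict(bots)


def classify(bot):
    """Which roles the bot plays for the malware, judged from the methods it was called with."""
    roles = set()
    if bot["methods"] & EXFIL_METHODS:
        roles.add("exfil")
    if bot["methods"] & PULL_METHODS:
        roles.add("c2-pull")
    if bot["methods"] & FETCH_METHODS:
        roles.add("payload-fetch")
    if len(set(bot["offsets"])) >= 2:  # successive getUpdates offsets = a long-poll command loop
        roles.add("polling")
    return roles


def redact(secret, keep=4):
    """Keep a prefix for correlation; do not paste live bot tokens into tickets."""
    return secret[:keep] + "*" * (len(secret) - keep)


def summarize(log_lines):
    """One line per bot, suitable for an IOC hand-off."""
    out = []
    for bot_id, b in sorted(extract_iocs(log_lines).items()):
        out.append(f"bot {bot_id} token {bot_id}:{redact(b['secret'])} chats {sorted(b['chat_ids'])} "
                   f"processes {sorted(b['processes'])} roles {sorted(classify(b))}")
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Run against the report's URLs this yields a single bot with the `exfil`, `c2-pull`, `payload-fetch` and `polling` roles, all from `rat.exe`. Pairing the process name with the destination is the part worth alerting on: a binary outside `Program Files` talking to `api.telegram.org/bot…` is rare in most fleets. The token and `chat_id` can be reported to Telegram for takedown; there is no need to query the bot yourself.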
Signatures
-
Gurcu family
-
Toxiceye family
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                      Process
Key value queried  \REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation  rat.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation  Chrome Update.exe
-
Executes dropped EXE 1 IoCs
pid Process 3532 rat.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 3172 tasklist.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments. In this run, however, every hit comes from taskmgr.exe (PID 4424), a separate process-tree root, not from Chrome Update.exe or rat.exe, so this signature does not show the sample fingerprinting the disk.
description        ioc                                                                                                                                                        Process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000                                                        taskmgr.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName                                           taskmgr.exe
-
Delays execution with timeout.exe 1 IoCs
pid Process 4512 timeout.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2260 schtasks.exe 4608 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3532 rat.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
3532  rat.exe   (64 identical events, all from the dropped rat.exe)
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
SeDebugPrivilege is routinely enabled by tasklist.exe and taskmgr.exe themselves; the rows attributable to the sample are the ones for Chrome Update.exe (PID 4000) and rat.exe (PID 3532).
description                      pid   Process
Token: SeDebugPrivilege          4000  Chrome Update.exe
Token: SeDebugPrivilege          3172  tasklist.exe
Token: SeDebugPrivilege          3532  rat.exe
Token: SeDebugPrivilege          3532  rat.exe
Token: SeDebugPrivilege          4424  taskmgr.exe
Token: SeSystemProfilePrivilege  4424  taskmgr.exe
Token: SeCreateGlobalPrivilege   4424  taskmgr.exe
-
Suspicious use of FindShellTrayWindow 49 IoCs
pid   Process
4424  taskmgr.exe   (49 identical events)
-
Suspicious use of SendNotifyMessage 49 IoCs
pid   Process
4424  taskmgr.exe   (49 identical events)
-
Both of these signatures fire only from taskmgr.exe (PID 4424), the separate tree root, and not from Chrome Update.exe or rat.exe.
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3532 rat.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Every target PID below is a direct child of the writing process in the Processes tree (each row is recorded twice), which is consistent with the writes a parent performs when it creates a child, not with injection into an unrelated process.
description                       pid   Process            procid_target
PID 4000 wrote to memory of 2260  4000  Chrome Update.exe  86   (2 events)
PID 4000 wrote to memory of 4116  4000  Chrome Update.exe  88   (2 events)
PID 4116 wrote to memory of 3172  4116  cmd.exe            90   (2 events)
PID 4116 wrote to memory of 3668  4116  cmd.exe            91   (2 events)
PID 4116 wrote to memory of 4512  4116  cmd.exe            92   (2 events)
PID 4116 wrote to memory of 3532  4116  cmd.exe            93   (2 events)
PID 3532 wrote to memory of 4608  3532  rat.exe            98   (2 events)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe  (tree depth 1, PID 4000)
  command line: "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\System32\schtasks.exe  (depth 2, PID 2260)
    command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
    - Scheduled Task/Job: Scheduled Task
  -
  C:\Windows\System32\cmd.exe  (depth 2, PID 4116)
    command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7213.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7213.tmp.bat
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\system32\tasklist.exe  (depth 3, PID 3172)
      command line: Tasklist /fi "PID eq 4000"
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\system32\find.exe  (depth 3, PID 3668)
      command line: find ":"
    -
    C:\Windows\system32\timeout.exe  (depth 3, PID 4512)
      command line: Timeout /T 1 /Nobreak
      - Delays execution with timeout.exe
    -
    C:\Users\ToxicEye\rat.exe  (depth 3, PID 3532)
      command line: "rat.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      -
      C:\Windows\System32\schtasks.exe  (depth 4, PID 4608)
        command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        - Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\taskmgr.exe  (tree depth 1, PID 4424; a separate root, not spawned by the sample)
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Reading the tree: the dropper registers a logon task named after its own lure ("Chrome Update") pointing at C:\Users\ToxicEye\rat.exe, a directory created directly under C:\Users rather than inside a profile, then runs a temporary batch file that deletes itself. The batch filters tasklist on PID 4000, the dropper's own PID, sleeps one second, and starts rat.exe, i.e. it waits for the original process to go away before the relocated copy takes over (the batch content is not in the report; this reading is from the visible command lines). rat.exe then re-registers the same task, so persistence survives even if the first schtasks call failed.
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
190B
MD5
5d5f0ce9e518a93748b389f3784eff72
SHA1
ca75586dbaae06fde8755e93da8fb0517d1a3755
SHA256
656d2baaf6661aba0953df2eceb39cdbdf7a7c147ff4ae203b78c454b3633f32
SHA512
9c5e55b758479850d5923edcbd70fda0587d699ac81924024b3265e23350612e7180e6ea54e8e2ae5aa7bd3da78fa991647c2d2475ae5e0a747cf86139d3ab1c
(The report does not name this 190-byte file; its size is consistent with the dropped tmp7213.tmp.bat launcher seen in the process tree, but that is an inference.)
-
Filesize
119KB
MD5
a39f21db0576a82177ee4c806766d763
SHA1
ee4676f4dedd24003ce1bd972cbce95ef51fa07f
SHA256
825509eb0672d6114194c773b017d5d41d9e67be4fe41f753f9c6bb37b1c32db
SHA512
ea07e5d6f2b8ae0fbf8c1931d844bfbff920b3c9f83d10d38bd76828ed2d8a4b849251a87f5e2ad6bb1e9d9b1e5a75520baf2b70e063f44595e058c433be1133
(Same size and hashes as the submitted Chrome Update.exe, consistent with the sample copying itself to C:\Users\ToxicEye\rat.exe; one hash therefore covers both the lure and the persisted binary.)