Resubmissions

29-06-2024 08:55

240629-kvv3laxdmn 6

28-06-2024 08:26

240628-kb466azdng 7

28-06-2024 04:33

240628-e6m88s1fkc 6

Analysis

  • max time kernel
    1669s
  • max time network
    1685s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    28-06-2024 04:33

General

  • Target

    chromeremotedesktophost.msi

  • Size

    20.5MB

  • MD5

    5f259c755b3dcbbbbc27f9513cddac61

  • SHA1

    0e672bad7b67cc1f234b265f3af21976935c4903

  • SHA256

    9cdd681fc86c1e816e652b0b5590d2e986b08bc26204e8048918a59c291051ce

  • SHA512

    4c7f66962cecba4e753f3c996cc45bd102c6b7c6ab97bf85197091cfdb05ca82dd400f0888ead82927c61e3f45ea33e919a3a51da63cb5af1141a980f779fcb3

  • SSDEEP

    393216:CQzX7/PFKRpAvIpgY6KKsIHNHSHY7nTMkJ5K6cOomwZCtgO5gAkUmZbXF:tzX7/cTHAK1uASTMkboRCtgO1kUmZbX

Malware Config

Signatures

  • Enumerates connected drives (3 TTPs, 46 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (17 IoCs)
  • Drops file in Windows directory (21 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)

    Using powershell.exe command.

  • Event Triggered Execution: Installer Packages (1 TTPs, 1 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 5 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS (44 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of WriteProcessMemory (14 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\chromeremotedesktophost.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3732
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3752
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding BD5B56BDF37DC549E71A334752E12C0C C
      2⤵
      • Loads dropped DLL
      PID:3392
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:2704
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding BDDE13D1D50412C9A82C541253F319E9
      2⤵
      • Loads dropped DLL
      PID:3648
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 28F9CC3FA129C3003794A7B3F6C3993B E Global\MSI0000
      2⤵
      • Drops file in Windows directory
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass New-Item -ItemType SymbolicLink -Path 'C:\Program Files (x86)\Google\Chrome Remote Desktop\CurrentVersion' -Target 'C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\' -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        PID:4804
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:552

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution
    • Command and Scripting Interpreter (1) T1059
      • PowerShell (1) T1059.001
  • Persistence
    • Event Triggered Execution (1) T1546
      • Installer Packages (1) T1546.016
  • Privilege Escalation
    • Event Triggered Execution (1) T1546
      • Installer Packages (1) T1546.016
  • Discovery
    • Query Registry (2) T1012
    • Peripheral Device Discovery (2) T1120
    • System Information Discovery (2) T1082


Downloads

    • C:\Config.Msi\e580dd7.rbs
      Filesize

      283KB

      MD5

      a5a2f30d003c48f0054e2d609e22e1be

      SHA1

      0b72a63738bab21a90ffdbfc83fd77d0b87e2829

      SHA256

      fb0d8d6e93e19df884a6d91f94027bb4611f8b359e75cab87a0d452b7457c68e

      SHA512

      bc31c3b5ea2250e1c63630526e849535972f043bd48bd2e11a9f691d3112f24ba54d27c5b261b000b509c12b6d8e8e6e8d0a0477afabb0a7a7eacad14bd224d8

    • C:\Users\Admin\AppData\Local\Temp\MSIF3B6.tmp
      Filesize

      168KB

      MD5

      a0962dd193b82c1946dc67e140ddf895

      SHA1

      7f36c38d80b7c32e750e22907ac7e1f0df76e966

      SHA256

      b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9

      SHA512

      118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ghlifhn.ss4.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Windows\Installer\MSI1019.tmp
      Filesize

      88KB

      MD5

      85fcf7b457b7194bbeb46db22fae05c3

      SHA1

      5eca64d0d4ab4599852a475a7dd25beb88ae1c27

      SHA256

      e24376a9346c2d486ce7426ca3ddc73cd020bb7216f8e5a0b9b2cb23caddcf31

      SHA512

      12d46c2d63d221adb288a89b2fe0b423d4ae7579c24c36d651a6ce9488bfdc669a1e8378309c28f7019c7cfc43fa87e99b4829cace97715c0b94ac9e2a758339

    • C:\Windows\Installer\e580dd6.msi
      Filesize

      20.5MB

      MD5

      5f259c755b3dcbbbbc27f9513cddac61

      SHA1

      0e672bad7b67cc1f234b265f3af21976935c4903

      SHA256

      9cdd681fc86c1e816e652b0b5590d2e986b08bc26204e8048918a59c291051ce

      SHA512

      4c7f66962cecba4e753f3c996cc45bd102c6b7c6ab97bf85197091cfdb05ca82dd400f0888ead82927c61e3f45ea33e919a3a51da63cb5af1141a980f779fcb3

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      12.8MB

      MD5

      ef422803d81253fc36f8bc952fa024f9

      SHA1

      e389dd9c629f7f59796f20d5e94e257c67898b7f

      SHA256

      642bec768a6195ffe364b7c6ea663f4f484771f645b717af1de06a0c969ab2f8

      SHA512

      09175f596cfbda86ac6fa3c5d598842e358bdfa2bcc0524f4d99a0e017e8402f55e6aa86e837564a75dbaae4aca58457529c25f9a4fa03e2e1160c233f125e34

    • \??\Volume{453a990c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b73848be-b125-43fc-a4b9-1651df6344ad}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      7b14ab80f8a5653853114e0d83ae3ba2

      SHA1

      77773fc3076c6a49feb214a96dba8714bc5f5a34

      SHA256

      17daa45c5998f25280f2cdd44947b9f73d62c08bbdc80ce3bfd25bebbcac3ac1

      SHA512

      b1c5bf0485cf47f524a315744a1d50e36eba1b8ffc4ffa431740d3407001b7cfaff54af5d66c80c96488aded230ba75051786ff0387cd89eac79540ccc08de4f

    • memory/4804-52-0x0000000005E90000-0x0000000005EF6000-memory.dmp
      Filesize

      408KB

    • memory/4804-51-0x0000000005E20000-0x0000000005E86000-memory.dmp
      Filesize

      408KB

    • memory/4804-50-0x0000000005C80000-0x0000000005CA2000-memory.dmp
      Filesize

      136KB

    • memory/4804-61-0x0000000005F00000-0x0000000006257000-memory.dmp
      Filesize

      3.3MB

    • memory/4804-62-0x00000000063F0000-0x000000000640E000-memory.dmp
      Filesize

      120KB

    • memory/4804-63-0x0000000006440000-0x000000000648C000-memory.dmp
      Filesize

      304KB

    • memory/4804-64-0x00000000069B0000-0x0000000006A46000-memory.dmp
      Filesize

      600KB

    • memory/4804-65-0x00000000068F0000-0x000000000690A000-memory.dmp
      Filesize

      104KB

    • memory/4804-66-0x0000000006940000-0x0000000006962000-memory.dmp
      Filesize

      136KB

    • memory/4804-67-0x0000000007BB0000-0x0000000008156000-memory.dmp
      Filesize

      5.6MB

    • memory/4804-49-0x0000000005610000-0x0000000005C3A000-memory.dmp
      Filesize

      6.2MB

    • memory/4804-48-0x0000000004F40000-0x0000000004F76000-memory.dmp
      Filesize

      216KB