6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565

General

Target

6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe
Size

3.6MB
MD5

9ecc50f5d5bac02c24a7e2deeb4a21a7
SHA1

e63b36ed4e21ca374cdb9092e5c1d7b515ba2e2f
SHA256

6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565
SHA512

6d59630b340c368d21ce3d92473000615d22d2989a777afdab1b439a809f14e9a926489e10d584331c1d464c1b59335de2e3c4692a355238066986f47e2a6fd4

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

GodzillaConsole.exe

pid process

2044 GodzillaConsole.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe

pid	process
2044	GodzillaConsole.exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe

Drops file in Windows directory 2 IoCs

Processes:

6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe

description	ioc	process
File created	C:\Windows\aehcb.exe	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe
File created	C:\Windows\FrontPlugin005.dll	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1316 schtasks.exe
1296 schtasks.exe
1656 schtasks.exe

pid	process
1316	schtasks.exe
1296	schtasks.exe
1656	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exeGodzillaConsole.exe

pid	process
1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe
1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe
1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe
1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe
1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe
1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe
2044	GodzillaConsole.exe
2044	GodzillaConsole.exe
2044	GodzillaConsole.exe
2044	GodzillaConsole.exe
2044	GodzillaConsole.exe
2044	GodzillaConsole.exe
2044	GodzillaConsole.exe
2044	GodzillaConsole.exe
2044	GodzillaConsole.exe
2044	GodzillaConsole.exe
2044	GodzillaConsole.exe
2044	GodzillaConsole.exe
2044	GodzillaConsole.exe
2044	GodzillaConsole.exe
2044	GodzillaConsole.exe
2044	GodzillaConsole.exe
2044	GodzillaConsole.exe
2044	GodzillaConsole.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exeGodzillaConsole.exe

pid	process
1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe
1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe
2044	GodzillaConsole.exe
2044	GodzillaConsole.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exetaskeng.exe

description	pid	process	target process
PID 1700 wrote to memory of 1316	1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe	schtasks.exe
PID 1700 wrote to memory of 1316	1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe	schtasks.exe
PID 1700 wrote to memory of 1316	1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe	schtasks.exe
PID 1700 wrote to memory of 1316	1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe	schtasks.exe
PID 1700 wrote to memory of 1296	1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe	schtasks.exe
PID 1700 wrote to memory of 1296	1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe	schtasks.exe
PID 1700 wrote to memory of 1296	1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe	schtasks.exe
PID 1700 wrote to memory of 1296	1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe	schtasks.exe
PID 1700 wrote to memory of 1656	1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe	schtasks.exe
PID 1700 wrote to memory of 1656	1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe	schtasks.exe
PID 1700 wrote to memory of 1656	1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe	schtasks.exe
PID 1700 wrote to memory of 1656	1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe	schtasks.exe
PID 1700 wrote to memory of 1972	1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe	schtasks.exe
PID 1700 wrote to memory of 1972	1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe	schtasks.exe
PID 1700 wrote to memory of 1972	1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe	schtasks.exe
PID 1700 wrote to memory of 1972	1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe	schtasks.exe
PID 1700 wrote to memory of 1340	1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe	schtasks.exe
PID 1700 wrote to memory of 1340	1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe	schtasks.exe
PID 1700 wrote to memory of 1340	1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe	schtasks.exe
PID 1700 wrote to memory of 1340	1700	6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe	schtasks.exe
PID 1784 wrote to memory of 2044	1784	taskeng.exe	GodzillaConsole.exe
PID 1784 wrote to memory of 2044	1784	taskeng.exe	GodzillaConsole.exe
PID 1784 wrote to memory of 2044	1784	taskeng.exe	GodzillaConsole.exe
PID 1784 wrote to memory of 2044	1784	taskeng.exe	GodzillaConsole.exe

C:\Users\Admin\AppData\Local\Temp\6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe
"C:\Users\Admin\AppData\Local\Temp\6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn godzilla_client /tr "'C:\Users\Admin\AppData\Local\Temp\Godzilla.exe'" /sc minute /mo 30 /f
2⤵
- Creates scheduled task(s)
PID:1316

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn godzilla_console /tr "'C:\Users\Admin\AppData\Local\Temp\GodzillaConsole.exe'" /sc onlogon /f
2⤵
- Creates scheduled task(s)
PID:1296

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn aehcb /tr "'C:\Windows\aehcb.exe'" /sc onlogon /delay 0005:00 /f /rl highest
2⤵
- Creates scheduled task(s)
PID:1656

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn wmvdspapp /f
2⤵
PID:1972

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /tn godzilla_console
2⤵
PID:1340

C:\Windows\system32\taskeng.exe
taskeng.exe {AD3AD6F9-791E-4F75-9216-03115295093C} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\AppData\Local\Temp\GodzillaConsole.exe
C:\Users\Admin\AppData\Local\Temp\GodzillaConsole.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Bootkit

1

T1067

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
308336e7f515478969b24c13ded11ede

SHA1
8fb0cf42b77dbbef224a1e5fc38abc2486320775

SHA256
889b832323726a9f10ad03f85562048fdcfe20c9ff6f9d37412cf477b4e92ff9

SHA512
61ad97228cd6c3909ef3ac5e4940199971f293bdd0d5eb7916e60469573a44b6287c0fa1e0b6c1389df35eb6c9a7d2a61fdb318d4a886a3821ef5a9dab3ac24f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DC8427C35D8C2D687708F3820CE5670E
Filesize
503B

MD5
979635baba3944c15ef62cef0bca88fd

SHA1
3ed203e31baabb6b00cb1e4418dc6879be5f32fb

SHA256
6dbd2f97e3f7b304b72487f1cc204f5556a08af9f196d32609ec0fc61f80501c

SHA512
bf24cc9152b76f5571fcf023f38e3270ec77d7abfccdd03c6ceeb49cff02fe6f4e25220ba94994e15d2dbaacf20a4c45f5419b68ebb522d340253c20e9cce9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
c73188dd017781e4573e89ccc5c3b5bc

SHA1
1fa65e19c58fc50d2ec607ce705d0bb43502c349

SHA256
41becfb3fc29fa66e0d72d4ca190bf965d7596adb127a256b4e8e89934b3dbd6

SHA512
6408dc0f1ac429097ffbf6a94b07d851a4a01bc74e0102f8d66e59650cf668906ecf0f4e6e7a88d89856556c219421f7c8242b492f5f77a0bd56eded3b06ecb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d02807a0dcab16b9a7c93e0712669e8a

SHA1
d08eba5b3984e7062417752631bd414dd16f67fd

SHA256
9ed360751e19f45df0dd5b4f20b52dda7152d9718103ff37622e4957189cf932

SHA512
76839a5493872cf2ce5e9913c57408daa5d5e1682c3a6b4b08deb4daa86f92a83a5d302837f09db6c4d09f1b9f7359a79edbd251308a1c7773e3082ac6dd0eb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DC8427C35D8C2D687708F3820CE5670E
Filesize
552B

MD5
c53cb7d95194fc7d97bdba548a604ffc

SHA1
611783ae049fe67e5d03bf2cf6f2a40929e26594

SHA256
9b9df31a09ef2e734292f73f588af42d598e65b20fc4c3b2a988b5d7aa435ef3

SHA512
4dfaaacd2c2fb537e35c2879b50b1aeb371bd21efe798f3fed549dd55e7658e22448547b70c9454d46308e4ed20c2fe905299d27b0b7e600fe88cb2647e6f7b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GodzillaConsole.exe
Filesize
3.5MB

MD5
55d46eb91f28c9f54b65967c9acc7702

SHA1
de7dcc245b967be6cc92dcce0ade92bb973139e8

SHA256
4b239922d5b61ad53cc9d63c73e4f67446b6162890797f01ddf5928027ea2ebf

SHA512
4b6484f56a2bbac40245901f2941aab7fe9b1b98a01ec886f714e86a51927d18b1be229f70366483469ba06f713a3b2e8f1f766b6cb857174b9de90954aa4032

Download Submit
C:\Users\Admin\AppData\Local\Temp\GodzillaConsole.exe
Filesize
3.5MB

MD5
55d46eb91f28c9f54b65967c9acc7702

SHA1
de7dcc245b967be6cc92dcce0ade92bb973139e8

SHA256
4b239922d5b61ad53cc9d63c73e4f67446b6162890797f01ddf5928027ea2ebf

SHA512
4b6484f56a2bbac40245901f2941aab7fe9b1b98a01ec886f714e86a51927d18b1be229f70366483469ba06f713a3b2e8f1f766b6cb857174b9de90954aa4032

Download Submit
memory/1296-56-0x0000000000000000-mapping.dmp

Download
memory/1316-55-0x0000000000000000-mapping.dmp

Download
memory/1340-59-0x0000000000000000-mapping.dmp

Download
memory/1656-57-0x0000000000000000-mapping.dmp

Download
memory/1700-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1972-58-0x0000000000000000-mapping.dmp

Download
memory/2044-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads