Analysis
  max time kernel: 175s
  max time network: 187s
  platform: windows7_x64
  resource: win7-20220414-en
  resource tags: arch:x64, arch:x86, image:win7-20220414-en, locale:en-us, os:windows7-x64, system
  submitted: 17-07-2022 03:36
  Static task: static1
  Behavioral task: behavioral1
    Sample: 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
    Resource: win7-20220414-en
General
  Target: 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
  Size: 1.7MB
  MD5: f2d7e52b6f02da7e308e27681ba27b39
  SHA1: b96aba9b3e867c22e29c72e083b14f1865a1c7ff
  SHA256: 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9
  SHA512: e8e015025b0574e78900c10eaac7d869fec223164181392b2d0683ae87d7a61d645bfed9a1439a586cacc70bb633f5a6d10b7e39b4c5801705bff580412c9623
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
Executes dropped EXE (3 IoCs)
Processes: driver.reviver.5.24.0.12-patch.exe, googleup.exe, googleup.exe
  pid | process
  1412 | driver.reviver.5.24.0.12-patch.exe
  1220 | googleup.exe
  544 | googleup.exe
Sets file execution options in registry (2 TTPs, 4 IoCs)
Processes: googleup.exe, explorer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\733sces9a.exe | googleup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\733sces9a.exe\DisableExceptionChainValidation | googleup.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "csunkxk.exe" | explorer.exe
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Loads dropped DLL (9 IoCs)
Processes: 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe, driver.reviver.5.24.0.12-patch.exe, googleup.exe, 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
  pid | process (×N = consecutive identical rows collapsed)
  1744 | 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe (×3)
  1412 | driver.reviver.5.24.0.12-patch.exe
  1220 | googleup.exe
  1412 | driver.reviver.5.24.0.12-patch.exe
  2044 | 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
  1220 | googleup.exe
  1412 | driver.reviver.5.24.0.12-patch.exe
Adds Run key to start application (2 TTPs, 10 IoCs)
Processes: 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe, explorer.exe, driver.reviver.5.24.0.12-patch.exe, 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\mahonia = "C:\\Users\\Admin\\AppData\\Roaming\\mahonia.exe" | 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
  Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | driver.reviver.5.24.0.12-patch.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Helper 2 = "\"C:\\ProgramData\\Google Helper 2\\733sces9a.exe\"" | driver.reviver.5.24.0.12-patch.exe
  Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run | 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\mahonia = "C:\\Users\\Admin\\AppData\\Roaming\\mahonia.exe" | 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
  Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run | 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Helper 2 = "C:\\ProgramData\\Google Helper 2\\733sces9a.exe" | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Helper 2 = "\"C:\\ProgramData\\Google Helper 2\\733sces9a.exe\"" | explorer.exe
Checks whether UAC is enabled (3 IoCs)
Processes: googleup.exe, driver.reviver.5.24.0.12-patch.exe, 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | googleup.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | driver.reviver.5.24.0.12-patch.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: driver.reviver.5.24.0.12-patch.exe, 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | driver.reviver.5.24.0.12-patch.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | driver.reviver.5.24.0.12-patch.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs)
Processes: googleup.exe, explorer.exe, driver.reviver.5.24.0.12-patch.exe, 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
  pid | process (×N = consecutive identical rows collapsed)
  544 | googleup.exe
  884 | explorer.exe (×6)
  1412 | driver.reviver.5.24.0.12-patch.exe (×4)
  884 | explorer.exe
  2044 | 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe (×4)
  884 | explorer.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: googleup.exe
  description | pid | process | target process
  PID 1220 set thread context of 544 | 1220 | googleup.exe | googleup.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: googleup.exe, explorer.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | googleup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | googleup.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Modifies Internet Explorer Protected Mode (1 TTP, 4 IoCs)
Processes: explorer.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
Modifies Internet Explorer Protected Mode Banner (1 TTP, 1 IoC)
Processes: explorer.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
Modifies Internet Explorer settings (1 IoC)
Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
  pid | process (×N = consecutive identical rows collapsed)
  1744 | 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe (×64)
Suspicious behavior: MapViewOfSection (7 IoCs)
Processes: googleup.exe, explorer.exe
  pid | process (×N = consecutive identical rows collapsed)
  544 | googleup.exe (×2)
  884 | explorer.exe (×5)
Suspicious use of AdjustPrivilegeToken (32 IoCs)
Processes: AUDIODG.EXE, googleup.exe, explorer.exe
  description | pid | process
  Token: 33 | 1812 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1812 | AUDIODG.EXE
  Token: 33 | 1812 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1812 | AUDIODG.EXE
  Token: SeDebugPrivilege | 544 | googleup.exe
  Token: SeRestorePrivilege | 544 | googleup.exe
  Token: SeBackupPrivilege | 544 | googleup.exe
  Token: SeLoadDriverPrivilege | 544 | googleup.exe
  Token: SeCreatePagefilePrivilege | 544 | googleup.exe
  Token: SeShutdownPrivilege | 544 | googleup.exe
  Token: SeTakeOwnershipPrivilege | 544 | googleup.exe
  Token: SeChangeNotifyPrivilege | 544 | googleup.exe
  Token: SeCreateTokenPrivilege | 544 | googleup.exe
  Token: SeMachineAccountPrivilege | 544 | googleup.exe
  Token: SeSecurityPrivilege | 544 | googleup.exe
  Token: SeAssignPrimaryTokenPrivilege | 544 | googleup.exe
  Token: SeCreateGlobalPrivilege | 544 | googleup.exe
  Token: 33 | 544 | googleup.exe
  Token: SeDebugPrivilege | 884 | explorer.exe
  Token: SeRestorePrivilege | 884 | explorer.exe
  Token: SeBackupPrivilege | 884 | explorer.exe
  Token: SeLoadDriverPrivilege | 884 | explorer.exe
  Token: SeCreatePagefilePrivilege | 884 | explorer.exe
  Token: SeShutdownPrivilege | 884 | explorer.exe
  Token: SeTakeOwnershipPrivilege | 884 | explorer.exe
  Token: SeChangeNotifyPrivilege | 884 | explorer.exe
  Token: SeCreateTokenPrivilege | 884 | explorer.exe
  Token: SeMachineAccountPrivilege | 884 | explorer.exe
  Token: SeSecurityPrivilege | 884 | explorer.exe
  Token: SeAssignPrimaryTokenPrivilege | 884 | explorer.exe
  Token: SeCreateGlobalPrivilege | 884 | explorer.exe
  Token: 33 | 884 | explorer.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe, 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
  pid | process
  1744 | 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
  2044 | 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe, googleup.exe, googleup.exe, explorer.exe
  description | pid | process | target process (×N = consecutive identical rows collapsed)
  PID 1744 wrote to memory of 1412 | 1744 | 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe | driver.reviver.5.24.0.12-patch.exe (×7)
  PID 1744 wrote to memory of 1220 | 1744 | 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe | googleup.exe (×4)
  PID 1744 wrote to memory of 2044 | 1744 | 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe | 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe (×4)
  PID 1220 wrote to memory of 1636 | 1220 | googleup.exe | msiexec.exe (×9)
  PID 1220 wrote to memory of 544 | 1220 | googleup.exe | googleup.exe (×11)
  PID 544 wrote to memory of 884 | 544 | googleup.exe | explorer.exe (×7)
  PID 884 wrote to memory of 1244 | 884 | explorer.exe | Dwm.exe (×6)
  PID 884 wrote to memory of 1296 | 884 | explorer.exe | Explorer.EXE (×6)
  PID 884 wrote to memory of 1412 | 884 | explorer.exe | driver.reviver.5.24.0.12-patch.exe (×2)
  PID 884 wrote to memory of 2044 | 884 | explorer.exe | 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe (×2)
  PID 884 wrote to memory of 968 | 884 | explorer.exe | DllHost.exe (×6)
Processes
(process tree; indentation shows parent/child depth)

C:\Windows\Explorer.EXE (PID 1296)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe (PID 1744)
    command line: "C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe (PID 1412)
      command line: "C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Maps connected drives based on registry
      - Suspicious use of NtSetInformationThreadHideFromDebugger
    C:\Users\Admin\AppData\Roaming\googleup.exe (PID 1220)
      command line: "C:\Users\Admin\AppData\Roaming\googleup.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\msiexec.exe (PID 1636)
        command line: C:\Windows\SysWOW64\msiexec.exe
      C:\Users\Admin\AppData\Roaming\googleup.exe (PID 544)
        command line: "C:\Users\Admin\AppData\Roaming\googleup.exe"
        - Executes dropped EXE
        - Sets file execution options in registry
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\explorer.exe (PID 884)
          command line: C:\Windows\SysWOW64\explorer.exe
          - Modifies firewall policy service
          - Sets file execution options in registry
          - Checks BIOS information in registry
          - Adds Run key to start application
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Checks processor information in registry
          - Enumerates system info in registry
          - Modifies Internet Explorer Protected Mode
          - Modifies Internet Explorer Protected Mode Banner
          - Modifies Internet Explorer settings
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe (PID 2044)
      command line: C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Maps connected drives based on registry
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of FindShellTrayWindow

C:\Windows\system32\Dwm.exe (PID 1244)
  command line: "C:\Windows\system32\Dwm.exe"

C:\Windows\system32\AUDIODG.EXE (PID 1812)
  command line: C:\Windows\system32\AUDIODG.EXE 0x2f4
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DllHost.exe (PID 968)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Enterprise v6
Downloads