25e8214b16a263f671a643e0272376c1f1d70b0b585ec7ab83c9234710da9bdd

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25e8214b16a263f671a643e0272376c1f1d70b0b585ec7ab83c9234710da9bdd.exe
Size

228KB
MD5

011bb75fb268a7d8ec0c65176bb18570
SHA1

1ad5b8251012ef4aa1c968c8a97ebdb3eeb48999
SHA256

25e8214b16a263f671a643e0272376c1f1d70b0b585ec7ab83c9234710da9bdd
SHA512

ecfbca52a9fcc833d3a5a271172e3ef483bbbf076e9255f8922f7434c291d85f3a8967973777a032186f9bc7e57b463cb7d7d9c94b58b1dbb98ffb619b5442c4
SSDEEP

3072:PNR8MhW0lc+5cTpk6nq0l90o+VEz4vel4f2ZnZKfNsJQ1cZiQ8:Pp/lc3pk+91z4vV2nWS8

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

goog1le.exe

pid process

4880 goog1le.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3424 netsh.exe

pid	process
3424	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

25e8214b16a263f671a643e0272376c1f1d70b0b585ec7ab83c9234710da9bdd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	25e8214b16a263f671a643e0272376c1f1d70b0b585ec7ab83c9234710da9bdd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

goog1le.exe

pid	process
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe
4880	goog1le.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

goog1le.exe

description pid process

Token: SeDebugPrivilege 4880 goog1le.exe

description	pid	process
Token: SeDebugPrivilege	4880	goog1le.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

25e8214b16a263f671a643e0272376c1f1d70b0b585ec7ab83c9234710da9bdd.exegoog1le.exe

description	pid	process	target process
PID 2820 wrote to memory of 4880	2820	25e8214b16a263f671a643e0272376c1f1d70b0b585ec7ab83c9234710da9bdd.exe	goog1le.exe
PID 2820 wrote to memory of 4880	2820	25e8214b16a263f671a643e0272376c1f1d70b0b585ec7ab83c9234710da9bdd.exe	goog1le.exe
PID 4880 wrote to memory of 3424	4880	goog1le.exe	netsh.exe
PID 4880 wrote to memory of 3424	4880	goog1le.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\25e8214b16a263f671a643e0272376c1f1d70b0b585ec7ab83c9234710da9bdd.exe
"C:\Users\Admin\AppData\Local\Temp\25e8214b16a263f671a643e0272376c1f1d70b0b585ec7ab83c9234710da9bdd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\goog1le.exe
  "C:\Users\Admin\AppData\Local\Temp\goog1le.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\SYSTEM32\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\goog1le.exe" "goog1le.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:3424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\goog1le.exe

Filesize
228KB

MD5
011bb75fb268a7d8ec0c65176bb18570

SHA1
1ad5b8251012ef4aa1c968c8a97ebdb3eeb48999

SHA256
25e8214b16a263f671a643e0272376c1f1d70b0b585ec7ab83c9234710da9bdd

SHA512
ecfbca52a9fcc833d3a5a271172e3ef483bbbf076e9255f8922f7434c291d85f3a8967973777a032186f9bc7e57b463cb7d7d9c94b58b1dbb98ffb619b5442c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\goog1le.exe

Filesize
228KB

MD5
011bb75fb268a7d8ec0c65176bb18570

SHA1
1ad5b8251012ef4aa1c968c8a97ebdb3eeb48999

SHA256
25e8214b16a263f671a643e0272376c1f1d70b0b585ec7ab83c9234710da9bdd

SHA512
ecfbca52a9fcc833d3a5a271172e3ef483bbbf076e9255f8922f7434c291d85f3a8967973777a032186f9bc7e57b463cb7d7d9c94b58b1dbb98ffb619b5442c4

Download Submit
memory/2820-132-0x0000000000490000-0x00000000004CE000-memory.dmp

Filesize
248KB

Download
memory/2820-133-0x00007FFAB7130000-0x00007FFAB7BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2820-137-0x00007FFAB7130000-0x00007FFAB7BF1000-memory.dmp

Filesize
10.8MB

Download
memory/3424-138-0x0000000000000000-mapping.dmp

Download
memory/4880-134-0x0000000000000000-mapping.dmp

Download
memory/4880-139-0x00007FFAB7130000-0x00007FFAB7BF1000-memory.dmp

Filesize
10.8MB

Download
memory/4880-140-0x00007FFAB7130000-0x00007FFAB7BF1000-memory.dmp

Filesize
10.8MB

Download