Analysis
- max time kernel: 152s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2022 08:41
Static task: static1
Behavioral task: behavioral1
- Sample: a88d8cc771b86d5118c2b9b88d4779898c7ff81d784473518b4313b4dce9f7b6.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: a88d8cc771b86d5118c2b9b88d4779898c7ff81d784473518b4313b4dce9f7b6.exe
- Resource: win10v2004-20220812-en
General
- Target: a88d8cc771b86d5118c2b9b88d4779898c7ff81d784473518b4313b4dce9f7b6.exe
- Size: 91KB
- MD5: c2887dc9cc1ee1a2a0d5e145b7753b8d
- SHA1: d617275d213589106069904de3a75cce2966f456
- SHA256: a88d8cc771b86d5118c2b9b88d4779898c7ff81d784473518b4313b4dce9f7b6
- SHA512: b3bb53a7c82f1a33baf42ae908ad23ff0cd86a20edc6cb13068003b472abe0a5b08c4d852a730c284ff2f109013ad8c825a1ffc60f6b356a89d7f44442c64bd4
- SSDEEP: 768:6JaHSmit+p/t5PhSsDPkwL2VY607aDXRKP4k4oh7Ta96SAKlZCKFcbFL:6JEPiY/L5jlYY66arRKP4k4WXP+CbL
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: GoogleUpdate.exe (PID 1420)
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: GoogleUpdate.exe
  - Set value (str) by GoogleUpdate.exe: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\3faa9e17f2b5365ead6b57afa5ff3fbe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\GoogleUpdate.exe\" .."
  - Set value (str) by GoogleUpdate.exe: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3faa9e17f2b5365ead6b57afa5ff3fbe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\GoogleUpdate.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes: GoogleUpdate.exe (PID 1420)
  - Token: SeDebugPrivilege (PID 1420, GoogleUpdate.exe), 1 occurrence
  - Token: 33 (PID 1420, GoogleUpdate.exe), 9 occurrences
  - Token: SeIncBasePriorityPrivilege (PID 1420, GoogleUpdate.exe), 9 occurrences
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: a88d8cc771b86d5118c2b9b88d4779898c7ff81d784473518b4313b4dce9f7b6.exe, GoogleUpdate.exe
  - PID 1760 (a88d8cc771b86d5118c2b9b88d4779898c7ff81d784473518b4313b4dce9f7b6.exe) wrote to memory of PID 1420 (GoogleUpdate.exe), 3 occurrences
  - PID 1420 (GoogleUpdate.exe) wrote to memory of PID 1504 (netsh.exe), 3 occurrences
Processes
1. C:\Users\Admin\AppData\Local\Temp\a88d8cc771b86d5118c2b9b88d4779898c7ff81d784473518b4313b4dce9f7b6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a88d8cc771b86d5118c2b9b88d4779898c7ff81d784473518b4313b4dce9f7b6.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\GoogleUpdate.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\GoogleUpdate.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\GoogleUpdate.exe" "GoogleUpdate.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\GoogleUpdate.exe
  - Filesize: 91KB
  - MD5: c2887dc9cc1ee1a2a0d5e145b7753b8d
  - SHA1: d617275d213589106069904de3a75cce2966f456
  - SHA256: a88d8cc771b86d5118c2b9b88d4779898c7ff81d784473518b4313b4dce9f7b6
  - SHA512: b3bb53a7c82f1a33baf42ae908ad23ff0cd86a20edc6cb13068003b472abe0a5b08c4d852a730c284ff2f109013ad8c825a1ffc60f6b356a89d7f44442c64bd4
- memory/1420-56-0x0000000000000000-mapping.dmp
- memory/1420-59-0x000007FEF3580000-0x000007FEF3FA3000-memory.dmp (Filesize: 10.1MB)
- memory/1420-60-0x000007FEED8B0000-0x000007FEEE946000-memory.dmp (Filesize: 16.6MB)
- memory/1504-61-0x0000000000000000-mapping.dmp
- memory/1504-62-0x000007FEFB901000-0x000007FEFB903000-memory.dmp (Filesize: 8KB)
- memory/1760-54-0x000007FEF3580000-0x000007FEF3FA3000-memory.dmp (Filesize: 10.1MB)
- memory/1760-55-0x000007FEF24E0000-0x000007FEF3576000-memory.dmp (Filesize: 16.6MB)