77b9bdaabfc44623b250506afbc21196faf13807a2204b749538d17b5b800c37

General

Target

77b9bdaabfc44623b250506afbc21196faf13807a2204b749538d17b5b800c37.exe
Size

48KB
MD5

a30000b0091381b46ea9bd80c2dfc080
SHA1

dc10fd371e827b55446aad9bf8f18e1dcd34af73
SHA256

77b9bdaabfc44623b250506afbc21196faf13807a2204b749538d17b5b800c37
SHA512

56482fdd7ff6f21e451d3f348243e670986e8b12606738035fb96143c0eb1b96dd32dfd4d3bee9ab6d0014c0e65a10d7596780adc1932616ef85626c18b267d8
SSDEEP

768:BZ6DFma8K6HC4kj5Jp9jrQOV/W4jcAFVLymH6SKd3j8oi4p63Suc:+FSHHzgJL5V/Wec4OmaSs8M64

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3524	Smssvchost.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Smssvchost\Parameters\ServiceDll = "C:\\Program Files (x86)\\Google\\240586406.dll"	77b9bdaabfc44623b250506afbc21196faf13807a2204b749538d17b5b800c37.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	77b9bdaabfc44623b250506afbc21196faf13807a2204b749538d17b5b800c37.exe

Loads dropped DLL 3 IoCs

pid	Process
2028	77b9bdaabfc44623b250506afbc21196faf13807a2204b749538d17b5b800c37.exe
3372	svchost.exe
3524	Smssvchost.exe

Creates a Windows Service
persistence

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Smssvchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Smssvchost.exe	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\240586406.dll	77b9bdaabfc44623b250506afbc21196faf13807a2204b749538d17b5b800c37.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4196	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2028	77b9bdaabfc44623b250506afbc21196faf13807a2204b749538d17b5b800c37.exe
2028	77b9bdaabfc44623b250506afbc21196faf13807a2204b749538d17b5b800c37.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2028	77b9bdaabfc44623b250506afbc21196faf13807a2204b749538d17b5b800c37.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2028	77b9bdaabfc44623b250506afbc21196faf13807a2204b749538d17b5b800c37.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1536	2028	77b9bdaabfc44623b250506afbc21196faf13807a2204b749538d17b5b800c37.exe	85
PID 2028 wrote to memory of 1536	2028	77b9bdaabfc44623b250506afbc21196faf13807a2204b749538d17b5b800c37.exe	85
PID 2028 wrote to memory of 1536	2028	77b9bdaabfc44623b250506afbc21196faf13807a2204b749538d17b5b800c37.exe	85
PID 1536 wrote to memory of 4196	1536	cmd.exe	87
PID 1536 wrote to memory of 4196	1536	cmd.exe	87
PID 1536 wrote to memory of 4196	1536	cmd.exe	87
PID 3372 wrote to memory of 3524	3372	svchost.exe	89
PID 3372 wrote to memory of 3524	3372	svchost.exe	89
PID 3372 wrote to memory of 3524	3372	svchost.exe	89

C:\Users\Admin\AppData\Local\Temp\77b9bdaabfc44623b250506afbc21196faf13807a2204b749538d17b5b800c37.exe
"C:\Users\Admin\AppData\Local\Temp\77b9bdaabfc44623b250506afbc21196faf13807a2204b749538d17b5b800c37.exe"
1⤵
- Sets DLL path for service in the registry
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\77b9bdaabfc44623b250506afbc21196faf13807a2204b749538d17b5b800c37.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 1
    3⤵
    - Runs ping.exe
    PID:4196

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Smssvchost"
1⤵
PID:1680

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Smssvchost"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Windows\SysWOW64\Smssvchost.exe
  C:\Windows\system32\Smssvchost.exe "c:\program files (x86)\google\240586406.dll",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\240586406.dll

Filesize
26KB

MD5
81d76e81ec536e85a6095a3375dc0672

SHA1
2d1aef19a6c85f7e168c1545a699c2a0a86b328f

SHA256
89d003d5177aba72aa23821ba7cf9036a071c51c18575fba2dd2ddac747a4fcb

SHA512
00c928817372818fa31a8ad970552340acb806eb14e04d917702f35685630945ffb9781ebac7ba412939abb7c30a8b4d4675e55216374e9ba392f50f1b3709d0

Download Submit
C:\Program Files (x86)\Google\240586406.dll

Filesize
26KB

MD5
81d76e81ec536e85a6095a3375dc0672

SHA1
2d1aef19a6c85f7e168c1545a699c2a0a86b328f

SHA256
89d003d5177aba72aa23821ba7cf9036a071c51c18575fba2dd2ddac747a4fcb

SHA512
00c928817372818fa31a8ad970552340acb806eb14e04d917702f35685630945ffb9781ebac7ba412939abb7c30a8b4d4675e55216374e9ba392f50f1b3709d0

Download Submit
C:\Program Files (x86)\Google\240586406.dll

Filesize
26KB

MD5
81d76e81ec536e85a6095a3375dc0672

SHA1
2d1aef19a6c85f7e168c1545a699c2a0a86b328f

SHA256
89d003d5177aba72aa23821ba7cf9036a071c51c18575fba2dd2ddac747a4fcb

SHA512
00c928817372818fa31a8ad970552340acb806eb14e04d917702f35685630945ffb9781ebac7ba412939abb7c30a8b4d4675e55216374e9ba392f50f1b3709d0

Download Submit
C:\Windows\SysWOW64\Smssvchost.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Windows\SysWOW64\Smssvchost.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
\??\c:\program files (x86)\google\240586406.dll

Filesize
26KB

MD5
81d76e81ec536e85a6095a3375dc0672

SHA1
2d1aef19a6c85f7e168c1545a699c2a0a86b328f

SHA256
89d003d5177aba72aa23821ba7cf9036a071c51c18575fba2dd2ddac747a4fcb

SHA512
00c928817372818fa31a8ad970552340acb806eb14e04d917702f35685630945ffb9781ebac7ba412939abb7c30a8b4d4675e55216374e9ba392f50f1b3709d0

Download Submit
memory/1536-135-0x0000000000000000-mapping.dmp

Download
memory/3524-137-0x0000000000000000-mapping.dmp

Download
memory/4196-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing