runningrat | 7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4

Analysis

max time kernel
188s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
Size

84KB
MD5

347a3d54f1eb89003fc3ffc15eecc9fa
SHA1

d59b10e282d5a84cfbcd92accb69c8dadfd262eb
SHA256

7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4
SHA512

b0a515b732e0438a7ee905e3ba2eafb7ac221f8323470a2c30ea970881bdadca9cc2b7b0ffc712a5617eb0fb893b1696c7a8cc0efa1473afadc9fdcd7459fb30
SSDEEP

1536:/fFYrHzmJcABxt2mE5OAkYJLz4agc5fHLl71Bxdm+Zz8Dq:arTmJ/vElJLz4axLl1BxHZU

Score

10^/10

runningrat evasion persistence rat

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe:*:enabled:@shell32.dll,-1"	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe

RunningRat
RunningRat is a remote access trojan first seen in 2018.
rat runningrat

RunningRat payload 1 IoCs

resource	yara_rule
behavioral2/memory/1568-132-0x0000000000400000-0x0000000000415000-memory.dmp	family_runningrat

Executes dropped EXE 1 IoCs

pid	Process
4336	123.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\123\Parameters\ServiceDll = "C:\\Program Files (x86)\\Google\\240592265.dll"	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe

Loads dropped DLL 3 IoCs

pid	Process
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1832	svchost.exe
4336	123.exe

Creates a Windows Service
persistence

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\123.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\123.exe	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\CMD.EXE	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\240592265.dll	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4720	1568	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
Token: SeIncBasePriorityPrivilege	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
Token: SeTakeOwnershipPrivilege	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
Token: SeRestorePrivilege	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
Token: SeBackupPrivilege	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
Token: SeChangeNotifyPrivilege	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 572	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	76
PID 1568 wrote to memory of 572	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	76
PID 1568 wrote to memory of 572	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	76
PID 1568 wrote to memory of 572	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	76
PID 1568 wrote to memory of 572	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	76
PID 1568 wrote to memory of 572	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	76
PID 1568 wrote to memory of 660	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	2
PID 1568 wrote to memory of 660	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	2
PID 1568 wrote to memory of 660	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	2
PID 1568 wrote to memory of 660	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	2
PID 1568 wrote to memory of 660	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	2
PID 1568 wrote to memory of 660	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	2
PID 1568 wrote to memory of 768	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	1
PID 1568 wrote to memory of 768	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	1
PID 1568 wrote to memory of 768	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	1
PID 1568 wrote to memory of 768	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	1
PID 1568 wrote to memory of 768	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	1
PID 1568 wrote to memory of 768	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	1
PID 1568 wrote to memory of 776	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	74
PID 1568 wrote to memory of 776	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	74
PID 1568 wrote to memory of 776	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	74
PID 1568 wrote to memory of 776	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	74
PID 1568 wrote to memory of 776	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	74
PID 1568 wrote to memory of 776	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	74
PID 1568 wrote to memory of 784	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	73
PID 1568 wrote to memory of 784	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	73
PID 1568 wrote to memory of 784	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	73
PID 1568 wrote to memory of 784	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	73
PID 1568 wrote to memory of 784	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	73
PID 1568 wrote to memory of 784	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	73
PID 1568 wrote to memory of 892	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	72
PID 1568 wrote to memory of 892	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	72
PID 1568 wrote to memory of 892	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	72
PID 1568 wrote to memory of 892	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	72
PID 1568 wrote to memory of 892	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	72
PID 1568 wrote to memory of 892	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	72
PID 1568 wrote to memory of 940	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	4
PID 1568 wrote to memory of 940	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	4
PID 1568 wrote to memory of 940	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	4
PID 1568 wrote to memory of 940	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	4
PID 1568 wrote to memory of 940	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	4
PID 1568 wrote to memory of 940	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	4
PID 1568 wrote to memory of 1004	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	3
PID 1568 wrote to memory of 1004	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	3
PID 1568 wrote to memory of 1004	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	3
PID 1568 wrote to memory of 1004	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	3
PID 1568 wrote to memory of 1004	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	3
PID 1568 wrote to memory of 1004	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	3
PID 1568 wrote to memory of 436	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	71
PID 1568 wrote to memory of 436	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	71
PID 1568 wrote to memory of 436	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	71
PID 1568 wrote to memory of 436	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	71
PID 1568 wrote to memory of 436	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	71
PID 1568 wrote to memory of 436	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	71
PID 1568 wrote to memory of 640	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	5
PID 1568 wrote to memory of 640	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	5
PID 1568 wrote to memory of 640	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	5
PID 1568 wrote to memory of 640	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	5
PID 1568 wrote to memory of 640	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	5
PID 1568 wrote to memory of 640	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	5
PID 1568 wrote to memory of 832	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	6
PID 1568 wrote to memory of 832	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	6
PID 1568 wrote to memory of 832	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	6
PID 1568 wrote to memory of 832	1568	7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe	6

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:768
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3456
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe
  2⤵
  PID:1528
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3624
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2084
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  2⤵
  PID:4588
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:2896
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4664
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:4384
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3728
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3540
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3372
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3280

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:660

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1120
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:1728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2544

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4496

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:3416

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:2572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:5100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3080

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:704
- C:\Users\Admin\AppData\Local\Temp\7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe
  "C:\Users\Admin\AppData\Local\Temp\7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4.exe"
  2⤵
  - Modifies firewall policy service
  - Sets DLL path for service in the registry
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1624
    3⤵
    - Program crash
    PID:4720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2484

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2336

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2092

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1456

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1344

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:892

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:572

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "123"
1⤵
PID:5092

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "123"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:1832
- C:\Windows\SysWOW64\123.exe
  C:\Windows\system32\123.exe "c:\program files (x86)\google\240592265.dll",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1568 -ip 1568
1⤵
PID:4308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\240592265.dll

Filesize
26KB

MD5
721a67aa77b60c431aff25e5b6072ae1

SHA1
256e64e033990f262be1f02b8186bedb1679c53e

SHA256
2cf838f679e15e87e685dfbbc2a85d06434a972b2d63de52f9d4377010e7e6af

SHA512
c951f82f7e99691cf7cb1e327e8b6d63aa867ff16709a15ab1b935c8e6370482b3952abf3764ffd2e4040ae053c80700c5a777cfef6f7d8c5a2a165c3422992f

Download Submit
C:\Program Files (x86)\Google\240592265.dll

Filesize
26KB

MD5
721a67aa77b60c431aff25e5b6072ae1

SHA1
256e64e033990f262be1f02b8186bedb1679c53e

SHA256
2cf838f679e15e87e685dfbbc2a85d06434a972b2d63de52f9d4377010e7e6af

SHA512
c951f82f7e99691cf7cb1e327e8b6d63aa867ff16709a15ab1b935c8e6370482b3952abf3764ffd2e4040ae053c80700c5a777cfef6f7d8c5a2a165c3422992f

Download Submit
C:\Program Files (x86)\Google\240592265.dll

Filesize
26KB

MD5
721a67aa77b60c431aff25e5b6072ae1

SHA1
256e64e033990f262be1f02b8186bedb1679c53e

SHA256
2cf838f679e15e87e685dfbbc2a85d06434a972b2d63de52f9d4377010e7e6af

SHA512
c951f82f7e99691cf7cb1e327e8b6d63aa867ff16709a15ab1b935c8e6370482b3952abf3764ffd2e4040ae053c80700c5a777cfef6f7d8c5a2a165c3422992f

Download Submit
C:\Windows\SysWOW64\123.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Windows\SysWOW64\123.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
\??\c:\program files (x86)\google\240592265.dll

Filesize
26KB

MD5
721a67aa77b60c431aff25e5b6072ae1

SHA1
256e64e033990f262be1f02b8186bedb1679c53e

SHA256
2cf838f679e15e87e685dfbbc2a85d06434a972b2d63de52f9d4377010e7e6af

SHA512
c951f82f7e99691cf7cb1e327e8b6d63aa867ff16709a15ab1b935c8e6370482b3952abf3764ffd2e4040ae053c80700c5a777cfef6f7d8c5a2a165c3422992f

Download Submit
memory/1568-132-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1568-133-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download