f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d

Analysis

max time kernel
175s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe
Size

273KB
MD5

c7a7cf64fb49f2a066da34a7f78fe977
SHA1

537eac4c5324aa3be30ac19d49ba8397ed9d8474
SHA256

f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d
SHA512

35b87de7b1d1063f0cf85325770d0c429fbe3e8cf237a8c3a52929e64869972bbea0fe476415c979a683117eaeae8b0be6943c5313d7775333df91fa58bcdc74
SSDEEP

6144:S8UEj2jCkegTOZeOmBxZ86fwMB49fAxHwkX2lYVe5EBDZUE0k4g9IwoSb:S8U1+go0xZDA9fpkmge+DZUPkF3oSb

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\google\\google.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
1196	google.exe
604	google.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
	upx
behavioral1/memory/1536-59-0x0000000000400000-0x00000000005A8000-memory.dmp	upx
behavioral1/files/0x000b000000012326-71.dat	upx
behavioral1/files/0x000b000000012326-74.dat	upx
behavioral1/files/0x000b000000012326-73.dat	upx
behavioral1/files/0x000b000000012326-72.dat	upx
behavioral1/files/0x000b000000012326-76.dat	upx
behavioral1/memory/1536-77-0x0000000000400000-0x00000000005A8000-memory.dmp	upx
behavioral1/memory/1196-79-0x0000000000400000-0x00000000005A8000-memory.dmp	upx
behavioral1/memory/1536-80-0x0000000000400000-0x00000000005A8000-memory.dmp	upx
behavioral1/files/0x000b000000012326-84.dat	upx
behavioral1/memory/604-85-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/1196-89-0x0000000000400000-0x00000000005A8000-memory.dmp	upx
behavioral1/files/0x000b000000012326-87.dat	upx
behavioral1/memory/604-90-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/604-91-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/604-94-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
1536	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe
1536	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe
1536	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe
1536	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\google = "C:\\Windows\\google\\google.exe"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\google = "C:\\Windows\\google\\google.exe"	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	google.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1196 set thread context of 0	1196	google.exe
PID 1196 set thread context of 604	1196	google.exe	42

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\google\google.txt	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe
File opened for modification	C:\Windows\google\google.txt	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe
File created	C:\Windows\google\google.exe	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe
File opened for modification	C:\Windows\google\google.exe	google.exe
File opened for modification	C:\Windows\google\google.exe	google.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	604	google.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1536	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe
1196	google.exe
604	google.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 1052	1536	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	28
PID 1536 wrote to memory of 1052	1536	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	28
PID 1536 wrote to memory of 1052	1536	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	28
PID 1536 wrote to memory of 1052	1536	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	28
PID 1052 wrote to memory of 376	1052	cmd.exe	30
PID 1052 wrote to memory of 376	1052	cmd.exe	30
PID 1052 wrote to memory of 376	1052	cmd.exe	30
PID 1052 wrote to memory of 376	1052	cmd.exe	30
PID 1052 wrote to memory of 472	1052	cmd.exe	31
PID 1052 wrote to memory of 472	1052	cmd.exe	31
PID 1052 wrote to memory of 472	1052	cmd.exe	31
PID 1052 wrote to memory of 472	1052	cmd.exe	31
PID 1536 wrote to memory of 1496	1536	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	33
PID 1536 wrote to memory of 1496	1536	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	33
PID 1536 wrote to memory of 1496	1536	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	33
PID 1536 wrote to memory of 1496	1536	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	33
PID 1496 wrote to memory of 1296	1496	cmd.exe	34
PID 1496 wrote to memory of 1296	1496	cmd.exe	34
PID 1496 wrote to memory of 1296	1496	cmd.exe	34
PID 1496 wrote to memory of 1296	1496	cmd.exe	34
PID 1536 wrote to memory of 628	1536	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	35
PID 1536 wrote to memory of 628	1536	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	35
PID 1536 wrote to memory of 628	1536	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	35
PID 1536 wrote to memory of 628	1536	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	35
PID 628 wrote to memory of 1652	628	cmd.exe	37
PID 628 wrote to memory of 1652	628	cmd.exe	37
PID 628 wrote to memory of 1652	628	cmd.exe	37
PID 628 wrote to memory of 1652	628	cmd.exe	37
PID 1536 wrote to memory of 1500	1536	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	38
PID 1536 wrote to memory of 1500	1536	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	38
PID 1536 wrote to memory of 1500	1536	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	38
PID 1536 wrote to memory of 1500	1536	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	38
PID 1500 wrote to memory of 1192	1500	cmd.exe	40
PID 1500 wrote to memory of 1192	1500	cmd.exe	40
PID 1500 wrote to memory of 1192	1500	cmd.exe	40
PID 1500 wrote to memory of 1192	1500	cmd.exe	40
PID 1536 wrote to memory of 1196	1536	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	41
PID 1536 wrote to memory of 1196	1536	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	41
PID 1536 wrote to memory of 1196	1536	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	41
PID 1536 wrote to memory of 1196	1536	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	41
PID 1196 wrote to memory of 0	1196	google.exe
PID 1196 wrote to memory of 0	1196	google.exe
PID 1196 wrote to memory of 0	1196	google.exe
PID 1196 wrote to memory of 0	1196	google.exe
PID 1196 wrote to memory of 0	1196	google.exe
PID 1196 wrote to memory of 604	1196	google.exe	42
PID 1196 wrote to memory of 604	1196	google.exe	42
PID 1196 wrote to memory of 604	1196	google.exe	42
PID 1196 wrote to memory of 604	1196	google.exe	42
PID 1196 wrote to memory of 604	1196	google.exe	42
PID 1196 wrote to memory of 604	1196	google.exe	42
PID 1196 wrote to memory of 604	1196	google.exe	42
PID 1196 wrote to memory of 604	1196	google.exe	42
PID 1196 wrote to memory of 604	1196	google.exe	42

C:\Users\Admin\AppData\Local\Temp\f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe
"C:\Users\Admin\AppData\Local\Temp\f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\OUACJF.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center /v UACDisableNotify /t REG_DWORD /d 0 /f
    3⤵
    PID:376
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    PID:472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\EBith.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "google" /t REG_SZ /d "C:\Windows\google\google.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\eIVWS.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "google" /t REG_SZ /d "C:\Windows\google\google.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\DyLMI.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "Explorer.exe, C:\Windows\google\google.exe" /f
    3⤵
    - Modifies WinLogon for persistence
    PID:1192
- C:\Windows\google\google.exe
  "C:\Windows\google\google.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\google\google.exe
    C:\Windows\google\google.exe
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DyLMI.bat

Filesize
156B

MD5
231b3bcf0c27ebf8105042a52c5e5237

SHA1
bfd1cb997d4c9f0384bc491b36cbea716f3c110c

SHA256
ed9ba1d2e7d1af35cb4bc819d617792034413e9081e38f29875397b86411e6dc

SHA512
42654cce0464035a88e3f0243769e7c13eee0d8f4e8caed80f56ef56a5c68468bbed37397912aa61bbd9c4eee56ec747086988208be37d10a06e6f788fd5ea44

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBith.bat

Filesize
121B

MD5
cacbedc0e43d91ca35ee1746830ee6ef

SHA1
3a1fa382f5794bbd7b0a304e411ead0b9b1c1e89

SHA256
afc5fa77872b3692d8cfad640cb783f2df6f3024c216521c289ef7e8085b4408

SHA512
dd560b695e7d4d7dfc3486d8b0b0310a7229fbb5e3e36c014b8f7d52331134076b59d59fd51bf6ff51d511c49d951b48a3a7f2710f9577cf346a361976e93def

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUACJF.bat

Filesize
251B

MD5
dc364dbeb88d1c30ba583f73093a5181

SHA1
3c19dfe65f4a9113b70b4c3838ab88f8f56a00d4

SHA256
7de8fa231ae8006b320a88d6ea10ebe05076f348b38f7484538c3bce34b79bbc

SHA512
3716b7b6fb4b9e20434a19a7b6a26e9b5aec6938d07f9e17d37e1f38d3a8e1014cbadc54e79c8705742e4bb25451711897433feac9ea6d5719fa406e665344e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIVWS.bat

Filesize
121B

MD5
66616664345c504b501b5f199894e9cc

SHA1
827b6229c0228d4517d62a44e4c21bd813a080a6

SHA256
e5c67556d771f94bf2141036477a59e7eb79d804c5214616a3627c89a390aae2

SHA512
dbeac9ab5c385b8455bfef2b2c739ee1d08a74941291a2de01a1d72eb2c151afc0ce1719b7d76ff4a65979d2d2397fe4342e12405672a0346be841cc27a91f68

Download Submit
C:\Windows\google\google.exe

Filesize
273KB

MD5
ff561b12a8d49ed7275dfe61572e4994

SHA1
3b5da7263e0374339d04fb404bb14ac356ca9294

SHA256
36ba82f1ede13b02b417554f3b9100911db9d060d350b07145a5aff0e614ce00

SHA512
7427fd59a1d2d1a3edb44783990f3e3108d759aa758b2e4fee79fb42028959cfa184189855b967b8e78882afbc7a5132e52acfbe75712abf8eb6c004aa878b10

Download Submit
C:\Windows\google\google.exe

Filesize
273KB

MD5
ff561b12a8d49ed7275dfe61572e4994

SHA1
3b5da7263e0374339d04fb404bb14ac356ca9294

SHA256
36ba82f1ede13b02b417554f3b9100911db9d060d350b07145a5aff0e614ce00

SHA512
7427fd59a1d2d1a3edb44783990f3e3108d759aa758b2e4fee79fb42028959cfa184189855b967b8e78882afbc7a5132e52acfbe75712abf8eb6c004aa878b10

Download Submit
C:\Windows\google\google.exe

Filesize
273KB

MD5
ff561b12a8d49ed7275dfe61572e4994

SHA1
3b5da7263e0374339d04fb404bb14ac356ca9294

SHA256
36ba82f1ede13b02b417554f3b9100911db9d060d350b07145a5aff0e614ce00

SHA512
7427fd59a1d2d1a3edb44783990f3e3108d759aa758b2e4fee79fb42028959cfa184189855b967b8e78882afbc7a5132e52acfbe75712abf8eb6c004aa878b10

Download Submit
\Windows\google\google.exe

Filesize
273KB

MD5
ff561b12a8d49ed7275dfe61572e4994

SHA1
3b5da7263e0374339d04fb404bb14ac356ca9294

SHA256
36ba82f1ede13b02b417554f3b9100911db9d060d350b07145a5aff0e614ce00

SHA512
7427fd59a1d2d1a3edb44783990f3e3108d759aa758b2e4fee79fb42028959cfa184189855b967b8e78882afbc7a5132e52acfbe75712abf8eb6c004aa878b10

Download Submit
\Windows\google\google.exe

Filesize
273KB

MD5
ff561b12a8d49ed7275dfe61572e4994

SHA1
3b5da7263e0374339d04fb404bb14ac356ca9294

SHA256
36ba82f1ede13b02b417554f3b9100911db9d060d350b07145a5aff0e614ce00

SHA512
7427fd59a1d2d1a3edb44783990f3e3108d759aa758b2e4fee79fb42028959cfa184189855b967b8e78882afbc7a5132e52acfbe75712abf8eb6c004aa878b10

Download Submit
\Windows\google\google.exe

Filesize
273KB

MD5
ff561b12a8d49ed7275dfe61572e4994

SHA1
3b5da7263e0374339d04fb404bb14ac356ca9294

SHA256
36ba82f1ede13b02b417554f3b9100911db9d060d350b07145a5aff0e614ce00

SHA512
7427fd59a1d2d1a3edb44783990f3e3108d759aa758b2e4fee79fb42028959cfa184189855b967b8e78882afbc7a5132e52acfbe75712abf8eb6c004aa878b10

Download Submit
\Windows\google\google.exe

Filesize
273KB

MD5
ff561b12a8d49ed7275dfe61572e4994

SHA1
3b5da7263e0374339d04fb404bb14ac356ca9294

SHA256
36ba82f1ede13b02b417554f3b9100911db9d060d350b07145a5aff0e614ce00

SHA512
7427fd59a1d2d1a3edb44783990f3e3108d759aa758b2e4fee79fb42028959cfa184189855b967b8e78882afbc7a5132e52acfbe75712abf8eb6c004aa878b10

Download Submit
memory/0-83-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/604-91-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/604-90-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/604-94-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/604-85-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1196-89-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/1196-79-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/1536-80-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/1536-78-0x0000000003090000-0x0000000003238000-memory.dmp

Filesize
1.7MB

Download
memory/1536-77-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/1536-56-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download
memory/1536-59-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads