f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d

Analysis

max time kernel
190s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe
Size

273KB
MD5

c7a7cf64fb49f2a066da34a7f78fe977
SHA1

537eac4c5324aa3be30ac19d49ba8397ed9d8474
SHA256

f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d
SHA512

35b87de7b1d1063f0cf85325770d0c429fbe3e8cf237a8c3a52929e64869972bbea0fe476415c979a683117eaeae8b0be6943c5313d7775333df91fa58bcdc74
SSDEEP

6144:S8UEj2jCkegTOZeOmBxZ86fwMB49fAxHwkX2lYVe5EBDZUE0k4g9IwoSb:S8U1+go0xZDA9fpkmge+DZUPkF3oSb

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\google\\google.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
2812	google.exe
984	google.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
	upx
behavioral2/memory/532-133-0x0000000000400000-0x00000000005A8000-memory.dmp	upx
behavioral2/memory/532-149-0x0000000000400000-0x00000000005A8000-memory.dmp	upx
behavioral2/files/0x000a000000022e52-151.dat	upx
behavioral2/files/0x000a000000022e52-152.dat	upx
behavioral2/memory/532-153-0x0000000000400000-0x00000000005A8000-memory.dmp	upx
behavioral2/memory/2812-156-0x0000000000400000-0x00000000005A8000-memory.dmp	upx
behavioral2/memory/984-159-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/files/0x000a000000022e52-160.dat	upx
behavioral2/memory/984-162-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/2812-163-0x0000000000400000-0x00000000005A8000-memory.dmp	upx
behavioral2/memory/984-164-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/984-167-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/984-168-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\google = "C:\\Windows\\google\\google.exe"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\google = "C:\\Windows\\google\\google.exe"	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	google.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2812 set thread context of 0	2812	google.exe
PID 2812 set thread context of 984	2812	google.exe	98

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\google\google.exe	google.exe
File created	C:\Windows\google\google.txt	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe
File opened for modification	C:\Windows\google\google.txt	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe
File created	C:\Windows\google\google.exe	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe
File opened for modification	C:\Windows\google\google.exe	google.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	984	google.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
532	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe
2812	google.exe
2812	google.exe
984	google.exe
984	google.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 3896	532	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	83
PID 532 wrote to memory of 3896	532	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	83
PID 532 wrote to memory of 3896	532	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	83
PID 3896 wrote to memory of 4664	3896	cmd.exe	86
PID 3896 wrote to memory of 4664	3896	cmd.exe	86
PID 3896 wrote to memory of 4664	3896	cmd.exe	86
PID 3896 wrote to memory of 3936	3896	cmd.exe	87
PID 3896 wrote to memory of 3936	3896	cmd.exe	87
PID 3896 wrote to memory of 3936	3896	cmd.exe	87
PID 532 wrote to memory of 3884	532	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	88
PID 532 wrote to memory of 3884	532	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	88
PID 532 wrote to memory of 3884	532	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	88
PID 3884 wrote to memory of 4068	3884	cmd.exe	90
PID 3884 wrote to memory of 4068	3884	cmd.exe	90
PID 3884 wrote to memory of 4068	3884	cmd.exe	90
PID 532 wrote to memory of 1780	532	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	91
PID 532 wrote to memory of 1780	532	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	91
PID 532 wrote to memory of 1780	532	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	91
PID 1780 wrote to memory of 916	1780	cmd.exe	93
PID 1780 wrote to memory of 916	1780	cmd.exe	93
PID 1780 wrote to memory of 916	1780	cmd.exe	93
PID 532 wrote to memory of 1448	532	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	94
PID 532 wrote to memory of 1448	532	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	94
PID 532 wrote to memory of 1448	532	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	94
PID 1448 wrote to memory of 2948	1448	cmd.exe	96
PID 1448 wrote to memory of 2948	1448	cmd.exe	96
PID 1448 wrote to memory of 2948	1448	cmd.exe	96
PID 532 wrote to memory of 2812	532	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	97
PID 532 wrote to memory of 2812	532	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	97
PID 532 wrote to memory of 2812	532	f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe	97
PID 2812 wrote to memory of 0	2812	google.exe
PID 2812 wrote to memory of 0	2812	google.exe
PID 2812 wrote to memory of 0	2812	google.exe
PID 2812 wrote to memory of 0	2812	google.exe
PID 2812 wrote to memory of 0	2812	google.exe
PID 2812 wrote to memory of 984	2812	google.exe	98
PID 2812 wrote to memory of 984	2812	google.exe	98
PID 2812 wrote to memory of 984	2812	google.exe	98
PID 2812 wrote to memory of 984	2812	google.exe	98
PID 2812 wrote to memory of 984	2812	google.exe	98
PID 2812 wrote to memory of 984	2812	google.exe	98
PID 2812 wrote to memory of 984	2812	google.exe	98
PID 2812 wrote to memory of 984	2812	google.exe	98

C:\Users\Admin\AppData\Local\Temp\f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe
"C:\Users\Admin\AppData\Local\Temp\f0fde91f35e72918f5d56739d9c0d98e8d359b8cf78243d5500f3ce27c08be8d.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUACJF.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center /v UACDisableNotify /t REG_DWORD /d 0 /f
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    PID:3936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ErsKS.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "google" /t REG_SZ /d "C:\Windows\google\google.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rVgNV.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "google" /t REG_SZ /d "C:\Windows\google\google.exe" /f
    3⤵
    - Adds Run key to start application
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BhokQ.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "Explorer.exe, C:\Windows\google\google.exe" /f
    3⤵
    - Modifies WinLogon for persistence
    PID:2948
- C:\Windows\google\google.exe
  "C:\Windows\google\google.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\google\google.exe
    C:\Windows\google\google.exe
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BhokQ.bat

Filesize
156B

MD5
231b3bcf0c27ebf8105042a52c5e5237

SHA1
bfd1cb997d4c9f0384bc491b36cbea716f3c110c

SHA256
ed9ba1d2e7d1af35cb4bc819d617792034413e9081e38f29875397b86411e6dc

SHA512
42654cce0464035a88e3f0243769e7c13eee0d8f4e8caed80f56ef56a5c68468bbed37397912aa61bbd9c4eee56ec747086988208be37d10a06e6f788fd5ea44

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErsKS.bat

Filesize
121B

MD5
cacbedc0e43d91ca35ee1746830ee6ef

SHA1
3a1fa382f5794bbd7b0a304e411ead0b9b1c1e89

SHA256
afc5fa77872b3692d8cfad640cb783f2df6f3024c216521c289ef7e8085b4408

SHA512
dd560b695e7d4d7dfc3486d8b0b0310a7229fbb5e3e36c014b8f7d52331134076b59d59fd51bf6ff51d511c49d951b48a3a7f2710f9577cf346a361976e93def

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUACJF.bat

Filesize
251B

MD5
dc364dbeb88d1c30ba583f73093a5181

SHA1
3c19dfe65f4a9113b70b4c3838ab88f8f56a00d4

SHA256
7de8fa231ae8006b320a88d6ea10ebe05076f348b38f7484538c3bce34b79bbc

SHA512
3716b7b6fb4b9e20434a19a7b6a26e9b5aec6938d07f9e17d37e1f38d3a8e1014cbadc54e79c8705742e4bb25451711897433feac9ea6d5719fa406e665344e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rVgNV.bat

Filesize
121B

MD5
66616664345c504b501b5f199894e9cc

SHA1
827b6229c0228d4517d62a44e4c21bd813a080a6

SHA256
e5c67556d771f94bf2141036477a59e7eb79d804c5214616a3627c89a390aae2

SHA512
dbeac9ab5c385b8455bfef2b2c739ee1d08a74941291a2de01a1d72eb2c151afc0ce1719b7d76ff4a65979d2d2397fe4342e12405672a0346be841cc27a91f68

Download Submit
C:\Windows\google\google.exe

Filesize
273KB

MD5
fbea7120a8f72a98fa95a7a03a921dd2

SHA1
c3ad1f59d85a251b08c99726b8e592da8d9f59dd

SHA256
df62a51a0ef4f002238fe9d2a2dcd80af77f0f827e2424f7e943a96c6dff9088

SHA512
e35de1e679666d9796a4a23be9ca7c63495866c492f1f7b9b3de34c9dfe870eaccc672436ba0d0af03a1ea84d674cd5170b4b2623e0add5f23945b060bbed98a

Download Submit
C:\Windows\google\google.exe

Filesize
273KB

MD5
fbea7120a8f72a98fa95a7a03a921dd2

SHA1
c3ad1f59d85a251b08c99726b8e592da8d9f59dd

SHA256
df62a51a0ef4f002238fe9d2a2dcd80af77f0f827e2424f7e943a96c6dff9088

SHA512
e35de1e679666d9796a4a23be9ca7c63495866c492f1f7b9b3de34c9dfe870eaccc672436ba0d0af03a1ea84d674cd5170b4b2623e0add5f23945b060bbed98a

Download Submit
C:\Windows\google\google.exe

Filesize
273KB

MD5
fbea7120a8f72a98fa95a7a03a921dd2

SHA1
c3ad1f59d85a251b08c99726b8e592da8d9f59dd

SHA256
df62a51a0ef4f002238fe9d2a2dcd80af77f0f827e2424f7e943a96c6dff9088

SHA512
e35de1e679666d9796a4a23be9ca7c63495866c492f1f7b9b3de34c9dfe870eaccc672436ba0d0af03a1ea84d674cd5170b4b2623e0add5f23945b060bbed98a

Download Submit
memory/0-157-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/532-133-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/532-153-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/532-149-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/984-168-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/984-164-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/984-167-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/984-162-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/984-159-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2812-156-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/2812-163-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads