Resubmissions

12/02/2023, 17:24

230212-vyv7wafd49 10

12/02/2023, 14:28

230212-rs1cvsee85 1

Analysis

  • max time kernel
    1237s
  • max time network
    1245s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/02/2023, 17:24

General

  • Target

    GoogleUpdateCore.exe

  • Size

    339KB

  • MD5

    dffce796a69f576b2ce5161c5bf23249

  • SHA1

    9cfac609a83d93c7727a6cfa8ee75c2f3d5d7281

  • SHA256

    a1094fd210d9c5845758c9c144a863b0d98fcd71e5fff9ce6ea2abe6b25e0fc2

  • SHA512

    959a626766dd615b4022dacc9dcebc845cdafc82f37ecbd3264e7dc2e6a8c65c15ecb54561d7991f4593d3f5bdb1fe6064dbb722eb4e59e92e93b7820e857289

  • SSDEEP

    3072:fub/CFYzAFsmRZIK3D8tjoBYOh8joBYOhVjoBYOhAeaqJsQy4Wr/CCs3iI84450v:fa/CVZ3D8OeaWyXVsa44vBjjzue8GMu

Malware Config

Extracted

Family

asyncrat

Version

丽杰ョょ诶жצョרョバぎウ東バ尺迪迪制Ежर马ばぎंょ煙

Botnet

https://api.telegram.org/bot

Mutex

713693179

Attributes
  • delay

    9000

  • install

    false

  • install_file

    notepad.exe

  • install_folder

    رچىقمپازجغنصشعیوهاخجطۆلقهنهم..

  • pastebin_config

    https://www.youtube.com/

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Async RAT payload 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GoogleUpdateCore.exe
    "C:\Users\Admin\AppData\Local\Temp\GoogleUpdateCore.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Users\Admin\AppData\Local\Temp\tmp1D6F.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp1D6F.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1212
      • C:\Windows\system32\cmd.exe
        "cmd" /c ping google.com & del "C:\Users\Admin\AppData\Local\Temp\tmp1D6F.tmp.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1952
        • C:\Windows\system32\PING.EXE
          ping google.com
          4⤵
          • Runs ping.exe
          PID:932

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    61KB

    MD5

    fc4666cbca561e864e7fdf883a9e6661

    SHA1

    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

    SHA256

    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

    SHA512

    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    9feeab957d395302d8e609b750901d9e

    SHA1

    2ee7d375d9ced3260bace976d1c67360fbef7cf0

    SHA256

    3aff74ea2e94b4078ea91d6441f1767411ba8e208603cfd31d81b3707cdb9f37

    SHA512

    826065d453b0e01244f65000764634f6422ea927afd46b075eee0182ba17630d1e1bc7f30837ad5e5312ccb8b884e652c53cf20bb56715ddb01f2d8e2a62e429

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a301c450c299f517d4a0474479f49e3b

    SHA1

    b4f76e7e9124ddb1304e6dce1df52c8600e02886

    SHA256

    8f0c71dd4786dc4f6b1797905f5d0dd498fececdbfc31760839194704061a29e

    SHA512

    09853282ad6732be2e08a4c1bd6c62d91f23c7be72d054bb5e7484e8de980925c0cfdfaad63329ce18d5b4d0e064cc464ade12abb8bbde5c748b19a8248f89c2

  • C:\Users\Admin\AppData\Local\Temp\tmp1D6F.tmp.exe

    Filesize

    688KB

    MD5

    3cfa08af2e428627fc94d12cf816fa84

    SHA1

    fd620819a91ab99ccf03e564803da214775be163

    SHA256

    d76a3ee345f410aebfc11949c542acfea7b7445c3e396f1f2d7a785875d3595d

    SHA512

    95e0250f1686e36a5073d8b39a6833c30ad5447858edbc890fedd71393cbb4dd6d084f7b1442ebc78d56f6dd3b0b3794f12b7fad148d234407d7954856132848

  • memory/1212-66-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/1212-70-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/1212-78-0x0000000075D01000-0x0000000075D03000-memory.dmp

    Filesize

    8KB

  • memory/1212-76-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/1212-65-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/1212-74-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/1212-68-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/1212-69-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

  • memory/1636-54-0x0000000000A80000-0x0000000000ADA000-memory.dmp

    Filesize

    360KB

  • memory/1636-58-0x0000000000420000-0x000000000042A000-memory.dmp

    Filesize

    40KB

  • memory/1636-57-0x000000001B3D6000-0x000000001B3F5000-memory.dmp

    Filesize

    124KB

  • memory/1636-56-0x000000001B3D6000-0x000000001B3F5000-memory.dmp

    Filesize

    124KB

  • memory/1636-55-0x0000000000160000-0x000000000016C000-memory.dmp

    Filesize

    48KB

  • memory/1972-64-0x00000000004D0000-0x00000000004EC000-memory.dmp

    Filesize

    112KB

  • memory/1972-63-0x0000000000490000-0x00000000004D2000-memory.dmp

    Filesize

    264KB

  • memory/1972-62-0x0000000000D00000-0x0000000000DB0000-memory.dmp

    Filesize

    704KB