bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba

Analysis

max time kernel
8s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2023 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
Size

1.8MB
MD5

9b49a7aa16b37e4a5dc0d7dadd2d62f4
SHA1

2cb7867e65c8c2772f40af2f7298717f8d581de1
SHA256

bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba
SHA512

135ac8b7e953a0a2be5f9ba7f9735cab3352995a44e05c0b432106f4aef2cda01b35a3f959dc4bb767f6cf47c2c6c5892a18efe137a2b549a27039cda829b6d4
SSDEEP

49152:qx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAEgDUYmvFur31yAipQCtXxc0H:qvbjVkjjCAzJCU7dG1yfpVBlH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
216	alg.exe
4076	DiagnosticsHub.StandardCollector.Service.exe
4372	fxssvc.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c4e30f88d9bbff8e.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File opened for modification	C:\Windows\system32\dllhost.exe	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\psuser.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\GoogleUpdateSetup.exe	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUTE5FC.tmp	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\GoogleUpdate.exe	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_hi.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_th.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_ur.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\GoogleUpdateOnDemand.exe	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_hu.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_no.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_ko.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_sw.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_tr.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\GoogleCrashHandler.exe	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\psmachine_64.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_fa.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_gu.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_hr.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_zh-CN.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_ca.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_da.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_sv.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_te.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdate.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\psmachine.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\GoogleCrashHandler64.exe	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_es.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_kn.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_nl.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_pt-PT.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_ro.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_sr.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_ta.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\GoogleUpdateSetup.exe	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_am.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_fi.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_sl.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_zh-TW.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\GoogleUpdateComRegisterShell64.exe	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_ar.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_bn.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_en-GB.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_id.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_is.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\psuser_64.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_de.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_en.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_it.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_ms.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_ru.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_uk.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_vi.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\GoogleUpdateCore.exe	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_bg.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_fr.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_lt.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_mr.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_et.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_ja.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_cs.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_el.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_es-419.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
File created	C:\Program Files (x86)\Google\Temp\GUME5FB.tmp\goopdateres_fil.dll	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	368	bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe

C:\Users\Admin\AppData\Local\Temp\bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe
"C:\Users\Admin\AppData\Local\Temp\bdd2829e18767d805a8d6a221d81ced42ec8981ffb72da45b8b1addecb5afcba.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:368

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
PID:216

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4380

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
PID:4372

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
512KB

MD5
6799ce6369764694ee10030e4000b667

SHA1
43ea01bfb4070b1853f8069087c72b9c616df508

SHA256
2c249f0e4763319a752ba64d30062f638bd16aa9faccfd2a4064f2410a9e709c

SHA512
b3a24059a7cfe6494c78e66d38024f62df06e1fa47d71ae02881ff5a2c4391e49491b90c80e6dae95db9b07e2e18a4039a01b4e6aea66be4269c42a3f27ca441

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
a9421bf38c8a138f9282fac3673a8a0a

SHA1
a7ceafeef63b4feaac75e73694360ae56a0cb0d1

SHA256
bb3931aa4ed77f31f73fa5a8b488336f4c7b5436317d53e30e843077a4e95eb8

SHA512
b80098438faf7fe011e5e7119016c4d7cca53629fc3740e265308ab5535b569e458ea6523e5df6c84a536b0a5515235dccc29b7596700605e041a315b234f064

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e868d4d80739f16494d091b0ba8cbfe7

SHA1
847b53afeede1f003ee087d402c8440117ef4742

SHA256
4d1f531d315d6cfdb16da65e2b0292d690a3075598ce73e9a6b32a3c35c3ad92

SHA512
5621f5295623e35064aab6f723ba022631ad8239c845f4fdc5298edddf973d5ddded95efd45913dc01d396caac34e4a45763c394046c728962b1cf3e9fd9921a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
7f81d6c284e2ebc749ff4e16df4f0a00

SHA1
934e8d7f90e4e6fa2813577e5c29300c7400f466

SHA256
4025e25bef498883b89d95626ee91d2b1445b3ed7cb9691cd7fe03ac9a90d9ec

SHA512
8f7d9550ae9b6a12cf298634ad9d571c4000b688bf4755f59e1541f3d06f3991d63848629637ecd7f98cc3285ced76be7f8ad2e77ee296890c1efc94b1ad3e01

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
576KB

MD5
76ec395f5a361c4df29abcecb7692c35

SHA1
fda3680a353aaff2d255b8fae1317fdac87c6cb5

SHA256
d98b3e52b6659f3f3efedc8084afd79ba8f053a921aefdc543e7c950f07928d8

SHA512
55f75ffa91bdadf3f881e92b0dfd3924da2addb02dbdca6f0575ce910f189dccba4c26c95ff21d23ed9ee64f6ada6e8b0c09a2677274675179415edab14a6940

Download Submit
memory/216-13-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/216-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/216-44-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/368-1-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/368-7-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/368-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/368-184-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4076-95-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4076-101-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4076-94-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4372-106-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/4372-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4720-186-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/4720-187-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download