8e1dfd0fe2f4be63343c311ece0c39c357bb7341978375661707d1a3bec39046

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
08-12-2023 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Update/1.3.36.152/GoogleUpdateComRegisterShell64.exe
Size

190KB
MD5

067c069e3a48184c32333ebbd152eb01
SHA1

e13808892bb9679a81d0ebdf5f51a6df42400149
SHA256

55f4339688f1e72f5da0819abaa1d1f0630f39c496ec1ea0ad8e3458c8df6b02
SHA512

74b3aecbf11f94948264b29481839bdf48d7b37f966cb5e2aa3062e66cf3587ecf247563e3bcc1837e1fb89602d327fdb4f22fa98c695b4d5768bc3f1903a2b4
SSDEEP

3072:HVS38yXLiGySAcz4hp9wuzkHUYqWEybmoY46+pW8UJHqDMC0JGB:HVS31GGySAcz4hUmA0ohnqTm

Score

4^/10

persistence

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

GoogleUpdateComRegisterShell64.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\CLSID\{85D8EE2F-794F-41F0-BB03-49D56A23BEF4}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Update\\1.3.36.152\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Update\\1.3.36.152\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\CLSID\{85D8EE2F-794F-41F0-BB03-49D56A23BEF4}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Update\\1.3.36.152\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\CLSID\{85D8EE2F-794F-41F0-BB03-49D56A23BEF4}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe

Modifies registry class 64 IoCs

Processes:

GoogleUpdateComRegisterShell64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ = "IProcessLauncher"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods\ = "10"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods\ = "43"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32\ = "{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32\ = "{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods\ = "4"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32\ = "{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\ProxyStubClsid32\ = "{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32\ = "{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32\ = "{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ = "IJobObserver2"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods\ = "13"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32\ = "{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods\ = "4"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Update\\1.3.36.152\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ = "IAppVersion"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ = "IJobObserver"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\NumMethods\ = "16"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods\ = "10"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32\ = "{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\CLSID\{85D8EE2F-794F-41F0-BB03-49D56A23BEF4}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods\ = "17"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ = "IApp"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\CLSID\{85D8EE2F-794F-41F0-BB03-49D56A23BEF4}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods\ = "4"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32\ = "{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32\ = "{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ = "IBrowserHttpRequest2"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\ProxyStubClsid32\ = "{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32\ = "{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32\ = "{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods\ = "12"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ = "IGoogleUpdateCore"	GoogleUpdateComRegisterShell64.exe

C:\Users\Admin\AppData\Local\Temp\Update\1.3.36.152\GoogleUpdateComRegisterShell64.exe
"C:\Users\Admin\AppData\Local\Temp\Update\1.3.36.152\GoogleUpdateComRegisterShell64.exe"
1⤵
- Registers COM server for autorun
- Modifies registry class
PID:2636

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads