Overview

overview

7

Static

static

3

43bdbbf12d...e1.exe

windows7-x64

7

43bdbbf12d...e1.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    0s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    05/01/2024, 12:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    43bdbbf12d876c39f8866a6a8f8400e1.exe

  • Size

    1.2MB

  • MD5

    43bdbbf12d876c39f8866a6a8f8400e1

  • SHA1

    8073e93095aa648866c32d53b3572b52497c0bcd

  • SHA256

    e954cc80416a0beecfa125197fd28446ba6f1f01d748eafb0cf334762dbc8dee

  • SHA512

    cfd3552d54e8d6ce9f4fc8702bae6eebfb2797d8bcec18db0f81d2833458a4c0134d00a6c4b7506b179b0f3ae5ad16e92ad611020160eff81906bb9f8e87cd95

  • SSDEEP

    24576:piHsZP3U9f4uoIFst0GWKNXJLMTpZuTuRi10jbXGskwFShESPMM6fH:zPkJoPt0GXJLepauRG03bFS5PMM6v

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43bdbbf12d876c39f8866a6a8f8400e1.exe
    "C:\Users\Admin\AppData\Local\Temp\43bdbbf12d876c39f8866a6a8f8400e1.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Users\Admin\AppData\Local\Temp\gisf761890\2.4.1739.5352\GoogleUpdaterSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\gisf761890\2.4.1739.5352\GoogleUpdaterSetup.exe" -install -extra flow=RegularPack&stat=on&r=ci_gapps.en,ci_picasa.en&brand=GPCK
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:2220
      • C:\Users\Admin\AppData\Local\Temp\gisf761890\SearchWithGoogleUpdate.exe
        "C:\Users\Admin\AppData\Local\Temp\gisf761890\2.4.1739.5352\..\SearchWithGoogleUpdate.exe" ci GPCK
        3⤵
          PID:2072
        • C:\Program Files (x86)\Google\Google Updater\2.4.1739.5352\GoogleUpdaterAdminPrefs.exe
          "C:\Program Files (x86)\Google\Google Updater\2.4.1739.5352\GoogleUpdaterAdminPrefs.exe" /RegServer
          3⤵
            PID:576
          • C:\Program Files (x86)\Google\Google Updater\2.4.1739.5352\GoogleUpdaterInstallMgr.exe
            "C:\Program Files (x86)\Google\Google Updater\2.4.1739.5352\GoogleUpdaterInstallMgr.exe" /RegServer
            3⤵
              PID:2384
            • C:\Users\Admin\AppData\Local\Temp\gisf761890\GoogleUpdaterService.exe
              "C:\Users\Admin\AppData\Local\Temp\gisf761890\GoogleUpdaterService.exe" /install /appid=GoogleUpdater /auto
              3⤵
                PID:2932
            • C:\Users\Admin\AppData\Local\Temp\gisf761890\GoogleUpdater.exe
              "C:\Users\Admin\AppData\Local\Temp\gisf761890\GoogleUpdater.exe" -trampoline -t "C:\Users\Admin\AppData\Local\Temp\gisf761890" -extra flow=RegularPack&stat=on&r=ci_gapps.en,ci_picasa.en&brand=GPCK
              2⤵
                PID:2184
                • C:\Program Files (x86)\Google\Google Updater\GoogleUpdater.exe
                  "C:\Program Files (x86)\Google\Google Updater\GoogleUpdater.exe" -t C:\Users\Admin\AppData\Local\Temp\gisf761890 -extra flow=RegularPack&stat=on&r=ci_gapps.en,ci_picasa.en&brand=GPCK
                  3⤵
                    PID:2144
              • C:\Program Files (x86)\Google\Google Updater\GoogleUpdater.exe
                "C:\Program Files (x86)\Google\Google Updater\GoogleUpdater.exe" -restart_ieuser
                1⤵
                  PID:1788
                • C:\Windows\system32\regsvr32.exe
                  C:\Windows\system32\regsvr32.exe -s "C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg64.dll"
                  1⤵
                    PID:1056
                  • C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                    "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" -Embedding
                    1⤵
                      PID:1936
                    • C:\Program Files (x86)\Google\Google Updater\GoogleUpdater.exe
                      "C:\Program Files (x86)\Google\Google Updater\GoogleUpdater.exe" -systray
                      1⤵
                        PID:2808
                      • C:\Program Files (x86)\Google\Google Updater\GoogleUpdater.exe
                        "C:\Program Files (x86)\Google\Google Updater\GoogleUpdater.exe" -checkup
                        1⤵
                          PID:2772
                          • C:\Program Files (x86)\Google\Google Updater\GoogleUpdater.exe
                            "C:\Program Files (x86)\Google\Google Updater\GoogleUpdater.exe" -checkup -httputilsonly
                            2⤵
                              PID:1940
                          • C:\Program Files (x86)\Google\Google Updater\2.4.1739.5352\GoogleUpdaterInstallMgr.exe
                            "C:\Program Files (x86)\Google\Google Updater\2.4.1739.5352\GoogleUpdaterInstallMgr.exe" -Embedding
                            1⤵
                              PID:1312
                            • C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
                              "C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe" /install /appid=swg
                              1⤵
                                PID:2300
                              • C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                                "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" /RegServer "/dll=C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\gtn.dll"
                                1⤵
                                  PID:1548
                                • C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
                                  "C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"
                                  1⤵
                                    PID:1592
                                  • C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
                                    "C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe" /Service
                                    1⤵
                                      PID:2964

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Users\Admin\AppData\Local\Temp\gisf761890\2.4.1739.5352\GoogleUpdaterSetup.exe
                                      Filesize

                                      174KB

                                      MD5

                                      4ec3b0aa9591469684d0b86822819397

                                      SHA1

                                      cbb0aa8886764192fe28f6d6c0b564111ad5e43f

                                      SHA256

                                      726e8033b90212798c17f439cff2cd939e4878255e3261a951d42d2b6b8a3f3b

                                      SHA512

                                      d30e1bb701aa46c686a052532e12a0e768fa911f7993ca53caa1308818124fe24ae53096d7da3e7901a84c4015d8727cdfe353aa46c1389d7d5c3ae6ba604097

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\gisf761890\2.4.1739.5352\ci.dll
                                      Filesize

                                      94KB

                                      MD5

                                      b8ede45340c0ee9003fe16b9e6e3f7cc

                                      SHA1

                                      989a81fc8760b6e330eb53492993971a17441ec4

                                      SHA256

                                      cd40238a77738d5bbb2c25c7bab47c369bf59d0f67e60a95709008cd495f954c

                                      SHA512

                                      027be8d5e4792e5b820e2726d66958f7e5d36f3427559fa4608a633cf2f92ae91f488d3f372cba43bbe1fc0c42ecb06759e2db5b5c817d033095e7c311bf6d53

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\gisf761890\2.4.1739.5352\en\cires.dll.mui
                                      Filesize

                                      51KB

                                      MD5

                                      90fbd8ba323d7faafc5857bf773f31b8

                                      SHA1

                                      c399f8ad8b21a9ab2dbf8f532cc555345448051f

                                      SHA256

                                      e1bf851d4cab84683aaf945c312d3ba0ad5ca3111ef0a4f63e91d6d34d0b339b

                                      SHA512

                                      5fef6c9886fe7df86d56180bc18287038bad3f8703a531d286abd39c7b13ac81574e394fef1e72446a3ce06463ef641a0c1bb93df38fa510630349558627f729

                                      Download Submit

                                    • \Users\Admin\AppData\Local\Temp\gisf761890\2.4.1739.5352\ci.dll
                                      Filesize

                                      92KB

                                      MD5

                                      696eb90293f96c86e7e727f1de4cd29a

                                      SHA1

                                      54030fe057940630438943b11963b2313291341e

                                      SHA256

                                      d954e1b750f5cdeab55f4f9fa7eaa38b037433b91bfaf2531075a5702f71b5c2

                                      SHA512

                                      755dcb430be4ee9dc3bade9e787297ca65857451c4b2b72c428046460e2dc608b5a3743499183c670fdf364a15a5eade4c32dd8b0f5c8a1aa39ddddf0065d60a

                                      Download Submit

                                    • \Users\Admin\AppData\Local\Temp\gisf761890\2.4.1739.5352\cires.dll
                                      Filesize

                                      98KB

                                      MD5

                                      a8ddf82cef6d22dae692bf24f3f0a55a

                                      SHA1

                                      5825c4d5d0d65e9b9aa60a6a529c29be92ca56c4

                                      SHA256

                                      8abd2e58a2898ba5443438687d43f8822a1c0620566ed58dcdb1af746f0a7304

                                      SHA512

                                      5aadb0479df9cffab9ae4dbf83dc20c0338518578f2df3ed220de420ee484a2e9b61d5f497b7c60d38ff53807521e849dc5f2b0bd8da7ed9df31b3c1fb7cecb6

                                      Download Submit

                                    • memory/1548-238-0x0000000000410000-0x00000000004CF000-memory.dmp

                                      Filesize

                                      764KB

                                      Download

                                    • memory/1788-230-0x0000000000860000-0x0000000000861000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/1936-252-0x0000000002040000-0x00000000020FF000-memory.dmp

                                      Filesize

                                      764KB

                                      Download

                                    • memory/1936-254-0x00000000002C0000-0x00000000002C1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/1940-269-0x0000000002A00000-0x0000000002ABF000-memory.dmp

                                      Filesize

                                      764KB

                                      Download

                                    • memory/1940-271-0x00000000003F0000-0x00000000003F1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/1948-255-0x0000000000400000-0x0000000000960000-memory.dmp

                                      Filesize

                                      5.4MB

                                      Download

                                    • memory/1948-0-0x0000000000400000-0x0000000000960000-memory.dmp

                                      Filesize

                                      5.4MB

                                      Download

                                    • memory/1948-1-0x0000000000020000-0x0000000000022000-memory.dmp

                                      Filesize

                                      8KB

                                      Download

                                    • memory/2144-250-0x0000000000330000-0x0000000000331000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/2144-249-0x0000000002EB0000-0x0000000002F6F000-memory.dmp

                                      Filesize

                                      764KB

                                      Download

                                    • memory/2144-282-0x0000000000330000-0x0000000000331000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/2184-248-0x0000000000820000-0x0000000000821000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/2184-246-0x0000000002E60000-0x0000000002F1F000-memory.dmp

                                      Filesize

                                      764KB

                                      Download

                                    • memory/2220-215-0x0000000003280000-0x00000000033AE000-memory.dmp

                                      Filesize

                                      1.2MB

                                      Download

                                    • memory/2220-84-0x0000000000340000-0x0000000000341000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/2772-268-0x0000000000330000-0x0000000000331000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/2772-266-0x0000000001570000-0x000000000162F000-memory.dmp

                                      Filesize

                                      764KB

                                      Download

                                    • memory/2808-258-0x00000000003E0000-0x00000000003E1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/2808-256-0x0000000002E30000-0x0000000002EEF000-memory.dmp

                                      Filesize

                                      764KB

                                      Download