80b356f7593cc7e430e927a9fbe02218066681ce6bbf3dbb81337613431b0d88

Analysis

max time kernel
25s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2024, 20:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a011d1a473db00efbf32ea8ea9e944ae.exe
Size

1.8MB
MD5

a011d1a473db00efbf32ea8ea9e944ae
SHA1

c5446f7d144bad4d55cd917e2be059dae4635285
SHA256

80b356f7593cc7e430e927a9fbe02218066681ce6bbf3dbb81337613431b0d88
SHA512

cac3a75baa4f5558013363397b35031a5df04fff16efa2f1bdb7fb020bb8b281fadb744e9c6373207f4fb9bb5689a4162b4c570fe90e04c81271548829c4447b
SSDEEP

49152:ZKqAsadP0QiPzEz0AVISNT1JtMyBe30jaNf1TWbdz:ZKI+P0PQQAVIxMU023W

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
4304	alg.exe
4872	DiagnosticsHub.StandardCollector.Service.exe
4808	fxssvc.exe
2152	elevation_service.exe
1676	elevation_service.exe
4748	maintenanceservice.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	a011d1a473db00efbf32ea8ea9e944ae.exe
File opened for modification	C:\Windows\System32\alg.exe	a011d1a473db00efbf32ea8ea9e944ae.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a288169e04146c8.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	a011d1a473db00efbf32ea8ea9e944ae.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a011d1a473db00efbf32ea8ea9e944ae.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	a011d1a473db00efbf32ea8ea9e944ae.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\GoogleUpdateOnDemand.exe	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_kn.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_hr.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_en-GB.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_es.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_et.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_mr.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_te.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\GoogleUpdateCore.exe	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_am.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_de.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_th.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_nl.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_pl.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\GoogleUpdateBroker.exe	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\psuser_64.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_hi.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_bn.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_sl.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_fil.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_id.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_it.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_ms.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_ur.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUTFF9F.tmp	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\psuser.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_es-419.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_zh-TW.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_fr.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_lv.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_pt-PT.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdate.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_bg.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_el.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_da.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_ko.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\GoogleUpdateSetup.exe	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_fa.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_is.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_ja.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_sr.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_sv.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_ar.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_ca.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_cs.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_sw.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_uk.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_vi.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\GoogleUpdate.exe	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_en.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_ro.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_fi.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_gu.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_sk.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_tr.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_zh-CN.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\GoogleUpdateComRegisterShell64.exe	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\psmachine_64.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\goopdateres_hu.dll	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\GoogleUpdateSetup.exe	a011d1a473db00efbf32ea8ea9e944ae.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	a011d1a473db00efbf32ea8ea9e944ae.exe
File created	C:\Program Files (x86)\Google\Temp\GUMFF9E.tmp\GoogleCrashHandler.exe	a011d1a473db00efbf32ea8ea9e944ae.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	a011d1a473db00efbf32ea8ea9e944ae.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	412	a011d1a473db00efbf32ea8ea9e944ae.exe
Token: SeAuditPrivilege	4808	fxssvc.exe

C:\Users\Admin\AppData\Local\Temp\a011d1a473db00efbf32ea8ea9e944ae.exe
"C:\Users\Admin\AppData\Local\Temp\a011d1a473db00efbf32ea8ea9e944ae.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:412

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4304

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2800

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1676

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4748

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:4792

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:2052

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2152

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\alg.exe

Filesize
661KB

MD5
d7bf4cc4f448ae8dcea4d8d68cc04af1

SHA1
e31c053dfc12397160b8713709e6c381b624d3da

SHA256
f28d4b02b087357ef5aec44725e70232dd52809af58ebf815206a4f2f6685b8d

SHA512
23b52c4f9f5fdf4ee5d631f31487a1746dd466cf10bf8d97e82c0c017f623586986f597d7d1ab59d97d56d16d593c1cd1fa583ff15f3b56f0d9abaa4bc26907b

Download Submit
memory/412-131-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/412-1-0x0000000002430000-0x0000000002497000-memory.dmp

Filesize
412KB

Download
memory/412-6-0x0000000002430000-0x0000000002497000-memory.dmp

Filesize
412KB

Download
memory/412-233-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/412-0-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/1676-420-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1676-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1676-133-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1676-139-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2052-242-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2052-241-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2052-422-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2052-257-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2152-120-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2152-126-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2152-119-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2152-414-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4304-18-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4304-12-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4304-143-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4304-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4748-145-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4748-144-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4748-154-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4748-227-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4748-151-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4792-234-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4792-236-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4792-255-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4792-421-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4808-112-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4808-105-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4808-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4808-118-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4808-115-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4872-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4872-238-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4872-43-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download