3a1724a631a645fe7ff897dd975ec13de7eb16569a9a8a1b88cb5862a53d271a

Analysis

max time kernel
314s
max time network
319s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/04/2024, 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GoogleUpdate.zip
Size

1.3MB
MD5

240589bd414bc69c312ec09b8993e09f
SHA1

80dfad3e17b54258449a90dfe6551a31b8920d84
SHA256

3a1724a631a645fe7ff897dd975ec13de7eb16569a9a8a1b88cb5862a53d271a
SHA512

e35052be139394d75b8a2e027761320731626633a4b525225c034aa0e0d5c16874f584dfa50a47715053655fef086490684cf00d673e0b44c10552057696c943
SSDEEP

24576:tLREaY99WhjuiKLXR5+4HM8P46WqpR4DSC92XYTolkCBdDSJjrTha//q:HEaYSpF+XR55HM8P46bpRHC9U/VnIWi

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1936	GoogleCrashHandler.exe
1988	GoogleUpdateOnDemand.exe

Loads dropped DLL 11 IoCs

pid	Process
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
1988	GoogleUpdateOnDemand.exe
1988	GoogleUpdateOnDemand.exe
1988	GoogleUpdateOnDemand.exe
1920	WerFault.exe
1920	WerFault.exe
1920	WerFault.exe
1920	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1712	1936	WerFault.exe	36
1920	1988	WerFault.exe	38

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2664	7zG.exe
Token: 35	2664	7zG.exe
Token: SeSecurityPrivilege	2664	7zG.exe
Token: SeSecurityPrivilege	2664	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2664	7zG.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 1712	1936	GoogleCrashHandler.exe	37
PID 1936 wrote to memory of 1712	1936	GoogleCrashHandler.exe	37
PID 1936 wrote to memory of 1712	1936	GoogleCrashHandler.exe	37
PID 1936 wrote to memory of 1712	1936	GoogleCrashHandler.exe	37
PID 1988 wrote to memory of 1920	1988	GoogleUpdateOnDemand.exe	39
PID 1988 wrote to memory of 1920	1988	GoogleUpdateOnDemand.exe	39
PID 1988 wrote to memory of 1920	1988	GoogleUpdateOnDemand.exe	39
PID 1988 wrote to memory of 1920	1988	GoogleUpdateOnDemand.exe	39
PID 1988 wrote to memory of 1920	1988	GoogleUpdateOnDemand.exe	39
PID 1988 wrote to memory of 1920	1988	GoogleUpdateOnDemand.exe	39
PID 1988 wrote to memory of 1920	1988	GoogleUpdateOnDemand.exe	39

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\GoogleUpdate.zip
1⤵
PID:1296

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\" -spe -an -ai#7zMap17159:104:7zEvent27959
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2664

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\GoogleCrashHandler.exe
"C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\GoogleCrashHandler.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 36
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:1712

C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\GoogleUpdateOnDemand.exe
"C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\GoogleUpdateOnDemand.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 256
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:1920

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\goopdate.dll
1⤵
PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\GoogleCrashHandler.exe

Filesize
294KB

MD5
fb9ba651b4d3b79a24f1d0fe517b7e8b

SHA1
178a3e4faa0092562f0b76d49532fca97f70bbc2

SHA256
32aada8e9be5dda690a2f5c267957e515fd1b3c9ac31bd6ad6f139743a68d2fa

SHA512
9037e16f27d1c016b97f3727a25633c3a89bf3428851bb713fc4aad9ba8670ba5895f959d0b42b66c7c4d60434f31f0e485db85e3f2b98a34c3ae4e811d1281c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\GoogleUpdateOnDemand.exe

Filesize
105KB

MD5
3eea324d1b9470d15d7cafbbbe57d867

SHA1
2626facc53caefbfc322a29d9c66ece1bd22dc5d

SHA256
3148598c5ad2fe9d0f5676341385a7ad79660186e786afdf3e8f03e2c4246b04

SHA512
702b7949a5a8c06f6f5433feece97529280d0dc68d4474dd12df7354198afa692829c5e6bf09303fb331bcda9f2bc7678eaa09a6bd9ed6bc60676997c565f8a4

Download Submit