3a1724a631a645fe7ff897dd975ec13de7eb16569a9a8a1b88cb5862a53d271a

Analysis

max time kernel
313s
max time network
322s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23/04/2024, 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GoogleUpdate.zip
Size

1.3MB
MD5

240589bd414bc69c312ec09b8993e09f
SHA1

80dfad3e17b54258449a90dfe6551a31b8920d84
SHA256

3a1724a631a645fe7ff897dd975ec13de7eb16569a9a8a1b88cb5862a53d271a
SHA512

e35052be139394d75b8a2e027761320731626633a4b525225c034aa0e0d5c16874f584dfa50a47715053655fef086490684cf00d673e0b44c10552057696c943
SSDEEP

24576:tLREaY99WhjuiKLXR5+4HM8P46WqpR4DSC92XYTolkCBdDSJjrTha//q:HEaYSpF+XR55HM8P46bpRHC9U/VnIWi

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4636	GoogleCrashHandler.exe
3588	GoogleCrashHandler.exe
1764	GoogleUpdateOnDemand.exe
2340	GoogleCrashHandler.exe

Loads dropped DLL 6 IoCs

pid	Process
4292	regsvr32.exe
2360	regsvr32.exe
5064	regsvr32.exe
2956	regsvr32.exe
4588	regsvr32.exe
4196	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4212	4636	WerFault.exe	77
4504	3588	WerFault.exe	81
1576	1764	WerFault.exe	83
2772	2340	WerFault.exe	103

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	796	7zG.exe
Token: 35	796	7zG.exe
Token: SeSecurityPrivilege	796	7zG.exe
Token: SeSecurityPrivilege	796	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
796	7zG.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4372	cmd.exe
4372	cmd.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 1868	4372	cmd.exe	88
PID 4372 wrote to memory of 1868	4372	cmd.exe	88
PID 1868 wrote to memory of 1888	1868	regsvr32.exe	89
PID 1868 wrote to memory of 1888	1868	regsvr32.exe	89
PID 1868 wrote to memory of 1888	1868	regsvr32.exe	89
PID 4372 wrote to memory of 1612	4372	cmd.exe	90
PID 4372 wrote to memory of 1612	4372	cmd.exe	90
PID 1612 wrote to memory of 4292	1612	regsvr32.exe	91
PID 1612 wrote to memory of 4292	1612	regsvr32.exe	91
PID 1612 wrote to memory of 4292	1612	regsvr32.exe	91
PID 4372 wrote to memory of 4004	4372	cmd.exe	92
PID 4372 wrote to memory of 4004	4372	cmd.exe	92
PID 4004 wrote to memory of 2360	4004	regsvr32.exe	93
PID 4004 wrote to memory of 2360	4004	regsvr32.exe	93
PID 4004 wrote to memory of 2360	4004	regsvr32.exe	93
PID 4372 wrote to memory of 3876	4372	cmd.exe	94
PID 4372 wrote to memory of 3876	4372	cmd.exe	94
PID 3876 wrote to memory of 5064	3876	regsvr32.exe	95
PID 3876 wrote to memory of 5064	3876	regsvr32.exe	95
PID 3876 wrote to memory of 5064	3876	regsvr32.exe	95
PID 4372 wrote to memory of 2956	4372	cmd.exe	96
PID 4372 wrote to memory of 2956	4372	cmd.exe	96
PID 4372 wrote to memory of 4824	4372	cmd.exe	99
PID 4372 wrote to memory of 4824	4372	cmd.exe	99
PID 4824 wrote to memory of 4588	4824	regsvr32.exe	100
PID 4824 wrote to memory of 4588	4824	regsvr32.exe	100
PID 4824 wrote to memory of 4588	4824	regsvr32.exe	100
PID 4372 wrote to memory of 4196	4372	cmd.exe	101
PID 4372 wrote to memory of 4196	4372	cmd.exe	101
PID 4372 wrote to memory of 2340	4372	cmd.exe	103
PID 4372 wrote to memory of 2340	4372	cmd.exe	103
PID 4372 wrote to memory of 2340	4372	cmd.exe	103

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\GoogleUpdate.zip
1⤵
PID:4016

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1760

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\" -spe -an -ai#7zMap24604:104:7zEvent17243
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:796

C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\GoogleCrashHandler.exe
"C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\GoogleCrashHandler.exe"
1⤵
- Executes dropped EXE
PID:4636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 208
  2⤵
  - Program crash
  PID:4212

C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\GoogleCrashHandler.exe
"C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\GoogleCrashHandler.exe"
1⤵
- Executes dropped EXE
PID:3588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 172
  2⤵
  - Program crash
  PID:4504

C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\GoogleUpdateOnDemand.exe
"C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\GoogleUpdateOnDemand.exe"
1⤵
- Executes dropped EXE
PID:1764
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 208
  2⤵
  - Program crash
  PID:1576

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s goopdate.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\SysWOW64\regsvr32.exe
    /s goopdate.dll
    3⤵
    PID:1888
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s goopdateres_tr.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\SysWOW64\regsvr32.exe
    /s goopdateres_tr.dll
    3⤵
    - Loads dropped DLL
    PID:4292
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s goopdateres_vi.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\SysWOW64\regsvr32.exe
    /s goopdateres_vi.dll
    3⤵
    - Loads dropped DLL
    PID:2360
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s psmachine.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\SysWOW64\regsvr32.exe
    /s psmachine.dll
    3⤵
    - Loads dropped DLL
    PID:5064
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s psmachine_64.dll
  2⤵
  - Loads dropped DLL
  PID:2956
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s psuser.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\SysWOW64\regsvr32.exe
    /s psuser.dll
    3⤵
    - Loads dropped DLL
    PID:4588
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s psuser_64.dll
  2⤵
  - Loads dropped DLL
  PID:4196
- C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\GoogleCrashHandler.exe
  GoogleCrashHandler.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 188
    3⤵
    - Program crash
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\GoogleCrashHandler.exe

Filesize
294KB

MD5
fb9ba651b4d3b79a24f1d0fe517b7e8b

SHA1
178a3e4faa0092562f0b76d49532fca97f70bbc2

SHA256
32aada8e9be5dda690a2f5c267957e515fd1b3c9ac31bd6ad6f139743a68d2fa

SHA512
9037e16f27d1c016b97f3727a25633c3a89bf3428851bb713fc4aad9ba8670ba5895f959d0b42b66c7c4d60434f31f0e485db85e3f2b98a34c3ae4e811d1281c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\GoogleUpdate.exe

Filesize
158KB

MD5
5f2d1fbd0bb7320a1f760221209b996a

SHA1
f2940953721b0f5220a0451e4690972a1869a961

SHA256
0d0f13a13e88dac1bd1ac11022612bd15467c18595013d46f871ea318ba7b8a8

SHA512
aa848bd7654de398bce3751c25c055b1ecc1e2de18c68f6cf209853e56e3065f17fec377bc8972f6e8d117e903d395b72f0f5e3ea78db8bffe550297d7daa382

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\GoogleUpdateBroker.exe

Filesize
105KB

MD5
83fff2b6179cf76b7273879eec084f7c

SHA1
f3b9bc659a4bf201e155218a8fc0c68877d50dbc

SHA256
95fc43248e0a29116f78f80df846a75e93ebac049cf3b125d0764a806a95f9e3

SHA512
40ddf141b294ea2a2ff40aabd1aec792ededd876e1a8363ee0d7304cdf4261b81b5768bdc1bdfa0a814c41a33343973e5e28922adfd0f3d51e72911da6fb2e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\GoogleUpdateOnDemand.exe

Filesize
105KB

MD5
3eea324d1b9470d15d7cafbbbe57d867

SHA1
2626facc53caefbfc322a29d9c66ece1bd22dc5d

SHA256
3148598c5ad2fe9d0f5676341385a7ad79660186e786afdf3e8f03e2c4246b04

SHA512
702b7949a5a8c06f6f5433feece97529280d0dc68d4474dd12df7354198afa692829c5e6bf09303fb331bcda9f2bc7678eaa09a6bd9ed6bc60676997c565f8a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\goopdate.dll

Filesize
1.9MB

MD5
65632a3d087188a99dd19e46ef6bb76b

SHA1
125ff0386e99c7c98eb77435d77b0c63a55fb268

SHA256
b3793129d3d19d4f8d2393620f66736ef12b5ee9861d3da5779c5c4085604cc4

SHA512
1df572923729b011ac0d4d3e10f675bff9eb433a390aded996d00787be066c1d4dcdbe343187161dc5f71d287d0466fdf410c891661f3bfec22bb751d9accf8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\goopdateres_tr.dll

Filesize
43KB

MD5
124eaf18935d231009ef20164a039d63

SHA1
181740df34a11686a93dabd9a1737c0abee9fb52

SHA256
958e514d26c4188b045b4a6419ac6a036056d02a7c695576006d2d8c0559840b

SHA512
76319947fe0ec2d95c1297eafdcae74c849a361f15aa84b92217538ba61cb0c7e1eccf1763294f3057158aacc51528f5baa20ae351f4ccba058ef6a84d728df6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\goopdateres_vi.dll

Filesize
42KB

MD5
f9aa9ab095185982b8bc9f505a653857

SHA1
0ddf9081fefb91352a99bcb46bc42ed7ff11c9d4

SHA256
1763baabe0efc639ceb3a1d9b6389883d02c5e3debe6f0a44e630bfcb2d14d2e

SHA512
eeca2d1f6138994d98e6a4b85006ee05fd9200f15f70e2063ac23c64dbecfff10bbda71a8bfa91f3b645fbc879c7844fbddb708b81014de6be7be21e8e49413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\psmachine.dll

Filesize
272KB

MD5
56ce5ea9b0e877f45d27a959b11e8401

SHA1
76c02c63bff95d4ff78868b3db2dd2ada4a70eef

SHA256
b91ed7dca1b2d5c2c956ecdf9a7afd84911d1c31f5b3b3cb90db0a081ab32905

SHA512
78cfedc799f4bb01be404acf2de5ae27d157a037c2e68b3eb2d5a8b718e64e3ec3a7c46e245f39e41867503f47079556d9e22b178f9f0021055a819abfbeb98f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\psmachine_64.dll

Filesize
347KB

MD5
cf16220332e02cc20ebbe3270087758a

SHA1
a3b25e077d76ede0f2763ced7f0fa383010f920d

SHA256
13adcc84d8aa12bc0392870510d81ba7f440f674508842112f3d9c848354906d

SHA512
87be0eff27a2b405d9153687226beb8b906fcd8943ba20804c6bf4258df8457ca0d622778f65094aaf9df98f646f0d6102427084878613421655caaf8a3fe0d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoogleUpdate\psuser.dll

Filesize
272KB

MD5
90201c263cd79da7c81f411b30681c80

SHA1
38eddf6735734ec8f342fb81fd7d9726322ff885

SHA256
cbc268af8a5acf16d51357b1a96b982a5d7b0627ea59e0248043c6fcd4a741e9

SHA512
0d8ce465bd8092b312020bed1a550dc398f1f21e2887eca0a6afbbf2e09927a0a14d15dfa521392d42e1f13d981555b727e65e78a828bed55c9a03943a34cfb7

Download Submit
\Users\Admin\AppData\Local\Temp\GoogleUpdate\psuser_64.dll

Filesize
347KB

MD5
5081ae0b3b4e7cb6dc7c8969d9746118

SHA1
b9092ab2451720d49d5a2f3a866969ee1afad46b

SHA256
287ec4e6fc5920c44504ad6212dd817c06904e344a5c999d6443ae3e21cfb9d5

SHA512
4475aacaea7693a77bf0a5ff048e3e0b17020205bff1d3febe1a4f2cc3cd6fcd9b48aa587beea47762eb8b0390aac38ee3b2f7de3bff8af03aa794cabc1777c7

Download Submit