b8af4588875e697e49db4e1ff5833ef8f89ffde327ab9dc9fad101551d6aec28

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-ja
resource tags

arch:x64arch:x86image:win10v2004-20240508-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
09/05/2024, 07:34

Target

updater.exe
Size

4.6MB
MD5

95222faeeab2cebe9502f2e123d5dd2a
SHA1

dac0e46c7b0bc998bee826538a3128fbe396e638
SHA256

b8af4588875e697e49db4e1ff5833ef8f89ffde327ab9dc9fad101551d6aec28
SHA512

aaec6212bb69d7dbf4b7d09dfa6ccfca803835c19a5974f534f7db2d6235e741bb404969b2695ff9487ee2c7ac2ab1f740a436332b740b45fbaf579c6e13bf4f
SSDEEP

98304:IyENIIut+hl5pU9HLOaFAIH3TcLWGO7d09GZkrCRfR:bEN2tm5pOuU3TcLWGO7djZkrC5R

Score

6^/10

evasion trojan

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 1212	4672	updater.exe	82
PID 4672 wrote to memory of 1212	4672	updater.exe	82
PID 4672 wrote to memory of 1212	4672	updater.exe	82

C:\Users\Admin\AppData\Local\Temp\updater.exe
"C:\Users\Admin\AppData\Local\Temp\updater.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Users\Admin\AppData\Local\Temp\updater.exe
  C:\Users\Admin\AppData\Local\Temp\updater.exe --crash-handler --database=C:\Users\Admin\AppData\Local\Google\GoogleUpdater\126.0.6462.0\Crashpad --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=126.0.6462.0 --attachment=C:\Users\Admin\AppData\Local\Google\GoogleUpdater\updater.log --initial-client-data=0x280,0x284,0x288,0x25c,0x28c,0xb5965c,0xb59668,0xb59674
  2⤵
  PID:1212

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Google\GoogleUpdater\updater.log

Filesize
1KB

MD5
829acf93356f3345882530ef461072c6

SHA1
562701bc37fe15813dfbb9cdd2a00e8193fed351

SHA256
b91322fddf9c0895ff63451b0af32aa03def4bd6cf9bdbb2326757177312c397

SHA512
b728203f99702f7aafea2055441674193726e11f59e0ca192f02e1deefe6e04586589885d62718c47a5b85dc32eea69ea455cfc17933d1d8bfaed09570e706e2

Download Submit