Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-06-2024 00:52

General

  • Target

    goggle.com trojan.exe

  • Size

    18.1MB

  • MD5

    cde9ef7ddb7296fcfb8e1212b91c2eb0

  • SHA1

    ff642c027aaf198356d5878db24ec9d0aec03118

  • SHA256

    361c5ca1db8ea24f3a773cddcddbcbaebd845432dcd12e180bfd975114366f28

  • SHA512

    45bdf680fab9883c8d42e7258efdfdb74e2a0502a999055f5f4c8fbac87b0f4666ade841d5aab7cbccff10897de75b0cbc33fef4f3f1963d5c1c30704119d616

  • SSDEEP

    393216:9SiyEBhx7QN5oXE45QhcrOXHdHiLCgfWwI:9SibhxU545Qj3sLCgfBI

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\goggle.com trojan.exe
    "C:\Users\Admin\AppData\Local\Temp\goggle.com trojan.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Blaster.bat" "
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe
        "anr0129.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3508

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Boot or Logon Autostart Execution: T1547 (1)
  • Registry Run Keys / Startup Folder: T1547.001 (1)

Privilege Escalation

  • Boot or Logon Autostart Execution: T1547 (1)
  • Registry Run Keys / Startup Folder: T1547.001 (1)

Defense Evasion

  • Modify Registry: T1112 (1)

Discovery

  • Query Registry: T1012 (1)
  • System Information Discovery: T1082 (2)


Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Blaster.bat
    Filesize

    50B

    MD5

    6a83b03054f53cb002fdca262b76b102

    SHA1

    1bbafe19ae5bcdd4f3710f13d06332128a5d54f7

    SHA256

    7952248cb4ec97bc0d2ab3b51c126c7b0704a7f9d42bddf6adcb04b5657c7a4e

    SHA512

    fa8d907bb187f32de1cfbe1b092982072632456fd429e4dd92f62e482f2ad23e602cf845a2fd655d0e4b8314c1d7a086dc9545d4d82996afbccb364ddc1e9eae

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe
    Filesize

    16KB

    MD5

    eb790be93afb8481cfc43515b00976ab

    SHA1

    3e2a4c1393f7c09e5c1ae989aea0eb1d3b8c1e6d

    SHA256

    f6dec10d8bc56fc09673e544007654553c99848c8a211c64dbee0758ec9ddbd2

    SHA512

    6604a81c584bba8fcd4b96b895f29d43b311c99bcfb5065300d1f3f423b1857ce9faacea6d54e0e7b624c3c5aed1b4037ddae130e8b3499e9aca5ae4b8dcd99a

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (1).exe
    Filesize

    116KB

    MD5

    8a84d8b3c4044c3f4eca7127d1cad349

    SHA1

    e3c9335b805c858bae6d64d176fcc259fa4f12ee

    SHA256

    7f27eac0d3e5ce33ba5dea3a0dcd07e33e7ba9b9f5783abe99d20eba9f783bd3

    SHA512

    fc019f613c9167ca3832e5ab4a798f8d441930f1bba246d5901a12ad36e410bab2be1b467b82aaacb57250b0eb887dc6d26265f6f4b783c937f951a3548f8879

  • memory/3508-318-0x0000000000400000-0x000000000040D000-memory.dmp
    Filesize

    52KB

  • memory/3508-321-0x0000000000400000-0x000000000040D000-memory.dmp
    Filesize

    52KB