f16d67d7d269f3476e3002aafaadac7a2c059c876e433bfb2a79776e4b20a9a1

Analysis

max time kernel
98s
max time network
76s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/06/2024, 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

updater.exe
Size

4.4MB
MD5

512a822caed80f9fa3f0dfce20d4faa1
SHA1

16f470de73681ce7ec9b3251ac081879fb37798c
SHA256

8de9266347276d18fe49f84b86f09e6035df2c10e39f22d85bf33d43cf0f5f2c
SHA512

9fc3d74dddd28b325fe3b803c1217d7374b61ae6d7eecb46aa2dafb643b7a45387caba015421da524cc0416c9b3bdbb3d871120c1275e421f86e9d80a3781802
SSDEEP

98304:JvsNh6yQO/AFVdrylFFt5yQq8J4mrf0UbX1YmbWxAnwb1gQ:Fs+ndryl6xmrsUbX1YmbWxAnwv

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	perfmon.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	perfmon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1716	updater.exe
1716	updater.exe
1716	updater.exe
1716	updater.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
1900	perfmon.exe
1900	perfmon.exe
4312	taskmgr.exe
1900	perfmon.exe
4312	taskmgr.exe
1900	perfmon.exe
4312	taskmgr.exe
1900	perfmon.exe
4312	taskmgr.exe
1900	perfmon.exe
4312	taskmgr.exe
1900	perfmon.exe
4312	taskmgr.exe
1900	perfmon.exe
4312	taskmgr.exe
1900	perfmon.exe
4312	taskmgr.exe
1900	perfmon.exe
4312	taskmgr.exe
1900	perfmon.exe
4312	taskmgr.exe
1900	perfmon.exe
4312	taskmgr.exe
1900	perfmon.exe
4312	taskmgr.exe
1900	perfmon.exe
4312	taskmgr.exe
1900	perfmon.exe
4312	taskmgr.exe
1900	perfmon.exe
4312	taskmgr.exe
1900	perfmon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1900	perfmon.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4312	taskmgr.exe
Token: SeSystemProfilePrivilege	4312	taskmgr.exe
Token: SeCreateGlobalPrivilege	4312	taskmgr.exe
Token: SeDebugPrivilege	1900	perfmon.exe
Token: SeSystemProfilePrivilege	1900	perfmon.exe
Token: SeCreateGlobalPrivilege	1900	perfmon.exe
Token: 33	1900	perfmon.exe
Token: SeIncBasePriorityPrivilege	1900	perfmon.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe
4312	taskmgr.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 116	1716	updater.exe	83
PID 1716 wrote to memory of 116	1716	updater.exe	83
PID 1716 wrote to memory of 116	1716	updater.exe	83

C:\Users\Admin\AppData\Local\Temp\updater.exe
"C:\Users\Admin\AppData\Local\Temp\updater.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\updater.exe
  C:\Users\Admin\AppData\Local\Temp\updater.exe --crash-handler --database=C:\Users\Admin\AppData\Local\Google\GoogleUpdater\128.0.6537.0\Crashpad --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=128.0.6537.0 --attachment=C:\Users\Admin\AppData\Local\Google\GoogleUpdater\updater.log --initial-client-data=0x280,0x284,0x288,0x25c,0x28c,0x1312604,0x1312610,0x131261c
  2⤵
  PID:116

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4312

C:\Windows\system32\perfmon.exe
"C:\Windows\system32\perfmon.exe" /res
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\GoogleUpdater\updater.log

Filesize
1KB

MD5
67800fa42a174c52412cdc72914d9d35

SHA1
4323ec86b1eb77fccb01490dbadd48bda4f56fc5

SHA256
9333ff99ab69025c5eb01f4f52f1831ab6090d3908b8f923bd065802137cfd76

SHA512
1edce6b20ab03b78fe679ca2b773f1d9cb4598041e6f71d3e5f95c88357b895e8c9b26bbd9b855798c242e5ead03139af27b64f6f39690e6b6a6a32d5271a7eb

Download Submit
memory/4312-3-0x0000022AF2910000-0x0000022AF2911000-memory.dmp

Filesize
4KB

Download
memory/4312-4-0x0000022AF2910000-0x0000022AF2911000-memory.dmp

Filesize
4KB

Download
memory/4312-5-0x0000022AF2910000-0x0000022AF2911000-memory.dmp

Filesize
4KB

Download
memory/4312-15-0x0000022AF2910000-0x0000022AF2911000-memory.dmp

Filesize
4KB

Download
memory/4312-14-0x0000022AF2910000-0x0000022AF2911000-memory.dmp

Filesize
4KB

Download
memory/4312-13-0x0000022AF2910000-0x0000022AF2911000-memory.dmp

Filesize
4KB

Download
memory/4312-12-0x0000022AF2910000-0x0000022AF2911000-memory.dmp

Filesize
4KB

Download
memory/4312-11-0x0000022AF2910000-0x0000022AF2911000-memory.dmp

Filesize
4KB

Download
memory/4312-10-0x0000022AF2910000-0x0000022AF2911000-memory.dmp

Filesize
4KB

Download
memory/4312-9-0x0000022AF2910000-0x0000022AF2911000-memory.dmp

Filesize
4KB

Download