bbb3c3e310f681aa19b001f25927c48907235074543b3164915bfef64785f20a

General

Target

youtube-uploader-1.0.24.0.exe
Size

227KB
MD5

684faf37d21c3a3935047688c2a9743c
SHA1

629a9cc8439c634e0788376edea2c9eb8d239b99
SHA256

bbb3c3e310f681aa19b001f25927c48907235074543b3164915bfef64785f20a
SHA512

295e0539ee9cf6bfb402ad1c8e212b264d5782a6c209deeac6be8d3218822b1a29ee9d3b20b16907be0222313b096fb6b01ab0078fa22d9d7b6835acacba1316
SSDEEP

6144:Avb52tHaEQmneCDl5nSWhkKnMbBv2FoCzX3x+:MY6yB5YgnMbBOFbrh+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
244	GoogleUpdate.exe
4460	GoogleUpdate.exe

Loads dropped DLL 2 IoCs

pid	Process
244	GoogleUpdate.exe
4460	GoogleUpdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Update\\1.0.91.0\\GoogleUpdate.exe\""	GoogleUpdate.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	youtube-uploader-1.0.24.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdate.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
244	GoogleUpdate.exe
244	GoogleUpdate.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	244	GoogleUpdate.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 244	3620	youtube-uploader-1.0.24.0.exe	81
PID 3620 wrote to memory of 244	3620	youtube-uploader-1.0.24.0.exe	81
PID 3620 wrote to memory of 244	3620	youtube-uploader-1.0.24.0.exe	81
PID 244 wrote to memory of 4460	244	GoogleUpdate.exe	82
PID 244 wrote to memory of 4460	244	GoogleUpdate.exe	82
PID 244 wrote to memory of 4460	244	GoogleUpdate.exe	82

C:\Users\Admin\AppData\Local\Temp\youtube-uploader-1.0.24.0.exe
"C:\Users\Admin\AppData\Local\Temp\youtube-uploader-1.0.24.0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Users\Admin\AppData\Local\Temp\GUM9981.tmp\GoogleUpdate.exe
  C:\Users\Admin\AppData\Local\Temp\GUM9981.tmp\GoogleUpdate.exe /extra "usagestats=1" /install C:\Users\Admin\AppData\Local\Temp\GUM9981.tmp\{A4F7B07B-B9BD-4a33-B136-96D2ADFB60CB}.gup
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:244
- - C:\Users\Admin\AppData\Local\Google\Update\1.0.91.0\GoogleUpdate.exe
    "C:\Users\Admin\AppData\Local\Google\Update\1.0.91.0\GoogleUpdate.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Update\Manifest\InProgress\{78A60BF3-78E8-4986-981D-414F2CF7F80E}.gup

Filesize
275B

MD5
382ca56607f7bbd52248ba3aac011f32

SHA1
d9bf9a89e983772c7cfae53f2aa360335293a42a

SHA256
6899f6daf252f26eeaf5d929a63112b2146a7ac3b41f6feec1004a30b254cb79

SHA512
2d2157f72abb046e5f58bd765aca9b82bb182177bf9f862d15e3a961b70b28c87da76bd8ab1e444c749c3a41194c2c12289b574d974cb2899ab0afff42d1b742

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM9981.tmp\GoogleUpdate.exe

Filesize
19KB

MD5
9bc30e3d84f78c393c1aa9adaa27158a

SHA1
a15c41c1305d577b05fae6ffc0ca95c1dfff3aaa

SHA256
0e3343e805a882bf763f8cb3a08872faeb436c5c77b8d780f2a4b0017db0f117

SHA512
30886a5dbe1b85636c1e5ccae394f1b6e333010dd7012d04e780e50c8f23618ea06c174d41485f980927d2beeff698705a7f4cce123d48bb914f796405ec6dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM9981.tmp\goopdate.dll

Filesize
408KB

MD5
35a22762d058af8f332b0fda101546d9

SHA1
3f838c81fe664df9b989d9d89d60abed8f90f3ef

SHA256
7f211012edc5a6ef66bd20ddd5eb99840100871205a49ce53d95ac0dbc86c4e0

SHA512
584a4b02c93c01572fa3327f6a92b139f888a810551ddbc630c966e420990b0c2bef4f28cab49177f738dfe477cf5eb78968cc1821c1ade99aa59f347e6f49dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM9981.tmp\{A4F7B07B-B9BD-4a33-B136-96D2ADFB60CB}.gup

Filesize
218B

MD5
a286435860f2e753a99d5e90bd9c1128

SHA1
e00c9535c3084b3233f4b0eddff70d001fb7f607

SHA256
90748ffb7ee18f8ce747c27e0f5117dc19912b5b3c9ac4bec5f5229be5eba500

SHA512
bd46b460aea9521edcbf649c65f983a2f11fde4cd3a36e2ba232cbc829a1354c27a2771044395a89bf7207f0f451626baea6bf2f1feaa91fb89693bc5777a8a5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads