30949949855ec60455a390a5f77ce7eaf52b3917a963a27ecc7dd1946862e852

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

4.1MB
MD5

4dd7bd5bc7ad5494b39c033290136207
SHA1

aeac40777f86c172d8872643c9c537f53cdf1f5d
SHA256

30949949855ec60455a390a5f77ce7eaf52b3917a963a27ecc7dd1946862e852
SHA512

483c6099e920c5b36cd052e59b331d720cebbbf242d190c1b5383b5a7a6327abfc45f2311f58332822d4ec6f726722cf4f16f1c61071d10307a9a6a32849df37
SSDEEP

98304:0BZc4QcOiOqteN/+G5s5jmL0tipvHYzlgpwS+nqA5:IzOVq29mJmgw0gpwSa

Score

7^/10

discovery evasion persistence privilege_escalation spyware stealer trojan upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x000800000002349b-10.dat	upx
behavioral3/memory/2964-11-0x0000000000400000-0x000000000225E000-memory.dmp	upx
behavioral3/memory/2964-111-0x0000000000400000-0x000000000225E000-memory.dmp	upx
behavioral3/memory/2964-117-0x0000000000400000-0x000000000225E000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSIBE21.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	g2ax_installer_customer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Modifies WinLogon 2 TTPs 9 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Startup = "Startup"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Logon = "Logon"	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\DLLName = "C:\\Program Files (x86)\\GoToAssist Remote Support Customer\\1575\\g2ax_winlogonx64.dll"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Logoff = "Logoff"	g2ax_service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Asynchronous = "0"	g2ax_service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Impersonate = "0"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer\Shutdown = "Shutdown"	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer	g2ax_service.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\g2ax_credential_provider64_1575.dll	g2ax_service.exe
File opened for modification	C:\Windows\system32\g2ax_credential_provider64_1575.dll	g2ax_service.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_es.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_installer_customer.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_de.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_winlogonx64.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_combined_customer.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_system_customer.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_pt.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_credential_provider.dll	g2ax_installer_customer.exe
File opened for modification	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\uninshlp.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_comm_customer.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_high_customer.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_en_US.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_it.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\uninshlp.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_credential_provider64.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_customer.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_customer_resource_win32_x86_fr.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\shortcuts.txt	g2ax_service.exe
File created	C:\Program Files (x86)\_x_CInstB+TEST_x_0\_x_CInstB+TEST_x_0	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_winlogon.dll	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_medium_customer.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_processfactory.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_host.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_host_service.exe	g2ax_installer_customer.exe
File created	C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_uninstaller_customer.exe	g2ax_installer_customer.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIBE21.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57bd35.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBDD2.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8986461A-C5B9-4E8B-827A-FA68F3411575}	msiexec.exe
File created	C:\Windows\Installer\e57bd39.msi	msiexec.exe
File created	C:\Windows\Installer\e57bd35.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Executes dropped EXE 8 IoCs

pid	Process
2964	MSIBE21.tmp
2800	g2ax_installer_customer.exe
2932	g2ax_service.exe
4404	g2ax_service.exe
1896	g2ax_service.exe
1416	g2ax_comm_customer.exe
2424	g2ax_system_customer.exe
1908	g2ax_user_customer.exe

Loads dropped DLL 8 IoCs

pid	Process
2800	g2ax_installer_customer.exe
2932	g2ax_service.exe
4404	g2ax_service.exe
1896	g2ax_service.exe
1416	g2ax_comm_customer.exe
2424	g2ax_system_customer.exe
1908	g2ax_user_customer.exe
2980	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2368	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIBE21.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2ax_installer_customer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2ax_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2ax_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2ax_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2ax_comm_customer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2ax_system_customer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g2ax_user_customer.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000082ad35faf8c7b7730000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000082ad35fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090082ad35fa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d82ad35fa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000082ad35fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1\Proto = "1"	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\AuthInfo	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\LogMeInInc	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo	g2ax_comm_customer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood	g2ax_comm_customer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1\Method = "32"	g2ax_comm_customer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1\TargetPort = "80"	g2ax_comm_customer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1\Flags = "1"	g2ax_comm_customer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\LogMeInInc\GoToAssist\ConnectionInfo\LastGood\Proto1\OriginalDetector = "4"	g2ax_comm_customer.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader.2	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\\g2ax_service.exe	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7222C15-96C7-40f1-97A7-EB3D057EA80C}\LocalService = "GoToAssist Remote Support Customer"	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D025C57A-763E-4B14-B580-9B5B161F08BB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\ProgID	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\CurVer	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7222C15-96C7-40f1-97A7-EB3D057EA80C}\ServiceParameters = "-Service"	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\LocalServer32	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\ = "g2ax_StartHereLoader"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D025C57A-763E-4B14-B580-9B5B161F08BB}\InprocServer32\ = "C:\\Windows\\system32\\g2ax_credential_provider64_1575.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\ = "g2ax_StartHereLoader"	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\VersionIndependentProgID	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\ProgID\ = "GoToAssist Remote Support Customer.g2ax_StartHereLoader.2"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\CLSID\ = "{45CB397D-781F-4B69-955E-7EB5F5BDC348}"	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader.2\CLSID	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D025C57A-763E-4B14-B580-9B5B161F08BB}\ = "CredentialProvider"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\\{D7222C15-96C7-40f1-97A7-EB3D057EA80C}	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7222C15-96C7-40f1-97A7-EB3D057EA80C}\ = "GoToAssist Remote Support Customer"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\AppID = "{D7222C15-96C7-40f1-97A7-EB3D057EA80C}"	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\CLSID	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader.2\ = "g2ax_StartHereLoader"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\g2ax_service.exe\AppID = "{D7222C15-96C7-40f1-97A7-EB3D057EA80C}"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\LocalServer32\ = "C:\\Program Files (x86)\\GoToAssist Remote Support Customer\\1575\\g2ax_service.exe"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader.2\CLSID\ = "{45CB397D-781F-4B69-955E-7EB5F5BDC348}"	g2ax_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D025C57A-763E-4B14-B580-9B5B161F08BB}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D025C57A-763E-4B14-B580-9B5B161F08BB}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45CB397D-781F-4B69-955E-7EB5F5BDC348}\VersionIndependentProgID\ = "GoToAssist Remote Support Customer.g2ax_StartHereLoader"	g2ax_service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoToAssist Remote Support Customer.g2ax_StartHereLoader\CurVer\ = "GoToAssist Remote Support Customer.g2ax_StartHereLoader.2"	g2ax_service.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	g2ax_installer_customer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	g2ax_installer_customer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	g2ax_installer_customer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4784	msiexec.exe
4784	msiexec.exe
1416	g2ax_comm_customer.exe
1416	g2ax_comm_customer.exe
2424	g2ax_system_customer.exe
2424	g2ax_system_customer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2368	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2368	msiexec.exe
Token: SeSecurityPrivilege	4784	msiexec.exe
Token: SeCreateTokenPrivilege	2368	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2368	msiexec.exe
Token: SeLockMemoryPrivilege	2368	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2368	msiexec.exe
Token: SeMachineAccountPrivilege	2368	msiexec.exe
Token: SeTcbPrivilege	2368	msiexec.exe
Token: SeSecurityPrivilege	2368	msiexec.exe
Token: SeTakeOwnershipPrivilege	2368	msiexec.exe
Token: SeLoadDriverPrivilege	2368	msiexec.exe
Token: SeSystemProfilePrivilege	2368	msiexec.exe
Token: SeSystemtimePrivilege	2368	msiexec.exe
Token: SeProfSingleProcessPrivilege	2368	msiexec.exe
Token: SeIncBasePriorityPrivilege	2368	msiexec.exe
Token: SeCreatePagefilePrivilege	2368	msiexec.exe
Token: SeCreatePermanentPrivilege	2368	msiexec.exe
Token: SeBackupPrivilege	2368	msiexec.exe
Token: SeRestorePrivilege	2368	msiexec.exe
Token: SeShutdownPrivilege	2368	msiexec.exe
Token: SeDebugPrivilege	2368	msiexec.exe
Token: SeAuditPrivilege	2368	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2368	msiexec.exe
Token: SeChangeNotifyPrivilege	2368	msiexec.exe
Token: SeRemoteShutdownPrivilege	2368	msiexec.exe
Token: SeUndockPrivilege	2368	msiexec.exe
Token: SeSyncAgentPrivilege	2368	msiexec.exe
Token: SeEnableDelegationPrivilege	2368	msiexec.exe
Token: SeManageVolumePrivilege	2368	msiexec.exe
Token: SeImpersonatePrivilege	2368	msiexec.exe
Token: SeCreateGlobalPrivilege	2368	msiexec.exe
Token: SeBackupPrivilege	4532	vssvc.exe
Token: SeRestorePrivilege	4532	vssvc.exe
Token: SeAuditPrivilege	4532	vssvc.exe
Token: SeBackupPrivilege	4784	msiexec.exe
Token: SeRestorePrivilege	4784	msiexec.exe
Token: SeRestorePrivilege	4784	msiexec.exe
Token: SeTakeOwnershipPrivilege	4784	msiexec.exe
Token: SeRestorePrivilege	4784	msiexec.exe
Token: SeTakeOwnershipPrivilege	4784	msiexec.exe
Token: SeRestorePrivilege	4784	msiexec.exe
Token: SeTakeOwnershipPrivilege	4784	msiexec.exe
Token: SeTcbPrivilege	2424	g2ax_system_customer.exe
Token: SeTcbPrivilege	1416	g2ax_comm_customer.exe
Token: SeRestorePrivilege	4784	msiexec.exe
Token: SeTakeOwnershipPrivilege	4784	msiexec.exe
Token: SeRestorePrivilege	4784	msiexec.exe
Token: SeTakeOwnershipPrivilege	4784	msiexec.exe
Token: SeRestorePrivilege	4784	msiexec.exe
Token: SeTakeOwnershipPrivilege	4784	msiexec.exe
Token: SeRestorePrivilege	4784	msiexec.exe
Token: SeTakeOwnershipPrivilege	4784	msiexec.exe
Token: SeRestorePrivilege	4784	msiexec.exe
Token: SeTakeOwnershipPrivilege	4784	msiexec.exe
Token: SeRestorePrivilege	4784	msiexec.exe
Token: SeTakeOwnershipPrivilege	4784	msiexec.exe
Token: SeRestorePrivilege	4784	msiexec.exe
Token: SeTakeOwnershipPrivilege	4784	msiexec.exe
Token: SeRestorePrivilege	4784	msiexec.exe
Token: SeTakeOwnershipPrivilege	4784	msiexec.exe
Token: SeRestorePrivilege	4784	msiexec.exe
Token: SeTakeOwnershipPrivilege	4784	msiexec.exe
Token: SeRestorePrivilege	4784	msiexec.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2368	msiexec.exe
2964	MSIBE21.tmp
2368	msiexec.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe
1908	g2ax_user_customer.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 2128	4784	msiexec.exe	93
PID 4784 wrote to memory of 2128	4784	msiexec.exe	93
PID 4784 wrote to memory of 2964	4784	msiexec.exe	95
PID 4784 wrote to memory of 2964	4784	msiexec.exe	95
PID 4784 wrote to memory of 2964	4784	msiexec.exe	95
PID 2964 wrote to memory of 2800	2964	MSIBE21.tmp	96
PID 2964 wrote to memory of 2800	2964	MSIBE21.tmp	96
PID 2964 wrote to memory of 2800	2964	MSIBE21.tmp	96
PID 2800 wrote to memory of 2932	2800	g2ax_installer_customer.exe	97
PID 2800 wrote to memory of 2932	2800	g2ax_installer_customer.exe	97
PID 2800 wrote to memory of 2932	2800	g2ax_installer_customer.exe	97
PID 2800 wrote to memory of 4404	2800	g2ax_installer_customer.exe	98
PID 2800 wrote to memory of 4404	2800	g2ax_installer_customer.exe	98
PID 2800 wrote to memory of 4404	2800	g2ax_installer_customer.exe	98
PID 1896 wrote to memory of 1416	1896	g2ax_service.exe	100
PID 1896 wrote to memory of 1416	1896	g2ax_service.exe	100
PID 1896 wrote to memory of 1416	1896	g2ax_service.exe	100
PID 1416 wrote to memory of 2424	1416	g2ax_comm_customer.exe	103
PID 1416 wrote to memory of 2424	1416	g2ax_comm_customer.exe	103
PID 1416 wrote to memory of 2424	1416	g2ax_comm_customer.exe	103
PID 1416 wrote to memory of 1908	1416	g2ax_comm_customer.exe	105
PID 1416 wrote to memory of 1908	1416	g2ax_comm_customer.exe	105
PID 1416 wrote to memory of 1908	1416	g2ax_comm_customer.exe	105
PID 1896 wrote to memory of 2980	1896	g2ax_service.exe	112
PID 1896 wrote to memory of 2980	1896	g2ax_service.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\[email protected]
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2368

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2128
- C:\Windows\Installer\MSIBE21.tmp
  "C:\Windows\Installer\MSIBE21.tmp" /FromMSI
  2⤵
  - Checks whether UAC is enabled
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_installer_customer.exe
    "C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_installer_customer.exe " "/Action SetupUnattendedSilent" "/DownloadServer https://launch.getgo.com" "/EGWAddress 216.115.218.197" "/EGWDNS egw1.express.gotoassist.com" "/EGWPort 8200,80,443" /FromMSI "/Language en_US" "/LoaderPath C:\Windows\Installer\MSIBE21.tmp" "/LogPath C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233524\" "/Mode Normal" "/RestartReason Start" "/ServiceAllowed Yes" "/StartAsService Yes" "/Stat On" "/StatDb On" "/Trigger Web" "/UnattendedSetupToken 5331656515450037371" "/WebsiteUrl http://support.gotoassist.com" "/locale en_US" "/silent"
    3⤵
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe
      "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe" "Start=install_manual&Action=SetupUnattendedSilent&DownloadServer=https://launch.getgo.com&EGWAddress=216.115.218.197&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Windows\Installer\MSIBE21.tmp&LogPath=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233524\&Mode=Normal&RestartReason=Start&ServiceAllowed=Yes&StartAsService=Yes&Stat=On&StatDb=On&Trigger=Web&UnattendedSetupToken=5331656515450037371&WebsiteUrl=http://support.gotoassist.com&locale=en_US"
      4⤵
      Modifies WinLogon
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2932
  - - C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe
      "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe" "Start=start_session&Action=SetupUnattendedSilent&DownloadServer=https://launch.getgo.com&EGWAddress=216.115.218.197&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Windows\Installer\MSIBE21.tmp&LogPath=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233524\&Mode=Normal&RestartReason=Start&ServiceAllowed=Yes&StartAsService=Yes&Stat=On&StatDb=On&Trigger=Web&UnattendedSetupToken=5331656515450037371&WebsiteUrl=http://support.gotoassist.com&locale=en_US"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe
"C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe" "Start=service"
1⤵
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_comm_customer.exe
  "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_comm_customer.exe" "Action=SetupUnattendedSilent&DownloadServer=https://launch.getgo.com&EGWAddress=216.115.218.197&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Windows\Installer\MSIBE21.tmp&LogName=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233524\GoToAssist Remote Support Customer.LOG&LogPath=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233524\&Mode=Normal&ResourceDll=g2ax_customer_resource_win32_x86_en_US.dll&RestartReason=Start&RunningAsService=YES&ServiceAllowed=Yes&Start=service&StartAsService=Yes&StartID={45CB397D-781F-4B69-955E-7EB5F5BDC348}&Stat=On&StatDb=On&Trigger=Web&UnattendedSetupToken=5331656515450037371&UniqueId=1896&WebsiteUrl=http://support.gotoassist.com&locale=en_US"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_system_customer.exe
    "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_system_customer.exe" "StartID={6EFAC87B-3BB8-4940-8458-5B2133ED1C4A}&ResourceDll=g2ax_customer_resource_win32_x86_en_US.dll&RunningAsService=YES&Debug=Off&Stat=On&StatDb=On&Index=0"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- - C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_customer.exe
    "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_customer.exe" "StartID={45CB397D-781F-4B69-955E-7EB5F5BDC348}&ResourceDll=g2ax_customer_resource_win32_x86_en_US.dll&RunningAsService=YES&Debug=Off&Stat=On&StatDb=On&Index=0"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1908
- C:\Windows\system32\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\g2ax_credential_provider64_1575.dll
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57bd38.rbs

Filesize
8KB

MD5
57f28c949cc49a5db1b2aa31b0d3e266

SHA1
fb685368ea423acb0dc5517662795b25db819006

SHA256
712b055ffbb4d68d9095578cb6051552e69c0fce75b942c711badd0b47eceef5

SHA512
711a426e11208e022b0e3a6df7881c2aca5f0c4213c49babc0972ae11a85f12ef4cf912d9d96d750db726b3d2ae9e0bc23d24e2e28457805adc8d1e1449786bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_combined_customer.dll

Filesize
9.0MB

MD5
b281109807f069ee71ad44a5c2ed4638

SHA1
88d58db2ea9d8ab72504ad3933acedd69c919cf7

SHA256
3d8d246a69eb0a66c52d8a713c2797b28d05e7c2ac9157fea5692bf6e9dfdda8

SHA512
11fb0515904a24a041c02f89819b43cf30e4b791eac559084c0ab90c458ed46d0aff2ab9fe4e4a1e9c915d080eff212754d68643c67e4690237dab6a67cd2249

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_credential_provider.dll

Filesize
113KB

MD5
6acbff3ffbf1d3b4ef2e590807b82a7f

SHA1
0f781965145db5d9c97e471b8bc7236dee81c71c

SHA256
e870ce924d6797c053a14647184ad9d7e6bf641c2c1de901e747449964afdb22

SHA512
734aaa7ca45209c7d67e743c7bd43130da709d3503ee3a127919aa676c7e9cc932707522e0355d8e17b8bb02dbb53109c7df9ddef7c118814e5a4f04ce712139

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_credential_provider64.dll

Filesize
122KB

MD5
2f9bde855a7df5ab1a5d4bc549170064

SHA1
dab528bd0e4054926d4646d762f08d85e164c469

SHA256
ee0432569bfadee88267ae64d2b11a6d258225c74358f142afa4bec8d6236dd5

SHA512
ce19050bc003f290172efab577bfa36ca17bb5e5b9efd4e4443ca037f59a1ea2ac635ae1592d51354485df0ef274f0516a3501228f11edd16ef1c6d723820afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_customer_resource_win32_x86_de.dll

Filesize
2.7MB

MD5
95d28b0ae03c0e0dbebaac0354bd665d

SHA1
16ad8de089f85810678235cac2a332069e4a757e

SHA256
2e0fd5b081c3a35f97fc15a37d254c46e09a57724dae50853cd6f7675b5502bd

SHA512
5ec5d5d1b113c633364181411516b7de8e4ebf47d1bdbdb5cabec06a040671f5e69540b9b0f067fec593d26f6d1d97ca764c50d2adbd768b1e3cbf91b758ad27

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_customer_resource_win32_x86_en_US.dll

Filesize
2.7MB

MD5
626dc7beea7eef7dbbad77b3f693eb49

SHA1
1e25d0ca6c7678bb3775728bdd631f2bfe79ebc0

SHA256
5bea8b91ed32fe2b925a8942a2706d8b84d75b00cac8f4ec1009c911a201a6f9

SHA512
a1609e5949721165773fec457f798ea9083257b19eeeafb3d40382f9763392862a976f2b892b6dadfe1df6c83e70b496c10ce688440fa5d97c78c6a0821d165a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_customer_resource_win32_x86_es.dll

Filesize
2.7MB

MD5
d4b3e89862a5b2583b6da76aa12e225c

SHA1
2f158da475e5a20f8e7c9b7effa7295fc07e7fd9

SHA256
5bac52692ea070aa9a6cb4655ca1346818235e79d4ac234127c87f9bd26de5d2

SHA512
2e792fa40569198a52df8796328ee0e6c93da9b861599e04bd0c0c7430b1c368c5ef60ca0bcda9297dcffd3e9312cdf12d62fdfd3febff4ec4a0ec55d2607a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_customer_resource_win32_x86_fr.dll

Filesize
2.7MB

MD5
cdb5345e298d427450fe244a2e1cd16c

SHA1
e2e3402696090998174f686128af6d5791dd725a

SHA256
a476086f0c10426df4880f77e7333fa9aaab088421b5b9fab4937a65d734c817

SHA512
f036d3b164b3983f4684d3e3383ed2a67ebd674b5ea4d764189b429b3cecc81f5b0a4bf8a4e6e6d7e2aac27b7fb6edaf909835d2890000d3aded887e20776141

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_customer_resource_win32_x86_it.dll

Filesize
2.7MB

MD5
4c6d97f5793a8806d1b07f7805c1290f

SHA1
6ed0ae206d5e3fd7cb19634aef5f0055f0832d83

SHA256
3798840e3ddf8025648420c2971c4434608f908bfd83437c239220e28e925323

SHA512
c13fba4f00340ab3be3b1f58bdd17fd1d3e95c1819b7a8d82b8e6cb7bc8bece9cf2d97ede47e57b062bb8008031f58b36934a5da0c452e17309f832b42b5e2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_customer_resource_win32_x86_pt.dll

Filesize
2.7MB

MD5
42accada99f11973893559eb80dbd7cc

SHA1
9ed76304bf4af87210044d9fcbcb62f2f6f49fce

SHA256
c07707fdee8d761999bd63e44fdca04503ccbb2fde1e02d2eab6d3f99744840a

SHA512
24177df97a981f2a5d0896d143b3f8057631a17ab18e00bf540b70a921d66f5876ee0985e4b32165fabedefebc0ad1329be4860619b1ea40274cfe2beaf0d696

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_exe_customer_adminui.exe

Filesize
599KB

MD5
139e140841795d1d3b31ca9f0d2a18f0

SHA1
c8348ffcc2792edf84c7d0a60af9fced0cee74d2

SHA256
814f387ab117191bc9cf9c33743bd792735237354ec83df4e014c7e7bc1e46ba

SHA512
98bf1f4043ccd59bb2c86b56dda9b30426160cb093585e9378cd5930ab8d5485591ea1f59196fb64ec3e0cc2845bdf43d936e8ae303914df56a8bd82b9fcd42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_installer_customer.exe

Filesize
599KB

MD5
7c9b0bde69c16ece846a56106b11dbfa

SHA1
80c42eb9351f611a395256531c5ed4931be981cf

SHA256
02d19f030b1f116c26bc3d1e6b03071b6f13ce7c7ea499603a5dfd571f3a96b6

SHA512
7826faa0627a5e57cd4ad3076391cec125314339d59ac6ad2e623a82522e870ecbc12b42b5868484550ede7e8d3012f06bef5463b624636aea3f0343ccdd810a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_installer_customer_admin.exe

Filesize
599KB

MD5
d4ee9d0af2825048d4bfd48f48bd464b

SHA1
a3a25e68132a4288b6b394623fd206fbf8899092

SHA256
e1ae8e4f45552d82ea9154a02d7b900f42cad77777d6b6d6872f3f96efde491c

SHA512
ff6a70d7edb1e0aef632027e50b264bfed1aa27bcf114c65b79da7894b6f2b48675d78bc698f0006973f24a9ca465ffb5ae82600d5f065dba14593ade31ffc47

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_processfactory.exe

Filesize
680KB

MD5
63f225100403cd9d98e5c20a2f13c7f9

SHA1
e4152545009c0bcbdbb9bed52f2935d55ba7da01

SHA256
450ba2dc70b1bbb9cd808be082cc90ee2be2e27e678d37b27400a90e0e4463f8

SHA512
58886a5b9455e56e86b227c7a49535b638a9379ab8752c58d8560987c7585d7a42eac2e88b19c82a52f8eb13aabfc436ada14673878a80667ae30b369a1ed409

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_winlogon.dll

Filesize
598KB

MD5
8b64004a064179c50ab204cb8baacdb1

SHA1
357fe1c8cc37ff7a7c064ed6f49360692a4a8254

SHA256
20b7b7290d17b2b3b9d6bb01d7f540dcd780944a9a2873d641e973433173a781

SHA512
0ce7693c4c54db616f1c30899bbe77f4a6033ee034a389d032dcc3e8c84d3361f3beaab82508c69e1b8a4b4104590953c2a9abef354680043a2964fd8106af74

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_winlogonx64.dll

Filesize
599KB

MD5
234f00413858db80b4b51c1abede4152

SHA1
e2606f11691de55ac8f491050abbcbe71c0ad1ba

SHA256
c5daa86b380ed04bc2ec92bbe74c8aff958edeabd240411b7ecb7f5721ba548d

SHA512
0a242a4516cfa722e35f5cb9a6e815d03e00b63e8ef648532526e8a0d228f4d00c2367d65bf402d1c564a208e1d5747b2ba1350bc0e637743373898fc37cd41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\uninshlp.dll

Filesize
20KB

MD5
0868827e42db552e5427f277fedf1e6b

SHA1
9fb59bbb4edbcc98fdb36ffff378d0bb9ddcc4fb

SHA256
f6684c5dbce46be754e61da86757278bb6a9c7def6810504a1dc389920b5d38a

SHA512
607064c1bc4aa627dc130d3a34d19bd512324bb9bd91ceaa6bcb20f0e218d070ef7021c921318a4d6474e95979bd569c2776b414269aeade5fa884876d58c3d1

Download Submit
C:\Windows\Installer\MSIBE21.tmp

Filesize
3.6MB

MD5
10691eb99593e235b86d018ebaf7d4e6

SHA1
35e0444bb572f3890f327afc1feba32e9833d5b4

SHA256
4e945ddc84443a2ac2f845693461a7bda2ab07b24eb3b980c1b86dd5f2d8ed2b

SHA512
10e1ee6fa616d92d1bc5bca358321c0fd4b18767a7eb7fd7bdf19c3302b23163a37e904f162d57097d40ca10b68494c7f5d029db4f9f91ac62351c48d150377f

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
390cdffdce1ec568d3a24ae516ce47d3

SHA1
2d1c318ac2e8e764197af84bf497a48c287a273a

SHA256
c67633d1cc6fb7c3d2b38a9cef750089b6863d9e890bddf11377a0e4a4fb0d81

SHA512
bea053363ebfee438ba9ff826a1b26a7d8084719a94fcc893ff765ca42d4f813323d1b6d9dadb5e7b4fba9524eb07cd2354e872ffa9c734878c3fe8edf0b1fc7

Download Submit
\??\Volume{fa35ad82-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0af9ce3c-45b7-4eba-8644-cf7b053b8c8d}_OnDiskSnapshotProp

Filesize
6KB

MD5
5e7a4ca9a1d572e1e35601918b83a1cf

SHA1
a81809daf229b3422575d90cd7b681ecac3a1227

SHA256
a25f72c48a50d60a7e6b2980adf3859c7a897a03552255b655ff72d30004a3e4

SHA512
0c27e233d0a0eaff8e6640ecce5a7e051e58d4672a781519b8c391ab1d31206aeef69a3e9e834c88563f3c2eed97bb8cd753e404522cd8b6a35d6a7c00157467

Download Submit
memory/2964-111-0x0000000000400000-0x000000000225E000-memory.dmp

Filesize
30.4MB

Download
memory/2964-117-0x0000000000400000-0x000000000225E000-memory.dmp

Filesize
30.4MB

Download
memory/2964-11-0x0000000000400000-0x000000000225E000-memory.dmp

Filesize
30.4MB

Download