b684d7b94d15a92fc72447b87e2d95763dea4c0e091f696ddf6676c62d56fc36

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/g/PRFA-Chrome.exe
Size

563KB
MD5

9341392aef629d21f94be538830ed7ee
SHA1

c935f77dfb055deb5118a157fa526b4efc1cd3d3
SHA256

7dedf4ac72b35c13e5921c42adf46a8c3aafffe15768be4cf13bf30ae498f079
SHA512

b5cf73a5e976791312af5ceb1f718de03b0b003f6e0dd497e5cb970d781140a6056d283410edf94dbb6c951c85f0bf88df3d4b6d7ec1dd51f0c0c0f1c8a8963b
SSDEEP

12288:3mt6ciOkXAQjfbE2YCyz+/UcYyOk3jFZcngtv9e+z:Wt6NOIo2xy6MlTkuCle+z

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2936	googleupdatesetup.exe
864	GoogleUpdate.exe

Loads dropped DLL 5 IoCs

pid	Process
2720	PRFA-Chrome.exe
2936	googleupdatesetup.exe
864	GoogleUpdate.exe
864	GoogleUpdate.exe
864	GoogleUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRFA-Chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	googleupdatesetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdate.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
864	GoogleUpdate.exe
864	GoogleUpdate.exe
864	GoogleUpdate.exe
864	GoogleUpdate.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	864	GoogleUpdate.exe
Token: SeDebugPrivilege	864	GoogleUpdate.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2936	2720	PRFA-Chrome.exe	30
PID 2720 wrote to memory of 2936	2720	PRFA-Chrome.exe	30
PID 2720 wrote to memory of 2936	2720	PRFA-Chrome.exe	30
PID 2720 wrote to memory of 2936	2720	PRFA-Chrome.exe	30
PID 2720 wrote to memory of 2936	2720	PRFA-Chrome.exe	30
PID 2720 wrote to memory of 2936	2720	PRFA-Chrome.exe	30
PID 2720 wrote to memory of 2936	2720	PRFA-Chrome.exe	30
PID 2936 wrote to memory of 864	2936	googleupdatesetup.exe	31
PID 2936 wrote to memory of 864	2936	googleupdatesetup.exe	31
PID 2936 wrote to memory of 864	2936	googleupdatesetup.exe	31
PID 2936 wrote to memory of 864	2936	googleupdatesetup.exe	31
PID 2936 wrote to memory of 864	2936	googleupdatesetup.exe	31
PID 2936 wrote to memory of 864	2936	googleupdatesetup.exe	31
PID 2936 wrote to memory of 864	2936	googleupdatesetup.exe	31

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\g\PRFA-Chrome.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\g\PRFA-Chrome.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Local\Temp\googleupdatesetup.exe
  googleupdatesetup.exe /silent /install "appguid={8A69D345-D564-463c-AFF1-A69D9E530F96}&appname=Google%20Chrome&needsadmin=True&brand=PRFA&usagestats=0" /appargs "appguid={8A69D345-D564-463c-AFF1-A69D9E530F96}&installerdata=%7B%22homepage%22%3A%22http%3A%2F%2Fwww.google.com%22%2C%22homepage_is_newtabpage%22%3Afalse%2C%22distribution%22%3A%7B%22skip_first_run_ui%22%3Atrue%2C%22show_welcome_page%22%3Atrue%2C%22import_search_engine%22%3Afalse%2C%22import_history%22%3Afalse%2C%22create_all_shortcuts%22%3Atrue%2C%22do_not_launch_chrome%22%3Atrue%2C%22make_chrome_default%22%3Afalse%2C%22system_level%22%3Atrue%2C%22verbose_logging%22%3Afalse%7D%7D"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\GUM6374.tmp\GoogleUpdate.exe
    C:\Users\Admin\AppData\Local\Temp\GUM6374.tmp\GoogleUpdate.exe /silent /install "appguid={8A69D345-D564-463c-AFF1-A69D9E530F96}&appname=Google%20Chrome&needsadmin=True&brand=PRFA&usagestats=0" /appargs "appguid={8A69D345-D564-463c-AFF1-A69D9E530F96}&installerdata=%7B%22homepage%22%3A%22http%3A%2F%2Fwww.google.com%22%2C%22homepage_is_newtabpage%22%3Afalse%2C%22distribution%22%3A%7B%22skip_first_run_ui%22%3Atrue%2C%22show_welcome_page%22%3Atrue%2C%22import_search_engine%22%3Afalse%2C%22import_history%22%3Afalse%2C%22create_all_shortcuts%22%3Atrue%2C%22do_not_launch_chrome%22%3Atrue%2C%22make_chrome_default%22%3Afalse%2C%22system_level%22%3Atrue%2C%22verbose_logging%22%3Afalse%7D%7D"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GUM6374.tmp\goopdate.dll

Filesize
665KB

MD5
6139833c1eff3eeeaacd9878c9a0c4b9

SHA1
d945fbe6565c7ab8a52d182e023d30f25fd8b72d

SHA256
79bf56e8c74e71a257466952c7c14d4cb5f82d88bc2b31583d35d0576a1cbaa6

SHA512
90b0b6256f216cd80d63435230096bc1c8da2d4bd4710dfddbfd726104dea1fa9e082d364c17c860dd0a74fb9a96a9a79d78ea25c5b6940b9606fd11515e4d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM6374.tmp\goopdateres_en.dll

Filesize
25KB

MD5
0b9fdab446864554b59a91c9cd3389cb

SHA1
7f7ad94aeb3637474c7ea94489e76abf474edbef

SHA256
cc7b40c670d54fc86c5370fe0888fa669c9ecb46f010a1765654d96ea4956c3f

SHA512
ae66abf8d5a189cad86cd3293de9db76d92381641d1658c172fd42bff064da82b51c18412b4e98a4e9c3e4865eab02bd0cd06b377b7ab88cdcdd40814279e0b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\googleupdatesetup.exe

Filesize
549KB

MD5
01e1716a03b513f6538e022dd0ec6ea5

SHA1
9bbbf3b31340f4b049fd97ccfd34b2a03ac4ec39

SHA256
d31b7c8cf3207b19e18e899523a3d7caabf8fd1ac5cca38a4bada87516333091

SHA512
ccf065518cab5f34001f61f2e7f5350862c75b1b8cab7a8697712bbf4fb28789496229422a7cddaa68befb7d93afab3c37e799d4b267c300d56333f5a15cada6

Download Submit
\Users\Admin\AppData\Local\Temp\GUM6374.tmp\GoogleUpdate.exe

Filesize
132KB

MD5
f02a533f517eb38333cb12a9e8963773

SHA1
258810d71436c5157cd0752bd13ce1de20f27eb2

SHA256
1f72cd1cf660766fa8f912e40b7323a0192a300b376186c10f6803dc5efe28df

SHA512
1fd44fd4b6b73327a913dd85efe2d8125896e3dd4b5c7801d7d9afd594d6536f4e825a767fad4af13f03397783ff4dd448e0071037e72fd8fdf685825ee6b4fa

Download Submit