a99617fe1fcbdad576a2fc91a990b99d0b4c48bbe2b2ccf7965293b7c96091e3

General

Target

google_64.exe
Size

21.9MB
MD5

7f0d1df1b223a4fc990a4700ece2cc4e
SHA1

db3ad54de7a0aee48aa253a2a3aa1953b3717886
SHA256

a99617fe1fcbdad576a2fc91a990b99d0b4c48bbe2b2ccf7965293b7c96091e3
SHA512

fa50696c4aaba304724252c021e409dddc989045a96cc726a94281321c955f78b152789ae3045efaa07f2b1f7c9255d1332f69d7bcada752ad62964aa27e1bc7
SSDEEP

393216:nEzKufCTmBlwejWc9AVftZwwUUu/eWNyT55ybi5o2TXnH/SE9f3Wt8797mmwAB26:afCKlwOW68pxWNK5H5okXnH/SMf3uqmo

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 9 IoCs

pid	Process
1588	google_64.tmp
2944	aslces.exe
568	svortvx8.exe
1416	svortvx8.exe
2820	svortvx8.exe
2280	svortvx8.exe
852	svortvx8.exe
1944	svortvx8.exe
1896	svortvx8.exe

Loads dropped DLL 10 IoCs

pid	Process
2792	google_64.exe
1588	google_64.tmp
1988	taskeng.exe
568	svortvx8.exe
1416	svortvx8.exe
2820	svortvx8.exe
2280	svortvx8.exe
852	svortvx8.exe
1944	svortvx8.exe
1896	svortvx8.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\svortvx8\svortvx8.exe	svortvx8.exe
File opened for modification	C:\Windows\svortvx8\svortvx8.exe	svortvx8.exe
File created	C:\Windows\svortvx8\app-0.82.1\svortvx8.exe	svortvx8.exe
File opened for modification	C:\Windows\svortvx8\app-0.82.1\svortvx8.exe	svortvx8.exe
File created	C:\Windows\svortvx8\app-0.82.1\b5c24d98e1d8c41e9	svortvx8.exe
File opened for modification	C:\Windows\svortvx8\app-0.82.1\b5c24d98e1d8c41e9	svortvx8.exe
File created	C:\Windows\svortvx8\app-0.82.1\sqlite3.dll	svortvx8.exe
File opened for modification	C:\Windows\svortvx8\app-0.82.1\sqlite3.dll	svortvx8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	google_64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	google_64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svortvx8.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	svortvx8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "svortvx8.exe"	svortvx8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "svortvx8.exe"	svortvx8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	svortvx8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "svortvx8.exe"	svortvx8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "svortvx8.exe"	svortvx8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	svortvx8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	svortvx8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "svortvx8.exe"	svortvx8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	svortvx8.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1588	google_64.tmp
1588	google_64.tmp
852	svortvx8.exe
852	svortvx8.exe
852	svortvx8.exe
852	svortvx8.exe
852	svortvx8.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1588	google_64.tmp

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 1588	2792	google_64.exe	28
PID 2792 wrote to memory of 1588	2792	google_64.exe	28
PID 2792 wrote to memory of 1588	2792	google_64.exe	28
PID 2792 wrote to memory of 1588	2792	google_64.exe	28
PID 2792 wrote to memory of 1588	2792	google_64.exe	28
PID 2792 wrote to memory of 1588	2792	google_64.exe	28
PID 2792 wrote to memory of 1588	2792	google_64.exe	28
PID 1988 wrote to memory of 568	1988	taskeng.exe	33
PID 1988 wrote to memory of 568	1988	taskeng.exe	33
PID 1988 wrote to memory of 568	1988	taskeng.exe	33
PID 568 wrote to memory of 1416	568	svortvx8.exe	34
PID 568 wrote to memory of 1416	568	svortvx8.exe	34
PID 568 wrote to memory of 1416	568	svortvx8.exe	34
PID 2816 wrote to memory of 2820	2816	cmd.exe	36
PID 2816 wrote to memory of 2820	2816	cmd.exe	36
PID 2816 wrote to memory of 2820	2816	cmd.exe	36
PID 2280 wrote to memory of 852	2280	svortvx8.exe	38
PID 2280 wrote to memory of 852	2280	svortvx8.exe	38
PID 2280 wrote to memory of 852	2280	svortvx8.exe	38
PID 2280 wrote to memory of 852	2280	svortvx8.exe	38
PID 852 wrote to memory of 1944	852	svortvx8.exe	39
PID 852 wrote to memory of 1944	852	svortvx8.exe	39
PID 852 wrote to memory of 1944	852	svortvx8.exe	39
PID 2820 wrote to memory of 1896	2820	svortvx8.exe	40
PID 2820 wrote to memory of 1896	2820	svortvx8.exe	40
PID 2820 wrote to memory of 1896	2820	svortvx8.exe	40

C:\Users\Admin\AppData\Local\Temp\google_64.exe
"C:\Users\Admin\AppData\Local\Temp\google_64.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\Temp\is-RQUD3.tmp\google_64.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RQUD3.tmp\google_64.tmp" /SL5="$40150,21967330,775168,C:\Users\Admin\AppData\Local\Temp\google_64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:1588

C:\Windows\system32\taskeng.exe
taskeng.exe {D2F16519-F779-4F90-A38D-D4BAF903E724} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
PID:2924
- C:\Users\Admin\AppData\Roaming\8A5F63D6\ebaf2690\e80b16dd\aslces.exe
  C:\Users\Admin\AppData\Roaming\8A5F63D6\ebaf2690\e80b16dd\aslces.exe
  2⤵
  - Executes dropped EXE
  PID:2944

C:\Windows\system32\taskeng.exe
taskeng.exe {813E5F48-7500-46AE-86CD-4C8C6DAB1C9A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Roaming\8A5F63D6\8eb0ae0a3a3c\c1d6fe862d\svortvx8.exe
  C:\Users\Admin\AppData\Roaming\8A5F63D6\8eb0ae0a3a3c\c1d6fe862d\svortvx8.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Users\Admin\AppData\Roaming\8A5F63D6\8eb0ae0a3a3c\c1d6fe862d\svortvx8.exe
    "C:\Users\Admin\AppData\Roaming\8A5F63D6\8eb0ae0a3a3c\c1d6fe862d\svortvx8.exe" 237f37c29 568 C:\Users\Admin\AppData\Roaming\8A5F63D6\8eb0ae0a3a3c\c1d6fe862d\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies data under HKEY_USERS
    PID:1416

C:\Windows\system32\cmd.exe
cmd /c start "" "C:\Users\Admin\AppData\Roaming\8A5F63D6\8eb0ae0a3a3c\c1d6fe862d\svortvx8.exe" "8ac956b81" 1416 "C:\Users\Admin\AppData\Roaming\8A5F63D6\8eb0ae0a3a3c\c1d6fe862d\"
1⤵
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Roaming\8A5F63D6\8eb0ae0a3a3c\c1d6fe862d\svortvx8.exe
  "C:\Users\Admin\AppData\Roaming\8A5F63D6\8eb0ae0a3a3c\c1d6fe862d\svortvx8.exe" "8ac956b81" 1416 "C:\Users\Admin\AppData\Roaming\8A5F63D6\8eb0ae0a3a3c\c1d6fe862d\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\svortvx8\app-0.82.1\svortvx8.exe
    C:\Windows\svortvx8\app-0.82.1\svortvx8.exe fd6cd63fc7ca363d58948bdb26d0b 1416 "C:\Users\Admin\AppData\Roaming\8A5F63D6\8eb0ae0a3a3c\c1d6fe862d\"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies data under HKEY_USERS
    PID:1896

C:\Windows\svortvx8\svortvx8.exe
"C:\Windows\svortvx8\svortvx8.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\svortvx8\app-0.82.1\svortvx8.exe
  "C:\Windows\svortvx8\app-0.82.1\svortvx8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\svortvx8\app-0.82.1\svortvx8.exe
    "C:\Windows\svortvx8\app-0.82.1\svortvx8.exe" "96975b1c6f97969bfc8bef"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\8A5F63D6\8eb0ae0a3a3c\c1d6fe862d\b5c24d98e1d8c41e9

Filesize
13.7MB

MD5
6e7073cf8b63c208b7b4f75497212720

SHA1
b2b1dd8dc37471b84a49d2f0fa560a5b00750a43

SHA256
3d5ac4b831edf0ce2fe1ddf9e1cf3a37dec6d3fd084b5ff3f097f7afdc00cec6

SHA512
9aeeab440f46f074cf52961da1022ebe7635c07d9556059239c16e92d640c685a97fe733d4b0b950912ea7b035a8f472aaca927bc26f1352d7d40c09b5548356

Download Submit
C:\Users\Admin\AppData\Roaming\8A5F63D6\8eb0ae0a3a3c\c1d6fe862d\sqlite3.dll

Filesize
2.9MB

MD5
1ad96797e4eb7d28f03f033d1f60a12c

SHA1
7a3ef33b7b2c16e2da916f7406cb2133de8ade48

SHA256
4290b7f2a36af1095fc8d69f7a635cb993b08f8842e4d920083b7c20f3115c0d

SHA512
06adda14bda8bf5868fea4d238654d52834522dc1e0ede6f513b9cd1e2fa3139b51dc73f9f533e28b03408eca034eea92e20885e762c9309ff59f0e8a4f90d76

Download Submit
C:\Windows\svortvx8\app-0.82.1\sqlite3.dll

Filesize
2.7MB

MD5
28c69723a9444abd989e4f5c0f344af1

SHA1
02557b8132ff68b6f7495e6f8bf9a136503dc9fd

SHA256
bba58214f07330f12f5122d28b160eac1c2a4948dbd3905dc53aa9bc7a83b427

SHA512
d924522b629454a6bd81f6843ba8248b8fb35c5e512223a83c82ad8f079f9c09059470ec7a3cbca2d6f0303c7e6335023365f883b64efd7ea6ef7a5da69e6fde

Download Submit
C:\Windows\svortvx8\svortvx8.exe

Filesize
691KB

MD5
d0cd80eda106fc87730d2034e8c2d632

SHA1
4e6a0454867097a1966c9d9bd1af366cfe640baf

SHA256
d53225a068e183b7c2bc3b48766551547ab0a679cfb9e2ddfd1602e041517fcb

SHA512
fe362285e4ee767876156cb63859d41ff06cef04153f67c01bd29b082966216171cf1683f6bccf78faf7c3b380ffc5e951ee24f856edfee2edada2e6301122e5

Download Submit
\Users\Admin\AppData\Local\Temp\is-RQUD3.tmp\google_64.tmp

Filesize
3.2MB

MD5
dfcc3036dcb08cc6263be6b050ebf7f8

SHA1
46cb4ad17c4e2fc115b257dee31571c7ea7ff8d3

SHA256
4dfd9825be93d672d011d1cdf2f6733721e0d30fed32d5ebbc0cf2ba8f42f248

SHA512
c6e99dda493f71bf1ff001fe953867919ebbe794bd49e3e76293dbf470c3c995c91c7e8f5f8567f6ec43fc2362bb74cc9f4ff52aa2af91c8ad77115820acb082

Download Submit
\Users\Admin\AppData\Roaming\8A5F63D6\8eb0ae0a3a3c\c1d6fe862d\svortvx8.exe

Filesize
7.8MB

MD5
35a062855e514ce9121d9c30d57d2199

SHA1
7a74853b61b453febe66a77709850c12affccb4e

SHA256
1732bd979accc746689600fafe3636b856be0568e9fa1f8fb40d1b60b15f8a90

SHA512
e1bb4b9dee32f31598033dd0cd1dae81e0f5d62fdebe9932d38ed824de22a7812cd631c8bca6828cf94dbc2e78accb68ff88195faae710b2aa1e850b1e5e5569

Download Submit
\Users\Admin\AppData\Roaming\8A5F63D6\ebaf2690\e80b16dd\aslces.exe

Filesize
8.5MB

MD5
f37c52156f0782a8396b5e95c3960363

SHA1
6e1f3d27aac555edbe5c83cfcdb6050e911bf937

SHA256
a6c7d50a959dca5684d84c700c9a74591db7bef08f516ee15df4c05a9f675f5b

SHA512
25cc70a70aee6e8e041a6d1dfb1cfae7796a6c86f5a29b250c4342b51ebcfd2724120cc33cc7e6bfe60ee4e7f91a8ba7b9eb2b95c0ffd87c4df875c76c74c980

Download Submit
memory/568-39-0x0000000004210000-0x0000000005BA8000-memory.dmp

Filesize
25.6MB

Download
memory/568-42-0x0000000004210000-0x0000000005BA8000-memory.dmp

Filesize
25.6MB

Download
memory/568-45-0x0000000000400000-0x0000000000C4B000-memory.dmp

Filesize
8.3MB

Download
memory/568-34-0x000007FEF6480000-0x000007FEF697A000-memory.dmp

Filesize
5.0MB

Download
memory/568-38-0x00000000018D0000-0x000000000267A000-memory.dmp

Filesize
13.7MB

Download
memory/852-88-0x000007FEF5690000-0x000007FEF5B52000-memory.dmp

Filesize
4.8MB

Download
memory/852-96-0x0000000004430000-0x0000000005DC8000-memory.dmp

Filesize
25.6MB

Download
memory/852-93-0x0000000004430000-0x0000000005DC8000-memory.dmp

Filesize
25.6MB

Download
memory/1416-48-0x000007FEF5B60000-0x000007FEF605A000-memory.dmp

Filesize
5.0MB

Download
memory/1416-52-0x0000000004350000-0x0000000005CE8000-memory.dmp

Filesize
25.6MB

Download
memory/1416-55-0x0000000004350000-0x0000000005CE8000-memory.dmp

Filesize
25.6MB

Download
memory/1416-61-0x0000000000400000-0x0000000000C4B000-memory.dmp

Filesize
8.3MB

Download
memory/1588-8-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1588-23-0x00000000011B0000-0x00000000014EB000-memory.dmp

Filesize
3.2MB

Download
memory/1944-105-0x0000000005640000-0x0000000006FD8000-memory.dmp

Filesize
25.6MB

Download
memory/1944-101-0x000007FEF5690000-0x000007FEF5B52000-memory.dmp

Filesize
4.8MB

Download
memory/1944-113-0x0000000007FB0000-0x00000000084A4000-memory.dmp

Filesize
5.0MB

Download
memory/1944-111-0x0000000005640000-0x0000000006FD8000-memory.dmp

Filesize
25.6MB

Download
memory/1944-107-0x0000000005640000-0x0000000006FD8000-memory.dmp

Filesize
25.6MB

Download
memory/1944-115-0x0000000007FB0000-0x00000000084A4000-memory.dmp

Filesize
5.0MB

Download
memory/2792-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/2792-0-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2792-25-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2820-70-0x0000000004320000-0x0000000005CB8000-memory.dmp

Filesize
25.6MB

Download
memory/2820-66-0x0000000004320000-0x0000000005CB8000-memory.dmp

Filesize
25.6MB

Download
memory/2820-62-0x000007FEF5B60000-0x000007FEF605A000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing