Malware Analysis Report

2024-11-15 07:47

Sample ID 241111-dmk44a1jcx
Target e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf.exe
SHA256 e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf
Tags
milleniumrat discovery persistence rat spyware stealer gurcu
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf

Threat Level: Known bad

The file e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf.exe was found to be: Known bad.

Malicious Activity Summary

milleniumrat discovery persistence rat spyware stealer gurcu

Gurcu family

MilleniumRat

Gurcu, WhiteSnake

Milleniumrat family

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Adds Run key to start application

Enumerates processes with tasklist

Enumerates physical storage devices

Unsigned PE

Browser Information Discovery

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Modifies registry key

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 03:07

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 03:07

Reported

2024-11-11 03:10

Platform

win7-20241010-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf.exe"

Signatures

MilleniumRat

rat stealer milleniumrat

Milleniumrat family

milleniumrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe" | C:\Windows\system32\reg.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com (×3) | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates processes with tasklist

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2844 wrote to memory of 1996 (×3) | N/A | C:\Users\Admin\AppData\Local\Temp\e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf.exe | C:\Windows\System32\cmd.exe
PID 1996 wrote to memory of 2664 (×3) | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 1996 wrote to memory of 2652 (×3) | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\find.exe
PID 1996 wrote to memory of 1884 (×3) | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\timeout.exe
PID 1996 wrote to memory of 2632 (×3) | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
PID 2632 wrote to memory of 2568 (×3) | N/A | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe | C:\Windows\System32\cmd.exe
PID 2568 wrote to memory of 2044 (×3) | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 2632 wrote to memory of 2180 (×3) | N/A | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe | C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf.exe

"C:\Users\Admin\AppData\Local\Temp\e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpB847.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpB847.tmp.bat

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2844"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

"C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2632 -s 1768
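The process list above is the whole dropper-to-persistence chain, and behavioral2 shows the same chain with different PIDs: the sample writes a temporary .bat, runs it through cmd.exe with a trailing "& Del" so the script removes itself, the script polls "Tasklist /fi "PID eq <dropper pid>" | find ":"" with a one-second Timeout until the dropper has exited, then starts the copy in %APPDATA%\Roaming\GoogleChromeUpdateLog\Update.exe, which registers itself under HKCU\...\Run as "ChromeUpdate". The report only gives the batch file's hashes, not its contents, so the loop structure is inferred from the child processes; the find ":" test works because tasklist's "INFO: No tasks are running which match the specified criteria." message is the only output containing a colon. Below is an added detection example written for this page, not part of the sandbox output: it rebuilds the process tree from constructed (pid, ppid, image, command line) events copied from the behavioral1 list and flags the chain. The dropper's own parent PID (1000) is an assumption, since the report does not show it.

```python
"""Detect the dropper -> self-deleting .bat -> relocated copy -> Run key chain.

Added example, not part of the sandbox report. EVENTS is constructed from the
behavioral1 process list as (pid, ppid, image, command line); the dropper's
parent PID (1000) is an assumption, the report does not show it.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf.exe"
UPDATE = r"C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
BAT = r"C:\Users\Admin\AppData\Local\Temp\tmpB847.tmp.bat"
CMD = r"C:\Windows\System32\cmd.exe"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
REG_ADD = f"reg add {RUN_KEY} /v ChromeUpdate /t REG_SZ /d {UPDATE} /f"

EVENTS = [  # constructed from the behavioral1 process tree
    (2844, 1000, SAMPLE, f'"{SAMPLE}"'),
    (1996, 2844, CMD, f'"{CMD}" /C {BAT} & Del {BAT}'),
    (2664, 1996, r"C:\Windows\system32\tasklist.exe", 'Tasklist /fi "PID eq 2844"'),
    (2652, 1996, r"C:\Windows\system32\find.exe", 'find ":"'),
    (1884, 1996, r"C:\Windows\system32\timeout.exe", "Timeout /T 1 /Nobreak"),
    (2632, 1996, UPDATE, f'"{UPDATE}"'),
    (2568, 2632, CMD, f'"{CMD}" /c {REG_ADD}'),
    (2044, 2568, r"C:\Windows\system32\reg.exe", REG_ADD),
]

# cmd.exe /C <x>.bat & Del <same x>.bat: the batch file deletes itself.
BAT_SELFDELETE = re.compile(r"/c\s+(\S+\.bat)\s*&\s*del\s+\1", re.I)
# tasklist /fi "PID eq N": the script is polling for one PID to disappear.
TASKLIST_PID = re.compile(r'tasklist\s+/fi\s+"pid\s+eq\s+(\d+)"', re.I)
# reg add <hive>\...\CurrentVersion\Run /v <name> /t REG_SZ /d <target>
REG_RUN = re.compile(
    r"reg\s+add\s+(?:hkcu|hkey_current_user|hklm|hkey_local_machine)"
    r"\\software\\microsoft\\windows\\currentversion\\run"
    r'\s+/v\s+(\S+)\s+/t\s+reg_sz\s+/d\s+("[^"]+"|\S+)', re.I)


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def children(events):
    kids = defaultdict(list)
    for e in events:
        kids[e[1]].append(e)
    return kids


def descendants(kids, pid):
    out, stack = [], [pid]
    while stack:
        for e in kids[stack.pop()]:
            out.append(e)
            stack.append(e[0])
    return out


def detect_relocation_chain(events):
    """One finding per cmd.exe that runs a self-deleting .bat and launches
    something from AppData\\Roaming; fields say how complete the chain is."""
    kids, by_pid, findings = children(events), {e[0]: e for e in events}, []
    for pid, ppid, image, cmd in events:
        bat = BAT_SELFDELETE.search(cmd) if basename(image) == "cmd.exe" else None
        if not bat:
            continue
        subs = kids[pid]
        names = {basename(e[2]) for e in subs}
        polled = {int(m.group(1)) for e in subs for m in [TASKLIST_PID.search(e[3])] if m}
        waits = ppid in polled and {"find.exe", "timeout.exe"} <= names
        for launched in subs:
            if "\\appdata\\roaming\\" not in launched[2].lower():
                continue
            run_value = run_target = None
            for d in descendants(kids, launched[0]):  # cmd.exe and reg.exe both carry it
                r = REG_RUN.search(d[3])
                if r:
                    run_value, run_target = r.group(1), r.group(2).strip('"')
            findings.append({
                "dropper_pid": ppid,
                "dropper_image": by_pid[ppid][2] if ppid in by_pid else None,
                "batch": bat.group(1),
                "waits_for_parent_exit": waits,
                "relocated_to": launched[2],
                "run_value": run_value,
                "run_target": run_target,
                "persists_relocated_copy": bool(run_target) and run_target.lower() == launched[2].lower(),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_relocation_chain(EVENTS):
        print(finding)
```

To run this over real telemetry, feed it Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine) or the equivalent EDR process-create events; the three regexes are the detection, the tree walk is what ties the reg add back to the binary it persists. Each piece alone is noisy (cmd /C with a temp .bat, timeout, reg add to Run all occur in legitimate installers); the finding is strong when waits_for_parent_exit and persists_relocated_copy are both true, as they are here.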

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/2844-0-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

memory/2844-1-0x0000000000F90000-0x0000000001530000-memory.dmp

\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

MD5 65ccd6ecb99899083d43f7c24eb8f869
SHA1 27037a9470cc5ed177c0b6688495f3a51996a023
SHA256 aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
SHA512 533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

memory/2844-6-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

memory/2844-9-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB847.tmp.bat

MD5 209801139d95dd05d1549de59fd907aa
SHA1 bf9d6a0931c8e759ec90f454860fa4893ac28b24
SHA256 320f77a227485cbd6098c3713d41101b15f3c70c8029c7b1c650073612617a33
SHA512 a0c9d9b2301dc1d8c7ed5a9405a60bb78c5744f83d6eed7a7ca233c5c0210823984d934f649b0055764de555132fe96509147f238366b1bdb8318cfab750b551

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

MD5 3d3c49dd5d13a242b436e0a065cd6837
SHA1 e38a773ffa08452c449ca5a880d89cfad24b6f1b
SHA256 e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf
SHA512 dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00

memory/2632-14-0x0000000000850000-0x0000000000DF0000-memory.dmp

memory/2632-17-0x000000001B530000-0x000000001B59A000-memory.dmp

memory/2632-20-0x00000000026F0000-0x0000000002715000-memory.dmp

memory/2632-21-0x000000001B710000-0x000000001B7C2000-memory.dmp

memory/2632-22-0x000000001E110000-0x000000001E43E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 03:07

Reported

2024-11-11 03:10

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf.exe"

Signatures

Gurcu family

gurcu

Gurcu, WhiteSnake

stealer gurcu

MilleniumRat

rat stealer milleniumrat

Milleniumrat family

milleniumrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe" | C:\Windows\system32\reg.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com (×3) | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates processes with tasklist

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf.exe (×23) | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe (×27) | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3404 wrote to memory of 2244 (×2) | N/A | C:\Users\Admin\AppData\Local\Temp\e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf.exe | C:\Windows\System32\cmd.exe
PID 2244 wrote to memory of 1732 (×2) | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 2244 wrote to memory of 4516 (×2) | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\find.exe
PID 2244 wrote to memory of 2032 (×2) | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\timeout.exe
PID 2244 wrote to memory of 3476 (×2) | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
PID 3476 wrote to memory of 3164 (×2) | N/A | C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe | C:\Windows\System32\cmd.exe
PID 3164 wrote to memory of 3964 (×2) | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf.exe

"C:\Users\Admin\AppData\Local\Temp\e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp980A.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp980A.tmp.bat

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 3404"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

"C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/3404-0-0x00007FF9A05F3000-0x00007FF9A05F5000-memory.dmp

memory/3404-1-0x0000020216F20000-0x00000202174C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

MD5 65ccd6ecb99899083d43f7c24eb8f869
SHA1 27037a9470cc5ed177c0b6688495f3a51996a023
SHA256 aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
SHA512 533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

memory/3404-6-0x0000020231950000-0x00000202319C6000-memory.dmp

memory/3404-7-0x00007FF9A05F0000-0x00007FF9A10B1000-memory.dmp

memory/3404-8-0x00000202178F0000-0x000002021790E000-memory.dmp

memory/3404-12-0x00007FF9A05F0000-0x00007FF9A10B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp980A.tmp.bat

MD5 52b2ca4d8dc9cc7eeb91c80018b61b92
SHA1 0242d9d09f20a8b7824eeb7435ce532db7e798de
SHA256 0dcc56ea956c725458ba0ce6f21e30ff963f8a260058de2b582aac123f2c28ba
SHA512 c7e6cfa04449a03cbe3ec44e05c8bdb2da1646fd0ce666d49d9bc5e2dc99f6ac1ee3d995bbe2d94431457a461dde0e5286660822026bf2084eb2906f88b5b93c

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

MD5 3d3c49dd5d13a242b436e0a065cd6837
SHA1 e38a773ffa08452c449ca5a880d89cfad24b6f1b
SHA256 e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf
SHA512 dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00

memory/3476-19-0x0000023EBB990000-0x0000023EBB99A000-memory.dmp

memory/3476-20-0x0000023EBCBF0000-0x0000023EBCC5A000-memory.dmp

memory/3476-24-0x0000023EBB800000-0x0000023EBB826000-memory.dmp

memory/3476-23-0x0000023EBCCE0000-0x0000023EBCD1A000-memory.dmp

memory/3476-25-0x0000023EBD900000-0x0000023EBD9B2000-memory.dmp

memory/3476-26-0x0000023EBDA00000-0x0000023EBDA50000-memory.dmp

memory/3476-27-0x0000023EBD9B0000-0x0000023EBD9D2000-memory.dmp

memory/3476-28-0x0000023EBDC50000-0x0000023EBDF7E000-memory.dmp

memory/3476-47-0x0000023EBCCC0000-0x0000023EBCCD2000-memory.dmp
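Two things in the Network and Files sections of both runs deserve a second look before anything is turned into an indicator. First, the dropped Update.exe has the sample's own SHA256 (e0338c…4ecf in both runs), so it is a relocated self-copy, not a second payload, and a hash block on the sample already covers it; the sqlite.interop.dll under a Costura\ path is a native library unpacked from the .NET assembly's embedded resources, consistent with the "Reads user/profile data of web browsers" signature but a library hash rather than a malware-specific one. Second, the behavioral2 table is padded with in-addr.arpa reverse lookups that the Windows 10 sandbox performed against 8.8.8.8; only three names were ever connected to over TCP (ip-api.com, raw.githubusercontent.com and api.telegram.org, the last of which the report lists as a contacted host without attributing it to a signature). The following is an added triage example written for this page, not part of the report: it parses excerpts of the report's own Network and Files tables (copied above in the same whitespace layout), folds PTR names back into IPs, separates hosts actually contacted from lookup noise, and tags dropped files.

```python
"""Triage a sandbox report's Network and Files tables into IOCs and noise.
Added example, not part of the report. NETWORK and FILES are excerpts of the
behavioral2 tables copied in the report's whitespace layout (constructed input).
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_SHA256 = "e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf"
NETWORK = """
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
"""
FILES = r"""
C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll
SHA256 aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
C:\Users\Admin\AppData\Local\Temp\tmp980A.tmp.bat
SHA256 0dcc56ea956c725458ba0ce6f21e30ff963f8a260058de2b582aac123f2c28ba
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
MD5 3d3c49dd5d13a242b436e0a065cd6837
SHA256 e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf
memory/3476-19-0x0000023EBB990000-0x0000023EBB99A000-memory.dmp
"""
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$", re.I)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$", re.I)


def ptr_to_ip(name):
    """'220.167.154.149.in-addr.arpa' -> '149.154.167.220'; None for forward names."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def parse_network(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        ip, port = parts[1].rsplit(":", 1)
        rows.append((parts[0], ip, int(port), parts[2], parts[3].lower()))
    return rows


def triage_network(rows, resolver_ips=("8.8.8.8",)):
    """connections: hosts actually reached over TCP; lookups_without_connection:
    names resolved but never contacted; ptr_only: IPs seen only in reverse
    lookups, which on a Windows 10 image is mostly sandbox/OS noise."""
    connections, queried, ptr_ips = defaultdict(set), set(), set()
    for _country, ip, port, domain, proto in rows:
        if proto == "tcp":
            connections[domain].add(f"{ip}:{port}")
        elif ip in resolver_ips:
            rev = ptr_to_ip(domain)
            if rev:
                ptr_ips.add(rev)
            else:
                queried.add(domain.lower())
    contacted = {ep.split(":")[0] for eps in connections.values() for ep in eps}
    return {
        "connections": {d: sorted(v) for d, v in connections.items()},
        "lookups_without_connection": sorted(queried - set(connections)),
        "ptr_only": sorted(ptr_ips - contacted - set(resolver_ips), key=ipaddress.ip_address),
    }


def parse_files(text):
    """{path: {ALGO: digest}}; memory dumps have no hash lines and get {}."""
    files, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HASH_RE.match(line)
        if m and current is not None:
            files[current][m.group(1).upper()] = m.group(2).lower()
        elif line:
            current = line
            files[current] = {}
    return files


def classify_files(files, sample_sha256):
    """self-copy: same SHA256 as the sample; costura-embedded-resource: native
    library unpacked by Costura.Fody from the .NET assembly; memory-dump: sandbox
    artefact rather than a file the sample wrote."""
    tags = {}
    for path, hashes in files.items():
        if hashes.get("SHA256") == sample_sha256.lower():
            tags[path] = "self-copy"
        elif "\\costura\\" in path.lower():
            tags[path] = "costura-embedded-resource"
        elif path.lower().endswith("-memory.dmp"):
            tags[path] = "memory-dump"
        else:
            tags[path] = "other"
    return tags
```

The three connected hosts are all shared services, so blocking them outright is rarely acceptable; the host-side signal is a process started from %APPDATA%\Roaming reaching api.telegram.org or raw.githubusercontent.com, which the process-tree detection earlier on this page already isolates. The ptr_only list is what you should not copy into a blocklist: those addresses appear only because the sandbox reverse-resolved peers, and the report shows no connection from the sample to them.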