Overview

overview

10

Static

static

3

GoogleUpdatesw.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    44s
  • max time network
    34s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-01-2025 21:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GoogleUpdatesw.exe

  • Size

    193KB

  • MD5

    eceafd1f4ea2330cace3e01abadb5708

  • SHA1

    812026d0f7f651d9dad1663e3c4c30a36d48a9bb

  • SHA256

    b116fb54a2c9348c77db4cb1007703d7c442064e576736145ee1888b54fe560b

  • SHA512

    ddad572f43452627b65156a2ea3f552cfa3f321663ab392b1ad6b9d746b5a2c81748b54009fbd00baeaadd5b6b551ba7ec2229c66e574f9e075f74fef7970ab6

  • SSDEEP

    3072:9KXYRI3KBms7dwpXOAoRLPr8XUk5Ysr5L0kN8zJ2AfVVBbOm2btPc:PcEPWOAoRLPkUctgh2UHi6

Score
10/10
asyncratgdfjbxc9asdiscoveryrat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

GDFjbxc9as

Mutex

Gx0edRwRzsDs0gzwQ

Attributes
  • delay

    1

  • install

    true

  • install_file

    GoogleUpdates.exe

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/QLnQD5yh

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 57 IoCs
  • Suspicious use of SendNotifyMessage 57 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GoogleUpdatesw.exe
    "C:\Users\Admin\AppData\Local\Temp\GoogleUpdatesw.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3624
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Security\{FEFl0DED-35SE-4e06-938l-9B24D7F7CC88}.{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}\GoogleUpdatesw.exe
      C:\Users\Admin\AppData\Local\Microsoft\Windows\Security\{FEFl0DED-35SE-4e06-938l-9B24D7F7CC88}.{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}\GoogleUpdatesw.exe
      2⤵
      • Executes dropped EXE
      PID:3092
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:828
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4236
    • C:\Users\Admin\AppData\Local\Temp\GoogleUpdatesw.exe
      "C:\Users\Admin\AppData\Local\Temp\GoogleUpdatesw.exe"
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Security\{FEFl0DED-355E-4e06-93Bl-9B24D7F7CC88}.{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}\GoogleUpdatesw.exe
        C:\Users\Admin\AppData\Local\Microsoft\Windows\Security\{FEFl0DED-355E-4e06-93Bl-9B24D7F7CC88}.{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}\GoogleUpdatesw.exe
        2⤵
        • Executes dropped EXE
        PID:4356
    • C:\Users\Admin\AppData\Local\Temp\GoogleUpdatesw.exe
      "C:\Users\Admin\AppData\Local\Temp\GoogleUpdatesw.exe"
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4044
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Security\{FEF10DED-355E-4e06-938l-9B2407F7CC88}.{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}\GoogleUpdatesw.exe
        C:\Users\Admin\AppData\Local\Microsoft\Windows\Security\{FEF10DED-355E-4e06-938l-9B2407F7CC88}.{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}\GoogleUpdatesw.exe
        2⤵
        • Executes dropped EXE
        PID:3628

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Security\{FEFl0DED-355E-4e06-93Bl-9B24D7F7CC88}.{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}\GoogleUpdatesw.exe
      Filesize

      101KB

      MD5

      d7fe63ee6cc77ca031e9e70b24577497

      SHA1

      940b1cb7b634620f7af2920ab589b818f49ab705

      SHA256

      1815cc4a209b11255c2d1491cc166ed6fe1241ad76b8962b95609ee260977ba3

      SHA512

      86eaf68feb4c3b6637cd09133bfe51f386bc03e3ce05dcfe5da0b1b22f74da12d06873ad7a80ed98a27ad1160f5312f7d2bf92325ecee43f554461aebdccdd81

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Security\{FEFl0DED-35SE-4e06-938l-9B24D7F7CC88}.{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}\GoogleUpdatesw.exe
      Filesize

      101KB

      MD5

      b84d269dfe8d0d34a56ddd58101f8356

      SHA1

      4db8bbcaf8710c8d8f2765b25e9ee8defea8df36

      SHA256

      a4f14efa09ffd1089aff6686c43af8d7d47c4c52408f27d18771562f3e59002c

      SHA512

      8b63bf18da4ddcb8adaaf13425c9d051786dccf313b0c0f37dbf75ebf5da738dcb45abff71e98da441d0491d5f744ce7320ce612afa0303c0613b790d317ec52

      Download Submit

    • memory/828-69-0x0000022512590000-0x0000022512591000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-64-0x0000022512590000-0x0000022512591000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-65-0x0000022512590000-0x0000022512591000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-67-0x0000022512590000-0x0000022512591000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-58-0x0000022512590000-0x0000022512591000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-60-0x0000022512590000-0x0000022512591000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-59-0x0000022512590000-0x0000022512591000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-68-0x0000022512590000-0x0000022512591000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-66-0x0000022512590000-0x0000022512591000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-70-0x0000022512590000-0x0000022512591000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3092-33-0x00007FFD0AF03000-0x00007FFD0AF05000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3092-34-0x00000000003A0000-0x00000000003C0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/3092-36-0x00007FFD0AF00000-0x00007FFD0B9C1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3092-35-0x00007FFD0AF00000-0x00007FFD0B9C1000-memory.dmp

      Filesize

      10.8MB

      Download