Tasks in this submission (score, sample, platform)

- 10  b2bd3de3e5...bb.exe  windows10-2004-x64
- 10  cd9ccf8681...f7.exe  windows10-2004-x64
- 10  cobaltstri...de.exe  windows10-2004-x64
- 10  default.exe  windows10-2004-x64
- 10  ec4f09f82d...d3.exe  windows10-2004-x64
- 10  emotet_exe...04.exe  windows10-2004-x64
- 10  emotet_exe...23.exe  windows10-2004-x64
- 10  eupdate.exe  windows10-2004-x64
- 7  f4f47c67be...3f.exe  windows10-2004-x64
- 10  fb5d110ced...9c.exe  windows10-2004-x64
- 6  fee15285c3...35.exe  windows10-2004-x64
- 10  file(1).exe  windows10-2004-x64
- 1  file.exe  windows10-2004-x64
- 7  gjMEi6eG.exe  windows10-2004-x64
- 10  good.exe  windows10-2004-x64
- 10  hyundai st...1).exe  windows10-2004-x64
- 10  hyundai st...10.exe  windows10-2004-x64
- 10  infected d...er.exe  windows10-2004-x64
- 10  inps_979.xls  windows10-2004-x64
- 1  june9.dll  windows10-2004-x64
- 10  mouse_2.exe  windows10-2004-x64
- 10  oof.exe  windows10-2004-x64
- 10  openme.exe  windows10-2004-x64
- 10  ou55sg33s_1.exe  windows10-2004-x64
- 10  senate.dll  windows10-2004-x64
- 10  starticon3.exe  windows10-2004-x64
- 10  update.exe  windows10-2004-x64
- 10  vir1.xlsx  windows10-2004-x64
- 1  wwf[1].exe  windows10-2004-x64
- 10  xNet.dll  windows10-2004-x64
- 1  전산 및...세요.exe  windows10-2004-x64
- 10  전산 및...요1.exe  windows10-2004-x64

Resubmissions (date, analysis id, score)

- 15/04/2025, 17:34  250415-v5ylksypw9  10
- 15/04/2025, 06:16  250415-g1p7ras1dw  10
- 14/04/2025, 08:06  250414-jzpwpstxhx  10
- 14/04/2025, 07:59  250414-jvg1assky4  10
- 14/04/2025, 07:22  250414-h7g1dss1h1  10
- 14/04/2025, 07:16  250414-h3xv2s1nv6  10
- 11/04/2025, 21:39  250411-1h113szzaz  10
- 01/04/2025, 21:24  250401-z8184awycs  10

Analysis
- max time kernel: 102s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20250410-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/04/2025, 08:06
Static task: static1

Behavioral tasks (task, sample, resource)

- behavioral1: b2bd3de3e5b0e35313263bef4b1ca49c5478d472f6d37d1070a57b1f6aa4f7bb.exe (win10v2004-20250314-en)
- behavioral2: cd9ccf8681ed1a5380f8a27cd6dc927ab719b04baa6c6583a0c793a6dc00d5f7.exe (win10v2004-20250410-en)
- behavioral3: cobaltstrike_shellcode.exe (win10v2004-20250314-en)
- behavioral4: default.exe (win10v2004-20250410-en)
- behavioral5: ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe (win10v2004-20250314-en)
- behavioral6: emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504.exe (win10v2004-20250314-en)
- behavioral7: emotet_exe_e3_93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1_2020-11-17__182823.exe (win10v2004-20250314-en)
- behavioral8: eupdate.exe (win10v2004-20250314-en)
- behavioral9: f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe (win10v2004-20250313-en)
- behavioral10: fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe (win10v2004-20250410-en)
- behavioral11: fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe (win10v2004-20250410-en)
- behavioral12: file(1).exe (win10v2004-20250410-en)
- behavioral13: file.exe (win10v2004-20250410-en)
- behavioral14: gjMEi6eG.exe (win10v2004-20250410-en)
- behavioral15: good.exe (win10v2004-20250314-en)
- behavioral16: hyundai steel-pipe- job 8010(1).exe (win10v2004-20250314-en)
- behavioral17: hyundai steel-pipe- job 8010.exe (win10v2004-20250314-en)
- behavioral18: infected dot net installer.exe (win10v2004-20250313-en)
- behavioral19: inps_979.xls (win10v2004-20250314-en)
- behavioral20: june9.dll (win10v2004-20250410-en)
- behavioral21: mouse_2.exe (win10v2004-20250410-en)
- behavioral22: oof.exe (win10v2004-20250410-en)
- behavioral23: openme.exe (win10v2004-20250410-en)
- behavioral24: ou55sg33s_1.exe (win10v2004-20250410-en)
- behavioral25: senate.dll (win10v2004-20250410-en)
- behavioral26: starticon3.exe (win10v2004-20250314-en)
- behavioral27: update.exe (win10v2004-20250410-en)
- behavioral28: vir1.xlsx (win10v2004-20250410-en)
- behavioral29: wwf[1].exe (win10v2004-20250314-en)
- behavioral30: xNet.dll (win10v2004-20250410-en)
- behavioral31: 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요.exe (win10v2004-20250410-en)
- behavioral32: 전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe (win10v2004-20250410-en)
General

- Target: ou55sg33s_1.exe
- Size: 609KB
- MD5: 347d7700eb4a4537df6bb7492ca21702
- SHA1: 983189dab4b523e19f8efd35eee4d7d43d84aca2
- SHA256: a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8
- SHA512: 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9
- SSDEEP: 12288:Y71ezsKspcx7aSekHeX/BoVrWyrl/XYUx58wT7tRw:IYzsDyAS/HeyWql/XYUz8wTDw
Malware Config
Signatures
- Betabot family
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modifies firewall policy service (3 TTPs, 4 IoCs)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (explorer.exe)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (explorer.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile (explorer.exe)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" (explorer.exe)
- Modiloader family
- ModiLoader Second Stage (6 IoCs; all matched by yara rule modiloader_stage2)
  - behavioral24/memory/2452-4-0x0000000000400000-0x000000000049F000-memory.dmp
  - behavioral24/memory/4228-13-0x0000000000A10000-0x0000000000B12000-memory.dmp
  - behavioral24/files/0x00070000000241ed-19.dat
  - behavioral24/memory/3392-24-0x0000000000400000-0x000000000049F000-memory.dmp
  - behavioral24/memory/4736-32-0x0000000000400000-0x000000000049F000-memory.dmp
  - behavioral24/memory/4316-43-0x0000000000400000-0x000000000049F000-memory.dmp
- Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 4 IoCs)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe (explorer.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "nrj.exe" (explorer.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\c91q3om5eq3.exe (ou55sg33s_1.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\c91q3om5eq3.exe\DisableExceptionChainValidation (ou55sg33s_1.exe)
- Checks BIOS information in registry (2 TTPs, 1 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorer.exe)
- Executes dropped EXE (6 IoCs)
  - c91q3om5eq3.exe: PIDs 3392, 3488, 4736, 4668, 4316, 4840
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "C:\\ProgramData\\Google Updater 5.0\\c91q3om5eq3.exe" (explorer.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\c91q3om5eq3.exe\"" (explorer.exe)
- Checks whether UAC is enabled (1 TTPs, 4 IoCs)
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (ou55sg33s_1.exe ×1, c91q3om5eq3.exe ×3)
- Unlabelled signature (heading missing from extraction; 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\c91q3om5eq3.exe\DisableExceptionChainValidation (ou55sg33s_1.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (11 IoCs)
  - 3980 ou55sg33s_1.exe (×1), 4228 explorer.exe (×7), 3488 c91q3om5eq3.exe (×1), 4668 c91q3om5eq3.exe (×1), 4840 c91q3om5eq3.exe (×1)
- Suspicious use of SetThreadContext (4 IoCs)
  - PID 2452 (ou55sg33s_1.exe) set thread context of 3980 (procid_target 84)
  - PID 3392 (c91q3om5eq3.exe) set thread context of 3488 (procid_target 92)
  - PID 4736 (c91q3om5eq3.exe) set thread context of 4668 (procid_target 99)
  - PID 4316 (c91q3om5eq3.exe) set thread context of 4840 (procid_target 106)
- Program crash (1 IoCs)
  - PID 320 WerFault.exe, pid_target 4228 (procid_target 85)
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ou55sg33s_1.exe ×2, explorer.exe ×1, c91q3om5eq3.exe ×3)
- Checks processor information in registry (2 TTPs, 10 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (c91q3om5eq3.exe ×3, ou55sg33s_1.exe ×1, explorer.exe ×1)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (c91q3om5eq3.exe ×3, ou55sg33s_1.exe ×1, explorer.exe ×1)
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (explorer.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (explorer.exe)
- Modifies Internet Explorer Protected Mode (1 TTPs, 4 IoCs)
  - Set value (int): \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" (explorer.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" (explorer.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" (explorer.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" (explorer.exe)
- Modifies Internet Explorer Protected Mode Banner (1 TTPs, 1 IoCs)
  - Set value (int): \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" (explorer.exe)
- Unlabelled signature (heading missing from extraction; 1 IoC)
  - Key created: \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Software\Microsoft\Internet Explorer\Main (explorer.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  - 4228 explorer.exe (×4)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  - 3980 ou55sg33s_1.exe (×2)
- Suspicious behavior: RenamesItself (1 IoCs)
  - 3980 ou55sg33s_1.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs; tokens listed per process)
  - 3980 ou55sg33s_1.exe: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33 (14 entries)
  - 4228 explorer.exe: the same 14 tokens as PID 3980
  - 3488 c91q3om5eq3.exe: the same 14 tokens as PID 3980
  - 4668 c91q3om5eq3.exe: the same 14 tokens as PID 3980
  - 4840 c91q3om5eq3.exe: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege (8 entries)
- Suspicious use of WriteProcessMemory (32 IoCs; identical rows grouped with a count)
  - PID 2452 (ou55sg33s_1.exe) wrote to memory of 3980, procid_target 84 (×5)
  - PID 3980 (ou55sg33s_1.exe) wrote to memory of 4228, procid_target 85 (×3)
  - PID 4936 (cmd.exe) wrote to memory of 3392, procid_target 91 (×3)
  - PID 3392 (c91q3om5eq3.exe) wrote to memory of 3488, procid_target 92 (×5)
  - PID 4820 (cmd.exe) wrote to memory of 4736, procid_target 98 (×3)
  - PID 4736 (c91q3om5eq3.exe) wrote to memory of 4668, procid_target 99 (×5)
  - PID 4812 (cmd.exe) wrote to memory of 4316, procid_target 105 (×3)
  - PID 4316 (c91q3om5eq3.exe) wrote to memory of 4840, procid_target 106 (×5)
Processes (tree; nesting shows parent/child)

- C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe (PID 2452)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe (PID 3980)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe"
    - Event Triggered Execution: Image File Execution Options Injection
    - Checks whether UAC is enabled
    - Indicator Removal: Clear Persistence
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (PID 4228)
      Command line: C:\Windows\SysWOW64\explorer.exe
      - Modifies firewall policy service
      - Event Triggered Execution: Image File Execution Options Injection
      - Checks BIOS information in registry
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies Internet Explorer Protected Mode
      - Modifies Internet Explorer Protected Mode Banner
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 320)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1140
        - Program crash
- C:\Windows\system32\cmd.exe (PID 3696)
  Command line: C:\Windows\system32\cmd.exe /c C:\ProgramData\Google Updater 5.0\c91q3om5eq3.exe
- C:\Windows\system32\cmd.exe (PID 4936)
  Command line: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Google Updater 5.0\c91q3om5eq3.exe"
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Google Updater 5.0\c91q3om5eq3.exe (PID 3392)
    Command line: "C:\ProgramData\Google Updater 5.0\c91q3om5eq3.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\Google Updater 5.0\c91q3om5eq3.exe (PID 3488)
      Command line: "C:\ProgramData\Google Updater 5.0\c91q3om5eq3.exe"
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\cmd.exe (PID 4956)
  Command line: C:\Windows\system32\cmd.exe /c C:\ProgramData\Google Updater 5.0\c91q3om5eq3.exe
- C:\Windows\system32\cmd.exe (PID 4820)
  Command line: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Google Updater 5.0\c91q3om5eq3.exe"
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Google Updater 5.0\c91q3om5eq3.exe (PID 4736)
    Command line: "C:\ProgramData\Google Updater 5.0\c91q3om5eq3.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\Google Updater 5.0\c91q3om5eq3.exe (PID 4668)
      Command line: "C:\ProgramData\Google Updater 5.0\c91q3om5eq3.exe"
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\cmd.exe (PID 4800)
  Command line: C:\Windows\system32\cmd.exe /c C:\ProgramData\Google Updater 5.0\c91q3om5eq3.exe
- C:\Windows\system32\cmd.exe (PID 4812)
  Command line: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Google Updater 5.0\c91q3om5eq3.exe"
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Google Updater 5.0\c91q3om5eq3.exe (PID 4316)
    Command line: "C:\ProgramData\Google Updater 5.0\c91q3om5eq3.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\Google Updater 5.0\c91q3om5eq3.exe (PID 4840)
      Command line: "C:\ProgramData\Google Updater 5.0\c91q3om5eq3.exe"
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 5608)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4228 -ip 4228
Network
MITRE ATT&CK Enterprise v16 (tactic, technique (count): sub-technique (count))

- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
  - Event Triggered Execution (1): Image File Execution Options Injection (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
  - Event Triggered Execution (1): Image File Execution Options Injection (1)
- Defense Evasion
  - Impair Defenses (1): Disable or Modify System Firewall (1)
  - Indicator Removal (1): Clear Persistence (1)
  - Modify Registry (5)