Analysis
max time kernel: 143s
max time network: 144s
platform: windows7_x64
resource: win7v200217
submitted: 18-02-2020 20:06

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: 444444.exe
Resource: win7v200217 (windows7_x64)
0 signatures, 0 seconds
General
Target: 444444.exe
Size: 340KB
MD5: 36af3d937d99c46cd829957af7f37886
SHA1: 6901f63c7339374c0c1b499f593b0a7520c2e266
SHA256: 871371ff7eb668d8281e8a01af78e4f037f5204311e996b7a133e0d5c51a612e
SHA512: 2cf1464e7fe0645dbc2b9b6e0b158c512ffc8fa9d3b1ba5f10fdefdd3674d69a5a36c7be74b9468d6af9a62972728b13f62e43c3ccb7386e5c415d5d05608e5d
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 77 IoCs
Processes (writer PID and image -> target PID and image; identical records counted):
1856 444444.exe -> 1868 444444.exe (x4)
1856 444444.exe -> 1884 gmabuyou.exe (x4)
1856 444444.exe -> 1912 schtasks.exe (x4)
1884 gmabuyou.exe -> 1940 gmabuyou.exe (x4)
1884 gmabuyou.exe -> 1964 explorer.exe (x5)
1360 taskeng.exe -> 336 444444.exe (x4)
336 444444.exe -> 1564 reg.exe (x4)
336 444444.exe -> 108 reg.exe (x4)
336 444444.exe -> 788 reg.exe (x4)
336 444444.exe -> 748 reg.exe (x4)
336 444444.exe -> 1596 reg.exe (x4)
336 444444.exe -> 1484 reg.exe (x4)
336 444444.exe -> 1656 reg.exe (x4)
336 444444.exe -> 1632 reg.exe (x4)
336 444444.exe -> 1612 reg.exe (x4)
336 444444.exe -> 1672 gmabuyou.exe (x3; the page lists 64 of the 77 records)
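The write records above are a flattened table, and the useful signal in them is not the raw count but the shape of the graph: which image writes into which, and whether a dropped binary ends up writing into an OS host. The script below is an added example for this report (not output of the sandbox) that parses the page's one-line record format, counts writer/target edges, flags writes from a non-OS image into a long-lived OS host, and walks the edges back to reconstruct the launch chain. The input is a constructed subset of the records listed above, and OS_HOST_IMAGES is an assumed list, not something the report states.

```python
"""Rebuild the cross-process write graph from a sandbox report's flattened
'PID X wrote to memory of Y' records and point at likely injection targets.

Added example for this report; not part of the sandbox's own output."""
import re
from collections import Counter, defaultdict

# Constructed input: a subset of the WriteProcessMemory records listed above,
# in the same flattened one-line form the page uses.
SAMPLE_RECORDS = (
    "PID 1856 wrote to memory of 1868 1856 444444.exe 444444.exe "
    "PID 1856 wrote to memory of 1868 1856 444444.exe 444444.exe "
    "PID 1856 wrote to memory of 1884 1856 444444.exe gmabuyou.exe "
    "PID 1856 wrote to memory of 1912 1856 444444.exe schtasks.exe "
    "PID 1884 wrote to memory of 1940 1884 gmabuyou.exe gmabuyou.exe "
    "PID 1884 wrote to memory of 1964 1884 gmabuyou.exe explorer.exe "
    "PID 1884 wrote to memory of 1964 1884 gmabuyou.exe explorer.exe "
    "PID 1360 wrote to memory of 336 1360 taskeng.exe 444444.exe "
    "PID 336 wrote to memory of 1564 336 444444.exe reg.exe "
    "PID 336 wrote to memory of 1672 336 444444.exe gmabuyou.exe -"
)

RECORD_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)"
)

# Long-lived OS images that malware commonly hollows or injects into.
# This list is an assumption of the example, not taken from the report;
# utilities the sample merely launches (reg.exe, schtasks.exe) are left out
# because a parent also writes into its fresh child at CreateProcess time.
OS_HOST_IMAGES = {"explorer.exe", "svchost.exe", "rundll32.exe",
                  "regsvr32.exe", "dllhost.exe"}


def parse_writes(text):
    """Counter of (writer pid, writer image, target pid, target image) -> writes."""
    edges = Counter()
    for m in RECORD_RE.finditer(text):
        edges[(int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"])] += 1
    return edges


def injection_candidates(edges, hosts=OS_HOST_IMAGES):
    """Writes from a non-OS image into an OS host image, e.g. the
    gmabuyou.exe -> explorer.exe edge in the report."""
    return sorted(
        (src_img, dst_img, dst_pid, n)
        for (src_pid, src_img, dst_pid, dst_img), n in edges.items()
        if dst_img.lower() in hosts and src_img.lower() not in hosts
    )


def lineage(edges, pid):
    """Walk writer edges from pid back to a root. A parent writes into its
    new child during CreateProcess, so the write graph approximates the
    process tree. PID reuse inside one run is not handled."""
    writers, images = defaultdict(set), {}
    for src_pid, src_img, dst_pid, dst_img in edges:
        writers[dst_pid].add((src_pid, src_img))
        images[dst_pid] = dst_img
        images.setdefault(src_pid, src_img)
    chain, seen = [(pid, images.get(pid, "?"))], {pid}
    while writers.get(pid):
        src_pid, src_img = min(writers[pid])
        if src_pid in seen:
            break
        seen.add(src_pid)
        chain.append((src_pid, src_img))
        pid = src_pid
    return chain[::-1]


if __name__ == "__main__":
    edges = parse_writes(SAMPLE_RECORDS)
    for src_img, dst_img, dst_pid, n in injection_candidates(edges):
        path = " -> ".join(f"{p}:{img}" for p, img in lineage(edges, dst_pid))
        print(f"{src_img} wrote {n}x into {dst_img} (pid {dst_pid}); chain: {path}")
```

In the full list above every ordinary child launch shows four writes and explorer.exe five, so the count alone is a weak discriminator; the image mismatch (a dropped binary writing into an OS host) and what that host does afterwards carry the weight. Here the explorer.exe in question is started from SysWOW64 as a child of gmabuyou.exe and is the process that writes the Run key, which is not behaviour of a normal shell instance.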
Loads dropped DLL 3 IoCs
Processes (pid, image):
1856 444444.exe (x2)
336 444444.exe
Turns off Windows Defender SpyNet reporting 6 IoCs
Processes (ioc, process):
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = "0"  [reg.exe]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = "2"  [reg.exe]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"  [reg.exe]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"  [reg.exe]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0"  [reg.exe]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2"  [reg.exe]
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Adds Run entry to start application 2 TTPs 1 IoCs
Processes (ioc, process):
Set value (str) \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\Run\obbxuwnp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Dfadj\\gmabuyou.exe\""  [explorer.exe]
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes (pid, image):
1856 444444.exe
1868 444444.exe (x2)
1884 gmabuyou.exe
1940 gmabuyou.exe (x2)
1964 explorer.exe (x2)
336 444444.exe
1672 gmabuyou.exe
744 gmabuyou.exe (x2)
Executes dropped EXE 4 IoCs
Processes (pid, image):
1884 gmabuyou.exe
1940 gmabuyou.exe
1672 gmabuyou.exe
744 gmabuyou.exe
Suspicious behavior: MapViewOfSection 1 IoCs
Processes (pid, image):
1884 gmabuyou.exe
Windows security bypass
Processes (ioc, process):
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths  [reg.exe]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Dfadj = "0"  [reg.exe]
Runs ping.exe 1 TTPs 1 IoCs
-
Windows security modification
Processes (ioc, process):
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet  [reg.exe] (x2)
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet  [reg.exe] (x2)
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet  [reg.exe] (x2)
Processes (tree; [n] is the nesting depth, "cmd:" the recorded command line)

[1] C:\Users\Admin\AppData\Local\Temp\444444.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\444444.exe"
    - Suspicious use of WriteProcessMemory
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\AppData\Local\Temp\444444.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\444444.exe /C
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Dfadj\gmabuyou.exe
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Dfadj\gmabuyou.exe
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses
      - Executes dropped EXE
      - Suspicious behavior: MapViewOfSection
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Dfadj\gmabuyou.exe
        cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Dfadj\gmabuyou.exe /C
        - Suspicious behavior: EnumeratesProcesses
        - Executes dropped EXE
    [3] C:\Windows\SysWOW64\explorer.exe
        cmd: C:\Windows\SysWOW64\explorer.exe
        - Adds Run entry to start application
        - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\schtasks.exe
      cmd: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn fldlrvvp /tr "\"C:\Users\Admin\AppData\Local\Temp\444444.exe\" /I fldlrvvp" /SC ONCE /Z /ST 21:09 /ET 21:21
      - Creates scheduled task(s)

[1] C:\Windows\system32\taskeng.exe
    cmd: taskeng.exe {17DF42A8-F9BF-413B-9D14-DB3C67EC9567} S-1-5-18:NT AUTHORITY\System:Service:
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\444444.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\444444.exe /I fldlrvvp
      - Suspicious use of WriteProcessMemory
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\system32\reg.exe
        cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        - Turns off Windows Defender SpyNet reporting
        - Windows security modification
    [3] C:\Windows\system32\reg.exe
        cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        - Turns off Windows Defender SpyNet reporting
        - Windows security modification
    [3] C:\Windows\system32\reg.exe
        cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    [3] C:\Windows\system32\reg.exe
        cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    [3] C:\Windows\system32\reg.exe
        cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        - Turns off Windows Defender SpyNet reporting
        - Windows security modification
    [3] C:\Windows\system32\reg.exe
        cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        - Turns off Windows Defender SpyNet reporting
        - Windows security modification
    [3] C:\Windows\system32\reg.exe
        cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        - Turns off Windows Defender SpyNet reporting
        - Windows security modification
    [3] C:\Windows\system32\reg.exe
        cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        - Turns off Windows Defender SpyNet reporting
        - Windows security modification
    [3] C:\Windows\system32\reg.exe
        cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Dfadj" /d "0"
        - Windows security bypass
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Dfadj\gmabuyou.exe
        cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Dfadj\gmabuyou.exe
        - Suspicious behavior: EnumeratesProcesses
        - Executes dropped EXE
      [4] C:\Users\Admin\AppData\Roaming\Microsoft\Dfadj\gmabuyou.exe
          cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Dfadj\gmabuyou.exe /C
          - Suspicious behavior: EnumeratesProcesses
          - Executes dropped EXE
    [3] C:\Windows\System32\cmd.exe
        cmd: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\444444.exe"
      [4] C:\Windows\system32\PING.EXE
          cmd: ping.exe -n 6 127.0.0.1
          - Runs ping.exe
    [3] C:\Windows\system32\schtasks.exe
        cmd: "C:\Windows\system32\schtasks.exe" /DELETE /F /TN fldlrvvp
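The second half of the tree is a compact privilege-escalation and defence-evasion sequence: a SYSTEM scheduled task whose action lives in the user's Temp directory, nine reg.exe calls that switch off Defender cloud reporting and sample submission and exclude the drop directory, a cmd.exe that sleeps on ping and then overwrites the original dropper with calc.exe, and a schtasks /DELETE to remove the task. The script below is an added example for this report (not the sandbox's own signature logic) that expresses those four behaviours as command-line triage rules. It uses a minimal CommandLineToArgvW-style tokenizer so the nested, backslash-escaped /tr value parses correctly; the input is a constructed list of the command lines from the tree plus one invented benign reg.exe line as a control, and USER_WRITABLE is an assumed list of user-writable directory fragments.

```python
"""Command-line triage rules for the behaviour in the process tree above:
Defender cloud-reporting and exclusion tampering through reg.exe, a SYSTEM
scheduled task whose action lives in a user-writable directory, a delayed
self-overwrite through cmd.exe, and the task cleanup.

Added example for this report; not the sandbox's own signature logic."""

# Constructed input: command lines copied from the process tree, plus one
# benign reg.exe line (invented) as a control.
SAMPLE_CMDLINES = [
    r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn fldlrvvp /tr "\"C:\Users\Admin\AppData\Local\Temp\444444.exe\" /I fldlrvvp" /SC ONCE /Z /ST 21:09 /ET 21:21',
    r'C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"',
    r'C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"',
    r'C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"',
    r'C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Dfadj" /d "0"',
    r'"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\444444.exe"',
    r'"C:\Windows\system32\schtasks.exe" /DELETE /F /TN fldlrvvp',
    r'C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\ExampleVendor\App" /f /t REG_DWORD /v "Installed" /d "1"',
]

# Directory fragments an unprivileged user can write to (assumed list). A
# SYSTEM task whose action resolves here crosses a privilege boundary.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def win_argv(cmdline):
    """Minimal CommandLineToArgvW-style split: whitespace separates args,
    double quotes group, and backslash-quote yields a literal quote (enough
    for the nested /tr value above; the full MSVCRT backslash rules are omitted)."""
    args, cur, in_q, i = [], [], False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\" and i + 1 < len(cmdline) and cmdline[i + 1] == '"':
            cur.append('"')
            i += 2
            continue
        if c == '"':
            in_q = not in_q
        elif c.isspace() and not in_q:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        args.append("".join(cur))
    return args


def switches(argv):
    """Map /switch -> following value ('' when the switch takes none)."""
    out, i = {}, 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("/"):
            val = ""
            if i + 1 < len(argv) and not argv[i + 1].startswith("/"):
                val = argv[i + 1]
                i += 1
            out[tok[1:].lower()] = val
        i += 1
    return out


def image_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(cmdlines):
    """Return (rule, detail) findings in input order."""
    findings = []
    for raw in cmdlines:
        argv = win_argv(raw)
        if not argv:
            continue
        exe, sw = image_name(argv[0]), switches(argv)
        if exe == "reg.exe" and len(argv) > 2 and argv[1].upper() == "ADD":
            key, name, data = argv[2], sw.get("v", ""), sw.get("d", "")
            # SpyNetReporting=0 disables cloud (MAPS) reporting and
            # SubmitSamplesConsent=2 means "never send". Matching on the SpyNet
            # leaf rather than one exact path also catches the
            # Wow6432Node\Microsoft AntiMalware variant in the tree above,
            # which the sandbox's own signature did not tag.
            if "\\spynet" in key.lower() and (name.lower(), data) in {
                    ("spynetreporting", "0"), ("submitsamplesconsent", "2")}:
                findings.append(("defender_cloud_reporting_disabled", f"{key}\\{name}={data}"))
            elif "\\windows defender\\exclusions\\" in key.lower():
                findings.append(("defender_exclusion_added", name))
        elif exe == "schtasks.exe":
            if "create" in sw:
                action = win_argv(sw.get("tr", ""))
                target = action[0] if action else ""
                # /RU SYSTEM runs the action as S-1-5-18 (see the taskeng.exe
                # line in the tree); /Z deletes the task after its final run.
                if "system" in sw.get("ru", "").lower() and any(
                        d in target.lower() for d in USER_WRITABLE):
                    findings.append(("system_task_from_user_writable_path",
                                     f"{sw.get('tn', '')}: {target}"))
            elif "delete" in sw:
                findings.append(("scheduled_task_deleted", sw.get("tn", "")))
        elif exe == "cmd.exe":
            low = [a.lower() for a in argv]
            if any(a in ("ping", "ping.exe") for a in low) and "type" in low and ">" in low:
                t, r = low.index("type"), low.index(">")
                # "ping -n N 127.0.0.1" is a sleep; "type X > Y" then replaces
                # the dropper on disk with a benign file instead of deleting it.
                if r == t + 2 and r + 1 < len(argv):
                    findings.append(("delayed_overwrite_via_ping_type",
                                     f"{argv[t + 1]} -> {argv[r + 1]}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_CMDLINES):
        print(f"{rule:40s} {detail}")
```

The rules deliberately key on semantics (the SpyNet leaf and value pair, the task principal plus action directory, the ping-then-type shape) rather than on the exact strings in this run, since the task name, drop directory and Run value name here are clearly random per infection. Note that the overwrite target is the original dropper path, so a post-incident hash of C:\Users\Admin\AppData\Local\Temp\444444.exe would match calc.exe, not the MD5/SHA256 listed under General; the persisted copy is gmabuyou.exe in AppData\Roaming.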
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (dropped files and memory dumps; repeated entries counted)
C:\Users\Admin\AppData\Roaming\Microsoft\Dfadj\gmabuyou.dat
C:\Users\Admin\AppData\Roaming\Microsoft\Dfadj\gmabuyou.exe (x5)
\Users\Admin\AppData\Roaming\Microsoft\Dfadj\gmabuyou.exe (x3)
memory/744-12-0x0000000002650000-0x0000000002661000-memory.dmp  Filesize 68KB
memory/1868-0-0x0000000002430000-0x0000000002441000-memory.dmp  Filesize 68KB
memory/1884-7-0x00000000006D0000-0x000000000070B000-memory.dmp  Filesize 236KB
memory/1940-6-0x00000000025F0000-0x0000000002601000-memory.dmp  Filesize 68KB