Analysis
max time kernel: 119s
max time network: 123s
platform: windows10_x64
resource: win10-en-20211104
submitted: 24-11-2021 14:07
Static task: static1

Behavioral task: behavioral1
  Sample: GST-48B3.cmd.exe
  Resource: win7-en-20211014
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: GST-48B3.cmd.exe
  Resource: win10-en-20211104
  0 signatures, 0 seconds
General
Target: GST-48B3.cmd.exe (double extension: despite the ".cmd" in the name, the sample runs as its own process, PID 2436 below, so it is an executable rather than a batch script)
Size: 1.4MB
MD5: 032f4480781e0ed708241d92d8b6c718
SHA1: 1b1e6009b1d1f76ce17197bbda33fedd6e0e1175
SHA256: 064fe665dce5b2cf6d824290c2fdebea593f26b0c4b05efbdd3e300ab926900f
SHA512: 6ad6d3f4e8c84f50f1931917da9027a3bbb7302caa923483888bf3c6cc073f82b649666b16d28a3ac3e154fdaea9d3d2a42a3b875ea4831f15ca14e0b74c071f

Score: 4/10
Malware Config
Signatures
Drops file in Windows directory (1 IoC)
  description                  | ioc                               | Process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe

  The path is the Windows Image Acquisition (WIA) trace log, and the process that opens it is mspaint.exe, not the sample: it is a side effect of Paint opening the bitmap it was launched with, not a payload written by the sample.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  This is a generic heuristic. Nothing else in this report supports a ransomware verdict: the only file modification recorded is mspaint.exe touching wiatrace.log, and no user files are written or renamed.
Modifies registry class (1 IoC)
  description | ioc                                                                          | Process
  Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings | cmd.exe

  The key is created by cmd.exe, the process that launches Receipt.bmp through its file association in the tree below; this is consistent with association lookup, not with a persistence mechanism (no Run key or service is touched anywhere in the report).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  | Process
  3348 | mspaint.exe
  3348 | mspaint.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
  pid  | Process
  2436 | GST-48B3.cmd.exe
  2436 | GST-48B3.cmd.exe
  2436 | GST-48B3.cmd.exe
  3348 | mspaint.exe
  3348 | mspaint.exe
  3348 | mspaint.exe
  3348 | mspaint.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description                      | pid  | Process          | procid_target
  PID 2436 wrote to memory of 3476 | 2436 | GST-48B3.cmd.exe | 68
  PID 2436 wrote to memory of 3476 | 2436 | GST-48B3.cmd.exe | 68
  PID 2436 wrote to memory of 3476 | 2436 | GST-48B3.cmd.exe | 68
  PID 3476 wrote to memory of 3348 | 3476 | cmd.exe          | 70
  PID 3476 wrote to memory of 3348 | 3476 | cmd.exe          | 70
  PID 3476 wrote to memory of 3348 | 3476 | cmd.exe          | 70

  In both cases the target (3476, then 3348) is the writer's own direct child in the process tree below, and the writes occur at process start; that pattern is what ordinary process creation looks like to this signature, so on its own it is not evidence of injection into an unrelated process. The procid_target column is the sandbox's internal process index, not a Windows PID.
Processes

1  C:\Users\Admin\AppData\Local\Temp\GST-48B3.cmd.exe  (PID 2436)
   command line: "C:\Users\Admin\AppData\Local\Temp\GST-48B3.cmd.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\SysWOW64\cmd.exe  (PID 3476)
      command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Receipt.bmp
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\mspaint.exe  (PID 3348)
         command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Receipt.bmp"
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx

1  \??\c:\windows\system32\svchost.exe  (PID 1136)
   command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
   (separate root, not a child of the sample; no signature is attached to it)

Reading the tree: the sample does not open Receipt.bmp itself. It runs cmd.exe /c on the bitmap, and cmd.exe hands a non-executable file to whatever application is registered for its extension, which is how mspaint.exe ends up as the grandchild. The SysWOW64 paths show the sample is a 32-bit process. A "Receipt" image shown to the user while a double-extension executable is running is the usual lure-document pattern; the report records no network activity and no further file writes by the sample, so what else it does beyond displaying the bitmap is not visible here.
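The dropper -> cmd.exe /c <document> -> document-handler chain above is a reusable hunting pattern. The following is an added example, not part of the sandbox report or its detection logic: a Python script that rebuilds a process tree from process-creation events and flags that chain, with sample events constructed to mirror the tree above (the ppid values 1000 and 600, the field names pid/ppid/image/cmdline, and the DOC_EXT list are assumptions).

```python
"""Rebuild a process tree from process-creation events and flag the
dropper -> cmd.exe /c <document> -> document-handler chain.

Added example for this report; the EVENTS below are constructed to mirror
the tree in the report and are not the sandbox's raw log. Field names
(pid, ppid, image, cmdline) and the DOC_EXT list are assumptions.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: list = field(default_factory=list)


# Constructed sample events (ppid 1000 and 600 are placeholder parents not in the log).
EVENTS = [
    {"pid": 2436, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\GST-48B3.cmd.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\GST-48B3.cmd.exe"'},
    {"pid": 3476, "ppid": 2436,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Receipt.bmp"},
    {"pid": 3348, "ppid": 3476,
     "image": r"C:\Windows\SysWOW64\mspaint.exe",
     "cmdline": r'"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Receipt.bmp"'},
    {"pid": 1136, "ppid": 600,
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService"},
]

# Data-file extensions that cmd.exe hands to a registered handler (assumed list, extend as needed).
DOC_EXT = (".bmp", ".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt", ".rtf", ".docx", ".xlsx")
# Parent image launched from a user-writable temp directory, as the sample in the report was.
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# "name.cmd.exe", "name.pdf.exe": a short extension immediately before .exe.
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,4}\.exe$", re.I)
# cmd.exe (bare or with a path, quoted or not) followed by /c and a single argument.
CMD_C = re.compile(r'^"?(?:[^"\s]*\\)?cmd\.exe"?\s+/c\s+"?([^"]+?)"?\s*$', re.I)


def build_tree(events):
    """Return (pid -> Proc, roots). A root is any process whose parent is absent from the events."""
    procs = {e["pid"]: Proc(e["pid"], e["ppid"], e["image"], e["cmdline"]) for e in events}
    roots = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        (parent.children if parent else roots).append(p)
    return procs, roots


def double_extension(image):
    """True for file names such as GST-48B3.cmd.exe."""
    return DOUBLE_EXT.search(image.rsplit("\\", 1)[-1]) is not None


def cmd_c_document(cmdline):
    """Path of the data file if cmdline is `cmd.exe /c <data file>`, else None."""
    m = CMD_C.match(cmdline)
    if m and m.group(1).lower().endswith(DOC_EXT):
        return m.group(1)
    return None


def find_lure_chains(procs):
    """(dropper pid, cmd pid, handler pid, document) for each dropper -> cmd /c doc -> handler chain."""
    hits = []
    for cmd in procs.values():
        doc = cmd_c_document(cmd.cmdline)
        parent = procs.get(cmd.ppid)
        if doc is None or parent is None or not USER_TEMP.search(parent.image):
            continue
        # The handler is whichever child of cmd.exe was started with the same document path.
        for handler in cmd.children:
            if doc.lower() in handler.cmdline.lower():
                hits.append((parent.pid, cmd.pid, handler.pid, doc))
    return hits


def render(roots, depth=0, lines=None):
    """Indented tree in the report's style: one line per process, children under their parent."""
    lines = [] if lines is None else lines
    for p in roots:
        flag = " [double extension]" if double_extension(p.image) else ""
        lines.append(f"{'   ' * depth}[{p.pid}] {p.cmdline}{flag}")
        render(p.children, depth + 1, lines)
    return lines


if __name__ == "__main__":
    procs, roots = build_tree(EVENTS)
    print("\n".join(render(roots)))
    for dropper, cmd, handler, doc in find_lure_chains(procs):
        print(f"lure-document chain: {dropper} -> cmd.exe {cmd} -> {handler} opens {doc}")
```

Run against the constructed events it prints the two-root tree (the svchost.exe DeviceAssociationService process stays a separate root, exactly as in the report) and one chain, 2436 -> 3476 -> 3348 opening Receipt.bmp. The parent-directory check is what keeps the rule quiet on an administrator typing `cmd /c report.pdf` from a console: the parent there is not an executable living in AppData\Local\Temp.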