91cd8bfbe714acc43beff32856c3d56ded48706d3c92c492a1acb994b606003b

Analysis

max time kernel
1554s
max time network
1742s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
16-02-2022 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

all/gcs/Client_Loader.exe
Size

1.1MB
MD5

4d533e9bf473bffa223d08375406e354
SHA1

a476be755207b0a789a7ea291980ddc53318ff1d
SHA256

84b42521803e83e1d6633bec4099f443a46898297c2588a04dd4b97797311795
SHA512

e20230aa5091e8ff762d7b81c0edde8ab476aa03ed83c2a2bc75b06e3dfebb0aacfde26562c2684368cce72595672f6efa9ca0b489cb09e0394a602564a89980

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

Client_Loader.exe

pid process

3332 Client_Loader.exe

pid	process
3332	Client_Loader.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	752	svchost.exe
Token: SeCreatePagefilePrivilege	752	svchost.exe
Token: SeShutdownPrivilege	752	svchost.exe
Token: SeCreatePagefilePrivilege	752	svchost.exe
Token: SeShutdownPrivilege	752	svchost.exe
Token: SeCreatePagefilePrivilege	752	svchost.exe
Token: SeSecurityPrivilege	2612	TiWorker.exe
Token: SeRestorePrivilege	2612	TiWorker.exe
Token: SeBackupPrivilege	2612	TiWorker.exe
Token: SeBackupPrivilege	2612	TiWorker.exe
Token: SeRestorePrivilege	2612	TiWorker.exe
Token: SeSecurityPrivilege	2612	TiWorker.exe
Token: SeBackupPrivilege	2612	TiWorker.exe
Token: SeRestorePrivilege	2612	TiWorker.exe
Token: SeSecurityPrivilege	2612	TiWorker.exe
Token: SeBackupPrivilege	2612	TiWorker.exe
Token: SeRestorePrivilege	2612	TiWorker.exe
Token: SeSecurityPrivilege	2612	TiWorker.exe
Token: SeBackupPrivilege	2612	TiWorker.exe
Token: SeRestorePrivilege	2612	TiWorker.exe
Token: SeSecurityPrivilege	2612	TiWorker.exe
Token: SeBackupPrivilege	2612	TiWorker.exe
Token: SeRestorePrivilege	2612	TiWorker.exe
Token: SeSecurityPrivilege	2612	TiWorker.exe
Token: SeBackupPrivilege	2612	TiWorker.exe
Token: SeRestorePrivilege	2612	TiWorker.exe
Token: SeSecurityPrivilege	2612	TiWorker.exe
Token: SeBackupPrivilege	2612	TiWorker.exe
Token: SeRestorePrivilege	2612	TiWorker.exe
Token: SeSecurityPrivilege	2612	TiWorker.exe
Token: SeBackupPrivilege	2612	TiWorker.exe
Token: SeRestorePrivilege	2612	TiWorker.exe
Token: SeSecurityPrivilege	2612	TiWorker.exe
Token: SeBackupPrivilege	2612	TiWorker.exe
Token: SeRestorePrivilege	2612	TiWorker.exe
Token: SeSecurityPrivilege	2612	TiWorker.exe
Token: SeBackupPrivilege	2612	TiWorker.exe
Token: SeRestorePrivilege	2612	TiWorker.exe
Token: SeSecurityPrivilege	2612	TiWorker.exe
Token: SeBackupPrivilege	2612	TiWorker.exe
Token: SeRestorePrivilege	2612	TiWorker.exe
Token: SeSecurityPrivilege	2612	TiWorker.exe
Token: SeBackupPrivilege	2612	TiWorker.exe
Token: SeRestorePrivilege	2612	TiWorker.exe
Token: SeSecurityPrivilege	2612	TiWorker.exe
Token: SeBackupPrivilege	2612	TiWorker.exe
Token: SeRestorePrivilege	2612	TiWorker.exe
Token: SeSecurityPrivilege	2612	TiWorker.exe
Token: SeBackupPrivilege	2612	TiWorker.exe
Token: SeRestorePrivilege	2612	TiWorker.exe
Token: SeSecurityPrivilege	2612	TiWorker.exe
Token: SeBackupPrivilege	2612	TiWorker.exe
Token: SeRestorePrivilege	2612	TiWorker.exe
Token: SeSecurityPrivilege	2612	TiWorker.exe
Token: SeBackupPrivilege	2612	TiWorker.exe
Token: SeRestorePrivilege	2612	TiWorker.exe
Token: SeSecurityPrivilege	2612	TiWorker.exe
Token: SeBackupPrivilege	2612	TiWorker.exe
Token: SeRestorePrivilege	2612	TiWorker.exe
Token: SeSecurityPrivilege	2612	TiWorker.exe
Token: SeBackupPrivilege	2612	TiWorker.exe
Token: SeRestorePrivilege	2612	TiWorker.exe
Token: SeSecurityPrivilege	2612	TiWorker.exe
Token: SeBackupPrivilege	2612	TiWorker.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Client_Loader.exe

pid process

3332 Client_Loader.exe
3332 Client_Loader.exe

pid	process
3332	Client_Loader.exe
3332	Client_Loader.exe

C:\Users\Admin\AppData\Local\Temp\all\gcs\Client_Loader.exe
"C:\Users\Admin\AppData\Local\Temp\all\gcs\Client_Loader.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3332

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:3036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\21130707-67bd-4fd2-91d2-b9f759127e7b\GunaUIDotNetRT.dll
MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
memory/752-157-0x000002100D9C0000-0x000002100D9C1000-memory.dmp

Filesize
4KB

Download
memory/752-155-0x000002100DA00000-0x000002100DA01000-memory.dmp

Filesize
4KB

Download
memory/752-154-0x000002100DAC0000-0x000002100DAC4000-memory.dmp

Filesize
16KB

Download
memory/752-147-0x000002100DAA0000-0x000002100DAA4000-memory.dmp

Filesize
16KB

Download
memory/3036-150-0x000002B1CDBB0000-0x000002B1CDBB4000-memory.dmp

Filesize
16KB

Download
memory/3036-148-0x000002B1D0030000-0x000002B1D0034000-memory.dmp

Filesize
16KB

Download
memory/3036-153-0x000002B1CDAA0000-0x000002B1CDAA1000-memory.dmp

Filesize
4KB

Download
memory/3036-152-0x000002B1CDBA0000-0x000002B1CDBA4000-memory.dmp

Filesize
16KB

Download
memory/3036-139-0x000002B1CD760000-0x000002B1CD770000-memory.dmp

Filesize
64KB

Download
memory/3036-140-0x000002B1CD7C0000-0x000002B1CD7D0000-memory.dmp

Filesize
64KB

Download
memory/3036-141-0x000002B1CDB80000-0x000002B1CDB84000-memory.dmp

Filesize
16KB

Download
memory/3036-151-0x000002B1CDBA0000-0x000002B1CDBA1000-memory.dmp

Filesize
4KB

Download
memory/3036-149-0x000002B1D0010000-0x000002B1D0011000-memory.dmp

Filesize
4KB

Download
memory/3332-144-0x0000000005635000-0x0000000005637000-memory.dmp

Filesize
8KB

Download
memory/3332-134-0x00000000056E0000-0x00000000056EA000-memory.dmp

Filesize
40KB

Download
memory/3332-135-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/3332-143-0x0000000005632000-0x0000000005633000-memory.dmp

Filesize
4KB

Download
memory/3332-130-0x0000000074E2E000-0x0000000074E2F000-memory.dmp

Filesize
4KB

Download
memory/3332-142-0x0000000005631000-0x0000000005632000-memory.dmp

Filesize
4KB

Download
memory/3332-138-0x0000000006710000-0x00000000067AC000-memory.dmp

Filesize
624KB

Download
memory/3332-137-0x0000000073830000-0x00000000738B9000-memory.dmp

Filesize
548KB

Download
memory/3332-133-0x0000000005640000-0x00000000056D2000-memory.dmp

Filesize
584KB

Download
memory/3332-132-0x0000000005BF0000-0x0000000006194000-memory.dmp

Filesize
5.6MB

Download
memory/3332-131-0x0000000000C90000-0x0000000000DB2000-memory.dmp

Filesize
1.1MB

Download