Analysis
- max time kernel: 103s
- max time network: 184s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 09-03-2022 14:43

Tasks
- Static task: static1
- Behavioral task: behavioral1 | Sample: GdtBpFKY.exe | Resource: win7-en-20211208 | Platform: windows7_x64 | 0 signatures | 0 seconds
General
- Target: GdtBpFKY.exe
- Size: 140KB
- MD5: bfac768f9ad7d29ec91a0288f4b5f479
- SHA1: ff3240c04aa6778dfc4fa2c2eec505c0fb52acac
- SHA256: 950da158619b3a37e4c0f0be34c39482afdce6d8aa92703ea9cf5ddd487049e9
- SHA512: 6fa181b5aa88216d49e24576cff35cd5ce4f1ed11d3ec3d6539125d699c421f79dc755b4383e6d6ccf1657d21ee4aa9364f6785ef870e2863b93fa3885f07289
Malware Config
Signatures
- Modifies firewall policy service (2 TTPs, 4 IoCs)
  Processes: GdtBpFKY.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | GdtBpFKY.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | GdtBpFKY.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | GdtBpFKY.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\GdtBpFKY.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GdtBpFKY.exe:*:enabled:@shell32.dll,-1" | GdtBpFKY.exe
- suricata: ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup
-
  Processes:
  resource | yara_rule
  behavioral2/memory/2896-135-0x0000000000400000-0x0000000000444000-memory.dmp | upx
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: GdtBpFKY.exe
  description | ioc | process
  File opened (read-only) | \??\X:, \??\Y:, \??\F:, \??\G:, \??\I:, \??\L:, \??\V:, \??\W:, \??\E:, \??\K:, \??\O:, \??\R:, \??\S:, \??\T:, \??\H:, \??\J:, \??\P:, \??\Z:, \??\M:, \??\N:, \??\Q:, \??\U: (one event per drive letter, 22 in total) | GdtBpFKY.exe
- Drops file in Program Files directory (3 IoCs)
  Processes: GdtBpFKY.exe
  description | ioc | process
  File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | GdtBpFKY.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | GdtBpFKY.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\px5414.tmp | GdtBpFKY.exe
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  3808 | 2896 | WerFault.exe | GdtBpFKY.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: GdtBpFKY.exe
  pid | process
  2896 | GdtBpFKY.exe (2 events)
- Suspicious behavior: MapViewOfSection (42 IoCs)
  Processes: GdtBpFKY.exe
  pid | process
  2896 | GdtBpFKY.exe (42 events)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: GdtBpFKY.exe
  description | pid | process
  Token: SeDebugPrivilege | 2896 | GdtBpFKY.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: GdtBpFKY.exe
  description | pid | process | target process
  PID 2896 wrote to memory of 608 | 2896 | GdtBpFKY.exe | winlogon.exe (6 events)
  PID 2896 wrote to memory of 668 | 2896 | GdtBpFKY.exe | lsass.exe (6 events)
  PID 2896 wrote to memory of 776 | 2896 | GdtBpFKY.exe | fontdrvhost.exe (6 events)
  PID 2896 wrote to memory of 780 | 2896 | GdtBpFKY.exe | fontdrvhost.exe (6 events)
  PID 2896 wrote to memory of 792 | 2896 | GdtBpFKY.exe | svchost.exe (6 events)
  PID 2896 wrote to memory of 900 | 2896 | GdtBpFKY.exe | svchost.exe (6 events)
  PID 2896 wrote to memory of 988 | 2896 | GdtBpFKY.exe | dwm.exe (6 events)
  PID 2896 wrote to memory of 736 | 2896 | GdtBpFKY.exe | svchost.exe (6 events)
  PID 2896 wrote to memory of 732 | 2896 | GdtBpFKY.exe | svchost.exe (6 events)
  PID 2896 wrote to memory of 652 | 2896 | GdtBpFKY.exe | svchost.exe (6 events)
  PID 2896 wrote to memory of 1028 | 2896 | GdtBpFKY.exe | svchost.exe (4 events)
Processes
image | command line | PID (children indented under their parent)
- C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID:668
- C:\Windows\system32\winlogon.exe | winlogon.exe | PID:608
  - C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:780
  - C:\Windows\system32\dwm.exe | "dwm.exe" | PID:988
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p | PID:1168
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p | PID:1640
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p | PID:2568
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:2864
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3008
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:976
- C:\Windows\System32\mousocoreworker.exe | C:\Windows\System32\mousocoreworker.exe -Embedding | PID:2544
- C:\Windows\system32\MusNotification.exe | C:\Windows\system32\MusNotification.exe | PID:2320
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService | PID:3388
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p | PID:2472
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p | PID:832
- C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding | PID:3488
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3492
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3132
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:2936
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:2760
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:2456
  - C:\Users\Admin\AppData\Local\Temp\GdtBpFKY.exe | "C:\Users\Admin\AppData\Local\Temp\GdtBpFKY.exe" | PID:2896
    signatures:
    - Modifies firewall policy service
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 488 | PID:3808
      signatures:
      - Program crash
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2308
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup | PID:2256
- C:\Windows\system32\sihost.exe | sihost.exe | PID:2236
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service | PID:1364
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p | PID:2012
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p | PID:1832
- C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID:1808
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | PID:1732
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID:1648
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID:1508
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p | PID:1356
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p | PID:1028
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID:652
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p | PID:732
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p | PID:736
  - C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R | PID:2964
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS -p | PID:900
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p | PID:792
  - C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -Embedding | PID:772
  - C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | PID:3840
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:776
- C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2896 -ip 2896 | PID:548
- C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2896 -ip 2896 | PID:2332
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/2896-130-0x0000000077660000-0x0000000077803000-memory.dmp | Filesize: 1.6MB
- memory/2896-131-0x00000000021A0000-0x00000000021AF000-memory.dmp | Filesize: 60KB
- memory/2896-132-0x0000000077660000-0x0000000077803000-memory.dmp | Filesize: 1.6MB
- memory/2896-133-0x0000000077660000-0x0000000077803000-memory.dmp | Filesize: 1.6MB
- memory/2896-134-0x0000000077660000-0x0000000077803000-memory.dmp | Filesize: 1.6MB
- memory/2896-135-0x0000000000400000-0x0000000000444000-memory.dmp | Filesize: 272KB