130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exe
Size

2.5MB
MD5

8bb9ed74829e5998537c4c3814e33cb6
SHA1

37971396d9599d31975100c16e8573ce9265b038
SHA256

130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4
SHA512

6c90fd66280b2fbca79589c38c2c87a13defb7cadbe2ddb95af4bd58edbb9698cb3ba9da87a57ebe4ce36eca68cb88846f0a697ce24dbeba043a18f14cf5e107

Score

10^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Executes dropped EXE 4 IoCs

Processes:

irsetup.exeGifRecord.exeGifRecord.exeGifRecord.exe

pid process

4256 irsetup.exe
2000 GifRecord.exe
5080 GifRecord.exe
3924 GifRecord.exe

pid	process
4256	irsetup.exe
2000	GifRecord.exe
5080	GifRecord.exe
3924	GifRecord.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exeirsetup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	irsetup.exe

Loads dropped DLL 5 IoCs

Processes:

irsetup.exerundll32.exerundll32.exe

pid process

4256 irsetup.exe
1928 rundll32.exe
4012 rundll32.exe
2032
2032
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4256	irsetup.exe
1928	rundll32.exe
4012	rundll32.exe
2032
2032

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

GifRecord.exeGifRecord.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GifRecord.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GifRecord.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

GifRecord.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\GifRecord.exe = "11000"	GifRecord.exe

Modifies registry class 7 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}\ = "GifRecord"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\GifRecord\\GifRecord.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}\Implemented Categories	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

GifRecord.exe

pid	process
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe
2000	GifRecord.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

irsetup.exeGifRecord.exeGifRecord.exerundll32.exe

pid process

4256 irsetup.exe
4256 irsetup.exe
4256 irsetup.exe
2000 GifRecord.exe
5080 GifRecord.exe
4012 rundll32.exe

pid	process
4256	irsetup.exe
4256	irsetup.exe
4256	irsetup.exe
2000	GifRecord.exe
5080	GifRecord.exe
4012	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exeirsetup.exerundll32.exe

description	pid	process	target process
PID 992 wrote to memory of 4256	992	130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exe	irsetup.exe
PID 992 wrote to memory of 4256	992	130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exe	irsetup.exe
PID 992 wrote to memory of 4256	992	130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exe	irsetup.exe
PID 4256 wrote to memory of 2000	4256	irsetup.exe	GifRecord.exe
PID 4256 wrote to memory of 2000	4256	irsetup.exe	GifRecord.exe
PID 4256 wrote to memory of 2000	4256	irsetup.exe	GifRecord.exe
PID 4256 wrote to memory of 5080	4256	irsetup.exe	GifRecord.exe
PID 4256 wrote to memory of 5080	4256	irsetup.exe	GifRecord.exe
PID 4256 wrote to memory of 5080	4256	irsetup.exe	GifRecord.exe
PID 4256 wrote to memory of 1928	4256	irsetup.exe	rundll32.exe
PID 4256 wrote to memory of 1928	4256	irsetup.exe	rundll32.exe
PID 4256 wrote to memory of 1928	4256	irsetup.exe	rundll32.exe
PID 1928 wrote to memory of 4012	1928	rundll32.exe	rundll32.exe
PID 1928 wrote to memory of 4012	1928	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exe
"C:\Users\Admin\AppData\Local\Temp\130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:992

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1828898 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\130e0b1bea3fe7aa551e58de8bb50e83647de48194302ac777c62e200d4d8cd4.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-2632097139-1792035885-811742494-1000"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4256

C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
"C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe" -setup
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2000

C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
"C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe" -run
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
PID:5080

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" /s GifRecord.dll DllGetClassObjectEx
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" /s GifRecord.dll DllGetClassObjectEx
4⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4012

C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
-run
1⤵
- Executes dropped EXE
PID:3924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
7eb6266334c70e3ffa235d2571614734

SHA1
de003214a0034ca3dbe9ed35f482f2aaa235c5d7

SHA256
0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f

SHA512
f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
7eb6266334c70e3ffa235d2571614734

SHA1
de003214a0034ca3dbe9ed35f482f2aaa235c5d7

SHA256
0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f

SHA512
f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
e7a789232ef503dcb4929791673009a3

SHA1
8bc28bce4c9d8b4a6e360100441ba54a878de4c1

SHA256
89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

SHA512
6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
e7a789232ef503dcb4929791673009a3

SHA1
8bc28bce4c9d8b4a6e360100441ba54a878de4c1

SHA256
89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

SHA512
6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

Download Submit
C:\Users\Admin\AppData\Local\masm71.dat
Filesize
27B

MD5
07a140c7b9625cd352671573f72c0e10

SHA1
2a83a5c9908937cd675e887e16516c78bc05f156

SHA256
ede41fc73c940c9419cc2ef62a9bce5c8215da1d02c97314a44d15eb82b96fe4

SHA512
80e0ae186e2648a5809926f71605b8953573a7913dc185618d8d5af46d58415f69575bf8d0e66b1eabd2d6763a12aa3f8027adc9ba132bff4a772186599a9960

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.cfg
Filesize
113B

MD5
fe794baf1f42ddfbee4485742f8ddc51

SHA1
ae6d789a956e7167d19f63ba98feea56901522c3

SHA256
cb311b79f4758ac7fc88916893e5a34cc0c2c5c2741bccbafafc397a889be185

SHA512
970b956ffd33aad7612efca64ed9bcb9da2da9abcc8fbf8a6f6cf5e634287255bdb128a07a6cb03ed342e82046e933bf4ab45544e61188f54efb41530d9ccbbf

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.cfg
Filesize
161B

MD5
10c54cbd2106668e4bb4ed4123bcbc04

SHA1
59f86d730812896dc8ccd9b5124fcb3f35800b45

SHA256
5fd0fd986f92798d410be61845e1d723e73ab1d54301babc26bf4b0fd4c3de28

SHA512
aa2bcbd9f922e59e3faf5486a06cd5c29570a176a4719e727fb03e86d8e9eb5f86545ca9eb1c22f70274e70a2159fa28e8030124e8bf9ff417fdc42a636012d6

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.cfg
Filesize
210B

MD5
be7ef2841a2137792d2e21fdc7c95587

SHA1
39ab41ad47864e2ee1759d9fe5779016bcfd92d6

SHA256
a7c6c13861355ec8fd25cd92df1745e9ebcfbffdee543b42f9a7324514168683

SHA512
76754452d7ae42884fa1f00b15775ea807f9abd3c9df3f389f38886623173d19ef7bba449bc192665f6cc2ebf16143c17156cbc0b68c1d067853dcbd3c77db81

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll
Filesize
354KB

MD5
42448fbdd7518ec2621a2be25e08f9a1

SHA1
4536e8cb9adda29834ec77100bf60dc60ccb0d9c

SHA256
4fc5d1be5dcb0eae871c91f932a016866cabb7e8bef62cd872a4038304d5b6b3

SHA512
3a5bec44c81de1b01ea70db218af23b282b9f7f37e648e9a12effd7e4b76d5108a6d03a5ba33a43c49a5ef5a900c76e75c38fddc8c806b24f0642bad2e378c3b

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll
Filesize
354KB

MD5
42448fbdd7518ec2621a2be25e08f9a1

SHA1
4536e8cb9adda29834ec77100bf60dc60ccb0d9c

SHA256
4fc5d1be5dcb0eae871c91f932a016866cabb7e8bef62cd872a4038304d5b6b3

SHA512
3a5bec44c81de1b01ea70db218af23b282b9f7f37e648e9a12effd7e4b76d5108a6d03a5ba33a43c49a5ef5a900c76e75c38fddc8c806b24f0642bad2e378c3b

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll
Filesize
354KB

MD5
42448fbdd7518ec2621a2be25e08f9a1

SHA1
4536e8cb9adda29834ec77100bf60dc60ccb0d9c

SHA256
4fc5d1be5dcb0eae871c91f932a016866cabb7e8bef62cd872a4038304d5b6b3

SHA512
3a5bec44c81de1b01ea70db218af23b282b9f7f37e648e9a12effd7e4b76d5108a6d03a5ba33a43c49a5ef5a900c76e75c38fddc8c806b24f0642bad2e378c3b

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll
Filesize
354KB

MD5
42448fbdd7518ec2621a2be25e08f9a1

SHA1
4536e8cb9adda29834ec77100bf60dc60ccb0d9c

SHA256
4fc5d1be5dcb0eae871c91f932a016866cabb7e8bef62cd872a4038304d5b6b3

SHA512
3a5bec44c81de1b01ea70db218af23b282b9f7f37e648e9a12effd7e4b76d5108a6d03a5ba33a43c49a5ef5a900c76e75c38fddc8c806b24f0642bad2e378c3b

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll
Filesize
354KB

MD5
42448fbdd7518ec2621a2be25e08f9a1

SHA1
4536e8cb9adda29834ec77100bf60dc60ccb0d9c

SHA256
4fc5d1be5dcb0eae871c91f932a016866cabb7e8bef62cd872a4038304d5b6b3

SHA512
3a5bec44c81de1b01ea70db218af23b282b9f7f37e648e9a12effd7e4b76d5108a6d03a5ba33a43c49a5ef5a900c76e75c38fddc8c806b24f0642bad2e378c3b

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
Filesize
954KB

MD5
c7f4406ead0af29e975704af853054d1

SHA1
c0dbc136ea31d192972002b38a2e96fadc377d70

SHA256
5ea1eff6d23ce7675cb9814e05311106f6302925fa1e39ffbf5de8b740146ef9

SHA512
bc8f512ed40fa221d943663fd91b6fac8c3359145c00d934a7c8bdfd72984962f18848c2b9a1ff1b53833084c854b4b24f1e75107e8e58eb9376e299147b45d6

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
Filesize
954KB

MD5
c7f4406ead0af29e975704af853054d1

SHA1
c0dbc136ea31d192972002b38a2e96fadc377d70

SHA256
5ea1eff6d23ce7675cb9814e05311106f6302925fa1e39ffbf5de8b740146ef9

SHA512
bc8f512ed40fa221d943663fd91b6fac8c3359145c00d934a7c8bdfd72984962f18848c2b9a1ff1b53833084c854b4b24f1e75107e8e58eb9376e299147b45d6

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
Filesize
954KB

MD5
c7f4406ead0af29e975704af853054d1

SHA1
c0dbc136ea31d192972002b38a2e96fadc377d70

SHA256
5ea1eff6d23ce7675cb9814e05311106f6302925fa1e39ffbf5de8b740146ef9

SHA512
bc8f512ed40fa221d943663fd91b6fac8c3359145c00d934a7c8bdfd72984962f18848c2b9a1ff1b53833084c854b4b24f1e75107e8e58eb9376e299147b45d6

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
Filesize
954KB

MD5
c7f4406ead0af29e975704af853054d1

SHA1
c0dbc136ea31d192972002b38a2e96fadc377d70

SHA256
5ea1eff6d23ce7675cb9814e05311106f6302925fa1e39ffbf5de8b740146ef9

SHA512
bc8f512ed40fa221d943663fd91b6fac8c3359145c00d934a7c8bdfd72984962f18848c2b9a1ff1b53833084c854b4b24f1e75107e8e58eb9376e299147b45d6

Download Submit
memory/1928-141-0x0000000000000000-mapping.dmp

Download
memory/2000-135-0x0000000000000000-mapping.dmp

Download
memory/4012-144-0x0000000000000000-mapping.dmp

Download
memory/4256-130-0x0000000000000000-mapping.dmp

Download
memory/5080-139-0x0000000000000000-mapping.dmp

Download