2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf

Analysis

max time kernel
157s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exe
Size

2.5MB
MD5

c67979c54ed1193e84fc034171a605a4
SHA1

ba9b16191d2b27457b1e4e6c5f4280a729b6e4b9
SHA256

2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf
SHA512

977d4df49119c73e2e99090e7ce29039ee4ab8e7875ed1245da3cbe6ab0f022f7c7809285228a6e9d7e702cf7a75c70c620167f86689c3fc3b78fc8976409b0f

Score

10^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Executes dropped EXE 4 IoCs

Processes:

irsetup.exeGifRecord.exeGifRecord.exeGifRecord.exe

pid process

3708 irsetup.exe
3972 GifRecord.exe
216 GifRecord.exe
4440 GifRecord.exe

pid	process
3708	irsetup.exe
3972	GifRecord.exe
216	GifRecord.exe
4440	GifRecord.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exeirsetup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	irsetup.exe

Loads dropped DLL 5 IoCs

Processes:

irsetup.exerundll32.exerundll32.exe

pid process

3708 irsetup.exe
3000 rundll32.exe
1856 rundll32.exe
1060
1060
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3708	irsetup.exe
3000	rundll32.exe
1856	rundll32.exe
1060
1060

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

GifRecord.exeGifRecord.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GifRecord.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GifRecord.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

GifRecord.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\GifRecord.exe = "11000"	GifRecord.exe

Modifies registry class 7 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}\ = "GifRecord"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\GifRecord\\GifRecord.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}\Implemented Categories	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7B2FACB-BDD2-4D16-ADAB-C826A3ADDBE1}	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

GifRecord.exe

pid	process
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe
3972	GifRecord.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

irsetup.exeGifRecord.exeGifRecord.exerundll32.exe

pid process

3708 irsetup.exe
3708 irsetup.exe
3708 irsetup.exe
3972 GifRecord.exe
216 GifRecord.exe
1856 rundll32.exe

pid	process
3708	irsetup.exe
3708	irsetup.exe
3708	irsetup.exe
3972	GifRecord.exe
216	GifRecord.exe
1856	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exeirsetup.exerundll32.exe

description	pid	process	target process
PID 4224 wrote to memory of 3708	4224	2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exe	irsetup.exe
PID 4224 wrote to memory of 3708	4224	2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exe	irsetup.exe
PID 4224 wrote to memory of 3708	4224	2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exe	irsetup.exe
PID 3708 wrote to memory of 3972	3708	irsetup.exe	GifRecord.exe
PID 3708 wrote to memory of 3972	3708	irsetup.exe	GifRecord.exe
PID 3708 wrote to memory of 3972	3708	irsetup.exe	GifRecord.exe
PID 3708 wrote to memory of 216	3708	irsetup.exe	GifRecord.exe
PID 3708 wrote to memory of 216	3708	irsetup.exe	GifRecord.exe
PID 3708 wrote to memory of 216	3708	irsetup.exe	GifRecord.exe
PID 3708 wrote to memory of 3000	3708	irsetup.exe	rundll32.exe
PID 3708 wrote to memory of 3000	3708	irsetup.exe	rundll32.exe
PID 3708 wrote to memory of 3000	3708	irsetup.exe	rundll32.exe
PID 3000 wrote to memory of 1856	3000	rundll32.exe	rundll32.exe
PID 3000 wrote to memory of 1856	3000	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exe
"C:\Users\Admin\AppData\Local\Temp\2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4224

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1828898 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\2abc9d37a7e1037571ef0cef2de252af617b89fa7b4500991a3f53b6b87a9abf.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-2632097139-1792035885-811742494-1000"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3708

C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
"C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe" -setup
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3972

C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
"C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe" -run
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
PID:216

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" /s GifRecord.dll DllGetClassObjectEx
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" /s GifRecord.dll DllGetClassObjectEx
4⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1856

C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
-run
1⤵
- Executes dropped EXE
PID:4440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
7eb6266334c70e3ffa235d2571614734

SHA1
de003214a0034ca3dbe9ed35f482f2aaa235c5d7

SHA256
0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f

SHA512
f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
7eb6266334c70e3ffa235d2571614734

SHA1
de003214a0034ca3dbe9ed35f482f2aaa235c5d7

SHA256
0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f

SHA512
f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
e7a789232ef503dcb4929791673009a3

SHA1
8bc28bce4c9d8b4a6e360100441ba54a878de4c1

SHA256
89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

SHA512
6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
e7a789232ef503dcb4929791673009a3

SHA1
8bc28bce4c9d8b4a6e360100441ba54a878de4c1

SHA256
89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

SHA512
6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

Download Submit
C:\Users\Admin\AppData\Local\masm71.dat
Filesize
27B

MD5
07a140c7b9625cd352671573f72c0e10

SHA1
2a83a5c9908937cd675e887e16516c78bc05f156

SHA256
ede41fc73c940c9419cc2ef62a9bce5c8215da1d02c97314a44d15eb82b96fe4

SHA512
80e0ae186e2648a5809926f71605b8953573a7913dc185618d8d5af46d58415f69575bf8d0e66b1eabd2d6763a12aa3f8027adc9ba132bff4a772186599a9960

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.cfg
Filesize
113B

MD5
fe794baf1f42ddfbee4485742f8ddc51

SHA1
ae6d789a956e7167d19f63ba98feea56901522c3

SHA256
cb311b79f4758ac7fc88916893e5a34cc0c2c5c2741bccbafafc397a889be185

SHA512
970b956ffd33aad7612efca64ed9bcb9da2da9abcc8fbf8a6f6cf5e634287255bdb128a07a6cb03ed342e82046e933bf4ab45544e61188f54efb41530d9ccbbf

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.cfg
Filesize
161B

MD5
785416376fb37c17c3c63cdf05372265

SHA1
fbb86025d44b1d043902806141f6ce79a1725ab1

SHA256
51024f20640e90898c4150cb12f7f93b5c52fdf0ded1a0981aa7708b41b838ee

SHA512
324d3c41b9de3323fd9bb3c4e9eb56c26dc88ecfdc6acebf5054573c7aadbfb01a8d8b7f1c47b45154f2d1660eeddb6a2ab30e633842f53c8a4db33af5eb74d8

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.cfg
Filesize
210B

MD5
081cebef88ebadead649fb78a2bb75f4

SHA1
68f5277904738b9a9aa5c167dc44acc82be1b131

SHA256
afd5dcb4df1a090e6ed0322d28072ab38389da9205c4442f39500f57940962d5

SHA512
48a91d2672cee2d56910c9bf8ecec1f2912eaf491bf97395e93cd2763c3f660f53f72e31d42f9a2016210cad99bc4cb5f34d2bfbade22a29b01fc094e258fcfe

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll
Filesize
354KB

MD5
caaac2e6c057948d8921e5d1c0e1c167

SHA1
96079bb53b3572bf212a4e9e460dba77c1dc4650

SHA256
1a39e609f5b3f2f03d8868f36dd4d36c06c2db4932c71e60625a50db31ecf1c5

SHA512
f8c32f060e3ae653421f9d50e521c55f5198599303f767b4738e007e84e76af028e737f0cb3c6b5b1b0d1f1e7125dbc1bf050143abc47c517579169c3fa924c3

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll
Filesize
354KB

MD5
caaac2e6c057948d8921e5d1c0e1c167

SHA1
96079bb53b3572bf212a4e9e460dba77c1dc4650

SHA256
1a39e609f5b3f2f03d8868f36dd4d36c06c2db4932c71e60625a50db31ecf1c5

SHA512
f8c32f060e3ae653421f9d50e521c55f5198599303f767b4738e007e84e76af028e737f0cb3c6b5b1b0d1f1e7125dbc1bf050143abc47c517579169c3fa924c3

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll
Filesize
354KB

MD5
caaac2e6c057948d8921e5d1c0e1c167

SHA1
96079bb53b3572bf212a4e9e460dba77c1dc4650

SHA256
1a39e609f5b3f2f03d8868f36dd4d36c06c2db4932c71e60625a50db31ecf1c5

SHA512
f8c32f060e3ae653421f9d50e521c55f5198599303f767b4738e007e84e76af028e737f0cb3c6b5b1b0d1f1e7125dbc1bf050143abc47c517579169c3fa924c3

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll
Filesize
354KB

MD5
caaac2e6c057948d8921e5d1c0e1c167

SHA1
96079bb53b3572bf212a4e9e460dba77c1dc4650

SHA256
1a39e609f5b3f2f03d8868f36dd4d36c06c2db4932c71e60625a50db31ecf1c5

SHA512
f8c32f060e3ae653421f9d50e521c55f5198599303f767b4738e007e84e76af028e737f0cb3c6b5b1b0d1f1e7125dbc1bf050143abc47c517579169c3fa924c3

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.dll
Filesize
354KB

MD5
caaac2e6c057948d8921e5d1c0e1c167

SHA1
96079bb53b3572bf212a4e9e460dba77c1dc4650

SHA256
1a39e609f5b3f2f03d8868f36dd4d36c06c2db4932c71e60625a50db31ecf1c5

SHA512
f8c32f060e3ae653421f9d50e521c55f5198599303f767b4738e007e84e76af028e737f0cb3c6b5b1b0d1f1e7125dbc1bf050143abc47c517579169c3fa924c3

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
Filesize
954KB

MD5
1eb82dc9cb9202fcf4209fecdfe56f18

SHA1
d99bc05baf7807c215dd5fa2e545c1faef900922

SHA256
e8121ee01b811508631d6c64ea831dd1436443dc44a70cb0abc3f30cf4a80743

SHA512
e3debb68e3b72525fde8743469fb1d4bba571927e11c530a1328ab7d905daf7823f27887e55d520a5bc12dd0285167be338dc4110a2674c64de0fbf8f28558f2

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
Filesize
954KB

MD5
1eb82dc9cb9202fcf4209fecdfe56f18

SHA1
d99bc05baf7807c215dd5fa2e545c1faef900922

SHA256
e8121ee01b811508631d6c64ea831dd1436443dc44a70cb0abc3f30cf4a80743

SHA512
e3debb68e3b72525fde8743469fb1d4bba571927e11c530a1328ab7d905daf7823f27887e55d520a5bc12dd0285167be338dc4110a2674c64de0fbf8f28558f2

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
Filesize
954KB

MD5
1eb82dc9cb9202fcf4209fecdfe56f18

SHA1
d99bc05baf7807c215dd5fa2e545c1faef900922

SHA256
e8121ee01b811508631d6c64ea831dd1436443dc44a70cb0abc3f30cf4a80743

SHA512
e3debb68e3b72525fde8743469fb1d4bba571927e11c530a1328ab7d905daf7823f27887e55d520a5bc12dd0285167be338dc4110a2674c64de0fbf8f28558f2

Download Submit
C:\Users\Admin\AppData\Roaming\GifRecord\GifRecord.exe
Filesize
954KB

MD5
1eb82dc9cb9202fcf4209fecdfe56f18

SHA1
d99bc05baf7807c215dd5fa2e545c1faef900922

SHA256
e8121ee01b811508631d6c64ea831dd1436443dc44a70cb0abc3f30cf4a80743

SHA512
e3debb68e3b72525fde8743469fb1d4bba571927e11c530a1328ab7d905daf7823f27887e55d520a5bc12dd0285167be338dc4110a2674c64de0fbf8f28558f2

Download Submit
memory/216-139-0x0000000000000000-mapping.dmp

Download
memory/1856-144-0x0000000000000000-mapping.dmp

Download
memory/3000-141-0x0000000000000000-mapping.dmp

Download
memory/3708-130-0x0000000000000000-mapping.dmp

Download
memory/3972-135-0x0000000000000000-mapping.dmp

Download