11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8

General

Target

11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe
Size

277KB
MD5

8c1b36b24a67666740ebed501c1280c5
SHA1

180af0ea1cd6c180ae5dcf91fbe13c585af40282
SHA256

11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8
SHA512

fb58aa4aef8e0c4f239884ca229405934de696c36d5a44cf36bb4b91a60ef3b0428b70cbaedc3a8f735771ea049f9631a06b5860473c49f008108e3d47935dab

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

gaag.exe

pid process

1620 gaag.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Edtiep\gaag.exe	upx
\Users\Admin\AppData\Roaming\Edtiep\gaag.exe	upx
C:\Users\Admin\AppData\Roaming\Edtiep\gaag.exe	upx
C:\Users\Admin\AppData\Roaming\Edtiep\gaag.exe	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

516 cmd.exe

pid	process
516	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe

pid	process
1992	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe
1992	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

gaag.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\Currentversion\Run	gaag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\{5C1D8168-E93A-AD4C-05EB-D0573E9CF34A} = "C:\\Users\\Admin\\AppData\\Roaming\\Edtiep\\gaag.exe"	gaag.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe

description pid process target process

PID 1992 set thread context of 516 1992 11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe cmd.exe

description	pid	process	target process
PID 1992 set thread context of 516	1992	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Privacy	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

gaag.exe

pid	process
1620	gaag.exe
1620	gaag.exe
1620	gaag.exe
1620	gaag.exe
1620	gaag.exe
1620	gaag.exe
1620	gaag.exe
1620	gaag.exe
1620	gaag.exe
1620	gaag.exe
1620	gaag.exe
1620	gaag.exe
1620	gaag.exe
1620	gaag.exe
1620	gaag.exe
1620	gaag.exe
1620	gaag.exe
1620	gaag.exe
1620	gaag.exe
1620	gaag.exe
1620	gaag.exe
1620	gaag.exe
1620	gaag.exe
1620	gaag.exe
1620	gaag.exe
1620	gaag.exe
1620	gaag.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe

description	pid	process
Token: SeSecurityPrivilege	1992	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe
Token: SeSecurityPrivilege	1992	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe
Token: SeSecurityPrivilege	1992	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exegaag.exe

description	pid	process	target process
PID 1992 wrote to memory of 1620	1992	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe	gaag.exe
PID 1992 wrote to memory of 1620	1992	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe	gaag.exe
PID 1992 wrote to memory of 1620	1992	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe	gaag.exe
PID 1992 wrote to memory of 1620	1992	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe	gaag.exe
PID 1620 wrote to memory of 1136	1620	gaag.exe	taskhost.exe
PID 1620 wrote to memory of 1136	1620	gaag.exe	taskhost.exe
PID 1620 wrote to memory of 1136	1620	gaag.exe	taskhost.exe
PID 1620 wrote to memory of 1136	1620	gaag.exe	taskhost.exe
PID 1620 wrote to memory of 1136	1620	gaag.exe	taskhost.exe
PID 1620 wrote to memory of 1240	1620	gaag.exe	Dwm.exe
PID 1620 wrote to memory of 1240	1620	gaag.exe	Dwm.exe
PID 1620 wrote to memory of 1240	1620	gaag.exe	Dwm.exe
PID 1620 wrote to memory of 1240	1620	gaag.exe	Dwm.exe
PID 1620 wrote to memory of 1240	1620	gaag.exe	Dwm.exe
PID 1620 wrote to memory of 1288	1620	gaag.exe	Explorer.EXE
PID 1620 wrote to memory of 1288	1620	gaag.exe	Explorer.EXE
PID 1620 wrote to memory of 1288	1620	gaag.exe	Explorer.EXE
PID 1620 wrote to memory of 1288	1620	gaag.exe	Explorer.EXE
PID 1620 wrote to memory of 1288	1620	gaag.exe	Explorer.EXE
PID 1620 wrote to memory of 1992	1620	gaag.exe	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe
PID 1620 wrote to memory of 1992	1620	gaag.exe	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe
PID 1620 wrote to memory of 1992	1620	gaag.exe	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe
PID 1620 wrote to memory of 1992	1620	gaag.exe	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe
PID 1620 wrote to memory of 1992	1620	gaag.exe	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe
PID 1992 wrote to memory of 516	1992	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe	cmd.exe
PID 1992 wrote to memory of 516	1992	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe	cmd.exe
PID 1992 wrote to memory of 516	1992	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe	cmd.exe
PID 1992 wrote to memory of 516	1992	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe	cmd.exe
PID 1992 wrote to memory of 516	1992	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe	cmd.exe
PID 1992 wrote to memory of 516	1992	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe	cmd.exe
PID 1992 wrote to memory of 516	1992	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe	cmd.exe
PID 1992 wrote to memory of 516	1992	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe	cmd.exe
PID 1992 wrote to memory of 516	1992	11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1288

C:\Users\Admin\AppData\Local\Temp\11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe
"C:\Users\Admin\AppData\Local\Temp\11771a6754c1edb3b5a3afd972716f49222a69e6e6caa94c4cd6933ab50ca9e8.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Roaming\Edtiep\gaag.exe
"C:\Users\Admin\AppData\Roaming\Edtiep\gaag.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa3330336.bat"
3⤵
- Deletes itself
PID:516

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1240

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpa3330336.bat
Filesize
307B

MD5
07fd9e1d1273ac24798020affe399f28

SHA1
90216acb2154f6eca4e79ba040826ca1bad714a7

SHA256
f272dd8820e1d0d4516f106e7a27757552b7304c0a44d96d4f2e188aea71522b

SHA512
8057f7b983f064d425162be907ffc4d0b4ec016fd7b6db5ea3c147de8c77d6c2b66d284f989c24a8b8e6008489facffbeb33d2743b55eaf580fa5259240b0525

Download Submit
C:\Users\Admin\AppData\Roaming\Edtiep\gaag.exe
Filesize
277KB

MD5
47979805dc1e37a95dd95c859d41efd9

SHA1
fbf65b8482af5f226e2c5f87bd70ce9f4fb56982

SHA256
3f1640d0201a6927e880ebf115c3551ce82d61625019032c769c357111267466

SHA512
2a5d1e1a5b4e1311f92ef1d1dd13d024215fc47137c4a2a111fa3a8f08e272e19bdd50477e24333bfc0db0c0bc4b7a32526ebb992dedffeba238fd1a5dd9f617

Download Submit
C:\Users\Admin\AppData\Roaming\Edtiep\gaag.exe
Filesize
277KB

MD5
47979805dc1e37a95dd95c859d41efd9

SHA1
fbf65b8482af5f226e2c5f87bd70ce9f4fb56982

SHA256
3f1640d0201a6927e880ebf115c3551ce82d61625019032c769c357111267466

SHA512
2a5d1e1a5b4e1311f92ef1d1dd13d024215fc47137c4a2a111fa3a8f08e272e19bdd50477e24333bfc0db0c0bc4b7a32526ebb992dedffeba238fd1a5dd9f617

Download Submit
C:\Users\Admin\AppData\Roaming\Ygvik\wepo.ujm
Filesize
398B

MD5
fd11a746878aeb5a13dec4dbecdd05d1

SHA1
c09a0e42a786d6b9c90c3b665c2b987c46cc0fb6

SHA256
7858512c305f8c02a2a54acb9ff26a8b9240d385a48925c3814db60e7f848aeb

SHA512
b6b52e8826ebb4bfa763bff6dc5a41545afca8a16fecc410b7296433f1527490d4d8278892e5852d5cbbccacafaa4676ba5e25002401ad55018157fd75b51c1b

Download Submit
\Users\Admin\AppData\Roaming\Edtiep\gaag.exe
Filesize
277KB

MD5
47979805dc1e37a95dd95c859d41efd9

SHA1
fbf65b8482af5f226e2c5f87bd70ce9f4fb56982

SHA256
3f1640d0201a6927e880ebf115c3551ce82d61625019032c769c357111267466

SHA512
2a5d1e1a5b4e1311f92ef1d1dd13d024215fc47137c4a2a111fa3a8f08e272e19bdd50477e24333bfc0db0c0bc4b7a32526ebb992dedffeba238fd1a5dd9f617

Download Submit
\Users\Admin\AppData\Roaming\Edtiep\gaag.exe
Filesize
277KB

MD5
47979805dc1e37a95dd95c859d41efd9

SHA1
fbf65b8482af5f226e2c5f87bd70ce9f4fb56982

SHA256
3f1640d0201a6927e880ebf115c3551ce82d61625019032c769c357111267466

SHA512
2a5d1e1a5b4e1311f92ef1d1dd13d024215fc47137c4a2a111fa3a8f08e272e19bdd50477e24333bfc0db0c0bc4b7a32526ebb992dedffeba238fd1a5dd9f617

Download Submit
memory/516-89-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download
memory/516-100-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download
memory/516-93-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download
memory/516-95-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download
memory/516-96-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download
memory/516-97-0x0000000000066EC9-mapping.dmp

Download
memory/1136-63-0x0000000000230000-0x000000000026D000-memory.dmp

Filesize
244KB

Download
memory/1136-66-0x0000000000230000-0x000000000026D000-memory.dmp

Filesize
244KB

Download
memory/1136-65-0x0000000000230000-0x000000000026D000-memory.dmp

Filesize
244KB

Download
memory/1136-64-0x0000000000230000-0x000000000026D000-memory.dmp

Filesize
244KB

Download
memory/1136-61-0x0000000000230000-0x000000000026D000-memory.dmp

Filesize
244KB

Download
memory/1240-71-0x00000000001B0000-0x00000000001ED000-memory.dmp

Filesize
244KB

Download
memory/1240-72-0x00000000001B0000-0x00000000001ED000-memory.dmp

Filesize
244KB

Download
memory/1240-70-0x00000000001B0000-0x00000000001ED000-memory.dmp

Filesize
244KB

Download
memory/1240-69-0x00000000001B0000-0x00000000001ED000-memory.dmp

Filesize
244KB

Download
memory/1288-75-0x0000000002AA0000-0x0000000002ADD000-memory.dmp

Filesize
244KB

Download
memory/1288-76-0x0000000002AA0000-0x0000000002ADD000-memory.dmp

Filesize
244KB

Download
memory/1288-77-0x0000000002AA0000-0x0000000002ADD000-memory.dmp

Filesize
244KB

Download
memory/1288-78-0x0000000002AA0000-0x0000000002ADD000-memory.dmp

Filesize
244KB

Download
memory/1620-101-0x0000000000400000-0x0000000000827000-memory.dmp

Filesize
4.2MB

Download
memory/1620-57-0x0000000000000000-mapping.dmp

Download
memory/1620-92-0x0000000000400000-0x0000000000827000-memory.dmp

Filesize
4.2MB

Download
memory/1992-82-0x00000000002B0000-0x00000000002ED000-memory.dmp

Filesize
244KB

Download
memory/1992-94-0x00000000002B0000-0x00000000002ED000-memory.dmp

Filesize
244KB

Download
memory/1992-54-0x0000000074E91000-0x0000000074E93000-memory.dmp

Filesize
8KB

Download
memory/1992-81-0x00000000002B0000-0x00000000002ED000-memory.dmp

Filesize
244KB

Download
memory/1992-90-0x00000000026A0000-0x0000000002AC7000-memory.dmp

Filesize
4.2MB

Download
memory/1992-84-0x00000000002B0000-0x00000000002ED000-memory.dmp

Filesize
244KB

Download
memory/1992-88-0x0000000000400000-0x0000000000827000-memory.dmp

Filesize
4.2MB

Download
memory/1992-83-0x00000000002B0000-0x00000000002ED000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads