ffd69434348e7891d93c45996102a88a7831567ff89613a19e7a5327739b301f

Analysis

max time kernel
80s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2022, 11:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ffd69434348e7891d93c45996102a88a7831567ff89613a19e7a5327739b301f.exe
Size

1.3MB
MD5

9726b9488337ec1d6f204fe05a22f343
SHA1

46b07beed909e1bf83452996a5bdb56c0d126aa3
SHA256

ffd69434348e7891d93c45996102a88a7831567ff89613a19e7a5327739b301f
SHA512

09be96933ceb87e9be5d0f436c9f0e81f7489e81cea99d1f656a24d39b17a7f7a5a989ddc86a1694d466382b9e22b5e892b41e1cd115cf87bd43ec9c1551ef55
SSDEEP

24576:nODjvzy+idefY9ZC5w4P8iJeQzjYaHH83pAGawLozvyM/Ki1/1RKd5Z4eM9:GF8ZCRDJ9jYg83p8oov/tZ6doeM9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2260	ATM_GRG_SP_UPDATE_4.3.13.04.0781-QuickPatch.exe
4668	ConfigUpdate.exe
368	grg_xfs_sp4.0_with_sp11-b4_hotfix7-b81-quickpatch.exe
2508	grg_xfs_sp4.0_with_sp11-b4_hotfix7-b81-quickpatch.tmp

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ffd69434348e7891d93c45996102a88a7831567ff89613a19e7a5327739b301f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ATM_GRG_SP_UPDATE_4.3.13.04.0781-QuickPatch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2108	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4668	ConfigUpdate.exe
4668	ConfigUpdate.exe
368	grg_xfs_sp4.0_with_sp11-b4_hotfix7-b81-quickpatch.exe
2508	grg_xfs_sp4.0_with_sp11-b4_hotfix7-b81-quickpatch.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 5020	2940	ffd69434348e7891d93c45996102a88a7831567ff89613a19e7a5327739b301f.exe	82
PID 2940 wrote to memory of 5020	2940	ffd69434348e7891d93c45996102a88a7831567ff89613a19e7a5327739b301f.exe	82
PID 2940 wrote to memory of 5020	2940	ffd69434348e7891d93c45996102a88a7831567ff89613a19e7a5327739b301f.exe	82
PID 5020 wrote to memory of 2108	5020	cmd.exe	85
PID 5020 wrote to memory of 2108	5020	cmd.exe	85
PID 5020 wrote to memory of 2108	5020	cmd.exe	85
PID 5020 wrote to memory of 2260	5020	cmd.exe	86
PID 5020 wrote to memory of 2260	5020	cmd.exe	86
PID 5020 wrote to memory of 2260	5020	cmd.exe	86
PID 2260 wrote to memory of 4668	2260	ATM_GRG_SP_UPDATE_4.3.13.04.0781-QuickPatch.exe	87
PID 2260 wrote to memory of 4668	2260	ATM_GRG_SP_UPDATE_4.3.13.04.0781-QuickPatch.exe	87
PID 2260 wrote to memory of 4668	2260	ATM_GRG_SP_UPDATE_4.3.13.04.0781-QuickPatch.exe	87
PID 4668 wrote to memory of 368	4668	ConfigUpdate.exe	88
PID 4668 wrote to memory of 368	4668	ConfigUpdate.exe	88
PID 4668 wrote to memory of 368	4668	ConfigUpdate.exe	88
PID 368 wrote to memory of 2508	368	grg_xfs_sp4.0_with_sp11-b4_hotfix7-b81-quickpatch.exe	91
PID 368 wrote to memory of 2508	368	grg_xfs_sp4.0_with_sp11-b4_hotfix7-b81-quickpatch.exe	91
PID 368 wrote to memory of 2508	368	grg_xfs_sp4.0_with_sp11-b4_hotfix7-b81-quickpatch.exe	91

C:\Users\Admin\AppData\Local\Temp\ffd69434348e7891d93c45996102a88a7831567ff89613a19e7a5327739b301f.exe
"C:\Users\Admin\AppData\Local\Temp\ffd69434348e7891d93c45996102a88a7831567ff89613a19e7a5327739b301f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\GrgBanking\SPUpdate\Install.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im Grg* /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- - C:\GrgBanking\SPUpdate\ATM_GRG_SP_UPDATE_4.3.13.04.0781-QuickPatch.exe
    "C:\GrgBanking\SPUpdate\ATM_GRG_SP_UPDATE_4.3.13.04.0781-QuickPatch.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ATM_GRG_SP_UPDATE_4.3.13.04.0781-QuickPatch\ConfigUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ATM_GRG_SP_UPDATE_4.3.13.04.0781-QuickPatch\ConfigUpdate.exe" "grg_xfs_sp4.0_with_sp11-b4_hotfix7-b81-quickpatch.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4668
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ATM_GRG_SP_UPDATE_4.3.13.04.0781-QuickPatch\grg_xfs_sp4.0_with_sp11-b4_hotfix7-b81-quickpatch.exe
        
        "grg_xfs_sp4.0_with_sp11-b4_hotfix7-b81-quickpatch.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:368
      - C:\Users\Admin\AppData\Local\Temp\is-JJR58.tmp\grg_xfs_sp4.0_with_sp11-b4_hotfix7-b81-quickpatch.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JJR58.tmp\grg_xfs_sp4.0_with_sp11-b4_hotfix7-b81-quickpatch.tmp" /SL5="$201F8,849000,53248,C:\Users\Admin\AppData\Local\Temp\RarSFX0\ATM_GRG_SP_UPDATE_4.3.13.04.0781-QuickPatch\grg_xfs_sp4.0_with_sp11-b4_hotfix7-b81-quickpatch.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GrgBanking\SPUpdate\ATM_GRG_SP_UPDATE_4.3.13.04.0781-QuickPatch.exe

Filesize
1.2MB

MD5
762d1cebd470e7afdf556a6a6c99e14c

SHA1
8e983e49c940e6c4af2eb32107b64b67a4a70dab

SHA256
bda6c390d82689c2120499b1e65071447b804f4630847443fbcdff1c808ad935

SHA512
9b036d155625b9094e167e0a195e202147c4dabc7f4a9231cf4c477db11691756e238a50b595a9c73e46ca097523863eb09b4e8e5d00fff7d19b8be6456863db

Download Submit
C:\GrgBanking\SPUpdate\ATM_GRG_SP_UPDATE_4.3.13.04.0781-QuickPatch.exe

Filesize
1.2MB

MD5
762d1cebd470e7afdf556a6a6c99e14c

SHA1
8e983e49c940e6c4af2eb32107b64b67a4a70dab

SHA256
bda6c390d82689c2120499b1e65071447b804f4630847443fbcdff1c808ad935

SHA512
9b036d155625b9094e167e0a195e202147c4dabc7f4a9231cf4c477db11691756e238a50b595a9c73e46ca097523863eb09b4e8e5d00fff7d19b8be6456863db

Download Submit
C:\GrgBanking\SPUpdate\Install.bat

Filesize
549B

MD5
06de5c4b7c517fe55816596d1a51b403

SHA1
d4fd229635299c62e11f0c81a5115a3dd7a3898e

SHA256
ba9d1c4ae03c0a574fbc43eb2c991ff0551301f2ecb6fb75a38479dea1782670

SHA512
484f26e9e124761ca03af32704a9b29f5f271e35246ca687f45399093caf97d470042fa58ea60f9c9155b581e887278b6dfd562a037137e2e26088aeffbc55ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ATM_GRG_SP_UPDATE_4.3.13.04.0781-QuickPatch\ConfigUpdate.exe

Filesize
60KB

MD5
894c09cd2159621630d6dffe50c9b334

SHA1
5b29b053b32ec3f549eb66ed96c643b5a26a136a

SHA256
b04b2cd8b898d812d0fcf75b9c53736329a0826efd412220cac029a8ab6596e5

SHA512
1f7cc60ba4b8220b48474beb989eb5b9091a1b1c6cc49bfb0db40e36161a54ddb6171ccf557db28b58355ea16e8abaad070caea3014c95cdff5dc07f1bc563d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ATM_GRG_SP_UPDATE_4.3.13.04.0781-QuickPatch\ConfigUpdate.exe

Filesize
60KB

MD5
894c09cd2159621630d6dffe50c9b334

SHA1
5b29b053b32ec3f549eb66ed96c643b5a26a136a

SHA256
b04b2cd8b898d812d0fcf75b9c53736329a0826efd412220cac029a8ab6596e5

SHA512
1f7cc60ba4b8220b48474beb989eb5b9091a1b1c6cc49bfb0db40e36161a54ddb6171ccf557db28b58355ea16e8abaad070caea3014c95cdff5dc07f1bc563d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ATM_GRG_SP_UPDATE_4.3.13.04.0781-QuickPatch\GRG_XFS_SP4.0_WITH_SP11-b4_HotFix7-b81-QuickPatch.exe

Filesize
1.0MB

MD5
c51b4840a435bdfac9419f745f8ace6b

SHA1
e174e48e9495e7458366c96b26ba070d3001895b

SHA256
5110ad67f79c81cf77236fe13429ef82d00a76d747b702b3e01a4172c52b0b56

SHA512
5d537f5a830ffc675f0d59b7a6506967a36f7face8553fe7271f8d1dba305b187c8e30cdfd5a14e2ddfec3557426361da3f54e5e489fd0f7cd6de0e64c36d669

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ATM_GRG_SP_UPDATE_4.3.13.04.0781-QuickPatch\GrgConfigUpdate.ini

Filesize
1KB

MD5
92d070b108f53edb690f4a72f763820f

SHA1
b11824746bb4f90ae3c406ffa4cc67896f19a455

SHA256
8ef15a61f817bb4f0a226503486a16642a1551139a48e9a27a495263de37f804

SHA512
db6d9dc55cd990193806d47324efffd525103ee3d85e491e742813b5a188d7d2a56f0afd684456f92d2b02ef8227e36cda27382fd40ffd02d0e0508726811893

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ATM_GRG_SP_UPDATE_4.3.13.04.0781-QuickPatch\grg_xfs_sp4.0_with_sp11-b4_hotfix7-b81-quickpatch.exe

Filesize
1.0MB

MD5
c51b4840a435bdfac9419f745f8ace6b

SHA1
e174e48e9495e7458366c96b26ba070d3001895b

SHA256
5110ad67f79c81cf77236fe13429ef82d00a76d747b702b3e01a4172c52b0b56

SHA512
5d537f5a830ffc675f0d59b7a6506967a36f7face8553fe7271f8d1dba305b187c8e30cdfd5a14e2ddfec3557426361da3f54e5e489fd0f7cd6de0e64c36d669

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JJR58.tmp\grg_xfs_sp4.0_with_sp11-b4_hotfix7-b81-quickpatch.tmp

Filesize
665KB

MD5
9e30ab5e3f6b43f69f928e6b4fcfd604

SHA1
b110f04114c52f2439715cbad3769250dbcdb1b3

SHA256
affbe7f0320f9602d8c51468ecb7bc7960df4f62ab1a36c05ac2fe2816d175ba

SHA512
8d751d8c8023bbd54ea2ea0969ad9f379d8bf1066980fdd58007e778bdf654e4e13264ac8917be91ac8583ea9ae5536ca600530f413cbd887c234ec60be5a45d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JJR58.tmp\grg_xfs_sp4.0_with_sp11-b4_hotfix7-b81-quickpatch.tmp

Filesize
665KB

MD5
9e30ab5e3f6b43f69f928e6b4fcfd604

SHA1
b110f04114c52f2439715cbad3769250dbcdb1b3

SHA256
affbe7f0320f9602d8c51468ecb7bc7960df4f62ab1a36c05ac2fe2816d175ba

SHA512
8d751d8c8023bbd54ea2ea0969ad9f379d8bf1066980fdd58007e778bdf654e4e13264ac8917be91ac8583ea9ae5536ca600530f413cbd887c234ec60be5a45d

Download Submit
memory/368-147-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/368-145-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/368-151-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download