bc7a737daa1c86a9abe55f24c38a01b8a6615015c59ed8f4201b1fa0d151147e

General

Target

bc7a737daa1c86a9abe55f24c38a01b8a6615015c59ed8f4201b1fa0d151147e.exe
Size

255KB
MD5

f5e2fa0dffc3a1243a722ead483bcd62
SHA1

72fa77ff03d8ceb6eb1f576214cbd4ca88064d62
SHA256

bc7a737daa1c86a9abe55f24c38a01b8a6615015c59ed8f4201b1fa0d151147e
SHA512

a1025f7707e272fa60c4d0374cd56fa68c27e675b17a0b0d1ce0b02a8dee79ea7de38dac6af5a3381cf57a1ba048a876734bba535f39b51a2a7968b5b53db5dc
SSDEEP

6144:WoNd7FGge1j67zCBPx2gkCc7fskdSq39Rj:W+7nMqCXFLuf/Sm

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1128	gdnnoyfx.exe

Loads dropped DLL 2 IoCs

pid	Process
1184	bc7a737daa1c86a9abe55f24c38a01b8a6615015c59ed8f4201b1fa0d151147e.exe
1184	bc7a737daa1c86a9abe55f24c38a01b8a6615015c59ed8f4201b1fa0d151147e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\84639553 = "C:\\ProgramData\\gdnnoyfx.exe"	gdnnoyfx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	gdnnoyfx.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	bc7a737daa1c86a9abe55f24c38a01b8a6615015c59ed8f4201b1fa0d151147e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	bc7a737daa1c86a9abe55f24c38a01b8a6615015c59ed8f4201b1fa0d151147e.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	gdnnoyfx.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1184	bc7a737daa1c86a9abe55f24c38a01b8a6615015c59ed8f4201b1fa0d151147e.exe
Token: SeDebugPrivilege	1128	gdnnoyfx.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1128	1184	bc7a737daa1c86a9abe55f24c38a01b8a6615015c59ed8f4201b1fa0d151147e.exe	26
PID 1184 wrote to memory of 1128	1184	bc7a737daa1c86a9abe55f24c38a01b8a6615015c59ed8f4201b1fa0d151147e.exe	26
PID 1184 wrote to memory of 1128	1184	bc7a737daa1c86a9abe55f24c38a01b8a6615015c59ed8f4201b1fa0d151147e.exe	26
PID 1184 wrote to memory of 1128	1184	bc7a737daa1c86a9abe55f24c38a01b8a6615015c59ed8f4201b1fa0d151147e.exe	26

C:\Users\Admin\AppData\Local\Temp\bc7a737daa1c86a9abe55f24c38a01b8a6615015c59ed8f4201b1fa0d151147e.exe
"C:\Users\Admin\AppData\Local\Temp\bc7a737daa1c86a9abe55f24c38a01b8a6615015c59ed8f4201b1fa0d151147e.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184
- C:\ProgramData\gdnnoyfx.exe
  "C:\ProgramData\gdnnoyfx.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\gdnnoyfx.exe

Filesize
255KB

MD5
f5e2fa0dffc3a1243a722ead483bcd62

SHA1
72fa77ff03d8ceb6eb1f576214cbd4ca88064d62

SHA256
bc7a737daa1c86a9abe55f24c38a01b8a6615015c59ed8f4201b1fa0d151147e

SHA512
a1025f7707e272fa60c4d0374cd56fa68c27e675b17a0b0d1ce0b02a8dee79ea7de38dac6af5a3381cf57a1ba048a876734bba535f39b51a2a7968b5b53db5dc

Download Submit
C:\ProgramData\gdnnoyfx.exe

Filesize
255KB

MD5
f5e2fa0dffc3a1243a722ead483bcd62

SHA1
72fa77ff03d8ceb6eb1f576214cbd4ca88064d62

SHA256
bc7a737daa1c86a9abe55f24c38a01b8a6615015c59ed8f4201b1fa0d151147e

SHA512
a1025f7707e272fa60c4d0374cd56fa68c27e675b17a0b0d1ce0b02a8dee79ea7de38dac6af5a3381cf57a1ba048a876734bba535f39b51a2a7968b5b53db5dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\systeminterval.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
\ProgramData\gdnnoyfx.exe

Filesize
255KB

MD5
f5e2fa0dffc3a1243a722ead483bcd62

SHA1
72fa77ff03d8ceb6eb1f576214cbd4ca88064d62

SHA256
bc7a737daa1c86a9abe55f24c38a01b8a6615015c59ed8f4201b1fa0d151147e

SHA512
a1025f7707e272fa60c4d0374cd56fa68c27e675b17a0b0d1ce0b02a8dee79ea7de38dac6af5a3381cf57a1ba048a876734bba535f39b51a2a7968b5b53db5dc

Download Submit
\ProgramData\gdnnoyfx.exe

Filesize
255KB

MD5
f5e2fa0dffc3a1243a722ead483bcd62

SHA1
72fa77ff03d8ceb6eb1f576214cbd4ca88064d62

SHA256
bc7a737daa1c86a9abe55f24c38a01b8a6615015c59ed8f4201b1fa0d151147e

SHA512
a1025f7707e272fa60c4d0374cd56fa68c27e675b17a0b0d1ce0b02a8dee79ea7de38dac6af5a3381cf57a1ba048a876734bba535f39b51a2a7968b5b53db5dc

Download Submit
memory/1128-63-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/1128-65-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/1184-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1184-55-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/1184-62-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing