Analysis

  • max time kernel
    152s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/10/2022, 20:06

General

  • Target

    593239d8f2e5e4915868caefd8479e87fd2d12a624aaffb816dc502baa0b772e.exe

  • Size

    256KB

  • MD5

    920381bd0eb7ae3ec91c37c95713a008

  • SHA1

    75eadb20c4ed4d9a5b7de85fd895b8e84975d2c8

  • SHA256

    593239d8f2e5e4915868caefd8479e87fd2d12a624aaffb816dc502baa0b772e

  • SHA512

    38d3f39be30762ff89b60997671509676bcd7e486c697cd5985270a3f46a2e99b8f249a6ef1dac75f9473913a7d6dcf55eba2ae0a423cd469c7b85aaf2bbedda

  • SSDEEP

    3072:k3ZVoe+Plp/nskpCUv5T79fzCC/M7BFsqMabeYiUDoZG/33ygot:yf2PlptNvl9fm0UBFsqMabeYiUDogvFg

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 55 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\593239d8f2e5e4915868caefd8479e87fd2d12a624aaffb816dc502baa0b772e.exe
    "C:\Users\Admin\AppData\Local\Temp\593239d8f2e5e4915868caefd8479e87fd2d12a624aaffb816dc502baa0b772e.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3108
    • C:\Users\Admin\gaibio.exe
      "C:\Users\Admin\gaibio.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3064

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\gaibio.exe

    Filesize

    256KB

    MD5

    dde2871111354794c5f2fec74cfb1268

    SHA1

    e23655a147dc367b23d43ff83a83911ae2726d6c

    SHA256

    aa1eb68d4c879a9ad112009bfaf483a614a06cd17f3727d33865901d7ad64a86

    SHA512

    9ce3c9b962835290be72317ef589324402aee8bc5a77ba28756af87038cfa4436d5ae5927ce9e8c3e3b111478ee1b61499deda9912e0797a1decf7d47aa04ddb
