af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8

Analysis

max time kernel
104s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
22/11/2022, 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
Size

1.9MB
MD5

b4cd72174c0289ef4325b21fc2ed69bb
SHA1

338693e07c5be155eda1015f51fecd89f4daf494
SHA256

af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8
SHA512

8df9d9703acab62dbff3d3a4092462500867362eec649fafed3324f5176c3020b3fc128098295ccd9be4733d05fd45a82f8e71aa7d2b2be467c4bfb43609680e
SSDEEP

12288:SFgTOO9v19/MRYeWp9LqXnvhsnWZQzjFeM6DJOjB9sTTHyE29doniMcniz9MHKtw:npM1U9LqXnKnYQb6VOQaKiMc2Pq8V

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gefshrd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ihfslgo\\Gefshrd.exe\""	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
936	powershell.exe
784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
Token: SeDebugPrivilege	936	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 936	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	26
PID 784 wrote to memory of 936	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	26
PID 784 wrote to memory of 936	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	26
PID 784 wrote to memory of 936	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	26
PID 784 wrote to memory of 1980	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	28
PID 784 wrote to memory of 1980	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	28
PID 784 wrote to memory of 1980	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	28
PID 784 wrote to memory of 1980	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	28
PID 784 wrote to memory of 1980	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	28
PID 784 wrote to memory of 1980	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	28
PID 784 wrote to memory of 1980	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	28
PID 784 wrote to memory of 1700	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	29
PID 784 wrote to memory of 1700	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	29
PID 784 wrote to memory of 1700	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	29
PID 784 wrote to memory of 1700	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	29
PID 784 wrote to memory of 1700	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	29
PID 784 wrote to memory of 1700	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	29
PID 784 wrote to memory of 1700	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	29
PID 784 wrote to memory of 560	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	30
PID 784 wrote to memory of 560	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	30
PID 784 wrote to memory of 560	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	30
PID 784 wrote to memory of 560	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	30
PID 784 wrote to memory of 560	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	30
PID 784 wrote to memory of 560	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	30
PID 784 wrote to memory of 560	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	30
PID 784 wrote to memory of 268	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	31
PID 784 wrote to memory of 268	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	31
PID 784 wrote to memory of 268	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	31
PID 784 wrote to memory of 268	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	31
PID 784 wrote to memory of 268	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	31
PID 784 wrote to memory of 268	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	31
PID 784 wrote to memory of 268	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	31
PID 784 wrote to memory of 468	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	32
PID 784 wrote to memory of 468	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	32
PID 784 wrote to memory of 468	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	32
PID 784 wrote to memory of 468	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	32
PID 784 wrote to memory of 468	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	32
PID 784 wrote to memory of 468	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	32
PID 784 wrote to memory of 468	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	32
PID 784 wrote to memory of 1692	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	33
PID 784 wrote to memory of 1692	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	33
PID 784 wrote to memory of 1692	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	33
PID 784 wrote to memory of 1692	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	33
PID 784 wrote to memory of 1692	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	33
PID 784 wrote to memory of 1692	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	33
PID 784 wrote to memory of 1692	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	33
PID 784 wrote to memory of 1704	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	34
PID 784 wrote to memory of 1704	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	34
PID 784 wrote to memory of 1704	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	34
PID 784 wrote to memory of 1704	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	34
PID 784 wrote to memory of 1704	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	34
PID 784 wrote to memory of 1704	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	34
PID 784 wrote to memory of 1704	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	34
PID 784 wrote to memory of 1676	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	35
PID 784 wrote to memory of 1676	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	35
PID 784 wrote to memory of 1676	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	35
PID 784 wrote to memory of 1676	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	35
PID 784 wrote to memory of 1676	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	35
PID 784 wrote to memory of 1676	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	35
PID 784 wrote to memory of 1676	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	35
PID 784 wrote to memory of 1680	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	36
PID 784 wrote to memory of 1680	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	36
PID 784 wrote to memory of 1680	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	36
PID 784 wrote to memory of 1680	784	af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe	36

C:\Users\Admin\AppData\Local\Temp\af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
"C:\Users\Admin\AppData\Local\Temp\af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:936
- C:\Users\Admin\AppData\Local\Temp\af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
  C:\Users\Admin\AppData\Local\Temp\af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
  2⤵
  PID:1980
- C:\Users\Admin\AppData\Local\Temp\af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
  C:\Users\Admin\AppData\Local\Temp\af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
  2⤵
  PID:1700
- C:\Users\Admin\AppData\Local\Temp\af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
  C:\Users\Admin\AppData\Local\Temp\af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
  2⤵
  PID:560
- C:\Users\Admin\AppData\Local\Temp\af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
  C:\Users\Admin\AppData\Local\Temp\af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
  2⤵
  PID:268
- C:\Users\Admin\AppData\Local\Temp\af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
  C:\Users\Admin\AppData\Local\Temp\af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
  2⤵
  PID:468
- C:\Users\Admin\AppData\Local\Temp\af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
  C:\Users\Admin\AppData\Local\Temp\af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
  2⤵
  PID:1692
- C:\Users\Admin\AppData\Local\Temp\af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
  C:\Users\Admin\AppData\Local\Temp\af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
  2⤵
  PID:1704
- C:\Users\Admin\AppData\Local\Temp\af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
  C:\Users\Admin\AppData\Local\Temp\af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
  2⤵
  PID:1676
- C:\Users\Admin\AppData\Local\Temp\af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
  C:\Users\Admin\AppData\Local\Temp\af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
  2⤵
  PID:1680
- C:\Users\Admin\AppData\Local\Temp\af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
  C:\Users\Admin\AppData\Local\Temp\af9f6cd54f5630a9eb973c5869c4672f42ac03238531590f85a766dc0bf03ac8.exe
  2⤵
  PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-54-0x0000000000380000-0x000000000056C000-memory.dmp

Filesize
1.9MB

Download
memory/784-55-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/784-56-0x0000000005370000-0x0000000005466000-memory.dmp

Filesize
984KB

Download
memory/784-57-0x0000000004D50000-0x0000000004DE2000-memory.dmp

Filesize
584KB

Download
memory/936-60-0x000000006E490000-0x000000006EA3B000-memory.dmp

Filesize
5.7MB

Download
memory/936-61-0x000000006E490000-0x000000006EA3B000-memory.dmp

Filesize
5.7MB

Download
memory/936-62-0x000000006E490000-0x000000006EA3B000-memory.dmp

Filesize
5.7MB

Download