222a177ffd9a2d908e4c41f10c87123159f841550aa659c5f0e6b0d10febf32e

Analysis

max time kernel
91s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

222a177ffd9a2d908e4c41f10c87123159f841550aa659c5f0e6b0d10febf32e.exe
Size

4.2MB
MD5

133a1985c9245e363dc3f1e67f01c12e
SHA1

e63b1293244252dcc4cf45f54357c171407ded4b
SHA256

222a177ffd9a2d908e4c41f10c87123159f841550aa659c5f0e6b0d10febf32e
SHA512

b80df7e6db4850ae8b72ae4544c186bc7e42b49eff242ef2da6078a18f8c8660fa6a3a3714a357dd5f37f2b9c9bad5fa2c459d999f827de7fcdbf95ebcd14084
SSDEEP

98304:Zi1YKYTuBZMTNyi24y35v+RCBlsDxCrfetefq2BzdHoYK:fKYSITN24yJv+oBlMxC7etey2BWYK

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

~GMC3D2.exe~GMC3D2.tmp

pid process

2920 ~GMC3D2.exe
3264 ~GMC3D2.tmp

pid	process
2920	~GMC3D2.exe
3264	~GMC3D2.tmp

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

~GMC3D2.tmp

description	ioc	process
File opened (read-only)	\??\R:	~GMC3D2.tmp
File opened (read-only)	\??\V:	~GMC3D2.tmp
File opened (read-only)	\??\X:	~GMC3D2.tmp
File opened (read-only)	\??\Z:	~GMC3D2.tmp
File opened (read-only)	\??\K:	~GMC3D2.tmp
File opened (read-only)	\??\P:	~GMC3D2.tmp
File opened (read-only)	\??\Q:	~GMC3D2.tmp
File opened (read-only)	\??\S:	~GMC3D2.tmp
File opened (read-only)	\??\J:	~GMC3D2.tmp
File opened (read-only)	\??\L:	~GMC3D2.tmp
File opened (read-only)	\??\O:	~GMC3D2.tmp
File opened (read-only)	\??\T:	~GMC3D2.tmp
File opened (read-only)	\??\U:	~GMC3D2.tmp
File opened (read-only)	\??\Y:	~GMC3D2.tmp
File opened (read-only)	\??\E:	~GMC3D2.tmp
File opened (read-only)	\??\F:	~GMC3D2.tmp
File opened (read-only)	\??\I:	~GMC3D2.tmp
File opened (read-only)	\??\M:	~GMC3D2.tmp
File opened (read-only)	\??\N:	~GMC3D2.tmp
File opened (read-only)	\??\W:	~GMC3D2.tmp
File opened (read-only)	\??\G:	~GMC3D2.tmp
File opened (read-only)	\??\H:	~GMC3D2.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

222a177ffd9a2d908e4c41f10c87123159f841550aa659c5f0e6b0d10febf32e.exe

description pid process

Token: SeDebugPrivilege 4836 222a177ffd9a2d908e4c41f10c87123159f841550aa659c5f0e6b0d10febf32e.exe

description	pid	process
Token: SeDebugPrivilege	4836	222a177ffd9a2d908e4c41f10c87123159f841550aa659c5f0e6b0d10febf32e.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

222a177ffd9a2d908e4c41f10c87123159f841550aa659c5f0e6b0d10febf32e.exe~GMC3D2.exe

description	pid	process	target process
PID 4836 wrote to memory of 2920	4836	222a177ffd9a2d908e4c41f10c87123159f841550aa659c5f0e6b0d10febf32e.exe	~GMC3D2.exe
PID 4836 wrote to memory of 2920	4836	222a177ffd9a2d908e4c41f10c87123159f841550aa659c5f0e6b0d10febf32e.exe	~GMC3D2.exe
PID 4836 wrote to memory of 2920	4836	222a177ffd9a2d908e4c41f10c87123159f841550aa659c5f0e6b0d10febf32e.exe	~GMC3D2.exe
PID 2920 wrote to memory of 3264	2920	~GMC3D2.exe	~GMC3D2.tmp
PID 2920 wrote to memory of 3264	2920	~GMC3D2.exe	~GMC3D2.tmp
PID 2920 wrote to memory of 3264	2920	~GMC3D2.exe	~GMC3D2.tmp

C:\Users\Admin\AppData\Local\Temp\222a177ffd9a2d908e4c41f10c87123159f841550aa659c5f0e6b0d10febf32e.exe
"C:\Users\Admin\AppData\Local\Temp\222a177ffd9a2d908e4c41f10c87123159f841550aa659c5f0e6b0d10febf32e.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4836

C:\Users\Admin\AppData\Local\Temp\~GMC3D2.exe
"C:\Users\Admin\AppData\Local\Temp\~GMC3D2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920

C:\Users\Admin\AppData\Local\Temp\is-RNEHQ.tmp\~GMC3D2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RNEHQ.tmp\~GMC3D2.tmp" /SL5="$9004E,3751313,57344,C:\Users\Admin\AppData\Local\Temp\~GMC3D2.exe"
3⤵
- Executes dropped EXE
- Enumerates connected drives
PID:3264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-RNEHQ.tmp\~GMC3D2.tmp

Filesize
703KB

MD5
8c79eb6b5599344f83dd05c96fbdbe3d

SHA1
6bac86cdd25e0b4fd5885d0f74d2029a7c7b70bc

SHA256
89b4d61fa1ab4b2ff5b8db0f1bd4845eaf33bcf9fea91760bc36514f85f452e3

SHA512
6667703686f01b74230a5b70ca26b1b15d043551d4abb812f3df03914f97a196b1fd32d118807e56bb1c95c0f85e81bde147290429df1dea7e0bffca5b4292aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RNEHQ.tmp\~GMC3D2.tmp

Filesize
703KB

MD5
8c79eb6b5599344f83dd05c96fbdbe3d

SHA1
6bac86cdd25e0b4fd5885d0f74d2029a7c7b70bc

SHA256
89b4d61fa1ab4b2ff5b8db0f1bd4845eaf33bcf9fea91760bc36514f85f452e3

SHA512
6667703686f01b74230a5b70ca26b1b15d043551d4abb812f3df03914f97a196b1fd32d118807e56bb1c95c0f85e81bde147290429df1dea7e0bffca5b4292aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\~GMC3D2.exe

Filesize
3.9MB

MD5
1de5b2abbd68ccbae15b6fb2263544c5

SHA1
154457df6d678894cfe273a5d2576ba1673c0da5

SHA256
66c564575b31e9f9a736535a06d678711c713dbe3b53fa1d4f892c4152a5b77e

SHA512
cc649d182a30aeeb4006f41f9df4ac5ed888bde317126ac25444f7eb4c2a2b2050b6f05e4be31849f95b816fec62d002bc5a6fc1e803fa254cf622d635bc13cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~GMC3D2.exe

Filesize
3.9MB

MD5
1de5b2abbd68ccbae15b6fb2263544c5

SHA1
154457df6d678894cfe273a5d2576ba1673c0da5

SHA256
66c564575b31e9f9a736535a06d678711c713dbe3b53fa1d4f892c4152a5b77e

SHA512
cc649d182a30aeeb4006f41f9df4ac5ed888bde317126ac25444f7eb4c2a2b2050b6f05e4be31849f95b816fec62d002bc5a6fc1e803fa254cf622d635bc13cc

Download Submit
memory/2920-132-0x0000000000000000-mapping.dmp

Download
memory/2920-135-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2920-140-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3264-137-0x0000000000000000-mapping.dmp

Download