b0069344c3217c93a7161f6972df8677d9cc245daafdb9a501eccd674fa607b0

Analysis

max time kernel
147s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0069344c3217c93a7161f6972df8677d9cc245daafdb9a501eccd674fa607b0.exe
Size

1.6MB
MD5

973ec7ff3901b151167e4ee8b5ed4b0b
SHA1

fb3f4dff88ba8219b28eb62781e000fcfb87fbdc
SHA256

b0069344c3217c93a7161f6972df8677d9cc245daafdb9a501eccd674fa607b0
SHA512

a6cd0a69748bb3e1f9d20154a795686f6562a4f718b71b521a9724854e35fdbe0ffff6c445307e09f078f0a78d01a3c54524e58c19ee431359453abae48587b7
SSDEEP

49152:o2AiKh3yS6bQFgboVxuf3nf47kRTUKazHyL:o2A44goxu47kRoKazSL

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

~GMF680.exe

pid process

1008 ~GMF680.exe

Loads dropped DLL 7 IoCs

Processes:

b0069344c3217c93a7161f6972df8677d9cc245daafdb9a501eccd674fa607b0.exe~GMF680.exe

pid	process
1752	b0069344c3217c93a7161f6972df8677d9cc245daafdb9a501eccd674fa607b0.exe
1752	b0069344c3217c93a7161f6972df8677d9cc245daafdb9a501eccd674fa607b0.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

~GMF680.exe

description	ioc	process
File opened (read-only)	\??\A:	~GMF680.exe
File opened (read-only)	\??\J:	~GMF680.exe
File opened (read-only)	\??\K:	~GMF680.exe
File opened (read-only)	\??\R:	~GMF680.exe
File opened (read-only)	\??\S:	~GMF680.exe
File opened (read-only)	\??\V:	~GMF680.exe
File opened (read-only)	\??\B:	~GMF680.exe
File opened (read-only)	\??\E:	~GMF680.exe
File opened (read-only)	\??\F:	~GMF680.exe
File opened (read-only)	\??\G:	~GMF680.exe
File opened (read-only)	\??\P:	~GMF680.exe
File opened (read-only)	\??\M:	~GMF680.exe
File opened (read-only)	\??\O:	~GMF680.exe
File opened (read-only)	\??\U:	~GMF680.exe
File opened (read-only)	\??\W:	~GMF680.exe
File opened (read-only)	\??\X:	~GMF680.exe
File opened (read-only)	\??\Y:	~GMF680.exe
File opened (read-only)	\??\Z:	~GMF680.exe
File opened (read-only)	\??\H:	~GMF680.exe
File opened (read-only)	\??\I:	~GMF680.exe
File opened (read-only)	\??\L:	~GMF680.exe
File opened (read-only)	\??\N:	~GMF680.exe
File opened (read-only)	\??\Q:	~GMF680.exe
File opened (read-only)	\??\T:	~GMF680.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

b0069344c3217c93a7161f6972df8677d9cc245daafdb9a501eccd674fa607b0.exe~GMF680.exe

description	pid	process
Token: SeDebugPrivilege	1752	b0069344c3217c93a7161f6972df8677d9cc245daafdb9a501eccd674fa607b0.exe
Token: 33	1008	~GMF680.exe
Token: SeIncBasePriorityPrivilege	1008	~GMF680.exe
Token: 33	1008	~GMF680.exe
Token: SeIncBasePriorityPrivilege	1008	~GMF680.exe
Token: 33	1008	~GMF680.exe
Token: SeIncBasePriorityPrivilege	1008	~GMF680.exe
Token: 33	1008	~GMF680.exe
Token: SeIncBasePriorityPrivilege	1008	~GMF680.exe
Token: 33	1008	~GMF680.exe
Token: SeIncBasePriorityPrivilege	1008	~GMF680.exe
Token: 33	1008	~GMF680.exe
Token: SeIncBasePriorityPrivilege	1008	~GMF680.exe
Token: 33	1008	~GMF680.exe
Token: SeIncBasePriorityPrivilege	1008	~GMF680.exe
Token: 33	1008	~GMF680.exe
Token: SeIncBasePriorityPrivilege	1008	~GMF680.exe
Token: 33	1008	~GMF680.exe
Token: SeIncBasePriorityPrivilege	1008	~GMF680.exe
Token: 33	1008	~GMF680.exe
Token: SeIncBasePriorityPrivilege	1008	~GMF680.exe
Token: 33	1008	~GMF680.exe
Token: SeIncBasePriorityPrivilege	1008	~GMF680.exe
Token: 33	1008	~GMF680.exe
Token: SeIncBasePriorityPrivilege	1008	~GMF680.exe
Token: 33	1008	~GMF680.exe
Token: SeIncBasePriorityPrivilege	1008	~GMF680.exe
Token: 33	1008	~GMF680.exe
Token: SeIncBasePriorityPrivilege	1008	~GMF680.exe
Token: 33	1008	~GMF680.exe
Token: SeIncBasePriorityPrivilege	1008	~GMF680.exe
Token: 33	1008	~GMF680.exe
Token: SeIncBasePriorityPrivilege	1008	~GMF680.exe
Token: 33	1008	~GMF680.exe
Token: SeIncBasePriorityPrivilege	1008	~GMF680.exe
Token: 33	1008	~GMF680.exe
Token: SeIncBasePriorityPrivilege	1008	~GMF680.exe
Token: 33	1008	~GMF680.exe
Token: SeIncBasePriorityPrivilege	1008	~GMF680.exe
Token: 33	1008	~GMF680.exe
Token: SeIncBasePriorityPrivilege	1008	~GMF680.exe
Token: 33	1008	~GMF680.exe
Token: SeIncBasePriorityPrivilege	1008	~GMF680.exe
Token: 33	1008	~GMF680.exe
Token: SeIncBasePriorityPrivilege	1008	~GMF680.exe
Token: 33	1008	~GMF680.exe
Token: SeIncBasePriorityPrivilege	1008	~GMF680.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

~GMF680.exe

pid process

1008 ~GMF680.exe
1008 ~GMF680.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

~GMF680.exe

pid process

1008 ~GMF680.exe
1008 ~GMF680.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

~GMF680.exe

pid	process
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe
1008	~GMF680.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b0069344c3217c93a7161f6972df8677d9cc245daafdb9a501eccd674fa607b0.exe

description	pid	process	target process
PID 1752 wrote to memory of 1008	1752	b0069344c3217c93a7161f6972df8677d9cc245daafdb9a501eccd674fa607b0.exe	~GMF680.exe
PID 1752 wrote to memory of 1008	1752	b0069344c3217c93a7161f6972df8677d9cc245daafdb9a501eccd674fa607b0.exe	~GMF680.exe
PID 1752 wrote to memory of 1008	1752	b0069344c3217c93a7161f6972df8677d9cc245daafdb9a501eccd674fa607b0.exe	~GMF680.exe
PID 1752 wrote to memory of 1008	1752	b0069344c3217c93a7161f6972df8677d9cc245daafdb9a501eccd674fa607b0.exe	~GMF680.exe

C:\Users\Admin\AppData\Local\Temp\b0069344c3217c93a7161f6972df8677d9cc245daafdb9a501eccd674fa607b0.exe
"C:\Users\Admin\AppData\Local\Temp\b0069344c3217c93a7161f6972df8677d9cc245daafdb9a501eccd674fa607b0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\~GMF680.exe
  "C:\Users\Admin\AppData\Local\Temp\~GMF680.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~GMF680.exe

Filesize
1.3MB

MD5
9810c84c4d22abf232937f92efb2ec3a

SHA1
7ad5581779d6603c4225241adf3e47018d42d9c0

SHA256
5eaec70a46fd20bb21e72aed93644859bd179ead33874d04f0692b9cc5e203d7

SHA512
f52cb5c7d1e32b9fd801fac51b0a571ec3f895588ac0ced22f6b42b161f47e4b27b4b787d7fce8b57ab2aa84a12523438760c673d8dfe964a52a8d68c033fd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\~GMF680.exe

Filesize
1.3MB

MD5
9810c84c4d22abf232937f92efb2ec3a

SHA1
7ad5581779d6603c4225241adf3e47018d42d9c0

SHA256
5eaec70a46fd20bb21e72aed93644859bd179ead33874d04f0692b9cc5e203d7

SHA512
f52cb5c7d1e32b9fd801fac51b0a571ec3f895588ac0ced22f6b42b161f47e4b27b4b787d7fce8b57ab2aa84a12523438760c673d8dfe964a52a8d68c033fd09

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\com.run

Filesize
260KB

MD5
ce2f773275d3fe8b78f4cf067d5e6a0f

SHA1
b7135e34d46eb4303147492d5cee5e1ef7b392ab

SHA256
eb8099c0ad2d82d9d80530443e2909f3b34be0844d445e844f1c994476c86d2d

SHA512
d733dc01c047be56680629a385abdd2aa1598a2b5459269028446da9097b6f6c1e7ade5b74e3ac3809dd8a3f8d1cbbe7fd669f2762be61f9c38fd4a2cca9e063

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\iext.fnr

Filesize
200KB

MD5
65b0e75944035c5c8812eabb0c269d6f

SHA1
2baf2dd9d8c1b1c8872b131ff59002e2a4b78e2f

SHA256
a4308bdc3b42ed3c93ab9aa7ed408cdb760dfc4bfacd93b2431e127478630511

SHA512
0dcce11d619a8b6955565502623ce677fcd2623f889c925c292ea68d6511df8a9a208a47f4e3066811ed74da0700a0445435c3b49df67b555c9bb7aadc46674f

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\iext2.fne

Filesize
460KB

MD5
6eb20bb6cafd6d31e871ed3abd65a59c

SHA1
ae6495ea4241bcde20e415f2940313785a4a10d2

SHA256
2b3fe250f07229eaa58d1bc0c4ac103ba69ad622c27410151ce1d6d46a174bae

SHA512
562edc1f058bc280333a6659fceb5a51b3a40bea7aca87db09b0cc1ca1966f26f2a7e4760b944e2502e20257544f85cf9c32f583f1dec06271a35dcfb8fa90f4

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\internet.fne

Filesize
192KB

MD5
a29e506f90e66520d1b04ee19076a854

SHA1
1cb3b9b2735bb8b5e6c560d5375f1f01282558a7

SHA256
01acf389debf85e7c6c1699938b424e23fa38602923aca33063af3a422068715

SHA512
f5a03b4c5d1e88a0db7501affc6cad5fbfb7c66a596c13083fcfdea771d242b6dd2da9f9ba9fb85f1aabc7223c1b81735bf0386eeb26924293efed83be3895ff

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
3fe72f93ab5f24a0ea2d753013a41c4b

SHA1
9206cd206c0b2782a2b1ad1d19ace97bae6e491e

SHA256
db32e8ea1d91009ca25b79d7e863a08be56632641a7a145326fbfbf0931b6c79

SHA512
24ce75304e6b5508d9bbf425a68b1907bc51f30c168dd3b800f34e1f7fc1aee044818848d1fde40e7556af5f16f94ea02d19344bd9ffda1a6d011a624d6f46e9

Download Submit
\Users\Admin\AppData\Local\Temp\~GMF680.exe

Filesize
1.3MB

MD5
9810c84c4d22abf232937f92efb2ec3a

SHA1
7ad5581779d6603c4225241adf3e47018d42d9c0

SHA256
5eaec70a46fd20bb21e72aed93644859bd179ead33874d04f0692b9cc5e203d7

SHA512
f52cb5c7d1e32b9fd801fac51b0a571ec3f895588ac0ced22f6b42b161f47e4b27b4b787d7fce8b57ab2aa84a12523438760c673d8dfe964a52a8d68c033fd09

Download Submit
\Users\Admin\AppData\Local\Temp\~GMF680.exe

Filesize
1.3MB

MD5
9810c84c4d22abf232937f92efb2ec3a

SHA1
7ad5581779d6603c4225241adf3e47018d42d9c0

SHA256
5eaec70a46fd20bb21e72aed93644859bd179ead33874d04f0692b9cc5e203d7

SHA512
f52cb5c7d1e32b9fd801fac51b0a571ec3f895588ac0ced22f6b42b161f47e4b27b4b787d7fce8b57ab2aa84a12523438760c673d8dfe964a52a8d68c033fd09

Download Submit
memory/1008-69-0x0000000001E00000-0x0000000001E83000-memory.dmp

Filesize
524KB

Download
memory/1008-64-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1008-66-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1008-72-0x0000000000420000-0x000000000046A000-memory.dmp

Filesize
296KB

Download
memory/1008-57-0x0000000000000000-mapping.dmp

Download
memory/1008-75-0x0000000003940000-0x000000000397F000-memory.dmp

Filesize
252KB

Download
memory/1752-54-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/1752-63-0x00000000005D0000-0x00000000005F0000-memory.dmp

Filesize
128KB

Download
memory/1752-62-0x00000000005D0000-0x00000000005F0000-memory.dmp

Filesize
128KB

Download
memory/1752-77-0x00000000005D0000-0x00000000005F0000-memory.dmp

Filesize
128KB

Download
memory/1752-78-0x00000000005D0000-0x00000000005F0000-memory.dmp

Filesize
128KB

Download