48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439

General

Target

48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe
Size

1.1MB
MD5

d08fcb46e2993eeb3cb8bd05cf4992ec
SHA1

c7c5799dc9cd19e25c99ea964ac2a6b3906e0c26
SHA256

48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439
SHA512

2c2932a0516de70f58942828210fd75519ac2d374e9f18f7cb4e4aa9618610ef128f0f44501f34a38dda9355c211ef38eefa660d352c1bfc58e5ea50bb018739
SSDEEP

24576:mjqAi9L/Qb8ogj7XYK+46TdvErsfpIlRKT+:m2Ai9LYPgjzV90fse+

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

~GMC6AA.exe

pid process

1044 ~GMC6AA.exe

pid	process
1044	~GMC6AA.exe

Loads dropped DLL 2 IoCs

Processes:

48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe

pid	process
368	48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe
368	48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

~GMC6AA.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	~GMC6AA.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	~GMC6AA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	~GMC6AA.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe

description pid process

Token: SeDebugPrivilege 368 48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

~GMC6AA.exe

pid process

1044 ~GMC6AA.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

~GMC6AA.exe

pid process

1044 ~GMC6AA.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

~GMC6AA.exe

pid process

1044 ~GMC6AA.exe
1044 ~GMC6AA.exe

description	pid	process
Token: SeDebugPrivilege	368	48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe

pid	process
1044	~GMC6AA.exe

pid	process
1044	~GMC6AA.exe

pid	process
1044	~GMC6AA.exe
1044	~GMC6AA.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe

description	pid	process	target process
PID 368 wrote to memory of 1044	368	48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe	~GMC6AA.exe
PID 368 wrote to memory of 1044	368	48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe	~GMC6AA.exe
PID 368 wrote to memory of 1044	368	48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe	~GMC6AA.exe
PID 368 wrote to memory of 1044	368	48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe	~GMC6AA.exe

C:\Users\Admin\AppData\Local\Temp\48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe
"C:\Users\Admin\AppData\Local\Temp\48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368

C:\Users\Admin\AppData\Local\Temp\~GMC6AA.exe
"C:\Users\Admin\AppData\Local\Temp\~GMC6AA.exe"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~GMC6AA.exe
Filesize
772KB

MD5
ddaf2a6f69fb833093145e57cc3f1e31

SHA1
8e26dca2a0681e36f4ca5de8456484ad18bf576c

SHA256
a53bee3988ece590d6f220c0e2951fd5bd7c0a4729c60a4c2093fd9cfa9f8f76

SHA512
7c535375b26bffd240ac88fd3618f882b4ea5cb1421bbe68e0959151b446b65a11d1c8fe282cb14a3ea72747bfe4c10d956152e4ecf1cc09ce6a8dd24b5417a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~GMC6AA.exe
Filesize
772KB

MD5
ddaf2a6f69fb833093145e57cc3f1e31

SHA1
8e26dca2a0681e36f4ca5de8456484ad18bf576c

SHA256
a53bee3988ece590d6f220c0e2951fd5bd7c0a4729c60a4c2093fd9cfa9f8f76

SHA512
7c535375b26bffd240ac88fd3618f882b4ea5cb1421bbe68e0959151b446b65a11d1c8fe282cb14a3ea72747bfe4c10d956152e4ecf1cc09ce6a8dd24b5417a0

Download Submit
\Users\Admin\AppData\Local\Temp\~GMC6AA.exe
Filesize
772KB

MD5
ddaf2a6f69fb833093145e57cc3f1e31

SHA1
8e26dca2a0681e36f4ca5de8456484ad18bf576c

SHA256
a53bee3988ece590d6f220c0e2951fd5bd7c0a4729c60a4c2093fd9cfa9f8f76

SHA512
7c535375b26bffd240ac88fd3618f882b4ea5cb1421bbe68e0959151b446b65a11d1c8fe282cb14a3ea72747bfe4c10d956152e4ecf1cc09ce6a8dd24b5417a0

Download Submit
\Users\Admin\AppData\Local\Temp\~GMC6AA.exe
Filesize
772KB

MD5
ddaf2a6f69fb833093145e57cc3f1e31

SHA1
8e26dca2a0681e36f4ca5de8456484ad18bf576c

SHA256
a53bee3988ece590d6f220c0e2951fd5bd7c0a4729c60a4c2093fd9cfa9f8f76

SHA512
7c535375b26bffd240ac88fd3618f882b4ea5cb1421bbe68e0959151b446b65a11d1c8fe282cb14a3ea72747bfe4c10d956152e4ecf1cc09ce6a8dd24b5417a0

Download Submit
memory/368-54-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/1044-57-0x0000000000000000-mapping.dmp

Download
memory/1044-60-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads