Analysis

max time kernel: 256s
max time network: 332s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 17:19

Static task: static1
Behavioral task: behavioral1
Sample: 48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe
Resource: win7-20221111-en
General

Target: 48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe
Size: 1.1MB
MD5: d08fcb46e2993eeb3cb8bd05cf4992ec
SHA1: c7c5799dc9cd19e25c99ea964ac2a6b3906e0c26
SHA256: 48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439
SHA512: 2c2932a0516de70f58942828210fd75519ac2d374e9f18f7cb4e4aa9618610ef128f0f44501f34a38dda9355c211ef38eefa660d352c1bfc58e5ea50bb018739
SSDEEP: 24576:mjqAi9L/Qb8ogj7XYK+46TdvErsfpIlRKT+:m2Ai9LYPgjzV90fse+
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
- pid 1044 ~GMC6AA.exe

Loads dropped DLL (2 IoCs)
Processes:
- pid 368 48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe (recorded twice)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
Processes:
- Key created by ~GMC6AA.exe: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main
- Key created by ~GMC6AA.exe: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
- Set value (str) by ~GMC6AA.exe: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- pid 368 48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe: Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
- pid 1044 ~GMC6AA.exe

Suspicious use of SendNotifyMessage (1 IoC)
Processes:
- pid 1044 ~GMC6AA.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- pid 1044 ~GMC6AA.exe (recorded twice)

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
- PID 368 (48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe) wrote to memory of PID 1044 (~GMC6AA.exe), recorded four times
Processes

1. C:\Users\Admin\AppData\Local\Temp\48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe"
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\~GMC6AA.exe (child of process 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\~GMC6AA.exe"
      - Executes dropped EXE
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
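The signatures and process tree above describe one chain: a dropper in the user's Temp directory enables SeDebugPrivilege, writes ~GMC6AA.exe next to itself, starts it as a child and then calls WriteProcessMemory on that child four times. The following detection logic correlates those steps over event records; it is an added example written for this page, not output of the sandbox or code belonging to the sample. The event records, their field names and the benign decoy are constructed to mirror the report's process tree (pid 368 to pid 1044) and are not real Sysmon or ETW output.

```python
# Added example, not part of the sandbox report. The event schema below is an
# assumption chosen to mirror the report; adapt the field names to your telemetry.
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\~GMC6AA.exe"
IE_WS_KEY = r"\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch"

# Constructed events, in the order the report records the behaviours.
EVENTS = [
    {"type": "process_start", "pid": 368, "ppid": 1000, "image": SAMPLE},
    {"type": "privilege_adjust", "pid": 368, "privilege": "SeDebugPrivilege"},
    {"type": "file_create", "pid": 368, "path": DROPPED},
    {"type": "process_start", "pid": 1044, "ppid": 368, "image": DROPPED},
] + [{"type": "write_process_memory", "pid": 368, "target_pid": 1044}] * 4 + [
    {"type": "registry_set", "pid": 1044, "key": IE_WS_KEY, "value": "Version", "data": "WS not running"},
    # Constructed benign decoy: an installer in Temp drops and runs a helper but
    # never writes into the child's memory. The rule must not flag it.
    {"type": "process_start", "pid": 2000, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe"},
    {"type": "file_create", "pid": 2000, "path": r"C:\Users\Admin\AppData\Local\Temp\helper.exe"},
    {"type": "process_start", "pid": 2001, "ppid": 2000, "image": r"C:\Users\Admin\AppData\Local\Temp\helper.exe"},
]


def in_user_temp(path):
    """True for any path under a user's AppData\\Local\\Temp (case-insensitive)."""
    return "\\appdata\\local\\temp\\" in path.lower()


def detect_drop_and_inject(events):
    """Alert on a parent that runs from a user Temp directory, creates a file
    there, starts that file as its own child and then writes into the child's
    memory. Privileges the parent enabled are attached as context; a process
    that only ever touches its own child has no legitimate need for SeDebugPrivilege."""
    image = {}                     # pid -> lower-cased image path
    children = defaultdict(set)    # ppid -> child pids
    dropped = defaultdict(set)     # pid -> files it created
    writes = defaultdict(int)      # (pid, target_pid) -> WriteProcessMemory count
    privs = defaultdict(set)       # pid -> privileges adjusted
    for e in events:
        t = e["type"]
        if t == "process_start":
            image[e["pid"]] = e["image"].lower()
            children[e["ppid"]].add(e["pid"])
        elif t == "file_create":
            dropped[e["pid"]].add(e["path"].lower())
        elif t == "write_process_memory":
            writes[(e["pid"], e["target_pid"])] += 1
        elif t == "privilege_adjust":
            privs[e["pid"]].add(e["privilege"])

    alerts = []
    for pid, parent_image in image.items():
        if not in_user_temp(parent_image):
            continue
        for child in sorted(children[pid]):
            child_image = image.get(child, "")
            count = writes[(pid, child)]
            if child_image in dropped[pid] and count > 0:
                alerts.append({
                    "parent_pid": pid, "child_pid": child,
                    "dropped": child_image, "memory_writes": count,
                    "privileges": sorted(privs[pid]),
                })
    return alerts


def ie_windowssearch_writers(events):
    """Pids that set the Internet Explorer WindowsSearch\\Version value from the
    report. Kept out of the alert on purpose: benign software that hosts the IE
    browser control writes the same value, so it is context, not a verdict."""
    return sorted({e["pid"] for e in events
                   if e["type"] == "registry_set"
                   and e["key"].lower().endswith(r"\internet explorer\main\windowssearch")
                   and e["value"] == "Version"})


if __name__ == "__main__":
    for alert in detect_drop_and_inject(EVENTS):
        print(alert)
    print("IE WindowsSearch writers:", ie_windowssearch_writers(EVENTS))
```

Run as a script it prints one alert for pid 368 writing into pid 1044 and none for the decoy installer, which drops and runs a child exactly like the sample but never calls WriteProcessMemory on it. Requiring the dropped file, the parent-child link and the memory write together is what keeps ordinary installers out of the alert.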
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\~GMC6AA.exe (also recorded by the "Loads dropped DLL" signature under the drive-less path \Users\Admin\AppData\Local\Temp\~GMC6AA.exe; all occurrences carry the same digests)
Filesize: 772KB
MD5: ddaf2a6f69fb833093145e57cc3f1e31
SHA1: 8e26dca2a0681e36f4ca5de8456484ad18bf576c
SHA256: a53bee3988ece590d6f220c0e2951fd5bd7c0a4729c60a4c2093fd9cfa9f8f76
SHA512: 7c535375b26bffd240ac88fd3618f882b4ea5cb1421bbe68e0959151b446b65a11d1c8fe282cb14a3ea72747bfe4c10d956152e4ecf1cc09ce6a8dd24b5417a0
memory/368-54-0x0000000075531000-0x0000000075533000-memory.dmp
Filesize: 8KB

memory/1044-57-0x0000000000000000-mapping.dmp

memory/1044-60-0x0000000010000000-0x000000001002A000-memory.dmp
Filesize: 168KB
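To use the digests recorded above (the submitted sample under General, the dropped ~GMC6AA.exe under Downloads) against a file recovered from a host, the following helper hashes the file once with all four algorithms and reports which row it matches. It is an added example written for this page, not a tool from the sandbox vendor. The report gives file sizes only as rounded values (1.1MB, 772KB), so size is deliberately not part of the match; the probe bytes in the usage block are constructed, since the real files are not shipped with the page.

```python
# Added example, not part of the sandbox report. REPORT_IOCS is transcribed from
# the General and Downloads sections above; everything else is illustrative.
import hashlib
from pathlib import Path

ALGOS = ("md5", "sha1", "sha256", "sha512")

REPORT_IOCS = {
    "48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439.exe": {
        "md5": "d08fcb46e2993eeb3cb8bd05cf4992ec",
        "sha1": "c7c5799dc9cd19e25c99ea964ac2a6b3906e0c26",
        "sha256": "48ace9ebbfaca0488cf670d825350163e46b3f046fbc6b2be4a4388d2cc46439",
        "sha512": "2c2932a0516de70f58942828210fd75519ac2d374e9f18f7cb4e4aa9618610ef128f0f44501f34a38dda9355c211ef38eefa660d352c1bfc58e5ea50bb018739",
    },
    "~GMC6AA.exe": {
        "md5": "ddaf2a6f69fb833093145e57cc3f1e31",
        "sha1": "8e26dca2a0681e36f4ca5de8456484ad18bf576c",
        "sha256": "a53bee3988ece590d6f220c0e2951fd5bd7c0a4729c60a4c2093fd9cfa9f8f76",
        "sha512": "7c535375b26bffd240ac88fd3618f882b4ea5cb1421bbe68e0959151b446b65a11d1c8fe282cb14a3ea72747bfe4c10d956152e4ecf1cc09ce6a8dd24b5417a0",
    },
}


def digests(data):
    """All four digests of an in-memory blob, as lower-case hex."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def digests_of_file(path, chunk=1 << 20):
    """Same as digests(), but streamed so the file is read from disk only once."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def classify(observed, iocs=REPORT_IOCS):
    """Return (label, agreeing_algorithms, full_match) for the first IoC row that
    shares at least one digest with `observed`, or (None, (), False).

    A genuine match agrees on all four algorithms. Agreement on some but not all
    means the IoC row was mis-transcribed (or, far less likely, a collision), so
    a partial match is surfaced rather than silently accepted or discarded."""
    for label, expected in iocs.items():
        agree = tuple(a for a in ALGOS if expected[a].lower() == observed[a].lower())
        if agree:
            return label, agree, len(agree) == len(ALGOS)
    return None, (), False


if __name__ == "__main__":
    # Constructed stand-in for a recovered file; it does not match the report.
    probe = Path("probe.bin")
    probe.write_bytes(b"constructed probe, not the sample")
    try:
        print(classify(digests_of_file(probe)))
    finally:
        probe.unlink()
```

Point `digests_of_file` at a file pulled from a host's %TEMP% and a full match on all four digests identifies it as the dropped ~GMC6AA.exe from this run; a partial match is a signal to re-check the IoC row before acting on it.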