Analysis
- max time kernel: 136s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 21:13
Static task: static1
Behavioral task: behavioral1
- Sample: gpa_cal.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: gpa_cal.exe
- Resource: win10v2004-20220812-en
(The behavioural results below are from behavioral1, the Windows 7 x64 run named in the platform and resource fields above.)
General
- Target: gpa_cal.exe
- Size: 43KB
- MD5: 4e05534f1b1a17eea6e372ef1abd735e
- SHA1: 5a93caa8a184b56afd6d7569b1b049d908ea7c17
- SHA256: 976f0eab8e1394dcecd01ab989d26ccf9fc383c1c91acc0a7530348d5c5b759a
- SHA512: 262b6e6d2fd58302fcbc54ae51ef3d78d118cd74ab4bd783c5af063df04a672160fe0e5d8e274fe0a4e9a17aa0c4fd301203e1303c2c0ae51aa25e2ffcd37824
- SSDEEP: 768:XAyNMrbxn9kXhFVzrzkOUIAewWxk8VhTqDgCqo:QymgFxkExTVhoq
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: Avastlt.exe (PID 1684)
- Modifies Windows Firewall (1 TTP, 1 IoC)
  See the netsh.exe command line (PID 332) in the process tree below: the dropped Avastlt.exe adds itself as an allowed program.
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2f2b25bdc1662b44aed8777af0c3c8f7.exe (by Avastlt.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2f2b25bdc1662b44aed8777af0c3c8f7.exe (by Avastlt.exe)
- Loads dropped DLL (1 IoC)
  Process: gpa_cal.exe (PID 1492)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\2f2b25bdc1662b44aed8777af0c3c8f7 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Avastlt.exe\" .." (by Avastlt.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2f2b25bdc1662b44aed8777af0c3c8f7 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Avastlt.exe\" .." (by Avastlt.exe)
  Both the per-user (HKU\<SID>) and the machine-wide (HKLM, 32-bit Wow6432Node view) Run keys are written. The value name is the same 32-hex-character string used for the Startup-folder copy, and the data points at the dropped copy in %APPDATA% followed by a trailing " .." argument, so a hunt should match on the path and argument pattern, not only on the name.
- Enumerates physical storage devices (1 TTP)
  Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour." That is the signature's generic text. This report records no file encryption or ransom-note activity; the remaining signatures (Run-key and Startup-folder persistence, a firewall exception for the dropped binary, SeDebugPrivilege, process enumeration) are those of a persistent backdoor, not ransomware.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: Avastlt.exe (PID 1684), two events
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege enabled by Avastlt.exe (PID 1684)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1492 (gpa_cal.exe) wrote to memory of PID 1684 (Avastlt.exe): 4 events
  PID 1684 (Avastlt.exe) wrote to memory of PID 332 (netsh.exe): 4 events
  Each writer/target pair is a parent/child pair in the process tree below.
Processes
- C:\Users\Admin\AppData\Local\Temp\gpa_cal.exe (PID 1492, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\gpa_cal.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Avastlt.exe (PID 1684, depth 2, child of 1492)
    Command line: "C:\Users\Admin\AppData\Roaming\Avastlt.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 332, depth 3, child of 1684)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Avastlt.exe" "Avastlt.exe" ENABLE
      - Modifies Windows Firewall

Chain: the submitted sample in %TEMP% launches a copy of itself from %APPDATA% as Avastlt.exe (the Downloads section shows the dropped files carry the sample's own hashes), and that copy uses the legacy "netsh firewall" context (rather than "netsh advfirewall") to add itself as an allowed program. netsh runs from SysWOW64 and the machine Run key lands under Wow6432Node, consistent with the arch:x86 tag: the sample is a 32-bit binary on the x64 image.
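The behaviours above (a binary in %TEMP% spawning a copy in %APPDATA%, a Startup-folder drop, Run-key persistence pointing into a user-writable directory, and a netsh firewall exception for that same path) are easy to express as host-telemetry rules. The following is an added example, not sandbox output or code from the sample: it runs four such rules over constructed Sysmon-style event records (Event ID 1 process create, 11 file create, 13 registry value set) whose paths, PIDs and command lines mirror this report. The event dictionary layout, the parent PID 900 for gpa_cal.exe, and the benign "netsh advfirewall" control event with a Program Files path are assumptions made for the example.

```python
"""Detection rules for the persistence and firewall behaviours in this report.
Added example, not sandbox output: events below are constructed Sysmon-style
records (Event ID 1 = process create, 11 = file create, 13 = registry set)
whose paths and PIDs mirror the report. The benign netsh advfirewall event
with a Program Files path is a constructed control that must not fire."""
import re
from dataclasses import dataclass

EVENTS = [  # constructed, modelled on the report's process tree and IoCs
    {"id": 1, "pid": 1492, "ppid": 900,  # parent PID 900 is an assumption
     "image": r"C:\Users\Admin\AppData\Local\Temp\gpa_cal.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\gpa_cal.exe"'},
    {"id": 1, "pid": 1684, "ppid": 1492,
     "image": r"C:\Users\Admin\AppData\Roaming\Avastlt.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Avastlt.exe"'},
    {"id": 11, "pid": 1684, "image": r"C:\Users\Admin\AppData\Roaming\Avastlt.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
               r"\Programs\Startup\2f2b25bdc1662b44aed8777af0c3c8f7.exe"},
    {"id": 13, "pid": 1684, "image": r"C:\Users\Admin\AppData\Roaming\Avastlt.exe",
     "key": r"HKU\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft"
            r"\Windows\CurrentVersion\Run\2f2b25bdc1662b44aed8777af0c3c8f7",
     "data": r'"C:\Users\Admin\AppData\Roaming\Avastlt.exe" ..'},
    {"id": 1, "pid": 332, "ppid": 1684, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram '
                r'"C:\Users\Admin\AppData\Roaming\Avastlt.exe" "Avastlt.exe" ENABLE'},
    {"id": 1, "pid": 2000, "ppid": 1900, "image": r"C:\Windows\System32\netsh.exe",  # control
     "cmdline": r'netsh advfirewall firewall add rule name="App" dir=in action=allow '
                r'program="C:\Program Files\App\app.exe"'},
]

# Directories an unprivileged user can write to. A binary living here that
# persists or punches a firewall hole is far more suspicious than one under
# Program Files or System32.
USER_WRITABLE = re.compile(r"\\(?:AppData|Users\\Public|Temp|ProgramData)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\\", re.I)
# A path argument: a quoted string (group 1) or a single bare token (group 2).
PATH_ARG = r'(?:"([^"]+)"|(\S+))'
# Legacy context, as used by this sample: netsh firewall add allowedprogram [program=]<path> ...
FW_LEGACY = re.compile(r"\bfirewall\s+(?:add|set)\s+allowedprogram\s+(?:program=)?" + PATH_ARG, re.I)
# Modern context: netsh advfirewall firewall add rule ... program=<path>
FW_ADV = re.compile(r"\badvfirewall\s+firewall\s+(?:add|set)\s+rule\b.*?\bprogram=" + PATH_ARG, re.I)


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def first_path(value: str) -> str:
    """Executable path at the start of a command line or Run-key value: the quoted
    token if it starts with a quote, else the first bare token. Trailing arguments
    such as the ' ..' in this sample's Run value are dropped."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(None, 1)[0]


def firewall_program(cmdline: str):
    """Path whitelisted by a netsh firewall rule-add, or None if the line is not one."""
    m = FW_LEGACY.search(cmdline) or FW_ADV.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def detect(events):
    images = {e["pid"]: e["image"] for e in events if e["id"] == 1}
    findings = []
    for e in events:
        if e["id"] == 1:
            parent = images.get(e["ppid"])
            # Dropper pattern: a user-writable binary spawning another user-writable binary.
            if parent and is_user_writable(parent) and is_user_writable(e["image"]):
                findings.append(Finding("user_writable_parent_child", e["pid"],
                                        f"{parent} -> {e['image']}"))
            prog = firewall_program(e["cmdline"])
            if prog and is_user_writable(prog):
                findings.append(Finding("firewall_exception_user_writable", e["pid"], prog))
        elif e["id"] == 11 and STARTUP_DIR.search(e["target"]) and is_user_writable(e["image"]):
            findings.append(Finding("startup_drop", e["pid"], e["target"]))
        elif e["id"] == 13 and RUN_KEY.search(e["key"]):
            path = first_path(e["data"])
            if is_user_writable(path):
                findings.append(Finding("run_key_user_writable", e["pid"], f"{e['key']} = {path}"))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Run stand-alone it reports four findings, one per rule, all against PIDs 1684 and 332, and stays silent on the Program Files control. The rules key on the user-writable location of the binary rather than on the name Avastlt.exe or the 32-hex value name, since both are trivially changed between builds; matching the "netsh firewall" legacy context as well as "netsh advfirewall" matters because the legacy syntax still works on the Windows 7 image used here.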
Network
MITRE ATT&CK Enterprise v6
Downloads
- Three downloadable artifacts, all with identical hashes to the submitted sample (the dropped files are byte-for-byte copies of gpa_cal.exe):
  Filesize: 43KB
  MD5: 4e05534f1b1a17eea6e372ef1abd735e
  SHA1: 5a93caa8a184b56afd6d7569b1b049d908ea7c17
  SHA256: 976f0eab8e1394dcecd01ab989d26ccf9fc383c1c91acc0a7530348d5c5b759a
  SHA512: 262b6e6d2fd58302fcbc54ae51ef3d78d118cd74ab4bd783c5af063df04a672160fe0e5d8e274fe0a4e9a17aa0c4fd301203e1303c2c0ae51aa25e2ffcd37824