Overview

overview

8

Static

static

gg.exe

windows7-x64

8

gg.exe

windows10-2004-x64

8

k.exe

windows7-x64

1

k.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    9s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    03/12/2022, 00:31

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    gg.exe

  • Size

    143KB

  • MD5

    92912013e8cec32359e838b677ccb28a

  • SHA1

    e43c931717e588f90e05884dfc20163d10249d7a

  • SHA256

    1e8d06e0c415d599e84dce8ca6bc05b6c488749e56fc03e348ea348c4883af2d

  • SHA512

    b0b89aa5dcdb5d330a8aebcb820c804ee0395713769aee355f243deabeb744a3cc3eb35b434e7b43dcc1a2d72b84b6d07cbcbf5a4d8bc5bc71545ab6ce4099c6

  • SSDEEP

    3072:GzNWMKKRZYchObK91C8sV6Xmoo4LEpYcH8p1Qui3k73GWr:GZuuObR8sVImcyYcoQuGWr

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\gg.exe
    "C:\Users\Admin\AppData\Local\Temp\gg.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\server.exe
      "C:\server.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 88
        3⤵
        • Program crash
        PID:1468

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\server.exe
          Filesize

          56KB

          MD5

          c83dc9ddcb2bd50f0dae26f883bf33c0

          SHA1

          97e8900c1c5aa8237b8944b71f5593b5656dc28c

          SHA256

          ba5677aee60129bc99e0ee8fcc1443c5c938573c757b8cb66c2f0c786c0712a2

          SHA512

          7a7687377ad447895d64de8676c9dfdaf5b55345184fbe551c07baf933f823868585ff94c36147f238741cba3544fe050e0f83cdd5ec358c894502f6f7ce7161

          Download Submit

        • memory/1976-54-0x0000000074D81000-0x0000000074D83000-memory.dmp

          Filesize

          8KB

          Download