b904e02b91486d5278de71da034ffa8a152637a5550d4f305fead4a08f5a45ea

Analysis

max time kernel
177s
max time network
213s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gg.exe
Size

143KB
MD5

92912013e8cec32359e838b677ccb28a
SHA1

e43c931717e588f90e05884dfc20163d10249d7a
SHA256

1e8d06e0c415d599e84dce8ca6bc05b6c488749e56fc03e348ea348c4883af2d
SHA512

b0b89aa5dcdb5d330a8aebcb820c804ee0395713769aee355f243deabeb744a3cc3eb35b434e7b43dcc1a2d72b84b6d07cbcbf5a4d8bc5bc71545ab6ce4099c6
SSDEEP

3072:GzNWMKKRZYchObK91C8sV6Xmoo4LEpYcH8p1Qui3k73GWr:GZuuObR8sVImcyYcoQuGWr

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
328	server.exe
1588	server.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	gg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 328 set thread context of 1588	328	server.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1588	server.exe
1588	server.exe
1588	server.exe
1588	server.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 328	916	gg.exe	86
PID 916 wrote to memory of 328	916	gg.exe	86
PID 916 wrote to memory of 328	916	gg.exe	86
PID 328 wrote to memory of 1588	328	server.exe	89
PID 328 wrote to memory of 1588	328	server.exe	89
PID 328 wrote to memory of 1588	328	server.exe	89
PID 328 wrote to memory of 1588	328	server.exe	89
PID 328 wrote to memory of 1588	328	server.exe	89
PID 328 wrote to memory of 1588	328	server.exe	89
PID 1588 wrote to memory of 2688	1588	server.exe	54
PID 1588 wrote to memory of 2688	1588	server.exe	54
PID 1588 wrote to memory of 2688	1588	server.exe	54
PID 1588 wrote to memory of 2688	1588	server.exe	54

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2688
- C:\Users\Admin\AppData\Local\Temp\gg.exe
  "C:\Users\Admin\AppData\Local\Temp\gg.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\server.exe
    "C:\server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:328
  - - C:\server.exe
      C:\server.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 328 -ip 328
1⤵
PID:3580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\server.exe

Filesize
56KB

MD5
c83dc9ddcb2bd50f0dae26f883bf33c0

SHA1
97e8900c1c5aa8237b8944b71f5593b5656dc28c

SHA256
ba5677aee60129bc99e0ee8fcc1443c5c938573c757b8cb66c2f0c786c0712a2

SHA512
7a7687377ad447895d64de8676c9dfdaf5b55345184fbe551c07baf933f823868585ff94c36147f238741cba3544fe050e0f83cdd5ec358c894502f6f7ce7161

Download Submit
C:\server.exe

Filesize
56KB

MD5
c83dc9ddcb2bd50f0dae26f883bf33c0

SHA1
97e8900c1c5aa8237b8944b71f5593b5656dc28c

SHA256
ba5677aee60129bc99e0ee8fcc1443c5c938573c757b8cb66c2f0c786c0712a2

SHA512
7a7687377ad447895d64de8676c9dfdaf5b55345184fbe551c07baf933f823868585ff94c36147f238741cba3544fe050e0f83cdd5ec358c894502f6f7ce7161

Download Submit
C:\server.exe

Filesize
56KB

MD5
c83dc9ddcb2bd50f0dae26f883bf33c0

SHA1
97e8900c1c5aa8237b8944b71f5593b5656dc28c

SHA256
ba5677aee60129bc99e0ee8fcc1443c5c938573c757b8cb66c2f0c786c0712a2

SHA512
7a7687377ad447895d64de8676c9dfdaf5b55345184fbe551c07baf933f823868585ff94c36147f238741cba3544fe050e0f83cdd5ec358c894502f6f7ce7161

Download Submit
memory/328-132-0x0000000000000000-mapping.dmp

Download
memory/1588-135-0x0000000000000000-mapping.dmp

Download
memory/1588-136-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1588-139-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1588-141-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1588-142-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2688-140-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download