af326fe96e6fc4e362bec38c390f0ddf5d916f03c046c560b60ac9c22e285ef6

Analysis

max time kernel
143s
max time network
150s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af326fe96e6fc4e362bec38c390f0ddf5d916f03c046c560b60ac9c22e285ef6.exe
Size

475KB
MD5

74b0d68077e1b458c18c2442d9446bb4
SHA1

ce8f20daafe079bf7058b1f5d3066e2eb1408abc
SHA256

af326fe96e6fc4e362bec38c390f0ddf5d916f03c046c560b60ac9c22e285ef6
SHA512

4911f49dce1890a2688342b9a91dc0761159322f7998408afd5e709f35bac8c1ef3ae71939344d84e4fc068c5dff34a1e3ad218b92b3ba194b75c66a8bde3ec1
SSDEEP

6144:K5fYH5EeQRFT7ZoizUP7mAbol4ol10WMJ1ELVyRjjJ0luhG1o6VyZWXyJnmYg:tQR17ZoiAbol9l1pawV6jj9uofQIq

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1340	gssjucfwipgsbwk.exe

Loads dropped DLL 2 IoCs

pid	Process
1964	af326fe96e6fc4e362bec38c390f0ddf5d916f03c046c560b60ac9c22e285ef6.exe
1964	af326fe96e6fc4e362bec38c390f0ddf5d916f03c046c560b60ac9c22e285ef6.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	gssjucfwipgsbwk.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1340	gssjucfwipgsbwk.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1340	gssjucfwipgsbwk.exe
1340	gssjucfwipgsbwk.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1340	1964	af326fe96e6fc4e362bec38c390f0ddf5d916f03c046c560b60ac9c22e285ef6.exe	28
PID 1964 wrote to memory of 1340	1964	af326fe96e6fc4e362bec38c390f0ddf5d916f03c046c560b60ac9c22e285ef6.exe	28
PID 1964 wrote to memory of 1340	1964	af326fe96e6fc4e362bec38c390f0ddf5d916f03c046c560b60ac9c22e285ef6.exe	28
PID 1964 wrote to memory of 1340	1964	af326fe96e6fc4e362bec38c390f0ddf5d916f03c046c560b60ac9c22e285ef6.exe	28

C:\Users\Admin\AppData\Local\Temp\af326fe96e6fc4e362bec38c390f0ddf5d916f03c046c560b60ac9c22e285ef6.exe
"C:\Users\Admin\AppData\Local\Temp\af326fe96e6fc4e362bec38c390f0ddf5d916f03c046c560b60ac9c22e285ef6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\gssjucfwipgsbwk.exe
  "C:\Users\Admin\AppData\Local\Temp\\gssjucfwipgsbwk.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gssjucfwipgsbwk.exe

Filesize
23KB

MD5
30ba07fb0e93c863ee537e16ed1b3400

SHA1
a6e26a6c6ffe99a61f85a22ca01a6e8dd805ecba

SHA256
e48a9282667eef3dd5ddb2129e6a533dd59796b4423c20c16a50125d37c99562

SHA512
2047cd5cb1c036f9a2dbf4131c9e559109e4fa59ee240b837c88116a3c47b4a40eccc98a2fa5f5a0d411d3e72727866a0988132a6698d929b0801e1107ed8682

Download Submit
C:\Users\Admin\AppData\Local\Temp\gssjucfwipgsbwk.exe

Filesize
23KB

MD5
30ba07fb0e93c863ee537e16ed1b3400

SHA1
a6e26a6c6ffe99a61f85a22ca01a6e8dd805ecba

SHA256
e48a9282667eef3dd5ddb2129e6a533dd59796b4423c20c16a50125d37c99562

SHA512
2047cd5cb1c036f9a2dbf4131c9e559109e4fa59ee240b837c88116a3c47b4a40eccc98a2fa5f5a0d411d3e72727866a0988132a6698d929b0801e1107ed8682

Download Submit
C:\Users\Admin\AppData\Local\Temp\parent.txt

Filesize
475KB

MD5
74b0d68077e1b458c18c2442d9446bb4

SHA1
ce8f20daafe079bf7058b1f5d3066e2eb1408abc

SHA256
af326fe96e6fc4e362bec38c390f0ddf5d916f03c046c560b60ac9c22e285ef6

SHA512
4911f49dce1890a2688342b9a91dc0761159322f7998408afd5e709f35bac8c1ef3ae71939344d84e4fc068c5dff34a1e3ad218b92b3ba194b75c66a8bde3ec1

Download Submit
\Users\Admin\AppData\Local\Temp\gssjucfwipgsbwk.exe

Filesize
23KB

MD5
30ba07fb0e93c863ee537e16ed1b3400

SHA1
a6e26a6c6ffe99a61f85a22ca01a6e8dd805ecba

SHA256
e48a9282667eef3dd5ddb2129e6a533dd59796b4423c20c16a50125d37c99562

SHA512
2047cd5cb1c036f9a2dbf4131c9e559109e4fa59ee240b837c88116a3c47b4a40eccc98a2fa5f5a0d411d3e72727866a0988132a6698d929b0801e1107ed8682

Download Submit
\Users\Admin\AppData\Local\Temp\gssjucfwipgsbwk.exe

Filesize
23KB

MD5
30ba07fb0e93c863ee537e16ed1b3400

SHA1
a6e26a6c6ffe99a61f85a22ca01a6e8dd805ecba

SHA256
e48a9282667eef3dd5ddb2129e6a533dd59796b4423c20c16a50125d37c99562

SHA512
2047cd5cb1c036f9a2dbf4131c9e559109e4fa59ee240b837c88116a3c47b4a40eccc98a2fa5f5a0d411d3e72727866a0988132a6698d929b0801e1107ed8682

Download Submit
memory/1340-59-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/1340-60-0x000007FEF3180000-0x000007FEF4216000-memory.dmp

Filesize
16.6MB

Download
memory/1340-62-0x000007FEFBFE1000-0x000007FEFBFE3000-memory.dmp

Filesize
8KB

Download