d6eced78d3f2c6d6a18f1be4a60fda51239a6d75c87100521c3887c34976bb5a

Analysis

max time kernel
193s
max time network
239s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 07:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d6eced78d3f2c6d6a18f1be4a60fda51239a6d75c87100521c3887c34976bb5a.exe
Size

13.5MB
MD5

372e7f9b13679d4e84ad3777fc94ac7a
SHA1

79e888b805816339b7583368d7a4749e1de40ac2
SHA256

d6eced78d3f2c6d6a18f1be4a60fda51239a6d75c87100521c3887c34976bb5a
SHA512

89234debdeb8a8299b510e0b0f6238656d22cd5188553215225d62b871b4ab8563a8042a6c73beb04d2edbbe2b4c7fb6bbdf7112892639176710846b38b2ea5b
SSDEEP

393216:1x4EBHsgjGpcPRGkjj5WrKz0fj5Vk4xINlXdX9hgLe:1x4EBMgKpcwkvk00fjPk4WlTuS

Score

8^/10

aspackv2 bootkit persistence

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000022e45-133.dat	aspack_v212_v242
behavioral2/files/0x0007000000022e45-134.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
3296	~GMCFD3.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	~GMCFD3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{942A8E4F-A261-1221-1221-00C04FB9603F}\06042wsyy9222236	~GMCFD3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	~GMCFD3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	~GMCFD3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{942A8E4F-A261-1221-1221-00C04FB9603F}\06042wsyy9222236\fristtime = "2022-12-10 17:49:14"	~GMCFD3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{942A8E4F-A261-1221-1221-00C04FB9603F}\06042wsyy9222236\usetime = "21"	~GMCFD3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Sheet.8\EditFlags = "65536"	~GMCFD3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\EditFlags = "65536"	~GMCFD3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\EditFlags = "65536"	~GMCFD3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile	~GMCFD3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{942A8E4F-A261-1221-1221-00C04FB9603F}	~GMCFD3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8	~GMCFD3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3112	d6eced78d3f2c6d6a18f1be4a60fda51239a6d75c87100521c3887c34976bb5a.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3296	~GMCFD3.exe
3296	~GMCFD3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3112 wrote to memory of 3296	3112	d6eced78d3f2c6d6a18f1be4a60fda51239a6d75c87100521c3887c34976bb5a.exe	84
PID 3112 wrote to memory of 3296	3112	d6eced78d3f2c6d6a18f1be4a60fda51239a6d75c87100521c3887c34976bb5a.exe	84
PID 3112 wrote to memory of 3296	3112	d6eced78d3f2c6d6a18f1be4a60fda51239a6d75c87100521c3887c34976bb5a.exe	84

C:\Users\Admin\AppData\Local\Temp\d6eced78d3f2c6d6a18f1be4a60fda51239a6d75c87100521c3887c34976bb5a.exe
"C:\Users\Admin\AppData\Local\Temp\d6eced78d3f2c6d6a18f1be4a60fda51239a6d75c87100521c3887c34976bb5a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Users\Admin\AppData\Local\Temp\~GMCFD3.exe
  "C:\Users\Admin\AppData\Local\Temp\~GMCFD3.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~GMCFD3.exe

Filesize
13.2MB

MD5
b02dc529c91a1282bc364318c88781dd

SHA1
c46620024962c20c26c842861a784a62cf05dcb7

SHA256
568b7dec929934c19b169bd8bab181bc4c4e69a110e51820a3ec22982485f1f8

SHA512
ea52bb75110953b41db6e91a70b576b71fd8250ec983c226f01485367874dcb41adce482e6bca5619fed66b8cd836be5070b0653ae1e1b0a3350ac5b1abdccb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\~GMCFD3.exe

Filesize
13.2MB

MD5
b02dc529c91a1282bc364318c88781dd

SHA1
c46620024962c20c26c842861a784a62cf05dcb7

SHA256
568b7dec929934c19b169bd8bab181bc4c4e69a110e51820a3ec22982485f1f8

SHA512
ea52bb75110953b41db6e91a70b576b71fd8250ec983c226f01485367874dcb41adce482e6bca5619fed66b8cd836be5070b0653ae1e1b0a3350ac5b1abdccb4

Download Submit