501414090479e831061424dc9007a883a34b33ef061b72873eeb0ecb5ad98fb6

Analysis

max time kernel
16s
max time network
18s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
12-01-2023 18:45

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

501414090479e831061424dc9007a883a34b33ef061b72873eeb0ecb5ad98fb6.exe
Size

1.6MB
MD5

2f88d0256be177753120d1a77baa250f
SHA1

d59c715a82d91176468ad2f7afaa3b08e36b9c65
SHA256

501414090479e831061424dc9007a883a34b33ef061b72873eeb0ecb5ad98fb6
SHA512

6ec23623d8ad6c7482b2c964a51133dfc0797cb7b40cae746ec132a5eca7f265b179284c0f437b3c1f112ae4a39b97911bd317f9e90efd93dc5f0c83b98578e0
SSDEEP

49152:nn8N3id0j9K3QoxV4OPWZZEKSykSzngmpoe0ls999COU8wq:nL29K3QoxV430KS08mWc9vUTq

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 7 IoCs

evasion

pid	Process
2000	taskkill.exe
1948	taskkill.exe
1784	taskkill.exe
1512	taskkill.exe
1624	taskkill.exe
860	taskkill.exe
760	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1812	reg.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	860	taskkill.exe
Token: SeDebugPrivilege	760	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	1784	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeShutdownPrivilege	1876	shutdown.exe
Token: SeRemoteShutdownPrivilege	1876	shutdown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 896	1476	501414090479e831061424dc9007a883a34b33ef061b72873eeb0ecb5ad98fb6.exe	28
PID 1476 wrote to memory of 896	1476	501414090479e831061424dc9007a883a34b33ef061b72873eeb0ecb5ad98fb6.exe	28
PID 1476 wrote to memory of 896	1476	501414090479e831061424dc9007a883a34b33ef061b72873eeb0ecb5ad98fb6.exe	28
PID 1476 wrote to memory of 896	1476	501414090479e831061424dc9007a883a34b33ef061b72873eeb0ecb5ad98fb6.exe	28
PID 1476 wrote to memory of 896	1476	501414090479e831061424dc9007a883a34b33ef061b72873eeb0ecb5ad98fb6.exe	28
PID 1476 wrote to memory of 896	1476	501414090479e831061424dc9007a883a34b33ef061b72873eeb0ecb5ad98fb6.exe	28
PID 1476 wrote to memory of 896	1476	501414090479e831061424dc9007a883a34b33ef061b72873eeb0ecb5ad98fb6.exe	28
PID 896 wrote to memory of 1624	896	cmd.exe	30
PID 896 wrote to memory of 1624	896	cmd.exe	30
PID 896 wrote to memory of 1624	896	cmd.exe	30
PID 896 wrote to memory of 1624	896	cmd.exe	30
PID 896 wrote to memory of 1624	896	cmd.exe	30
PID 896 wrote to memory of 1624	896	cmd.exe	30
PID 896 wrote to memory of 1624	896	cmd.exe	30
PID 896 wrote to memory of 860	896	cmd.exe	32
PID 896 wrote to memory of 860	896	cmd.exe	32
PID 896 wrote to memory of 860	896	cmd.exe	32
PID 896 wrote to memory of 860	896	cmd.exe	32
PID 896 wrote to memory of 860	896	cmd.exe	32
PID 896 wrote to memory of 860	896	cmd.exe	32
PID 896 wrote to memory of 860	896	cmd.exe	32
PID 896 wrote to memory of 760	896	cmd.exe	33
PID 896 wrote to memory of 760	896	cmd.exe	33
PID 896 wrote to memory of 760	896	cmd.exe	33
PID 896 wrote to memory of 760	896	cmd.exe	33
PID 896 wrote to memory of 760	896	cmd.exe	33
PID 896 wrote to memory of 760	896	cmd.exe	33
PID 896 wrote to memory of 760	896	cmd.exe	33
PID 896 wrote to memory of 2000	896	cmd.exe	34
PID 896 wrote to memory of 2000	896	cmd.exe	34
PID 896 wrote to memory of 2000	896	cmd.exe	34
PID 896 wrote to memory of 2000	896	cmd.exe	34
PID 896 wrote to memory of 2000	896	cmd.exe	34
PID 896 wrote to memory of 2000	896	cmd.exe	34
PID 896 wrote to memory of 2000	896	cmd.exe	34
PID 896 wrote to memory of 1948	896	cmd.exe	35
PID 896 wrote to memory of 1948	896	cmd.exe	35
PID 896 wrote to memory of 1948	896	cmd.exe	35
PID 896 wrote to memory of 1948	896	cmd.exe	35
PID 896 wrote to memory of 1948	896	cmd.exe	35
PID 896 wrote to memory of 1948	896	cmd.exe	35
PID 896 wrote to memory of 1948	896	cmd.exe	35
PID 896 wrote to memory of 1784	896	cmd.exe	36
PID 896 wrote to memory of 1784	896	cmd.exe	36
PID 896 wrote to memory of 1784	896	cmd.exe	36
PID 896 wrote to memory of 1784	896	cmd.exe	36
PID 896 wrote to memory of 1784	896	cmd.exe	36
PID 896 wrote to memory of 1784	896	cmd.exe	36
PID 896 wrote to memory of 1784	896	cmd.exe	36
PID 896 wrote to memory of 1512	896	cmd.exe	37
PID 896 wrote to memory of 1512	896	cmd.exe	37
PID 896 wrote to memory of 1512	896	cmd.exe	37
PID 896 wrote to memory of 1512	896	cmd.exe	37
PID 896 wrote to memory of 1512	896	cmd.exe	37
PID 896 wrote to memory of 1512	896	cmd.exe	37
PID 896 wrote to memory of 1512	896	cmd.exe	37
PID 896 wrote to memory of 2008	896	cmd.exe	38
PID 896 wrote to memory of 2008	896	cmd.exe	38
PID 896 wrote to memory of 2008	896	cmd.exe	38
PID 896 wrote to memory of 2008	896	cmd.exe	38
PID 896 wrote to memory of 2008	896	cmd.exe	38
PID 896 wrote to memory of 2008	896	cmd.exe	38
PID 896 wrote to memory of 2008	896	cmd.exe	38
PID 2008 wrote to memory of 1812	2008	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\501414090479e831061424dc9007a883a34b33ef061b72873eeb0ecb5ad98fb6.exe
"C:\Users\Admin\AppData\Local\Temp\501414090479e831061424dc9007a883a34b33ef061b72873eeb0ecb5ad98fb6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\GrgBanking\SPUpdate\Update.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im Grg* /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im COLS.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im YHWatcher.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im YHAgent.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im YHAXODisplay.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im YHAXLog.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG QUERY HKLM\SOFTWARE\WOW6432Node\GrgBanking\GrgXFSSP /v SPVersion
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKLM\SOFTWARE\WOW6432Node\GrgBanking\GrgXFSSP /v SPVersion
      4⤵
      Modifies registry key
      PID:1812
- - C:\Windows\SysWOW64\shutdown.exe
    SHUTDOWN -R -T 10
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1876

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1868

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GrgBanking\SPUpdate\GrgSPCfg.exe

Filesize
32KB

MD5
85dc2b7ce70db319eb155314f88fb4f7

SHA1
bf504e86a0d896928518e8eb2f069dfe33733703

SHA256
5c992031c583491a3111fabe269bad2bb94f0b6d452eeee1932db648cb4f9c8b

SHA512
23982fdf4c2a812c928e5b87497200530a41acf445644e53cbaf4207813ff8e4decac8c7c4b185d5b2f82dcd658901f2a76d19b683586d57a0c20c7652347ddb

Download Submit
C:\GrgBanking\SPUpdate\SP50B3~1.EXE

Filesize
1.6MB

MD5
dbaf33d444e0a7bd7ce93ccac560ef2e

SHA1
30b9ddf77f3b480092385f0d75813c7543f2794d

SHA256
8bd67511b0b8dd5f7cdec37e41865526d0072af4293fbb9dd81a6d0cbe8b7154

SHA512
fa64cbe44fa97e404d933dd38f5de3236282082f78fc219a4fbc28dfb24f5e615f3eb5388f4365bd2bd3ef0434724c7035992321186ba0b47c450cbb7ddb0514

Download Submit
C:\GrgBanking\SPUpdate\SPVERS~1\SPVERS~1.INI

Filesize
39B

MD5
a23bc52d2ad4a7b8c89a18fd4e4e6c36

SHA1
5cbc5c8e4cc83e42c6710f912eead1574aa7a765

SHA256
2fb0ea5a8809e4a3b5fdf0867a12d8ade9b891aa7d1f149a31481b26410caae1

SHA512
9c71b1bd25c444313b1a1d307f3ad7480a8a9bcf1d3c47a987ec8dde1ae72f62a5f0ad54937c028b42feb6eb8926f3b633efc610f1160dbf4f3f8fbcbd315195

Download Submit
C:\GrgBanking\SPUpdate\Update.bat

Filesize
2KB

MD5
b4735175d61176720040563f2eff126b

SHA1
ef021a6da9fc82f37a684e080565db1e45df7d33

SHA256
ed4a9e0444122cc2f6051d909734bdc5bab2d454da17c89e4d37020af690bfbe

SHA512
9dc0ad46baddf4af6e6d61e3d6a892875cbfa0375f2de59fe90b48ebb8d99be4a140ce9e46d985c1f6dee3254ff6f42b800d8570b126f03a1aa34fd07ecb3074

Download Submit
C:\GrgBanking\SPUpdate\Update.reg

Filesize
244B

MD5
d467f7a8e9329e80d5e835382788c2b8

SHA1
b1f4a0b4b11941d41ab1267271c421f8790c5b46

SHA256
6c421bafa985b75e8e786b67a42e88a9f23c18228d2732bc8015c63b31744cb1

SHA512
64df3c7668ce239e247ad58bc7e9e7e0080d0001e3b146d521108891df85e05e38a7ce73a2905d58e436b1b2da55cadae03a790f21544ee9cfe9f0553dae2777

Download Submit
memory/760-62-0x0000000000000000-mapping.dmp

Download
memory/860-60-0x0000000000000000-mapping.dmp

Download
memory/896-55-0x0000000000000000-mapping.dmp

Download
memory/1476-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1512-70-0x0000000000000000-mapping.dmp

Download
memory/1624-58-0x0000000000000000-mapping.dmp

Download
memory/1784-68-0x0000000000000000-mapping.dmp

Download
memory/1812-74-0x0000000000000000-mapping.dmp

Download
memory/1868-82-0x000007FEFC101000-0x000007FEFC103000-memory.dmp

Filesize
8KB

Download
memory/1876-76-0x0000000000000000-mapping.dmp

Download
memory/1948-66-0x0000000000000000-mapping.dmp

Download
memory/2000-64-0x0000000000000000-mapping.dmp

Download
memory/2008-72-0x0000000000000000-mapping.dmp

Download