501414090479e831061424dc9007a883a34b33ef061b72873eeb0ecb5ad98fb6

Analysis

max time kernel
19s
max time network
25s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2023, 18:45

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

501414090479e831061424dc9007a883a34b33ef061b72873eeb0ecb5ad98fb6.exe
Size

1.6MB
MD5

2f88d0256be177753120d1a77baa250f
SHA1

d59c715a82d91176468ad2f7afaa3b08e36b9c65
SHA256

501414090479e831061424dc9007a883a34b33ef061b72873eeb0ecb5ad98fb6
SHA512

6ec23623d8ad6c7482b2c964a51133dfc0797cb7b40cae746ec132a5eca7f265b179284c0f437b3c1f112ae4a39b97911bd317f9e90efd93dc5f0c83b98578e0
SSDEEP

49152:nn8N3id0j9K3QoxV4OPWZZEKSykSzngmpoe0ls999COU8wq:nL29K3QoxV430KS08mWc9vUTq

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	501414090479e831061424dc9007a883a34b33ef061b72873eeb0ecb5ad98fb6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 7 IoCs

evasion

pid	Process
488	taskkill.exe
4060	taskkill.exe
2056	taskkill.exe
4312	taskkill.exe
2304	taskkill.exe
1584	taskkill.exe
3452	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "223"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3540	reg.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	488	taskkill.exe
Token: SeDebugPrivilege	4060	taskkill.exe
Token: SeDebugPrivilege	2056	taskkill.exe
Token: SeDebugPrivilege	4312	taskkill.exe
Token: SeDebugPrivilege	2304	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	3452	taskkill.exe
Token: SeShutdownPrivilege	3360	shutdown.exe
Token: SeRemoteShutdownPrivilege	3360	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4048	LogonUI.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 1780	4764	501414090479e831061424dc9007a883a34b33ef061b72873eeb0ecb5ad98fb6.exe	82
PID 4764 wrote to memory of 1780	4764	501414090479e831061424dc9007a883a34b33ef061b72873eeb0ecb5ad98fb6.exe	82
PID 4764 wrote to memory of 1780	4764	501414090479e831061424dc9007a883a34b33ef061b72873eeb0ecb5ad98fb6.exe	82
PID 1780 wrote to memory of 488	1780	cmd.exe	85
PID 1780 wrote to memory of 488	1780	cmd.exe	85
PID 1780 wrote to memory of 488	1780	cmd.exe	85
PID 1780 wrote to memory of 4060	1780	cmd.exe	87
PID 1780 wrote to memory of 4060	1780	cmd.exe	87
PID 1780 wrote to memory of 4060	1780	cmd.exe	87
PID 1780 wrote to memory of 2056	1780	cmd.exe	88
PID 1780 wrote to memory of 2056	1780	cmd.exe	88
PID 1780 wrote to memory of 2056	1780	cmd.exe	88
PID 1780 wrote to memory of 4312	1780	cmd.exe	89
PID 1780 wrote to memory of 4312	1780	cmd.exe	89
PID 1780 wrote to memory of 4312	1780	cmd.exe	89
PID 1780 wrote to memory of 2304	1780	cmd.exe	90
PID 1780 wrote to memory of 2304	1780	cmd.exe	90
PID 1780 wrote to memory of 2304	1780	cmd.exe	90
PID 1780 wrote to memory of 1584	1780	cmd.exe	91
PID 1780 wrote to memory of 1584	1780	cmd.exe	91
PID 1780 wrote to memory of 1584	1780	cmd.exe	91
PID 1780 wrote to memory of 3452	1780	cmd.exe	92
PID 1780 wrote to memory of 3452	1780	cmd.exe	92
PID 1780 wrote to memory of 3452	1780	cmd.exe	92
PID 1780 wrote to memory of 4824	1780	cmd.exe	93
PID 1780 wrote to memory of 4824	1780	cmd.exe	93
PID 1780 wrote to memory of 4824	1780	cmd.exe	93
PID 4824 wrote to memory of 3540	4824	cmd.exe	94
PID 4824 wrote to memory of 3540	4824	cmd.exe	94
PID 4824 wrote to memory of 3540	4824	cmd.exe	94
PID 1780 wrote to memory of 3360	1780	cmd.exe	95
PID 1780 wrote to memory of 3360	1780	cmd.exe	95
PID 1780 wrote to memory of 3360	1780	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\501414090479e831061424dc9007a883a34b33ef061b72873eeb0ecb5ad98fb6.exe
"C:\Users\Admin\AppData\Local\Temp\501414090479e831061424dc9007a883a34b33ef061b72873eeb0ecb5ad98fb6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\GrgBanking\SPUpdate\Update.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im Grg* /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im COLS.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im YHWatcher.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im YHAgent.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im YHAXODisplay.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im YHAXLog.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG QUERY HKLM\SOFTWARE\WOW6432Node\GrgBanking\GrgXFSSP /v SPVersion
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKLM\SOFTWARE\WOW6432Node\GrgBanking\GrgXFSSP /v SPVersion
      4⤵
      Modifies registry key
      PID:3540
- - C:\Windows\SysWOW64\shutdown.exe
    SHUTDOWN -R -T 10
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3360

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3982855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GrgBanking\SPUpdate\GrgSPCfg.exe

Filesize
32KB

MD5
85dc2b7ce70db319eb155314f88fb4f7

SHA1
bf504e86a0d896928518e8eb2f069dfe33733703

SHA256
5c992031c583491a3111fabe269bad2bb94f0b6d452eeee1932db648cb4f9c8b

SHA512
23982fdf4c2a812c928e5b87497200530a41acf445644e53cbaf4207813ff8e4decac8c7c4b185d5b2f82dcd658901f2a76d19b683586d57a0c20c7652347ddb

Download Submit
C:\GrgBanking\SPUpdate\SP50B3~1.EXE

Filesize
1.6MB

MD5
dbaf33d444e0a7bd7ce93ccac560ef2e

SHA1
30b9ddf77f3b480092385f0d75813c7543f2794d

SHA256
8bd67511b0b8dd5f7cdec37e41865526d0072af4293fbb9dd81a6d0cbe8b7154

SHA512
fa64cbe44fa97e404d933dd38f5de3236282082f78fc219a4fbc28dfb24f5e615f3eb5388f4365bd2bd3ef0434724c7035992321186ba0b47c450cbb7ddb0514

Download Submit
C:\GrgBanking\SPUpdate\SPVERS~1\SPVERS~1.INI

Filesize
39B

MD5
a23bc52d2ad4a7b8c89a18fd4e4e6c36

SHA1
5cbc5c8e4cc83e42c6710f912eead1574aa7a765

SHA256
2fb0ea5a8809e4a3b5fdf0867a12d8ade9b891aa7d1f149a31481b26410caae1

SHA512
9c71b1bd25c444313b1a1d307f3ad7480a8a9bcf1d3c47a987ec8dde1ae72f62a5f0ad54937c028b42feb6eb8926f3b633efc610f1160dbf4f3f8fbcbd315195

Download Submit
C:\GrgBanking\SPUpdate\Update.bat

Filesize
2KB

MD5
b4735175d61176720040563f2eff126b

SHA1
ef021a6da9fc82f37a684e080565db1e45df7d33

SHA256
ed4a9e0444122cc2f6051d909734bdc5bab2d454da17c89e4d37020af690bfbe

SHA512
9dc0ad46baddf4af6e6d61e3d6a892875cbfa0375f2de59fe90b48ebb8d99be4a140ce9e46d985c1f6dee3254ff6f42b800d8570b126f03a1aa34fd07ecb3074

Download Submit
C:\GrgBanking\SPUpdate\Update.reg

Filesize
244B

MD5
d467f7a8e9329e80d5e835382788c2b8

SHA1
b1f4a0b4b11941d41ab1267271c421f8790c5b46

SHA256
6c421bafa985b75e8e786b67a42e88a9f23c18228d2732bc8015c63b31744cb1

SHA512
64df3c7668ce239e247ad58bc7e9e7e0080d0001e3b146d521108891df85e05e38a7ce73a2905d58e436b1b2da55cadae03a790f21544ee9cfe9f0553dae2777

Download Submit