General

  • Target: GSecurity.exe
  • Size: 851KB
  • Sample: 230119-n6bpwacg7s
  • MD5: 690eee0e48261b646ac54a1866c32510
  • SHA1: ccd9ce1e952026508a233efba834b1de6b3c2490
  • SHA256: 82525d214350151c4ecff9c9dd3bf18acaeee43d34834092b0849d1e96d4b9d7
  • SHA512: e5fc6039654e323b89116db02c5c98fec7f955d7c122c8c9cb801d8f917cf947a298760d71d62a259d1cced0da1b5be206066c24774d90916f531873351845d1
  • SSDEEP: 24576:kddFMz0EjoWKPP92qQjKngMEPSQZsv/943JfIY6T8:kdd6z08od2bjxPPNZa943JwDI

Malware Config

Targets

    • Target: GSecurity.exe
    • Size: 851KB
    • MD5: 690eee0e48261b646ac54a1866c32510
    • SHA1: ccd9ce1e952026508a233efba834b1de6b3c2490
    • SHA256: 82525d214350151c4ecff9c9dd3bf18acaeee43d34834092b0849d1e96d4b9d7
    • SHA512: e5fc6039654e323b89116db02c5c98fec7f955d7c122c8c9cb801d8f917cf947a298760d71d62a259d1cced0da1b5be206066c24774d90916f531873351845d1
    • SSDEEP: 24576:kddFMz0EjoWKPP92qQjKngMEPSQZsv/943JfIY6T8:kdd6z08od2bjxPPNZa943JwDI

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.

    • Modifies Windows Defender Real-time Protection settings

    • Modifies firewall policy service

    • Modifies security service

    • Modifies system executable filetype association

    • UAC bypass

    • Disables taskbar notifications via registry modification

    • Disables use of System Restore points

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Possible privilege escalation attempt

    • Sets file execution options in registry

    • Allows Network login with blank passwords

      Allows local user accounts with blank passwords to access device from the network.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies powershell logging option

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                            ID     Count
  Persistence           Modify Existing Service              T1031  4
  Persistence           Change Default File Association      T1042  1
  Persistence           Registry Run Keys / Startup Folder   T1060  2
  Privilege Escalation  Bypass User Account Control          T1088  1
  Defense Evasion       Modify Registry                      T1112  12
  Defense Evasion       Disabling Security Tools             T1089  3
  Defense Evasion       Bypass User Account Control          T1088  1
  Defense Evasion       File Permissions Modification        T1222  1
  Discovery             Query Registry                       T1012  2
  Discovery             System Information Discovery         T1082  3
  Discovery             Peripheral Device Discovery          T1120  1
  Lateral Movement      Remote Desktop Protocol              T1076  1
  Command and Control   Web Service                          T1102  1
  Impact                Inhibit System Recovery              T1490  1

Tasks