Overview
overview
6Static
static
1GWYF_Fix_R...ic.rar
windows7-x64
3GWYF_Fix_R...ic.rar
windows10-2004-x64
3GWYF_Fix_R...64.dll
windows7-x64
3GWYF_Fix_R...64.dll
windows10-2004-x64
3GWYF_Fix_R...er.exe
windows7-x64
1GWYF_Fix_R...er.exe
windows10-2004-x64
1GWYF_Fix_R...ix.ini
windows7-x64
1GWYF_Fix_R...ix.ini
windows10-2004-x64
1GWYF_Fix_R...x.json
windows7-x64
3GWYF_Fix_R...x.json
windows10-2004-x64
3GWYF_Fix_R...ix.url
windows7-x64
6GWYF_Fix_R...ix.url
windows10-2004-x64
6GWYF_Fix_R...64.dll
windows7-x64
1GWYF_Fix_R...64.dll
windows10-2004-x64
1GWYF_Fix_R...ge.dll
windows7-x64
1GWYF_Fix_R...ge.dll
windows10-2004-x64
1GWYF_Fix_R...64.dll
windows7-x64
1GWYF_Fix_R...64.dll
windows10-2004-x64
3GWYF_Fix_R...64.dll
windows7-x64
1GWYF_Fix_R...64.dll
windows10-2004-x64
1GWYF_Fix_R...st.txt
windows7-x64
1GWYF_Fix_R...st.txt
windows10-2004-x64
1GWYF_Fix_R...64.dll
windows7-x64
1GWYF_Fix_R...64.dll
windows10-2004-x64
3GWYF_Fix_R...mm.dll
windows7-x64
1GWYF_Fix_R...mm.dll
windows10-2004-x64
3MrPcGamer.com.url
windows7-x64
6MrPcGamer.com.url
windows10-2004-x64
4README !!!.txt
windows7-x64
1README !!!.txt
windows10-2004-x64
1[Game3rb.com].url
windows7-x64
6[Game3rb.com].url
windows10-2004-x64
6Analysis
-
max time kernel
150s -
max time network
31s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
16/04/2023, 06:37
Static task
static1
Behavioral task
behavioral1
Sample
GWYF_Fix_Repair_Steam_V6_Generic.rar
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral2
Sample
GWYF_Fix_Repair_Steam_V6_Generic.rar
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
GWYF_Fix_Repair_Steam_V6_Generic/Golf With Your Friends_Data/Plugins/x86_64/steam_api64.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral4
Sample
GWYF_Fix_Repair_Steam_V6_Generic/Golf With Your Friends_Data/Plugins/x86_64/steam_api64.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
GWYF_Fix_Repair_Steam_V6_Generic/Launcher.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral6
Sample
GWYF_Fix_Repair_Steam_V6_Generic/Launcher.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
GWYF_Fix_Repair_Steam_V6_Generic/OnlineFix.ini
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral8
Sample
GWYF_Fix_Repair_Steam_V6_Generic/OnlineFix.ini
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
GWYF_Fix_Repair_Steam_V6_Generic/OnlineFix.json
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral10
Sample
GWYF_Fix_Repair_Steam_V6_Generic/OnlineFix.json
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
GWYF_Fix_Repair_Steam_V6_Generic/OnlineFix.url
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral12
Sample
GWYF_Fix_Repair_Steam_V6_Generic/OnlineFix.url
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
GWYF_Fix_Repair_Steam_V6_Generic/OnlineFix64.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral14
Sample
GWYF_Fix_Repair_Steam_V6_Generic/OnlineFix64.dll
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
GWYF_Fix_Repair_Steam_V6_Generic/PhotonBridge.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral16
Sample
GWYF_Fix_Repair_Steam_V6_Generic/PhotonBridge.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
GWYF_Fix_Repair_Steam_V6_Generic/SteamOverlay64.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral18
Sample
GWYF_Fix_Repair_Steam_V6_Generic/SteamOverlay64.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
GWYF_Fix_Repair_Steam_V6_Generic/StubDRM64.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral20
Sample
GWYF_Fix_Repair_Steam_V6_Generic/StubDRM64.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
GWYF_Fix_Repair_Steam_V6_Generic/dlllist.txt
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral22
Sample
GWYF_Fix_Repair_Steam_V6_Generic/dlllist.txt
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
GWYF_Fix_Repair_Steam_V6_Generic/steam_api64.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral24
Sample
GWYF_Fix_Repair_Steam_V6_Generic/steam_api64.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
GWYF_Fix_Repair_Steam_V6_Generic/winmm.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral26
Sample
GWYF_Fix_Repair_Steam_V6_Generic/winmm.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
MrPcGamer.com.url
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral28
Sample
MrPcGamer.com.url
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
README !!!.txt
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral30
Sample
README !!!.txt
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
[Game3rb.com].url
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral32
Sample
[Game3rb.com].url
Resource
win10v2004-20230220-en
windows10-2004-x64
General
-
Target
GWYF_Fix_Repair_Steam_V6_Generic/OnlineFix.json
-
Size
65B
-
MD5
bfde3a4f64569a837a692e68b87e8987
-
SHA1
ec9c3b3639ff0fd097c45d07347c9982c695543b
-
SHA256
427d4d459e53c6c734081fc97b2d7e0f86668c6fe0a978ea7c35abd7bf811954
-
SHA512
3c5e94bcbbcd0095da5f65e705087f0560af1781ab4ea030bd5b1b87fb111d3e91d237283d6cc50ba279ecc50b36fed0d9c70cb088b514241115fa7c2197a0f4
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 10 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\json_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\.json\ = "json_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\json_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\json_auto_file rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\.json rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\json_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\json_auto_file\shell rundll32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 564 AcroRd32.exe 564 AcroRd32.exe 564 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1304 wrote to memory of 672 1304 cmd.exe 29 PID 1304 wrote to memory of 672 1304 cmd.exe 29 PID 1304 wrote to memory of 672 1304 cmd.exe 29 PID 672 wrote to memory of 564 672 rundll32.exe 30 PID 672 wrote to memory of 564 672 rundll32.exe 30 PID 672 wrote to memory of 564 672 rundll32.exe 30 PID 672 wrote to memory of 564 672 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\GWYF_Fix_Repair_Steam_V6_Generic\OnlineFix.json1⤵
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\GWYF_Fix_Repair_Steam_V6_Generic\OnlineFix.json2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\GWYF_Fix_Repair_Steam_V6_Generic\OnlineFix.json"3⤵
- Suspicious use of SetWindowsHookEx
PID:564
-
-