d2d1c1a7813ed6b2569a233bbbd94a62b7924afbb872b646a36e54900e4b22ff

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
29/08/2023, 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2d1c1a7813ed6b2569a233bbbd94a62b7924afbb872b646a36e54900e4b22ff.exe
Size

3.0MB
MD5

c1e49203d8c2e401f3cffa82d0ae1e3b
SHA1

1e2e5d710339ad2f8ebe85e60fa9dd5e797b64b6
SHA256

d2d1c1a7813ed6b2569a233bbbd94a62b7924afbb872b646a36e54900e4b22ff
SHA512

45768a75113b53b1e9ae9aa9ae2b46e7d6ddc8392d61b81fe6382aa2f11d88b91efdf17577bbaf2d66a9db9b1d04666d9483e96d30e16eecec493e964591c4dd
SSDEEP

49152:vzhvfkii5PlG4y/AAe8jmsbazWYVoLtfMEC2SfN8RrHrKBST1WLvlX:bRMiitlG4y4ALSseybtbGNVOWLN

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2960	GrfCL.exe
2848	GrfCL.exe

Loads dropped DLL 4 IoCs

pid	Process
2904	cmd.exe
2740	cmd.exe
2848	GrfCL.exe
2848	GrfCL.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	d2d1c1a7813ed6b2569a233bbbd94a62b7924afbb872b646a36e54900e4b22ff.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2792	d2d1c1a7813ed6b2569a233bbbd94a62b7924afbb872b646a36e54900e4b22ff.exe
2792	d2d1c1a7813ed6b2569a233bbbd94a62b7924afbb872b646a36e54900e4b22ff.exe
2792	d2d1c1a7813ed6b2569a233bbbd94a62b7924afbb872b646a36e54900e4b22ff.exe
2792	d2d1c1a7813ed6b2569a233bbbd94a62b7924afbb872b646a36e54900e4b22ff.exe
2792	d2d1c1a7813ed6b2569a233bbbd94a62b7924afbb872b646a36e54900e4b22ff.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2904	2792	d2d1c1a7813ed6b2569a233bbbd94a62b7924afbb872b646a36e54900e4b22ff.exe	31
PID 2792 wrote to memory of 2904	2792	d2d1c1a7813ed6b2569a233bbbd94a62b7924afbb872b646a36e54900e4b22ff.exe	31
PID 2792 wrote to memory of 2904	2792	d2d1c1a7813ed6b2569a233bbbd94a62b7924afbb872b646a36e54900e4b22ff.exe	31
PID 2792 wrote to memory of 2904	2792	d2d1c1a7813ed6b2569a233bbbd94a62b7924afbb872b646a36e54900e4b22ff.exe	31
PID 2904 wrote to memory of 2960	2904	cmd.exe	33
PID 2904 wrote to memory of 2960	2904	cmd.exe	33
PID 2904 wrote to memory of 2960	2904	cmd.exe	33
PID 2904 wrote to memory of 2960	2904	cmd.exe	33
PID 2792 wrote to memory of 2740	2792	d2d1c1a7813ed6b2569a233bbbd94a62b7924afbb872b646a36e54900e4b22ff.exe	34
PID 2792 wrote to memory of 2740	2792	d2d1c1a7813ed6b2569a233bbbd94a62b7924afbb872b646a36e54900e4b22ff.exe	34
PID 2792 wrote to memory of 2740	2792	d2d1c1a7813ed6b2569a233bbbd94a62b7924afbb872b646a36e54900e4b22ff.exe	34
PID 2792 wrote to memory of 2740	2792	d2d1c1a7813ed6b2569a233bbbd94a62b7924afbb872b646a36e54900e4b22ff.exe	34
PID 2740 wrote to memory of 2848	2740	cmd.exe	36
PID 2740 wrote to memory of 2848	2740	cmd.exe	36
PID 2740 wrote to memory of 2848	2740	cmd.exe	36
PID 2740 wrote to memory of 2848	2740	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\d2d1c1a7813ed6b2569a233bbbd94a62b7924afbb872b646a36e54900e4b22ff.exe
"C:\Users\Admin\AppData\Local\Temp\d2d1c1a7813ed6b2569a233bbbd94a62b7924afbb872b646a36e54900e4b22ff.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c GrfCL.exe -new -save mhgd.grf>C:\Users\Admin\AppData\Local\Temp\BetterRA_Update\GrfCL.log
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\GrfCL.exe
    GrfCL.exe -new -save mhgd.grf
    3⤵
    - Executes dropped EXE
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c GrfCL.exe -merge mhgd.grf 0827_up.gpf>C:\Users\Admin\AppData\Local\Temp\BetterRA_Update\GrfCL.log
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\GrfCL.exe
    GrfCL.exe -merge mhgd.grf 0827_up.gpf
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0827_up.gpf

Filesize
23KB

MD5
2811cfc2d2ba8e260b6ea0537e9ad228

SHA1
f3406cfe4ac95cbebb5c895614a0d30c07152bd1

SHA256
d16bd373f5107bd4aaa091ae9c2ffc8c9842714dae76ac8a1e1ea0369bcd0b13

SHA512
0f6e943198dab1a395507b21fcb22242fa4491a12b2ea46019a94f46180b6e8f63f9a4d80fe137956f2907bcc86e8f56a44ec7c5464deedf067f4048cdbfe3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BetterRA_Update\GrfCL.log

Filesize
146B

MD5
db6cdb0885b27044878fbe0c77802467

SHA1
649c54eea9a5c54297f737baa34981a73d89de33

SHA256
80afef9539e9f15a78436455f69215e19c4869916e976524a7b5454d6c8ede6c

SHA512
416dccf1b924189c84b00b58d521bead6bf78ce067003cb35f60a8e58a0be23f1097921b778e42e85527a06b07fe34dd1fc71fbaa52c31af28a40a0e8ac04932

Download Submit
C:\Users\Admin\AppData\Local\Temp\BetterRA_Update\GrfCL.log

Filesize
767B

MD5
16de84fedb2d028b9801e43db05391f9

SHA1
c47dde252da44c36caa449d2c672c37c140936b7

SHA256
8ea70f86fde38c19239108b4596c755c7aa73adae9e4aa2cebbb56836a4a0e69

SHA512
58b39d42b0dcb181e4f1072d4ac87f44c33a8afeed355be735f46de0261473aa1f00584fc589a21c1387e1f81ace4d73c505108ef3b197a89f508717a9b22fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GrfCL.exe

Filesize
2.7MB

MD5
6e367308f625126d19e6d313bb98fe7c

SHA1
83635fec6dcab0bda18e8d547496c52bc0645e1a

SHA256
180aea617689e41a0ff4f5bbd9182823b3bfd88f8e19c1ca071fdb761e30f32a

SHA512
c6ba50a74e36e2b352fbfdfbbc80fef09fb48bfccc3120322a784eeeff35d7f282958f64c4c2e9e77ef961d022bb27a43bc5e4337622698e3ded3e3ed5a66566

Download Submit
C:\Users\Admin\AppData\Local\Temp\GrfCL.exe

Filesize
2.7MB

MD5
6e367308f625126d19e6d313bb98fe7c

SHA1
83635fec6dcab0bda18e8d547496c52bc0645e1a

SHA256
180aea617689e41a0ff4f5bbd9182823b3bfd88f8e19c1ca071fdb761e30f32a

SHA512
c6ba50a74e36e2b352fbfdfbbc80fef09fb48bfccc3120322a784eeeff35d7f282958f64c4c2e9e77ef961d022bb27a43bc5e4337622698e3ded3e3ed5a66566

Download Submit
C:\Users\Admin\AppData\Local\Temp\GrfCL.exe

Filesize
2.7MB

MD5
6e367308f625126d19e6d313bb98fe7c

SHA1
83635fec6dcab0bda18e8d547496c52bc0645e1a

SHA256
180aea617689e41a0ff4f5bbd9182823b3bfd88f8e19c1ca071fdb761e30f32a

SHA512
c6ba50a74e36e2b352fbfdfbbc80fef09fb48bfccc3120322a784eeeff35d7f282958f64c4c2e9e77ef961d022bb27a43bc5e4337622698e3ded3e3ed5a66566

Download Submit
C:\Users\Admin\AppData\Local\Temp\GrfCL.exe.config

Filesize
281B

MD5
bedcb4f86ce392dc37fec12ecdbf9a75

SHA1
1b675d9d4edefcf14c116c17b2a2821966be3675

SHA256
bf9bf50e3c785332e00ea991978b8f6513a20d6c09dfe8337c409db71537789b

SHA512
488278f5fdcdd6f712c0002424441f205efc2c81a41f89369f9da9dc4a6a6cfa00becfa3bd473e1fb6698fcdb78cc382fe77d171ffd2f13077f54c152373b00b

Download Submit
\Users\Admin\AppData\Local\Temp\GrfCL.exe

Filesize
2.7MB

MD5
6e367308f625126d19e6d313bb98fe7c

SHA1
83635fec6dcab0bda18e8d547496c52bc0645e1a

SHA256
180aea617689e41a0ff4f5bbd9182823b3bfd88f8e19c1ca071fdb761e30f32a

SHA512
c6ba50a74e36e2b352fbfdfbbc80fef09fb48bfccc3120322a784eeeff35d7f282958f64c4c2e9e77ef961d022bb27a43bc5e4337622698e3ded3e3ed5a66566

Download Submit
\Users\Admin\AppData\Local\Temp\GrfCL.exe

Filesize
2.7MB

MD5
6e367308f625126d19e6d313bb98fe7c

SHA1
83635fec6dcab0bda18e8d547496c52bc0645e1a

SHA256
180aea617689e41a0ff4f5bbd9182823b3bfd88f8e19c1ca071fdb761e30f32a

SHA512
c6ba50a74e36e2b352fbfdfbbc80fef09fb48bfccc3120322a784eeeff35d7f282958f64c4c2e9e77ef961d022bb27a43bc5e4337622698e3ded3e3ed5a66566

Download Submit
\Users\Admin\AppData\Local\Temp\Resources.cps.dll

Filesize
72KB

MD5
aa0af6f7cc27b34497fbf44118a50a43

SHA1
7309cfe429fa4d8090b922c24b1663f8c09c38c6

SHA256
0c02edb2952ce0e983de43b7f5919bfe63df1a20be6e151f72c6640e9f2b4d4b

SHA512
a4d92d5169f5a10110f26f841dc28283404145f89d52ca28d2ca80bab5b0873e946f431c5c563eac3ca519d94678a4a604d7cf802c7dfdfbeb664b409d008dea

Download Submit
\Users\Admin\AppData\Local\Temp\Resources.lzma.dll

Filesize
77KB

MD5
a8bd77e9fe1480c81a7f44b3734c6071

SHA1
81a6359d90622c4b63e57d872f98e45604e85f2d

SHA256
0f0fd127278e80f74832003518688859b5e4e17820206224ea145a6f17352a4e

SHA512
e75427360fbd8ece3aa427a298aa5958eca890bd5c5fcd3db7be8c26360293ee1cb96199e70f042a35e482c30c37df7d9eca7864999508bf9a4dfdd95d77dd3a

Download Submit
memory/2848-43-0x0000000071300000-0x00000000719EE000-memory.dmp

Filesize
6.9MB

Download
memory/2848-32-0x0000000000E30000-0x0000000000E70000-memory.dmp

Filesize
256KB

Download
memory/2848-31-0x0000000071300000-0x00000000719EE000-memory.dmp

Filesize
6.9MB

Download
memory/2848-30-0x0000000001060000-0x000000000131E000-memory.dmp

Filesize
2.7MB

Download
memory/2960-19-0x0000000001010000-0x0000000001050000-memory.dmp

Filesize
256KB

Download
memory/2960-25-0x0000000071310000-0x00000000719FE000-memory.dmp

Filesize
6.9MB

Download
memory/2960-24-0x0000000000B30000-0x0000000000B38000-memory.dmp

Filesize
32KB

Download
memory/2960-23-0x0000000000550000-0x0000000000572000-memory.dmp

Filesize
136KB

Download
memory/2960-22-0x0000000004CC0000-0x0000000004ED6000-memory.dmp

Filesize
2.1MB

Download
memory/2960-21-0x00000000004D0000-0x00000000004EC000-memory.dmp

Filesize
112KB

Download
memory/2960-20-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/2960-17-0x0000000071310000-0x00000000719FE000-memory.dmp

Filesize
6.9MB

Download
memory/2960-18-0x0000000001060000-0x000000000131E000-memory.dmp

Filesize
2.7MB

Download