6a4df4cd81c1c7371a194dc94353cdeb8d69a50985c2cdedf72ea8b27d184c51

Analysis

max time kernel
190s
max time network
203s
platform
windows11-21h2_x64
resource
win11-20231128-en
resource tags

arch:x64arch:x86image:win11-20231128-enlocale:en-usos:windows11-21h2-x64system
submitted
04-12-2023 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GTA_Toolbox.exe
Size

143.8MB
MD5

f1ec47f064390c85ebc151cbadc2b39d
SHA1

566e3f891a9291a7bea61d6e560487721acf7311
SHA256

6a4df4cd81c1c7371a194dc94353cdeb8d69a50985c2cdedf72ea8b27d184c51
SHA512

d61e2d3e1d79e9cec64e7369a8507fdfc30f87ec284258d51cbaf6dc701af987882fd264c6a1aa3d38f75a7b51d01043e6fd71be63ea9ead25467caa1afab6c1
SSDEEP

786432:TwNPt9OyJ4jSQqmvaDuB449Y7BPwxElNtka3JvjprTtLwSTRpf4P1wT1HaVTZq5z:TqPtbJhDuB4TB9RZ7xaVTE5z

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

GTA_Toolbox.exeGTA_Toolbox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	GTA_Toolbox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	GTA_Toolbox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	GTA_Toolbox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	GTA_Toolbox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	GTA_Toolbox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	GTA_Toolbox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

GTA_Toolbox.exeGTA_Toolbox.exe

description pid process

Token: SeDebugPrivilege 4060 GTA_Toolbox.exe
Token: SeDebugPrivilege 5052 GTA_Toolbox.exe

description	pid	process
Token: SeDebugPrivilege	4060	GTA_Toolbox.exe
Token: SeDebugPrivilege	5052	GTA_Toolbox.exe

C:\Users\Admin\AppData\Local\Temp\GTA_Toolbox.exe
"C:\Users\Admin\AppData\Local\Temp\GTA_Toolbox.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\GTA_Toolbox.exe
"C:\Users\Admin\AppData\Local\Temp\GTA_Toolbox.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4060-0-0x0000000180000000-0x0000000180A23000-memory.dmp

Filesize
10.1MB

Download
memory/4060-3-0x0000022AFEF10000-0x0000022AFFBC1000-memory.dmp

Filesize
12.7MB

Download
memory/4060-5-0x00007FF7723F0000-0x00007FF772D1C000-memory.dmp

Filesize
9.2MB

Download
memory/4060-7-0x0000022ADDB80000-0x0000022ADDB92000-memory.dmp

Filesize
72KB

Download
memory/4060-10-0x0000022AFE250000-0x0000022AFE311000-memory.dmp

Filesize
772KB

Download
memory/4060-13-0x0000022ADDA60000-0x0000022ADDA6D000-memory.dmp

Filesize
52KB

Download
memory/4060-16-0x0000022ADDBD0000-0x0000022ADDBF0000-memory.dmp

Filesize
128KB

Download
memory/4060-19-0x0000022AFE0C0000-0x0000022AFE0D8000-memory.dmp

Filesize
96KB

Download
memory/4060-22-0x0000022AFE0E0000-0x0000022AFE0F3000-memory.dmp

Filesize
76KB

Download
memory/4060-28-0x0000022AFE130000-0x0000022AFE151000-memory.dmp

Filesize
132KB

Download
memory/4060-31-0x0000022AFE1B0000-0x0000022AFE1F0000-memory.dmp

Filesize
256KB

Download
memory/4060-34-0x0000022AFE430000-0x0000022AFE52E000-memory.dmp

Filesize
1016KB

Download
memory/4060-37-0x0000022AFE530000-0x0000022AFE624000-memory.dmp

Filesize
976KB

Download
memory/4060-40-0x0000022AFE100000-0x0000022AFE116000-memory.dmp

Filesize
88KB

Download
memory/4060-43-0x0000022ADDA50000-0x0000022ADDA58000-memory.dmp

Filesize
32KB

Download
memory/4060-46-0x0000022AFE1F0000-0x0000022AFE22E000-memory.dmp

Filesize
248KB

Download
memory/4060-49-0x0000022AFE160000-0x0000022AFE1A7000-memory.dmp

Filesize
284KB

Download
memory/4060-52-0x0000022ADDBC0000-0x0000022ADDBC7000-memory.dmp

Filesize
28KB

Download
memory/4060-55-0x0000022AFE350000-0x0000022AFE369000-memory.dmp

Filesize
100KB

Download
memory/4060-58-0x0000022AFE320000-0x0000022AFE34A000-memory.dmp

Filesize
168KB

Download
memory/4060-61-0x0000022AFE910000-0x0000022AFE9D4000-memory.dmp

Filesize
784KB

Download
memory/4060-64-0x0000022AFE3A0000-0x0000022AFE3C1000-memory.dmp

Filesize
132KB

Download
memory/4060-67-0x0000022AFED20000-0x0000022AFEDD5000-memory.dmp

Filesize
724KB

Download
memory/4060-151-0x00007FF7723F0000-0x00007FF772D1C000-memory.dmp

Filesize
9.2MB

Download
memory/4060-158-0x00007FF7723F0000-0x00007FF772D1C000-memory.dmp

Filesize
9.2MB

Download
memory/5052-163-0x00007FF7723F0000-0x00007FF772D1C000-memory.dmp

Filesize
9.2MB

Download
memory/5052-313-0x00007FF7723F0000-0x00007FF772D1C000-memory.dmp

Filesize
9.2MB

Download
memory/5052-314-0x00007FF7723F0000-0x00007FF772D1C000-memory.dmp

Filesize
9.2MB

Download