Overview

overview

10

Static

static

10

Guna.UI2.dll

windows10-1703-x64

1

Guna.UI2.dll

windows10-2004-x64

1

GunaPatcher.exe

windows10-1703-x64

7

GunaPatcher.exe

windows10-2004-x64

3

dnlib.dll

windows10-1703-x64

1

dnlib.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    299s
  • max time network
    267s
  • platform
    windows10-1703_x64
  • resource
    win10-20231129-es
  • resource tags

    arch:x64arch:x86image:win10-20231129-eslocale:es-esos:windows10-1703-x64systemwindows
  • submitted
    12-12-2023 00:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GunaPatcher.exe

  • Size

    8KB

  • MD5

    7c8c748cf23a45836a35f4a28bdadcb3

  • SHA1

    5eb25218086b81026ec38f6d2bdb222f68cc327e

  • SHA256

    91ba12e96fbef22c551a957970ca2638456d3feae01b7566d473b5ad566e609b

  • SHA512

    602362de34099fa609ae37ef9dd3c723900b3abd976f2f3bc9cdcdb9ab72931ec6100634283e1abe170c41dcd78c55a1c2f8c72923396219aba801a9ba1c2902

  • SSDEEP

    96:Z6ttpdOaBqOFaSXdJr2Gl2TyNl8EOQcFV62VyGtqFh5vXXX6gWIfWrb65zNt:ZCcGcSX72/Ayx9oqgWBY

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GunaPatcher.exe
    C:\Users\Admin\AppData\Local\Temp\GunaPatcher.exe Guna.UI2.dll
    1⤵
    • Checks computer location settings
    PID:4576
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4948
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:3004
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2996
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2052
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:3444

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3444-57-0x00000284FAAC0000-0x00000284FAAC2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3444-67-0x00000284FAD00000-0x00000284FAD02000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3444-65-0x00000284FACE0000-0x00000284FACE2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3444-63-0x00000284FAC20000-0x00000284FAC22000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3444-61-0x00000284FAC00000-0x00000284FAC02000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3444-59-0x00000284FAAE0000-0x00000284FAAE2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4576-3-0x0000000005770000-0x0000000005C6E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4576-0-0x00000000008A0000-0x00000000008A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4576-2-0x00000000732F0000-0x00000000739DE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4576-1-0x0000000005140000-0x0000000005266000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4576-69-0x00000000732F0000-0x00000000739DE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4948-39-0x000001DC8CDB0000-0x000001DC8CDB2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4948-20-0x000001DC8D500000-0x000001DC8D510000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4948-4-0x000001DC8CC20000-0x000001DC8CC30000-memory.dmp

    Filesize

    64KB

    Download