bd24dbbe865e638bd48dbe25aedb6d0c847bffc2a1bf8ca79f8a97e3c9c2b39c

Analysis

max time kernel
150s
max time network
30s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12d0b092088308baa1d14c028f722416.exe
Size

3.6MB
MD5

12d0b092088308baa1d14c028f722416
SHA1

16a3c5137da6ed91fb704513df58ff65747e7de4
SHA256

bd24dbbe865e638bd48dbe25aedb6d0c847bffc2a1bf8ca79f8a97e3c9c2b39c
SHA512

fcd3074a4edfef24b04cdd3f5e04501afddf2c4980f810736ff830af1ae850dcd8c6429bce9181e0e2c1e85f146cafae1f838f6d9b4b554f20bee9ab2069b87b
SSDEEP

98304:YAhPizEMkWfBGzQXIj1yfiA2BzOi7xbSkJIDvhP:H1izEMjwz7jBzOEyDvhP

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2272	is-MKU1A.tmp
2896	gfl.exe
2672	gfl.exe

Loads dropped DLL 7 IoCs

pid	Process
2924	12d0b092088308baa1d14c028f722416.exe
2272	is-MKU1A.tmp
2272	is-MKU1A.tmp
2272	is-MKU1A.tmp
2272	is-MKU1A.tmp
2272	is-MKU1A.tmp
2272	is-MKU1A.tmp

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000016c20-42.dat	upx
behavioral1/files/0x0007000000016c20-49.dat	upx
behavioral1/files/0x0007000000016c20-45.dat	upx
behavioral1/memory/2272-44-0x00000000052E0000-0x0000000005368000-memory.dmp	upx
behavioral1/memory/2896-56-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/files/0x0007000000016c20-87.dat	upx
behavioral1/memory/2672-94-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/2672-91-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/files/0x0007000000016c20-83.dat	upx
behavioral1/files/0x0007000000016c20-81.dat	upx
behavioral1/memory/2896-52-0x0000000000400000-0x0000000000488000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2272	is-MKU1A.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2272	2924	12d0b092088308baa1d14c028f722416.exe	27
PID 2924 wrote to memory of 2272	2924	12d0b092088308baa1d14c028f722416.exe	27
PID 2924 wrote to memory of 2272	2924	12d0b092088308baa1d14c028f722416.exe	27
PID 2924 wrote to memory of 2272	2924	12d0b092088308baa1d14c028f722416.exe	27
PID 2924 wrote to memory of 2272	2924	12d0b092088308baa1d14c028f722416.exe	27
PID 2924 wrote to memory of 2272	2924	12d0b092088308baa1d14c028f722416.exe	27
PID 2924 wrote to memory of 2272	2924	12d0b092088308baa1d14c028f722416.exe	27
PID 2272 wrote to memory of 2896	2272	is-MKU1A.tmp	28
PID 2272 wrote to memory of 2896	2272	is-MKU1A.tmp	28
PID 2272 wrote to memory of 2896	2272	is-MKU1A.tmp	28
PID 2272 wrote to memory of 2896	2272	is-MKU1A.tmp	28
PID 2272 wrote to memory of 2672	2272	is-MKU1A.tmp	30
PID 2272 wrote to memory of 2672	2272	is-MKU1A.tmp	30
PID 2272 wrote to memory of 2672	2272	is-MKU1A.tmp	30
PID 2272 wrote to memory of 2672	2272	is-MKU1A.tmp	30

C:\Users\Admin\AppData\Local\Temp\12d0b092088308baa1d14c028f722416.exe
"C:\Users\Admin\AppData\Local\Temp\12d0b092088308baa1d14c028f722416.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\is-G1RU9.tmp\is-MKU1A.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-G1RU9.tmp\is-MKU1A.tmp" /SL4 $5015C "C:\Users\Admin\AppData\Local\Temp\12d0b092088308baa1d14c028f722416.exe" 3506026 52224
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\is-Q9CGS.tmp\gfl.exe
    "C:\Users\Admin\AppData\Local\Temp\is-Q9CGS.tmp\gfl.exe" /inireplace gdclicense.ini
    3⤵
    - Executes dropped EXE
    PID:2896
- - C:\Users\Admin\AppData\Local\Temp\is-Q9CGS.tmp\gfl.exe
    "C:\Users\Admin\AppData\Local\Temp\is-Q9CGS.tmp\gfl.exe" /inireplace gdcreadme.ini
    3⤵
    - Executes dropped EXE
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-G1RU9.tmp\is-MKU1A.tmp

Filesize
410KB

MD5
07a257adcb5cc2d8bb3a40dbe09e2391

SHA1
988267a0e8774014556e190d443fca9a76edc00f

SHA256
203d7559a57e1e5b7a8bebcbc6ceaacd056cb56e2206e722c1cc73ddd59cb3c8

SHA512
6de5d254418e272e2b7a9c7c2f346084e4d19c2a1d7f077021e6c28fb738d243431cdce584dd0eb1358ee795d171a4cea6476247be51119b49fea5c94eb00cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q9CGS.tmp\License.rtf

Filesize
14KB

MD5
b6a67a67af85002b4e3cf2f469c48377

SHA1
c559d465cc446ec719a689102965208b690bb882

SHA256
bb197a37213bf04e1201b05361190398d6df10c8b22b4d10d4ba2982567d96c4

SHA512
89015535a8c5d52fc17d8ed88d7837c6a967a8b8f492a09b38549f67a863d1522a1e04e203742fd8140f7085412c966b4cc8430257297116897b60da1146ea64

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q9CGS.tmp\LicenseFree.rtf

Filesize
14KB

MD5
cf27aad282b88dc12fa8f408a8c8cdd6

SHA1
3362e02a87a7d76f54b3e2ed01d8b6e28a3bdc4d

SHA256
8f2e2a5a59bad224c26aa666eb04307e23e62970139259513e858126faac1dbc

SHA512
cbaa189f994840e46cd7f7a45704565ebc772a5158234de003798a56ac47bbdfbd87c607b45cc80274a05ffa8b4742cc6397ed59b5cba73320cfd0f96d03c6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q9CGS.tmp\Readme.rtf

Filesize
3KB

MD5
1c9c93abecfe348b95eeaaa4f62011a3

SHA1
200b886ebb6ecaf6fee2d644c9f7399195179517

SHA256
de39a7f29717006024f669ed650ff551cd39e9febd56701040ae2ee8d5d4ef82

SHA512
60ad61bb6faf917937de6f065611a935386813d193e3a01d37b916e3a25cccb3c01113ff1305d4d2f881cbf7805c8f4ffc6c1d96c80d87db1649308d0437d2f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q9CGS.tmp\ReadmeFree.rtf

Filesize
3KB

MD5
92ee31a7d304f8843d96f70ff3f3ff1a

SHA1
22fb8e02b3b90c233e671a548513b2618085b507

SHA256
b2f164cc871d16c3cde0655c5f73c584697259daedd7ecf884a203f21f719d2a

SHA512
34a7dcfc1c7ccaa8e9257875e4359b0d1a7f0388fdb99c730ab07756ae9b9a6f1e54e95055a393f703861d2daa1731979f7bd8d0e77451841e5f505f80f82050

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q9CGS.tmp\gdclicense.ini

Filesize
708B

MD5
36f80e08f73678b82035a2aeb2c662f8

SHA1
5348f79a3fad62b3278bfec274567c068d461d88

SHA256
09b9f4147d8c213ce28dd80259cbb3824edde4c4393abac00934dfbc45e1c7b7

SHA512
ee34f1787a03e714e385ee8db2ec7eaded9c88b2bcd8e7744dfb497ee52571fdb346017f4d25d7abefb4a54746a31468baf510d111f0b2f92c10dac1be12060b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q9CGS.tmp\gdcreadme.ini

Filesize
706B

MD5
559a8fd308e2f50868a961de42bcd323

SHA1
7bfda321365cf6e0ace7f448909154f806ff6b32

SHA256
7b3d56ad6123266b7047dbd1678ec3c6e1e1892244507c2959cee3cc573e2788

SHA512
fdae290f1af3c0203fe2f133a50e7570a5b17a543fde8059a5a3b88816c36166769bc0954aff2fcb80edd51aed03f6620a6005708c7a8c2dfb0f3ab565f5771e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q9CGS.tmp\gfl.exe

Filesize
202KB

MD5
9d599dd48b2d3f2a622349e8de66b70c

SHA1
b4ae25be52d1e3e543104a100510627239aaee76

SHA256
4464ea7dca25df182c61ebd00fe5a0c0b53f260f5ccc4f805a43bef2ff5984c7

SHA512
03fb1c26ca7891b3ce6365588e1cc22c51b827f5c959e6bee7645459b01fb0b1f3c2f0af6ae9bb8e0179f40f26d3256313a9ba5c2587f449c63e42088f385b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q9CGS.tmp\gfl.exe

Filesize
136KB

MD5
c0a15336f6a2d321f103e3d0fd93aa16

SHA1
fd772da62a6b2825cb2839c824f1a8aa3a6745de

SHA256
f3675a39a15fb46ab442f75117d1589595df448c5a1a0d2049ed4c87c6d05508

SHA512
9c13a85b42ac8c8e4d6827c550df6d2c70093136b858650b273d377411ecb31f8203ee6bf1608a67cf845c5efd7a740d13c14f38431ed610bfe5ce4a86f65650

Download Submit
\Users\Admin\AppData\Local\Temp\is-G1RU9.tmp\is-MKU1A.tmp

Filesize
656KB

MD5
4fa180886ff7c0fd86a65f760ede6318

SHA1
2c89c271c71531362e84ddab5d3028f0756a9281

SHA256
1d9026c60374b056720cdfcfa598a641cc8fbc9932590d69b4cfbc32cd09871c

SHA512
a278b1d36332be9f3c284c0a4716c5e130cc6e1524c03bd693769497aeed97360c74fb8466b2d0ffd474ea8fe545c6961674ea2668a0867aee270659ad0142cd

Download Submit
\Users\Admin\AppData\Local\Temp\is-Q9CGS.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-Q9CGS.tmp\gfl.exe

Filesize
502KB

MD5
00a8ab7432b501498da6cc50f2e75631

SHA1
d1f1e7c6412eeab746ea29c22592299def96739f

SHA256
78862ab6c3bc0579b46855f01926f6d9a3190fd84a238e54dfa8f9997b932b61

SHA512
4a5f94237c472978ba24f3c1e618cbc1b5469c54fe5e06469076b767af5d43827fb4327ca43b46f91508f2834b611ed946d799045176c77535a97932c00b2c65

Download Submit
\Users\Admin\AppData\Local\Temp\is-Q9CGS.tmp\gfl.exe

Filesize
259KB

MD5
16cbd90b497d13db7e25e233ec5b9216

SHA1
bc2b61be74b42c8908bfaa08a3921e460a1bd462

SHA256
f1ce4d25920725d1e13a6179294aa5c6b8dc6cb57c5e19bc0f10e867fa71fb5d

SHA512
512515d68e0cf7e01555c556002503efe62c916c205b709ae8ed844be5ebe83ab7438fedf230566e08e2ccc256407c861591b85c31f2cdd65614f81eebfca1d1

Download Submit
\Users\Admin\AppData\Local\Temp\is-Q9CGS.tmp\gfl.exe

Filesize
257KB

MD5
45214937083bd008c683ceac11c36cf9

SHA1
843b7186728b0a8a3172d41b049633e35217a39a

SHA256
bbc0d6b7a484aea47277a5cf4deaa2ff57866116b76384b04efa4c2db82e2b55

SHA512
81f8c532446e5b6269fb3c600fff2cda8c87a0ffd0898f5d9b4f5ac59c77eb0b64c3b5a72edea5cf46e9b0440f1538aa1aa5aac2fd0ce45a19401cba54f3e9fd

Download Submit
\Users\Admin\AppData\Local\Temp\is-Q9CGS.tmp\gfl.exe

Filesize
219KB

MD5
532d5f3524d129eb9629d9ca356a89b6

SHA1
d460968f25e56d325a6faf94ae12a2f1c0a22c78

SHA256
5f56c25669a60764ef717db80e8e0171343f24b56fd1a323d67da3167155f81b

SHA512
2db1f058317fa8f3bbee66a239b6e77b698b666c60be24455e44f82d385dd3abd26473b11cab115a45b1e09358f95c57da4db69e559c2ca88a02d9ddc19ba938

Download Submit
memory/2272-55-0x00000000052E0000-0x0000000005368000-memory.dmp

Filesize
544KB

Download
memory/2272-98-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2272-88-0x00000000052F0000-0x0000000005378000-memory.dmp

Filesize
544KB

Download
memory/2272-44-0x00000000052E0000-0x0000000005368000-memory.dmp

Filesize
544KB

Download
memory/2272-102-0x00000000052F0000-0x0000000005378000-memory.dmp

Filesize
544KB

Download
memory/2272-9-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2272-100-0x00000000052E0000-0x0000000005368000-memory.dmp

Filesize
544KB

Download
memory/2272-99-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2672-94-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2672-93-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2672-91-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2896-56-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2896-52-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2896-53-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2924-97-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2924-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download