Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 30-12-2023 08:19
Behavioral task behavioral1
Sample: 1341f290bac6394454de086e9c7dd58d.exe
Resource: win7-20231129-en
Behavioral task behavioral2
Sample: 1341f290bac6394454de086e9c7dd58d.exe
Resource: win10v2004-20231215-en
General
Target: 1341f290bac6394454de086e9c7dd58d.exe
Size: 20KB
MD5: 1341f290bac6394454de086e9c7dd58d
SHA1: b7aca1f2f0044921e40d130a2ab9fdbb1a90f28f
SHA256: d097a847f06b698accc337c2ca7833c8e729a2e2755a261b91efe2e4bb0159b4
SHA512: 179fc93cc3efcaeae1af6d24313c799d893ed3a5d3e4942658f93e885d6b51586f9be8dc057ad27e3bec5393818b8d39fed6c20b9f658669ef141a3227f87c06
SSDEEP: 384:ZqhhXLRWHpmK2IZh0pqA4To0KtBKMWFIdtWOmQlOiOnBpDWFEa:Zqh7/KJX0pn4To0KXKMWctWxkOP/J
Malware Config
Signatures
Executes dropped EXE 2 IoCs
pid   process
2984  gdisvc.exe
2576  gdisvc.exe
Loads dropped DLL 4 IoCs
pid   process
2948  1341f290bac6394454de086e9c7dd58d.exe
2948  1341f290bac6394454de086e9c7dd58d.exe
2984  gdisvc.exe
2984  gdisvc.exe
upx (YARA rule match) 7 IoCs
resource                                                                     yara_rule
behavioral1/files/0x000c00000001220d-11.dat                                  upx
behavioral1/memory/2576-30-0x0000000000400000-0x0000000000415000-memory.dmp  upx
behavioral1/memory/2948-32-0x0000000000400000-0x0000000000415000-memory.dmp  upx
behavioral1/memory/2984-31-0x0000000000400000-0x0000000000415000-memory.dmp  upx
behavioral1/memory/2984-20-0x0000000000400000-0x0000000000415000-memory.dmp  upx
behavioral1/memory/2948-12-0x00000000002D0000-0x00000000002E5000-memory.dmp  upx
behavioral1/memory/2948-0-0x0000000000400000-0x0000000000415000-memory.dmp   upx
Drops file in System32 directory 2 IoCs
description                   ioc                                 process
File created                  \??\c:\windows\SysWOW64\gdisvc.exe  1341f290bac6394454de086e9c7dd58d.exe
File opened for modification  \??\c:\windows\SysWOW64\gdisvc.exe  1341f290bac6394454de086e9c7dd58d.exe
Drops file in Program Files directory 2 IoCs
description                   ioc                                                       process
File created                  \??\c:\program files\common files\system\gdiserver.exe    1341f290bac6394454de086e9c7dd58d.exe
File opened for modification  \??\c:\program files\common files\system\gdiserver.exe    1341f290bac6394454de086e9c7dd58d.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid   process
2948  1341f290bac6394454de086e9c7dd58d.exe
2948  1341f290bac6394454de086e9c7dd58d.exe
2984  gdisvc.exe
2984  gdisvc.exe
Suspicious use of SetWindowsHookEx 3 IoCs
pid   process
2948  1341f290bac6394454de086e9c7dd58d.exe
2984  gdisvc.exe
2576  gdisvc.exe
Suspicious use of WriteProcessMemory 8 IoCs
description                       pid   process                                procid_target
PID 2948 wrote to memory of 2984  2948  1341f290bac6394454de086e9c7dd58d.exe  29
PID 2948 wrote to memory of 2984  2948  1341f290bac6394454de086e9c7dd58d.exe  29
PID 2948 wrote to memory of 2984  2948  1341f290bac6394454de086e9c7dd58d.exe  29
PID 2948 wrote to memory of 2984  2948  1341f290bac6394454de086e9c7dd58d.exe  29
PID 2984 wrote to memory of 2576  2984  gdisvc.exe                             28
PID 2984 wrote to memory of 2576  2984  gdisvc.exe                             28
PID 2984 wrote to memory of 2576  2984  gdisvc.exe                             28
PID 2984 wrote to memory of 2576  2984  gdisvc.exe                             28
Processes
C:\Users\Admin\AppData\Local\Temp\1341f290bac6394454de086e9c7dd58d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1341f290bac6394454de086e9c7dd58d.exe"
  depth 1, PID 2948
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\SysWOW64\gdisvc.exe
    command line: c:\windows\system32\gdisvc.exe c:\users\admin\appdata\local\temp\1341f290bac6394454de086e9c7dd58d.exe
    depth 2, PID 2984
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
\??\c:\windows\SysWOW64\gdisvc.exe
  command line: c:\windows\system32\gdisvc.exe c:\windows\syswow64\gdisvc.exe
  depth 1, PID 2576
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
Note on the paths: both gdisvc.exe instances are launched with a c:\windows\system32 command line, yet the file was created in and runs from c:\windows\SysWOW64. That is WoW64 file-system redirection, which a 32-bit process gets on an x64 host (the sandbox image is windows7_x64), so the dropper is running as a 32-bit process here and hunting rules for the dropped copy should look under SysWOW64, not System32. The second gdisvc.exe (PID 2576) receives the SysWOW64 path of its own binary as an argument and is the target of PID 2984's WriteProcessMemory calls, while the first (PID 2984) receives the path of the original dropper; gdiserver.exe is dropped under Program Files\Common Files\System but is not executed during this trace.
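The following script is an added example, not part of the sandbox report or its tooling. It takes the rows from the signature tables and process tree above (copied or constructed from this page; the pid attached to each "Drops file" row is taken from the process tree, since the table lists only the process name) and derives what a responder would carry to a host: the WriteProcessMemory hand-off chain with its duplicate rows collapsed, the dropped files that were later executed versus merely written, and the WoW64 redirection that maps the reported System32 command lines onto the SysWOW64 paths actually on disk. The function and variable names are the example's own.

```python
# Added example: derive host-hunting indicators from the report's signature
# tables. Rows below are copied or constructed from the report on this page.
import re

# Process tree as reported: pid -> image path. 2576 appears at depth 1 in
# the tree, so no parent is assumed for it here.
PROCESSES = {
    2948: r"C:\Users\Admin\AppData\Local\Temp\1341f290bac6394454de086e9c7dd58d.exe",
    2984: r"\??\c:\windows\SysWOW64\gdisvc.exe",
    2576: r"\??\c:\windows\SysWOW64\gdisvc.exe",
}

# Command lines as reported for the two gdisvc.exe processes.
COMMAND_LINES = {
    2984: r"c:\windows\system32\gdisvc.exe c:\users\admin\appdata\local\temp\1341f290bac6394454de086e9c7dd58d.exe",
    2576: r"c:\windows\system32\gdisvc.exe c:\windows\syswow64\gdisvc.exe",
}

# "Drops file" rows as (event, path, source pid); pid taken from the process tree.
FILE_EVENTS = [
    ("File created", r"\??\c:\windows\SysWOW64\gdisvc.exe", 2948),
    ("File opened for modification", r"\??\c:\windows\SysWOW64\gdisvc.exe", 2948),
    ("File created", r"\??\c:\program files\common files\system\gdiserver.exe", 2948),
    ("File opened for modification", r"\??\c:\program files\common files\system\gdiserver.exe", 2948),
]

# WriteProcessMemory rows verbatim from the report, duplicates included.
WPM_LINES = """\
PID 2948 wrote to memory of 2984 2948 1341f290bac6394454de086e9c7dd58d.exe 29
PID 2948 wrote to memory of 2984 2948 1341f290bac6394454de086e9c7dd58d.exe 29
PID 2948 wrote to memory of 2984 2948 1341f290bac6394454de086e9c7dd58d.exe 29
PID 2948 wrote to memory of 2984 2948 1341f290bac6394454de086e9c7dd58d.exe 29
PID 2984 wrote to memory of 2576 2984 gdisvc.exe 28
PID 2984 wrote to memory of 2576 2984 gdisvc.exe 28
PID 2984 wrote to memory of 2576 2984 gdisvc.exe 28
PID 2984 wrote to memory of 2576 2984 gdisvc.exe 28
"""
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+")


def normalize_path(path):
    """Strip the NT '\\??\\' prefix and lower-case so tree rows and drop rows compare equal."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def wow64_redirect(path, wow64_process=True):
    """Apply the file-system redirection a 32-bit process gets on x64 Windows.

    The report shows gdisvc.exe launched via a c:\\windows\\system32 command line
    but dropped and running under c:\\windows\\SysWOW64; hunt on the redirected path.
    """
    p = normalize_path(path)
    prefix = "c:\\windows\\system32\\"
    if wow64_process and p.startswith(prefix):
        p = "c:\\windows\\syswow64\\" + p[len(prefix):]
    return p


def image_from_cmdline(cmdline, wow64_process=True):
    """On-disk image a reported command line resolves to (first token, redirected)."""
    return wow64_redirect(cmdline.split()[0], wow64_process)


def parse_wpm(lines):
    """Collapse the repeated WriteProcessMemory rows into unique (writer, target) pid edges."""
    edges = set()
    for line in lines.splitlines():
        m = WPM_RE.match(line)
        if m:
            edges.add((int(m.group(1)), int(m.group(2))))
    return edges


def chain_from(root, edges):
    """Follow writer -> target edges from root to recover the hand-off chain."""
    chain, current, seen = [root], root, {root}
    while True:
        nxt = sorted(t for w, t in edges if w == current and t not in seen)
        if not nxt:
            return chain
        current = nxt[0]
        seen.add(current)
        chain.append(current)


def dropped_files(events):
    """Map each created path (normalised) to the pid that created it."""
    return {normalize_path(p): pid for ev, p, pid in events if ev == "File created"}


def dropped_then_executed(events, processes):
    """Dropped paths that a traced process later ran from: the staged second-stage binaries."""
    executed = {normalize_path(p) for p in processes.values()}
    return {p for p in dropped_files(events) if p in executed}


if __name__ == "__main__":
    edges = parse_wpm(WPM_LINES)
    print("hand-off chain:", " -> ".join(str(p) for p in chain_from(2948, edges)))
    print("dropped and executed:", sorted(dropped_then_executed(FILE_EVENTS, PROCESSES)))
    print("dropped only:", sorted(set(dropped_files(FILE_EVENTS)) - dropped_then_executed(FILE_EVENTS, PROCESSES)))
    for pid, cl in COMMAND_LINES.items():
        print(pid, image_from_cmdline(cl) == normalize_path(PROCESSES[pid]))
```

Run as-is it prints the chain 2948 -> 2984 -> 2576, reports gdisvc.exe as dropped-and-executed and gdiserver.exe as dropped only, and confirms that each reported command line resolves, after redirection, to the image path the tree shows. Pass `wow64_process=False` when reviewing a 64-bit sample, where System32 in the command line really means System32.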
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 20KB
MD5: 1341f290bac6394454de086e9c7dd58d
SHA1: b7aca1f2f0044921e40d130a2ab9fdbb1a90f28f
SHA256: d097a847f06b698accc337c2ca7833c8e729a2e2755a261b91efe2e4bb0159b4
SHA512: 179fc93cc3efcaeae1af6d24313c799d893ed3a5d3e4942658f93e885d6b51586f9be8dc057ad27e3bec5393818b8d39fed6c20b9f658669ef141a3227f87c06