45a52b77b5a3f48b0981ddf23c99ca6c3162f351290a10e0a4853d01d48e5e0d

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a15794535503cd1ec60d05133806e19.exe
Size

299KB
MD5

1a15794535503cd1ec60d05133806e19
SHA1

1aedbc0f29cc8d952ed38f4f2d770b99a4d41415
SHA256

45a52b77b5a3f48b0981ddf23c99ca6c3162f351290a10e0a4853d01d48e5e0d
SHA512

7c2b427dcabab64c33500522bbb1917ec9072cd80667d7260b1288d6c7334acc6de1d195c7cabf6dcc70f7d406eb8c08eb39e14282189b1dcddfb2b568bffbd8
SSDEEP

6144:XAYEC5+tSkUGr4EnbSetLTs7TOd3o3PuoDtrlo+O:VE0+Ikh92etZE3r

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2312	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2624	gmgifo.exe

Loads dropped DLL 3 IoCs

pid	Process
2312	cmd.exe
2312	cmd.exe
2624	gmgifo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2860	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2840	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	taskkill.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe
2624	gmgifo.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2312	2024	1a15794535503cd1ec60d05133806e19.exe	28
PID 2024 wrote to memory of 2312	2024	1a15794535503cd1ec60d05133806e19.exe	28
PID 2024 wrote to memory of 2312	2024	1a15794535503cd1ec60d05133806e19.exe	28
PID 2024 wrote to memory of 2312	2024	1a15794535503cd1ec60d05133806e19.exe	28
PID 2312 wrote to memory of 2860	2312	cmd.exe	30
PID 2312 wrote to memory of 2860	2312	cmd.exe	30
PID 2312 wrote to memory of 2860	2312	cmd.exe	30
PID 2312 wrote to memory of 2860	2312	cmd.exe	30
PID 2312 wrote to memory of 2840	2312	cmd.exe	32
PID 2312 wrote to memory of 2840	2312	cmd.exe	32
PID 2312 wrote to memory of 2840	2312	cmd.exe	32
PID 2312 wrote to memory of 2840	2312	cmd.exe	32
PID 2312 wrote to memory of 2624	2312	cmd.exe	33
PID 2312 wrote to memory of 2624	2312	cmd.exe	33
PID 2312 wrote to memory of 2624	2312	cmd.exe	33
PID 2312 wrote to memory of 2624	2312	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\1a15794535503cd1ec60d05133806e19.exe
"C:\Users\Admin\AppData\Local\Temp\1a15794535503cd1ec60d05133806e19.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2024 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1a15794535503cd1ec60d05133806e19.exe" & start C:\Users\Admin\AppData\Local\gmgifo.exe -f
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /pid 2024
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.1
    3⤵
    - Runs ping.exe
    PID:2840
- - C:\Users\Admin\AppData\Local\gmgifo.exe
    C:\Users\Admin\AppData\Local\gmgifo.exe -f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\gmgifo.exe

Filesize
299KB

MD5
1a15794535503cd1ec60d05133806e19

SHA1
1aedbc0f29cc8d952ed38f4f2d770b99a4d41415

SHA256
45a52b77b5a3f48b0981ddf23c99ca6c3162f351290a10e0a4853d01d48e5e0d

SHA512
7c2b427dcabab64c33500522bbb1917ec9072cd80667d7260b1288d6c7334acc6de1d195c7cabf6dcc70f7d406eb8c08eb39e14282189b1dcddfb2b568bffbd8

Download Submit
memory/2024-1-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2024-0-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/2024-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2024-4-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2024-3-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2024-5-0x0000000000270000-0x0000000000272000-memory.dmp

Filesize
8KB

Download
memory/2024-7-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2624-16-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2624-21-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2624-12-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/2624-17-0x00000000002A0000-0x00000000002A2000-memory.dmp

Filesize
8KB

Download
memory/2624-18-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2624-19-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/2624-20-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2624-14-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2624-22-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2624-23-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2624-24-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2624-25-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2624-26-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2624-27-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download