Analysis
- max time kernel: 150s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2023, 13:30
Static task: static1
Behavioral task: behavioral1
- Sample: 1a15794535503cd1ec60d05133806e19.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 1a15794535503cd1ec60d05133806e19.exe
- Resource: win10v2004-20231215-en
General
- Target: 1a15794535503cd1ec60d05133806e19.exe
- Size: 299KB
- MD5: 1a15794535503cd1ec60d05133806e19
- SHA1: 1aedbc0f29cc8d952ed38f4f2d770b99a4d41415
- SHA256: 45a52b77b5a3f48b0981ddf23c99ca6c3162f351290a10e0a4853d01d48e5e0d
- SHA512: 7c2b427dcabab64c33500522bbb1917ec9072cd80667d7260b1288d6c7334acc6de1d195c7cabf6dcc70f7d406eb8c08eb39e14282189b1dcddfb2b568bffbd8
- SSDEEP: 6144:XAYEC5+tSkUGr4EnbSetLTs7TOd3o3PuoDtrlo+O:VE0+Ikh92etZE3r
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2312, process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2624, process gmgifo.exe
- Loads dropped DLL (3 IoCs)
  pid 2312, process cmd.exe
  pid 2312, process cmd.exe
  pid 2624, process gmgifo.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (1 IoC)
  pid 2860, process taskkill.exe
- Runs ping.exe (1 TTP, 1 IoC)
  pid 2840, process PING.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2624, process gmgifo.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege; pid 2860, process taskkill.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid 2624, process gmgifo.exe (4 identical entries)
- Suspicious use of SendNotifyMessage (4 IoCs)
  pid 2624, process gmgifo.exe (4 identical entries)
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | process | procid_target
  PID 2024 wrote to memory of 2312 | 2024 | 1a15794535503cd1ec60d05133806e19.exe | 28 (4 identical entries)
  PID 2312 wrote to memory of 2860 | 2312 | cmd.exe | 30 (4 identical entries)
  PID 2312 wrote to memory of 2840 | 2312 | cmd.exe | 32 (4 identical entries)
  PID 2312 wrote to memory of 2624 | 2312 | cmd.exe | 33 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\1a15794535503cd1ec60d05133806e19.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1a15794535503cd1ec60d05133806e19.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2024
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2024 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1a15794535503cd1ec60d05133806e19.exe" & start C:\Users\Admin\AppData\Local\gmgifo.exe -f
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2312
    - C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /pid 2024
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2860
    - C:\Windows\SysWOW64\PING.EXE
      command line: ping -n 3 127.1
      - Runs ping.exe
      PID: 2840
    - C:\Users\Admin\AppData\Local\gmgifo.exe
      command line: C:\Users\Admin\AppData\Local\gmgifo.exe -f
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2624
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 299KB
  MD5: 1a15794535503cd1ec60d05133806e19
  SHA1: 1aedbc0f29cc8d952ed38f4f2d770b99a4d41415
  SHA256: 45a52b77b5a3f48b0981ddf23c99ca6c3162f351290a10e0a4853d01d48e5e0d
  SHA512: 7c2b427dcabab64c33500522bbb1917ec9072cd80667d7260b1288d6c7334acc6de1d195c7cabf6dcc70f7d406eb8c08eb39e14282189b1dcddfb2b568bffbd8