bd9746682dd79bd6c0cae33d68baa998f7dc636c059637e6cecb4606d7f6f8f6

Analysis

max time kernel
73s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 12:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

GiF.exe
Size

3.1MB
MD5

46f57a9bb8636f0a1467c72eeb6b5eb6
SHA1

c78f9c9b5daccb904f1d6d458dbfdd2b0f9d60bb
SHA256

cbb4e6fee72b9d3c115c3fba3d2dce221874c8842b3b8af8d85a14e1dca46fc1
SHA512

6af573033c674ad6fa26f2fe61b9853a3dd3afa40937503b1df25614210f9a2f32c835612f9b072381962cbc779f11829e559b23372ec46829506ea67a13889f
SSDEEP

49152:zhguTy/bSqfmNlXd9SQ2qTYPFwX5PwOcmOue6eKfITUhTEnBgN+e+Vzzixa0Ba2O:OuUOMm7XbS1nJzT8aqj+

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2780	gif.exe
1912	360tray.exe

Loads dropped DLL 10 IoCs

pid	Process
4832	GiF.exe
4832	GiF.exe
4832	GiF.exe
1912	360tray.exe
1912	360tray.exe
1912	360tray.exe
1912	360tray.exe
1912	360tray.exe
1912	360tray.exe
1912	360tray.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safe = "C:\\Windows\\system32\\360tray.exe"	360tray.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\gif.exe	GiF.exe
File created	C:\Windows\SysWOW64\360tray.exe	GiF.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4832	GiF.exe
4832	GiF.exe
2780	gif.exe
2780	gif.exe
1912	360tray.exe
1912	360tray.exe
1912	360tray.exe
1912	360tray.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 2780	4832	GiF.exe	88
PID 4832 wrote to memory of 2780	4832	GiF.exe	88
PID 4832 wrote to memory of 2780	4832	GiF.exe	88
PID 4832 wrote to memory of 1912	4832	GiF.exe	90
PID 4832 wrote to memory of 1912	4832	GiF.exe	90
PID 4832 wrote to memory of 1912	4832	GiF.exe	90

C:\Users\Admin\AppData\Local\Temp\GiF.exe
"C:\Users\Admin\AppData\Local\Temp\GiF.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\SysWOW64\gif.exe
  C:\Windows\system32\gif.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2780
- C:\Windows\SysWOW64\360tray.exe
  C:\Windows\system32\360tray.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne

Filesize
272KB

MD5
e1edaac13d335c5dd4344a1a95144bed

SHA1
29473f0a41dcdf61ee237d08f8b8cb9fbfd8e365

SHA256
6cb36f8f4b1bab12c5be665633b69099f41fbd9ca8d57b04ade5d6debd480f5f

SHA512
e4e5847f907bead950781dc28dd34b10dae8cdd8cbac53c841eabf1431438de28b21cd11fb485b2fe0d638c23a845d15ae0ab9553903d84b1ee4e03c8b31e6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne

Filesize
221KB

MD5
b4040db293b145544b941608a26894ae

SHA1
0cb69965ef7efdd3c6344afb0076c33213a7fa7d

SHA256
9eee954f193ccf63b2af2f8521c0ebd51f9d4265296ffdaffcecda74d0772c3f

SHA512
3bc0cb50f2b3a618a79ee9a9dfdcae88266036ced8d927f6be6a4cb715eaf96976a7c9abed1358989a8b7e19ae0638466c54a9c2b57e7f953f759b8ce86e7560

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\internet.fne

Filesize
48KB

MD5
4200e5cb9a9960c159204a4fbc20e799

SHA1
16043e87b14d6513c485a857989be492ce983393

SHA256
ce1c8c66be5cd364823cea153212f1ff185f2a010cda5f245245ea0e03676e45

SHA512
38fbfa81bc8f36c7c0251d4875a4edb0d0f6d53559751795c5a01a0f9704638469a794355329b48e0b2f8604fb4344b7fd87df51d656b5657e378c9eb582dd50

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\internet.fne

Filesize
57KB

MD5
bbfae0dad6c51a19577dd3eab218a815

SHA1
9311d3402853768a62c8957d6377482e3791a765

SHA256
8cb59c4e135181fae5b45db205f9c5316d914fd4dc84df8738785a4f885894bb

SHA512
839ff0d8e4077817f760b92731ece999c68432e2463d8891a712f6f008765a9252e97036eef212a58b2dd700cf14ec04c9bcefc66ec92722f5589c68da705a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
300KB

MD5
b0fa4b7eb442d6ad76eb7f97798e867b

SHA1
7d3fc7e777fb1ea6ddf202a5dfd5a195bbcdcacc

SHA256
f452231aaaa7a7a2c93a9e4bd4d7eef81c4f7746a5cf07cc38eed0faca3dcf12

SHA512
ac9fe350f0fa59eef5e2ab5d3a1b89669e956f7c38010e929772a1b5ff01f3c0fde6898b7a14086b301197d8f079805d980d9868d87ce2d9c7bbd77728a01f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
156KB

MD5
f556c16d279a8ffb63b86960f5712a02

SHA1
cc085e1913051f742348b97ebf81d6bcf9eff214

SHA256
4163c82f3c613292d9f91659c1e24706092aaea717a951c53b442fd3d83ae814

SHA512
7cbc2f00b7c36bf11042cbeed5ddbcf04c74eafd749ed1b05b22fb2e4b217b9c467812c7b198fd2a6c654bdc83f5089feadfc94a51b06ffc0014e38c6b1578c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
245KB

MD5
c21fca47e4c0d9f9c54073bd87f4dbec

SHA1
15f48366d0b3a3f02bc3eb48224df408488ea7ce

SHA256
cc2f948f9c9c7998ee8334f7971028163f30cb312abfebf34033e82b2f734820

SHA512
582322ff100c28ecc3444c23a60c9aadd399ced8da04e231cbe1f8e1222bc1367387a6305a54f8958c6b40273822296fcfbe54b5094ef1ef98ed773578213725

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
40KB

MD5
d54753e7fc3ea03aec0181447969c0e8

SHA1
824e7007b6569ae36f174c146ae1b7242f98f734

SHA256
192608ff371400c1529aa05f1adba0fe4fdd769fcbf35ee5f8b4f78a838a7ec9

SHA512
c25ed4cb38d5d5e95a267979f0f3f9398c04a1bf5822dceb03d6f6d9b4832dfb227f1e6868327e52a0303f45c36b9ba806e75b16bd7419a7c5203c2ecbae838f

Download Submit
C:\Windows\SysWOW64\360tray.exe

Filesize
343KB

MD5
b528fbd8ce7dda62c9b65aac82895602

SHA1
8f5c44b34e1c3902628df684bf2c378cffdc7fe6

SHA256
a54b9d1bea77d3b74598ad5922eafbc7e209d41c7e6ea45db1217d23af0223aa

SHA512
373228c13e3808b14866de78b06cc87813733cb5e48c95f40bc7da7c1751275d46957a32ac0726a5fe302eb85825ec841d06d4012e116698f1eceacd88bd537b

Download Submit
C:\Windows\SysWOW64\360tray.exe

Filesize
143KB

MD5
7f93c5b4ba56840f24d8c6bd36fe9498

SHA1
0401d362d131f0a5bfa0cdc4dd00078faac97730

SHA256
d79debf45d200ef37a6db34f4c64e7a5ad21fcf75ae09192d05724511f6378a7

SHA512
1237838472e43bf7f7d869d6af6afc2805cdd91f536cc117d4b3152cd5dcbb2b9a0ec96727688da79849f97956d433ec2d3c7e6f759b62e556ef7e54e45cc825

Download Submit
C:\Windows\SysWOW64\gif.exe

Filesize
25KB

MD5
b1bbffdc33478ec10e7ef1ad8a9746e1

SHA1
e141f0aa6851fc55e3b0ee51e6ade26bb1d3b864

SHA256
d576cfa1d04a138b4a6779786dde0e446479384850c395d9c5973b3e14f0390a

SHA512
c4f531f158011672d6967b6c1326af592927b90ed08befa4f8abbf977499a16b94a259e5d64d3dfd7ff10a25a598ff30bd8909547477c3f9a36bc3552778a391

Download Submit
C:\Windows\SysWOW64\gif.exe

Filesize
57KB

MD5
7cf893411c835027108e01e31bfc5e81

SHA1
42963588a422e8a794d6e2adbeac5881dcd36583

SHA256
3b61b8120edc17c81067ba7c3ca904ca003d97141972e308db1bf021c3c1f043

SHA512
10e1e5fcbaf900a3eb7dc3523da6418f3834add92668038f08f5dd93206627bf36afce3f3c32f103cb93f770be157c39e3bb91883ab0947a27968074f059b71a

Download Submit
memory/1912-35-0x0000000002180000-0x00000000021DD000-memory.dmp

Filesize
372KB

Download
memory/1912-30-0x0000000002160000-0x0000000002171000-memory.dmp

Filesize
68KB

Download
memory/1912-21-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1912-42-0x0000000003750000-0x000000000378C000-memory.dmp

Filesize
240KB

Download
memory/1912-47-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2780-16-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/2780-46-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/4832-31-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/4832-0-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/4832-9-0x00000000025A0000-0x00000000025B1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads