6940fd12c37de9c9efc653c98fd504a1a6f8cdafeaa9c57bbd5d8bec4d9aa5cb

Analysis

max time kernel
136s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

642e57fbe80ead958d0556a19d6c0cfd.exe
Size

159KB
MD5

642e57fbe80ead958d0556a19d6c0cfd
SHA1

eb26190b9169e155ba556960ccd0e8c4d4ecb97d
SHA256

6940fd12c37de9c9efc653c98fd504a1a6f8cdafeaa9c57bbd5d8bec4d9aa5cb
SHA512

5edf6ed379f969498f70577cfd8dbdcff9e50fa140efb24d5981aed2da78f9c8dd554a7269f3a0bc2203320020c9e8eb7d7600f41788ede011e3e9e0c281e938
SSDEEP

3072:Sz6bEbOysMG8xx7GSXhSV+xhpVtN08Cc:SzNJsMG8xhGehSV+PpTN08

Score

8^/10

persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kr0h = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gtp3.exe"	642e57fbe80ead958d0556a19d6c0cfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	642e57fbe80ead958d0556a19d6c0cfd.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	gtp3.exe

Executes dropped EXE 2 IoCs

pid	Process
2280	gtp3.exe
4408	gtp3.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/792-0-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/files/0x00030000000006dd-5.dat	upx
behavioral2/memory/2280-7-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/792-16-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2280-22-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4408-23-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4408-24-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	Rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yzc07.log	gtp3.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3120	sc.exe
4840	sc.exe
5020	sc.exe
4732	sc.exe
2848	sc.exe
3952	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
792	642e57fbe80ead958d0556a19d6c0cfd.exe
792	642e57fbe80ead958d0556a19d6c0cfd.exe
792	642e57fbe80ead958d0556a19d6c0cfd.exe
2280	gtp3.exe
2280	gtp3.exe
2280	gtp3.exe
4408	gtp3.exe
4408	gtp3.exe
4408	gtp3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 2568	792	642e57fbe80ead958d0556a19d6c0cfd.exe	91
PID 792 wrote to memory of 2568	792	642e57fbe80ead958d0556a19d6c0cfd.exe	91
PID 792 wrote to memory of 2568	792	642e57fbe80ead958d0556a19d6c0cfd.exe	91
PID 792 wrote to memory of 4840	792	642e57fbe80ead958d0556a19d6c0cfd.exe	92
PID 792 wrote to memory of 4840	792	642e57fbe80ead958d0556a19d6c0cfd.exe	92
PID 792 wrote to memory of 4840	792	642e57fbe80ead958d0556a19d6c0cfd.exe	92
PID 792 wrote to memory of 3764	792	642e57fbe80ead958d0556a19d6c0cfd.exe	94
PID 792 wrote to memory of 3764	792	642e57fbe80ead958d0556a19d6c0cfd.exe	94
PID 792 wrote to memory of 3764	792	642e57fbe80ead958d0556a19d6c0cfd.exe	94
PID 792 wrote to memory of 5020	792	642e57fbe80ead958d0556a19d6c0cfd.exe	93
PID 792 wrote to memory of 5020	792	642e57fbe80ead958d0556a19d6c0cfd.exe	93
PID 792 wrote to memory of 5020	792	642e57fbe80ead958d0556a19d6c0cfd.exe	93
PID 792 wrote to memory of 2280	792	642e57fbe80ead958d0556a19d6c0cfd.exe	98
PID 792 wrote to memory of 2280	792	642e57fbe80ead958d0556a19d6c0cfd.exe	98
PID 792 wrote to memory of 2280	792	642e57fbe80ead958d0556a19d6c0cfd.exe	98
PID 792 wrote to memory of 4644	792	642e57fbe80ead958d0556a19d6c0cfd.exe	100
PID 792 wrote to memory of 4644	792	642e57fbe80ead958d0556a19d6c0cfd.exe	100
PID 792 wrote to memory of 4644	792	642e57fbe80ead958d0556a19d6c0cfd.exe	100
PID 3764 wrote to memory of 1256	3764	net.exe	101
PID 3764 wrote to memory of 1256	3764	net.exe	101
PID 3764 wrote to memory of 1256	3764	net.exe	101
PID 2568 wrote to memory of 1096	2568	net.exe	102
PID 2568 wrote to memory of 1096	2568	net.exe	102
PID 2568 wrote to memory of 1096	2568	net.exe	102
PID 4644 wrote to memory of 1240	4644	Rundll32.exe	103
PID 4644 wrote to memory of 1240	4644	Rundll32.exe	103
PID 4644 wrote to memory of 1240	4644	Rundll32.exe	103
PID 792 wrote to memory of 2404	792	642e57fbe80ead958d0556a19d6c0cfd.exe	104
PID 792 wrote to memory of 2404	792	642e57fbe80ead958d0556a19d6c0cfd.exe	104
PID 792 wrote to memory of 2404	792	642e57fbe80ead958d0556a19d6c0cfd.exe	104
PID 2280 wrote to memory of 2092	2280	gtp3.exe	106
PID 2280 wrote to memory of 2092	2280	gtp3.exe	106
PID 2280 wrote to memory of 2092	2280	gtp3.exe	106
PID 2280 wrote to memory of 4732	2280	gtp3.exe	107
PID 2280 wrote to memory of 4732	2280	gtp3.exe	107
PID 2280 wrote to memory of 4732	2280	gtp3.exe	107
PID 2280 wrote to memory of 3936	2280	gtp3.exe	114
PID 2280 wrote to memory of 3936	2280	gtp3.exe	114
PID 2280 wrote to memory of 3936	2280	gtp3.exe	114
PID 2280 wrote to memory of 2848	2280	gtp3.exe	109
PID 2280 wrote to memory of 2848	2280	gtp3.exe	109
PID 2280 wrote to memory of 2848	2280	gtp3.exe	109
PID 2280 wrote to memory of 4408	2280	gtp3.exe	111
PID 2280 wrote to memory of 4408	2280	gtp3.exe	111
PID 2280 wrote to memory of 4408	2280	gtp3.exe	111
PID 2092 wrote to memory of 3416	2092	net.exe	116
PID 2092 wrote to memory of 3416	2092	net.exe	116
PID 2092 wrote to memory of 3416	2092	net.exe	116
PID 3936 wrote to memory of 4444	3936	net.exe	117
PID 3936 wrote to memory of 4444	3936	net.exe	117
PID 3936 wrote to memory of 4444	3936	net.exe	117
PID 4408 wrote to memory of 3144	4408	gtp3.exe	118
PID 4408 wrote to memory of 3144	4408	gtp3.exe	118
PID 4408 wrote to memory of 3144	4408	gtp3.exe	118
PID 4408 wrote to memory of 3120	4408	gtp3.exe	122
PID 4408 wrote to memory of 3120	4408	gtp3.exe	122
PID 4408 wrote to memory of 3120	4408	gtp3.exe	122
PID 4408 wrote to memory of 3352	4408	gtp3.exe	121
PID 4408 wrote to memory of 3352	4408	gtp3.exe	121
PID 4408 wrote to memory of 3352	4408	gtp3.exe	121
PID 4408 wrote to memory of 3952	4408	gtp3.exe	120
PID 4408 wrote to memory of 3952	4408	gtp3.exe	120
PID 4408 wrote to memory of 3952	4408	gtp3.exe	120
PID 1240 wrote to memory of 740	1240	runonce.exe	125

C:\Users\Admin\AppData\Local\Temp\642e57fbe80ead958d0556a19d6c0cfd.exe
"C:\Users\Admin\AppData\Local\Temp\642e57fbe80ead958d0556a19d6c0cfd.exe"
1⤵
- Adds policy Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:792
- C:\Windows\SysWOW64\net.exe
  net.exe stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:1096
- C:\Windows\SysWOW64\sc.exe
  sc config wscsvc start= DISABLED
  2⤵
  - Launches sc.exe
  PID:4840
- C:\Windows\SysWOW64\sc.exe
  sc config SharedAccess start= DISABLED
  2⤵
  - Launches sc.exe
  PID:5020
- C:\Windows\SysWOW64\net.exe
  net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:1256
- C:\Users\Admin\AppData\Local\Temp\gtp3.exe
  C:\Users\Admin\AppData\Local\Temp\gtp3.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Security Center"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Security Center"
      4⤵
      PID:3416
- - C:\Windows\SysWOW64\sc.exe
    sc config wscsvc start= DISABLED
    3⤵
    - Launches sc.exe
    PID:4732
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= DISABLED
    3⤵
    - Launches sc.exe
    PID:2848
- - C:\Users\Admin\AppData\Local\Temp\gtp3.exe
    C:\Users\Admin\AppData\Local\Temp\gtp3.exe -d021100EA995E429D5CAD7F58AEEA8A8F2EBB4F3FB3D161A83955B7C120F66B0368148895D2AE247A106453FC6856BC9476B5D931EE45257992ABC3BFB8C76A18125B943B919942AEA2E3DB9C15EEE5EF6B5CADE15CED1E1ED96B523AD92DA224A2F53F2D819FA01004C244132FEC99CC4DF00734471C7245A183B1FF99E6C879F8EEE74E89CB83516657FCAF6DA9AE2A9F72656537CD85BBBA216D3254B5D00D35502954D3A7706E3A6DAFF5CA543896204B8330F6D3FE4B353852DDA1E5F12ABBC4E3F1C9842CD630404AD07EEF8CCBD26C5F1A8CC2BF3C63806EFE5A9C9E492A96303C12A0BD0C3A3BFA6B02C84003F6C3351C4231F044D5650E8698638DE6638D6EC4981066D2896E2D11105928EE0DAD82BBA38CF46F5C6BBFF7B31EB48E88C43BCC84CFAE938DB38FF09F8159B5D80E05BF75F770520A394D3A453C462BF9B7720840A559F6F7E60D40EA2829F3575CB8F8C3474BB12E87C6AC27D0B93D5712316173556CF0BA20D4F969BD2D70CD28DB9CD65FA8CE5A3A770A71E8C20083B4D63607612CD104595233D5D53883B957E9C6350BEC8160D3ED967E67555D9F1BFC4825AF1E2249C533B628F461A4DD429F7AACFDBD40506EF446E48BA97D0CAF827D36BE082C3893
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4408
  - - C:\Windows\SysWOW64\net.exe
      net.exe stop "Security Center"
      4⤵
      PID:3144
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        5⤵
        
        PID:4240
  - - C:\Windows\SysWOW64\sc.exe
      sc config SharedAccess start= DISABLED
      4⤵
      Launches sc.exe
      PID:3952
  - - C:\Windows\SysWOW64\net.exe
      net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
      4⤵
      PID:3352
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
        5⤵
        
        PID:1236
  - - C:\Windows\SysWOW64\sc.exe
      sc config wscsvc start= DISABLED
      4⤵
      Launches sc.exe
      PID:3120
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3936
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
      4⤵
      PID:4444
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\mdinstall.inf
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\SysWOW64\runonce.exe
    "C:\Windows\system32\runonce.exe" -r
    3⤵
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Windows\SysWOW64\grpconv.exe
      "C:\Windows\System32\grpconv.exe" -o
      4⤵
      PID:740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\5xb4y8f33.bat
  2⤵
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5xb4y8f33.bat

Filesize
190B

MD5
49c7f49cfaaeda6b697828948b3927bc

SHA1
12d86d3bc59916ff5813822140333ffe5a4d8945

SHA256
5acbb13697508a4fd6022546bf60da004688801b499e66418f4b362a2fd693bf

SHA512
0b3e1686707f69711754e2052be8597ac78ca652e6cf65d8fbbf170ed8597f60de3d103b1efc77eab32ce3ea99cfda1028a3409bccb015cfbfa5f6d4e0c917c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtp3.exe

Filesize
159KB

MD5
642e57fbe80ead958d0556a19d6c0cfd

SHA1
eb26190b9169e155ba556960ccd0e8c4d4ecb97d

SHA256
6940fd12c37de9c9efc653c98fd504a1a6f8cdafeaa9c57bbd5d8bec4d9aa5cb

SHA512
5edf6ed379f969498f70577cfd8dbdcff9e50fa140efb24d5981aed2da78f9c8dd554a7269f3a0bc2203320020c9e8eb7d7600f41788ede011e3e9e0c281e938

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdinstall.inf

Filesize
413B

MD5
ce1f2d7c8e36f3c085a5d281b9ebeb2f

SHA1
bbbfae948d625afe50f66f34282bda3974cfdce5

SHA256
312239a5c6333e6d1e8ba9f0e81856c37347be0f21d194741ae1d25538cd130c

SHA512
89f69b88bdfb391f58abaefbbae7e393571709c0ea6a268794c035200674ad3a8615a65944373559aead87e8d5ab09f334e2b1563c1bde912aa26a485b76357e

Download Submit
memory/792-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/792-16-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2280-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2280-22-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4408-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4408-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads