d2c38cecf49e55b35607cb0407a427fc6c0003909038466c8242120703fc7202

General

Target

74331fc1a01348185f62475ee5471472.exe
Size

1.4MB
MD5

74331fc1a01348185f62475ee5471472
SHA1

9c03c6dfc9786dfb960e5d4b1bd6db4fe5a036b2
SHA256

d2c38cecf49e55b35607cb0407a427fc6c0003909038466c8242120703fc7202
SHA512

114069ecf6ba1ff2b101cc6c86de3a5a95ae9b0e7517fdabda057507fcf4ccf76e87516ba019666504f57abbfb011dad3bfa87382d88f74bb913eb81af63fa32
SSDEEP

24576:BzMhy7MCOI7QAJcJpItV8xjPhrmR4Y4ptRNEg2JUYnbuR656+3xCu8kjfaY:BBMCOIBWOtmxjPkyYElOUK6R6pou1fB

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	GBTR_SENTRA.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	74331fc1a01348185f62475ee5471472.exe

Executes dropped EXE 1 IoCs

pid	Process
4016	GBTR_SENTRA.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4060-0-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4060-7-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4060-18-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GBTR_SENTRA = "C:\\GBTR_SENTRA.exe"	GBTR_SENTRA.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	GBTR_SENTRA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 4016	4060	74331fc1a01348185f62475ee5471472.exe	89
PID 4060 wrote to memory of 4016	4060	74331fc1a01348185f62475ee5471472.exe	89
PID 4060 wrote to memory of 4016	4060	74331fc1a01348185f62475ee5471472.exe	89

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	GBTR_SENTRA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	GBTR_SENTRA.exe

C:\Users\Admin\AppData\Local\Temp\74331fc1a01348185f62475ee5471472.exe
"C:\Users\Admin\AppData\Local\Temp\74331fc1a01348185f62475ee5471472.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4060
- C:\GBTR_SENTRA.exe
  "C:\GBTR_SENTRA.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System policy modification
  PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GBTR_SENTRA.exe

Filesize
841KB

MD5
eae88fa36714473a16941ce214e7a021

SHA1
6baca028203be5975a1eaf211b90bdbb9e6b5a1f

SHA256
0f06a2915cdc82b61b72f96cbb45f80b8ecdedbb31b05d58aeba1e34c757f4bb

SHA512
cf1ad51adef1af76f966b9cb7003c21634b227e38f4adbc3170fcb316dc5b00ada5c49d5cea501c9ecc5f876f2ef01f67255440aa2fdff6dc9b05a24bce16e14

Download Submit
C:\libmySQL50.dll

Filesize
1.4MB

MD5
51b4cecfb4c9ca5bf38215744e5df39d

SHA1
6e2b8eed69064ff617aaf8a411e0f627fb59eac5

SHA256
d4afdbc3b6169128c7752936d9ee4aefe6a435ab3d0ef0d9eb12d5a1bb1e11ad

SHA512
74d1e9e7da3035a9dda6bdd9fcc3650cecbfb122cc09d6f4ba231982be5c5342cba23e7d00aac10c012673c562596a23e89cb9fccdeb42743ce026122121fe50

Download Submit
memory/4016-19-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/4016-20-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/4016-21-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/4016-24-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/4016-26-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/4016-31-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/4016-32-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/4060-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4060-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4060-18-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads