Analysis
max time kernel: 9s
max time network: 12s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 29-01-2024 23:26
Behavioral task: behavioral1
  Sample: 8123baa476516a50e29b32ea0ce7314d.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 8123baa476516a50e29b32ea0ce7314d.exe
  Resource: win10v2004-20231222-en
Errors
General
Target: 8123baa476516a50e29b32ea0ce7314d.exe
Size: 596KB
MD5: 8123baa476516a50e29b32ea0ce7314d
SHA1: 274bf9fc63b32e1cfa862ed55cbdb5835850c54b
SHA256: ecd76aed11be0a866826e5ef226316ccfa0d6e1f70a154418f51acb75fcb7909
SHA512: 3124819c73f7660b5ac71ddee98dca5d7122ad1591454727f57506fe7a80e493e780c12cdb272761ceaf25871d0f7dddc9ccc4defc1735db0eaaa9665cd59968
SSDEEP: 12288:Us0efPTb449JQ/rjc15o+t47yr8vWLDmlse7cp3SlEOXoFKl2okeL:T0MPTbT9yT+/foy6K0cdSlEVO2te
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\gog.exe"
  process: 8123baa476516a50e29b32ea0ce7314d.exe

Processes:
  resource: behavioral1/memory/2116-0-0x0000000000400000-0x0000000000571000-memory.dmp
  yara_rule: upx

  resource: behavioral1/memory/2116-4-0x0000000000400000-0x0000000000571000-memory.dmp
  yara_rule: upx
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum
  process: 8123baa476516a50e29b32ea0ce7314d.exe

  description: Key value queried
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
  process: 8123baa476516a50e29b32ea0ce7314d.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (51 IoCs)
Processes:
  pid: 2116  process: 8123baa476516a50e29b32ea0ce7314d.exe  (51 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeShutdownPrivilege
  pid: 2116
  process: 8123baa476516a50e29b32ea0ce7314d.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid: 2116  process: 8123baa476516a50e29b32ea0ce7314d.exe

Suspicious use of SendNotifyMessage (1 IoC)
Processes:
  pid: 2116  process: 8123baa476516a50e29b32ea0ce7314d.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid: 2116  process: 8123baa476516a50e29b32ea0ce7314d.exe
  pid: 2116  process: 8123baa476516a50e29b32ea0ce7314d.exe
Processes
C:\Users\Admin\AppData\Local\Temp\8123baa476516a50e29b32ea0ce7314d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8123baa476516a50e29b32ea0ce7314d.exe"
  - Modifies WinLogon for persistence
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\LogonUI.exe
  command line: "LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe
  command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
memory/1304-6-0x0000000002760000-0x0000000002761000-memory.dmp  Filesize: 4KB
memory/2116-0-0x0000000000400000-0x0000000000571000-memory.dmp  Filesize: 1.4MB
memory/2116-1-0x0000000000230000-0x0000000000231000-memory.dmp  Filesize: 4KB
memory/2116-4-0x0000000000400000-0x0000000000571000-memory.dmp  Filesize: 1.4MB
memory/2736-5-0x00000000029C0000-0x00000000029C1000-memory.dmp  Filesize: 4KB