a794ac78882a744b97acebed7a6a76ac8b3cfdef9d38bd891aa262081e303d52

Analysis

max time kernel
49s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
01-02-2024 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gs10020w64.exe
Size

61.7MB
MD5

5acc156bb25ec222aa328b4ee2795d23
SHA1

0d7d22dde3110f65daf479e2c369907d51f15abb
SHA256

a794ac78882a744b97acebed7a6a76ac8b3cfdef9d38bd891aa262081e303d52
SHA512

25012e5f217ab4c3055932c8f55916ed2ab47a1da351461049365f3290d4b924c3b00ecbd97fef26956a89524562110b3d0cc24d86b64a52e874358b9bfcebbb
SSDEEP

1572864:LxGsyJtoUaahN5YImcXbpZHfzYvN074A8A0:LxhAaahAcXn7S0kAV0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4504	vcredist_x64.exe
1584	vcredist_x64.exe

Loads dropped DLL 4 IoCs

pid	Process
6072	gs10020w64.exe
6072	gs10020w64.exe
6072	gs10020w64.exe
1584	vcredist_x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\gs\gs10.02.0\Resource\Decoding\Latin1	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\doc\colormanage\figures\source_intent.pdf	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\doc\src\requirements.txt	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\examples\annots.pdf	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\lib\traceimg.ps	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\CMap\UniKS-UTF16-V	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\lib\bjc610a7.upp	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\lib\dnj750c.upp	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\lib\docie.ps	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\CMap\UniHojo-UTF16-H	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\CMap\UniCNS-UTF16-V	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\Init\pdf_main.ps	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\doc\src\footer.rst	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\lib\bjc610b4.upp	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\lib\necp2x6.upp	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\CMap\78-EUC-H	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\CMap\UniCNS-UCS2-H	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\CMap\UniCNS-UTF16-H	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\CMap\UniKS-UTF16-H	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\Font\NimbusSansNarrow-Bold	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\doc\src\_static\cm-fig5.png	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\lib\lp386.bat	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\CMap\Adobe-CNS1-3	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\CMap\Adobe-Japan1-4	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\Font\URWGothic-Demi	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\iccprofiles\default_gray.icc	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\iccprofiles\gray_to_k.icc	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\Init\gs_init.ps	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\lib\viewpbm.ps	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\CMap\78-V	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\CMap\HKm314-B5-V	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\Init\gs_agl.ps	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\CMap\Add-RKSJ-V	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\CMap\B5pc-V	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\CMap\UniCNS-UTF32-V	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\ColorSpace\DefaultCMYK	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\doc\src\_static\favicon.ico	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\lib\ps2ps.bat	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\lib\stcany.upp	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\lib\viewmiff.ps	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\Decoding\FCO_Unicode	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\lib\ghostpdf.inf	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\CMap\Hojo-V	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\lib\ps2pdf14.bat	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\Font\NimbusSans-Bold	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\lib\gs_s_m.xbm	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\lib\ps2ps2.cmd	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\Font\NimbusMonoPS-Bold	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\CMap\UniCNS-UCS2-V	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\doc\index.htm	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\ColorSpace\sGray	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\doc\src\Make.rst	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\lib\gs_m_m.xbm	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\lib\lprsetup.sh	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\Init\gs_dps2.ps	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\doc\src\Ps2epsi.rst	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\lib\ras4.upp	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\lib\viewjpeg.ps	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\Init\gs_resmp.ps	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\Font\URWGothic-Book	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\Init\gs_il1_e.ps	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\doc\src\_static\cm-fig2.png	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\lib\bjc610a2.upp	gs10020w64.exe
File created	C:\Program Files\gs\gs10.02.0\Resource\CMap\UniGB-UTF32-H	gs10020w64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 6072 wrote to memory of 4504	6072	gs10020w64.exe	80
PID 6072 wrote to memory of 4504	6072	gs10020w64.exe	80
PID 6072 wrote to memory of 4504	6072	gs10020w64.exe	80
PID 4504 wrote to memory of 1584	4504	vcredist_x64.exe	81
PID 4504 wrote to memory of 1584	4504	vcredist_x64.exe	81
PID 4504 wrote to memory of 1584	4504	vcredist_x64.exe	81

C:\Users\Admin\AppData\Local\Temp\gs10020w64.exe
"C:\Users\Admin\AppData\Local\Temp\gs10020w64.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:6072
- C:\Program Files\gs\gs10.02.0\vcredist_x64.exe
  "C:\Program Files\gs\gs10.02.0\vcredist_x64.exe" /norestart /install /quiet
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\Temp\{C292F045-D89D-4BD6-8AC0-DD280E82A2D7}\.cr\vcredist_x64.exe
    "C:\Windows\Temp\{C292F045-D89D-4BD6-8AC0-DD280E82A2D7}\.cr\vcredist_x64.exe" -burn.clean.room="C:\Program Files\gs\gs10.02.0\vcredist_x64.exe" -burn.filehandle.attached=568 -burn.filehandle.self=580 /norestart /install /quiet
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1584
- C:\Program Files\gs\gs10.02.0\bin\gswin64c.exe
  "C:\Program Files\gs\gs10.02.0\bin\gswin64c.exe" -q -dNOSAFER -dBATCH "-sFONTDIR=C:/Windows/Fonts" "-sCIDFMAP=C:/Program Files/gs/gs10.02.0/lib/cidfmap" "C:/Program Files/gs/gs10.02.0/lib/mkcidfm.ps"
  2⤵
  PID:5524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\gs\gs10.02.0\bin\gsdll64.dll

Filesize
1.8MB

MD5
adb27b7d2546c9b293f3bc4518298741

SHA1
e239f18b74097102e89fd3d717b70ee1cad71652

SHA256
0f11e633b6153c6a0504e57b3a76c3961ff7d0437704d345392123b702ea02eb

SHA512
7322cbf689612d3673dda2009e089c34d651eec71127f7093817ca6a38b581004888454bd1884d48a17ebacbe728d8570c7580baa1f77373aabfd09265339c03

Download Submit
C:\Program Files\gs\gs10.02.0\bin\gsdll64.dll

Filesize
1.5MB

MD5
fb215d1d9c45f412321ccd59f8b965cf

SHA1
4b02b2b680322775a6faff81de9eda6062815f10

SHA256
38e87da7c01699c25f297e49dcc8a3baea30ce9704de2352f8d3e65f0276c903

SHA512
5af1ae35cac5e80dce01cd2f9a2123c89997f7700f51656d8ae091a89eae91f0e5701effcfff8e5c9c8c38df39675ec47dfcf15752f77940099699dccb18f2f6

Download Submit
C:\Program Files\gs\gs10.02.0\bin\gswin64c.exe

Filesize
91KB

MD5
a469f23c418c586f91ae4a8df83f93a8

SHA1
2563a91f4ef8724b9e7f9b462f936f9da8a30839

SHA256
d3ceb0febfc377d5eb85a95e58cbb309c934854557731e01bac2b384e8667dca

SHA512
6a97da8408c904bb214c1c92f2241218ae6f86255c19646d90e7bbf231200599ab107cfe6ce2ed434f1ab3214e301a8b83513bcfa3c1e44f562198fcdeedb361

Download Submit
C:\Program Files\gs\gs10.02.0\lib\mkcidfm.ps

Filesize
21KB

MD5
8c30e8f093b1481e3469aa4e1b8eed71

SHA1
fc67d01c3c5a5d00d8b4ee9091176136a4e79ec8

SHA256
c14f4987a3ef74707893417f8b058b2402835eeb3c80fc06413c2ec9456abca8

SHA512
7dd1618fa0f04665761d532b3306fddfc92df8ad642a32b4f6abacc0ea9d915f5b321a83584b8024809265be57df521ccc6d310f2ae8c5894a82f687ed99f75e

Download Submit
C:\Program Files\gs\gs10.02.0\vcredist_x64.exe

Filesize
6.0MB

MD5
5aedbb343d2296c8a51c74cdded71999

SHA1
baacdf0240723e23d25720ab770f147282fa4ffd

SHA256
99406550bb13681cf73b6b9d4a3f5b87d1874ba977ebcb9c3340fc5c4489baee

SHA512
c0e4b9ed02e931497d65e419cee3cbe73f1ddafdab061b8ad5a08c781a8c462b03591c62190e69324fcf828928ebd2f80920083b3b5e522212431b73366d44d0

Download Submit
C:\Program Files\gs\gs10.02.0\vcredist_x64.exe

Filesize
9.7MB

MD5
0846ef6184647d1e50b542c2ee752e4a

SHA1
a83a47af50cf03ebec8e0c4dfd641078a6b04c8a

SHA256
9ed86361be299922d5b94d29c1b99517ae9773ce9be774519f15169a12b0a6b6

SHA512
fa64ed2d59992bd650f2541a3995396a61c0b3faeb93ef1380885e0637b6458499795e0f8ec7c3531434a3a6783785e6fdd0a2dc236decbbbaeb314f5b698a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz9DB9.tmp\EnVar.dll

Filesize
10KB

MD5
4ee6c0578960bcb5dad78947e0cbffe9

SHA1
dd90488ffde0b0df76e0a5e8dca8192c77619d8b

SHA256
eb182d049ba19f697628e20228af329780aaf62c3585a1e36b9fb988911fe697

SHA512
0592166761c32aa804a26fb90191f636173b6e5144e4c10b100841fcb4d05cc30d8ffc3716e823d02dd3bcc73cfb9106639cf8ae2aeeba409213f2f40df5932c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz9DB9.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz9DB9.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz9DB9.tmp\nsDialogs.dll

Filesize
9KB

MD5
0d45588070cf728359055f776af16ec4

SHA1
c4375ceb2883dee74632e81addbfa4e8b0c6d84a

SHA256
067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a

SHA512
751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz9DB9.tmp\nsExec.dll

Filesize
6KB

MD5
c5b9fe538654a5a259cf64c2455c5426

SHA1
db45505fa041af025de53a0580758f3694b9444a

SHA256
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7

SHA512
f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

Download Submit
C:\Windows\Temp\{3012CF3D-349D-4A23-80A2-80E9469DF851}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{3012CF3D-349D-4A23-80A2-80E9469DF851}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{C292F045-D89D-4BD6-8AC0-DD280E82A2D7}\.cr\vcredist_x64.exe

Filesize
633KB

MD5
7f28c88875700454d8fb733341658edd

SHA1
434159872b168112b86e91cf84f4d9d545ab0410

SHA256
92d6a54089399fab9f00f25ccf568bdc2f4838aefbf37d51bc1ac94ed41508b9

SHA512
7b0d332ef78506e116ad620eb34424d7ca168822f768c30fe54a55168075e88d9fb40f1c4eb02498c3379843f50ac79bcc3d42a77b82d6157bfbd3fc4bd462fb

Download Submit