Overview

overview

5

Static

static

3

GitMultiLoader.exe

windows10-1703-x64

5

Analysis

  • max time kernel
    301s
  • max time network
    298s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    12-02-2024 09:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GitMultiLoader.exe

  • Size

    42.7MB

  • MD5

    5ec24905f80bb16b8844d440fd4ca921

  • SHA1

    079f6782c79d633f3ac1288523d39fd5c6132df9

  • SHA256

    eec6302b15fdbf92d7c6204f195246278aa2d7c54ed2eaf51f8298554ac75024

  • SHA512

    10e3b37422b3d540f9435712ee94955df759ed1c404e35e708f0b6863ff2f8c4b1ff0fc084df10ffd805a9a9e633bb6110dc82d0d8d8d474439cd8a5b6fbfc55

  • SSDEEP

    98304:YfCv+rScGQYPDofAKB1RYQpHd5nKRQGEaTmR3vNUkqh76n7EnVFG8TzIhX724Lks:Y7EsfAeHY0x7nbT9UsMaN6maSl

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\GitMultiLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\GitMultiLoader.exe"
    1⤵
      PID:1816
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4988
      • C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
        "C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
        1⤵
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2236
      • C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
        "C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
        1⤵
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:4300
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\Setup\State\State.ini
        1⤵
        • Opens file in notepad (likely ransom note)
        • Suspicious use of FindShellTrayWindow
        PID:4244
      • C:\Windows\system32\mmc.exe
        "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
        1⤵
        • Drops file in System32 directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:364
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /7
        1⤵
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2140

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.sechealthui_cw5n1h2txyewy\AC\Microsoft\Windows\4272278488\3302449443.pri
        Filesize

        65KB

        MD5

        153393e3433cc37fb82899a854dc262c

        SHA1

        db4fe1a5d4700dbd9c3c63febd50ce1b7cbcd881

        SHA256

        c566ced32f0759eb7ced2ecea21eecfec01cf8cd981c54a4fecf0d685067b0de

        SHA512

        a30e6843a26038339aecbc1de847d426ed3886c10a468fd4d02eea19000f868f6aaccdfbbb2e45251570c53c738cb2fea5af53ce3cba8b188d9eebd633ea242a

        Download Submit

      • memory/364-6-0x00007FFF29C70000-0x00007FFF2A65C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/364-7-0x000000001D5D0000-0x000000001D5E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/364-40-0x000000001D5D0000-0x000000001D5E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/364-48-0x000000001D5D0000-0x000000001D5E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/364-164-0x000000001D5D0000-0x000000001D5E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/364-165-0x000000001D5D0000-0x000000001D5E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/364-166-0x000000001D5D0000-0x000000001D5E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/364-167-0x00007FF726850000-0x00007FF726860000-memory.dmp

        Filesize

        64KB

        Download

      • memory/364-169-0x000000001D5D0000-0x000000001D5E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/364-170-0x000000001D5D0000-0x000000001D5E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/364-171-0x00007FFF29C70000-0x00007FFF2A65C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/364-230-0x00007FFF29C70000-0x00007FFF2A65C000-memory.dmp

        Filesize

        9.9MB

        Download