Analysis
-
max time kernel
317s -
max time network
319s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
12-02-2024 20:17
General
-
Target
GlobalProtect64.msi
-
Size
146.6MB
-
MD5
9439176ef49420d5f408ee9387297988
-
SHA1
b3feeb18c62089147cd7f25c9dcfd645f89ff6ec
-
SHA256
bfdfef5780bbc10ad826e9ae3039fb04434ac02a16d86b8ab6be89eedf48d770
-
SHA512
06c97edfe8cd33325f35c5d757d7d45557263f96df0778c9600dc923845176ab9192cd1393b96914139b074e96850f1b549cabc65d703e0e1341a5660b0f5a61
-
SSDEEP
3145728:HcsxNSn9OR7owDYqEa/7zFBQsrQzxY6hqb5VaBVnlBcRiN:H/xNDlowDYqE47PQsrQCXVIR2RiN
Malware Config
Signatures
-
Drops file in Drivers directory 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 61 IoCs
-
Drops file in Windows directory 64 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 2 IoCs
-
Registers COM server for autorun 1 TTPs 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 51 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 53 IoCs
-
Modifies registry class 42 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\GlobalProtect64.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe" -commit2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "1" "C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.inf" "9" "4473c0673" "000000000000014C" "WinSta0\Default" "0000000000000150" "208" "C:\Program Files\Palo Alto Networks\GlobalProtect"2⤵
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe"1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe" fromGPS2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPSupport.exe"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPSupport.exe"1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\route.exeroute print2⤵
-
C:\Windows\SYSTEM32\ipconfig.exeipconfig /all2⤵
- Gathers network information
-
C:\Windows\System32\Wbem\wmic.exewmic nicconfig list full2⤵
-
C:\Windows\SYSTEM32\netsh.exenetsh interface ipv4 show interfaces level=verbose2⤵
-
C:\Windows\SYSTEM32\netstat.exenetstat -n2⤵
- Gathers network information
-
C:\Windows\SYSTEM32\systeminfo.exesysteminfo2⤵
- Gathers system information
-
C:\Windows\System32\Wbem\wmic.exewmic process list full2⤵
-
C:\Windows\System32\Wbem\wmic.exewmic service where state='running' list full2⤵
-
C:\Windows\System32\Wbem\wmic.exewmic sysdriver where state='running' list full2⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
30KB
MD5ca69fb0390b6ded1219e963f12d28edf
SHA1dae39501a07de19a5380dfac51e9fb83f6ceaca0
SHA256b90a03ea6e5d1304f20ba38bd305c93832fb738deaafa02c0b6b381afb88112d
SHA512d3bf7f2be7670a2a23451a542632d5f2d8e01936ce4f7d45609fd780e3440a3e9d9f683e9e9b2b6db660dd8dd2c8464c7b067c8ff45bb7e89adf1497e02884c0
-
Filesize
76KB
MD56ca91596cfae2079ba66bfbb099f41e6
SHA112729569ca22d782630e988c56a6472d8cfb96aa
SHA2569cc08f70555e3958e1676fba56b12d482ef961f8fdbba9e69db7a44f3b007a02
SHA512f06f785aa445c1f77d6b3553d3db99c1373f99ff55505bea71763f15b62334ebe1dd77550110179942fbb44b85ee7330ee59f888e409c8600f6df7a7611b8ace
-
Filesize
10KB
MD56f4e74e781e6bcf142dd838cfebb41c7
SHA1f4943f6168827c6e6e5cb4f9e7d34b35398d66c9
SHA256f6f9275be2da16360f7498dd1b4631f9b19fff816d8a025b0146c20572b1a1ea
SHA5126fe8ed0041cb9e9f0ed350df512738164b1f26a475a50db2f9691e7855d6e5ae1de590cab13e190ebd66765a722b39153c90e913cfa00835c0fc3cce347baa85
-
Filesize
64KB
MD5a0461f4078af59688aee6ddea095a6a7
SHA1861047e2f15a412f1e8e48fae7434965d15d48ce
SHA256acb8315b92a000ff55d731d8175bbed0668d5cd838df33d24f5244e56ddc6c27
SHA5122bbec4ca8d078e8a7d867ca32569a657210c008715886d0498c2b25e2071e9c87cb7cc4941efc1f22d23192631f14162452a018ceec2da7f7321f7c2c4608de7
-
Filesize
58KB
MD5f29367ad71706b20dd6866347439c528
SHA1aa8fad23f2cc5c8a1fe9ae0ec88e4fb0c7723b93
SHA2561f728377e7a7288a9750f9aa95524d7371cd7bb7454a9c8222528ff1bc463b0c
SHA5127456d8346398bee349ade93ec7dfc898869419f24424a6744ecb69b5901a29b6a30f2b303676a480f4f9c3bbd7465ba1fab9587e36c06c1eb035add5d6137f09
-
Filesize
4.9MB
MD53174b28b5a65fc2b64d0b4004707f528
SHA18eceb0ae983862f10c97d8efc317916677de7213
SHA256024bf463d74a51a2bdc871ae79327fed27079f0eaac087d0ed4665e50f6f7afe
SHA51276baace8b2343e3382460ec174a66c2f1de85e8078c2fd45ed52d568a644edbb1ff5e8255125fd583bb05aba9746a1bd49158d1951071fdb7bd1a76d29110ad4
-
Filesize
1.2MB
MD58d04fc7659531db416bc9b5cb417f673
SHA1741e656abb6fedde3425e9f784454dd9538a41e8
SHA25607fb3b940ec562030ffd484d1ff658c36ef3ff0f18702fd53c61ff8958c2b01b
SHA512b4e95d8d66df4e1978d4e569eef2ca3e2e4dbae21cf0ea987d3518f025675768698e8349b38b9adb3d4336c8a6afee2d4483c1ca31ce0945be9d39c77be75a42
-
Filesize
2.6MB
MD5f48720bde9fd85569c158b464a7fd2b3
SHA19eae82da2535595aeb0916c966f236fddc22fec6
SHA25624051383744c74d433968468262fe58b41c126f52fb8cd05ca8c543b7203b8d4
SHA512faa3f96cc5153cc5d1446705af69a2efb375884a201d7314fc0edc3d5f2cbd13147e901febcfe10462089f813672c4617a3bd9750c6e7d6ceb47b8e99020e6f9
-
Filesize
1.1MB
MD5538869c7753cddcd6aed8152f51d15e7
SHA19c2cf343e6b28416fecbb369ac570853b8ca9d08
SHA256c378b24663c3a319c47d1afd97457d85894eb73a941284c377331df61c2b76c9
SHA512ff4e7c0b25214c69113f7904136f1a547be96a9cbdf503096132938668e0ef3fc0b94027305053585f8c043bfb9beb85915d0fc7d53bb5b49332ac64c91983ec
-
Filesize
6KB
MD59a6671d77d510ee8a0770d7c3f7ee7e0
SHA1ac1577b607e18be8b67973c65ab65dab7d1bb1a8
SHA256c5afe434cc7067bd923bc9f2fccd5828753ba6537a519108f34ffa7d5ad01ec0
SHA512ea91de0e7d32f22ed67b72a495b41d281fb1a505e9a150d0edc4a2989ec3e064ffb64079ce9f2337a04ee139665fe8f94434da5db29bc896941fe3877b79c949
-
Filesize
2.9MB
MD51858301e9f443ce695746ed084bc4548
SHA12c80b53449e607acf6468d723387290a0c6e52bd
SHA2564d4279922a6e901fe1aecf3790d647f4d5ba21dc25514c173a7b53a968091b17
SHA51283e1aa9f0e04375b2fa5005a3f97d530d09269148bd347ce2186ff302c1637a6c3c56b4ee85fb599b48082c2c031fce97e99d15c0716d7f4c27e6468ecdf88c7
-
Filesize
279KB
MD527a8ea702bfb4dacdd21a42257563d9f
SHA1bce90f73a04f4fd3f854ae5b4a93e6da41e5ba63
SHA25685a11027117d5fb33a09298f28dde22af5e859fe574b41a9bf5da1e595334a27
SHA512ad891bc3f0626f67d482d9849384706cadc17b8688e0136aec2b9fc0cfa2203d6c8fbf3f02eb9452970a4ca66281be733e044cdea24a1d645e64e1dd9d390645
-
Filesize
318B
MD5f2c08a010ff0f45f869396ea6162d97e
SHA1d0b2ae69457761699b28683abd2d4232c769eaba
SHA256745e76bf6ce1bbfb800329ca7a8c7e743358da2c50c9feadfafd9d6a78368f25
SHA512aa84ead638c5dfd8209a708eccc06cc706120b022e303b357ab072b612cd8d55858ec85a406f87eaad85273162bd095e56e3389212d462625b0bb8666fd7dbfe
-
Filesize
1KB
MD52e4333230ecaaf6ceead4ee39b2a5f80
SHA16ca34715d9bf18f75744551f9ba1e32bb98b9e57
SHA2564a0f4a4ce176106661660e7569e7cd39a15bac47f9abf6b9d12c87d080461e1d
SHA51220f1e65c18406bcad53275e75ea12b8dc6177fb54b36bdaafc5cc9efa4c2cfe402f6b04ba5d759d4bf523a1d9dab23b755ffd240901d607af00f9d6398a28591
-
Filesize
2KB
MD5849fe0d71a3ff43377f5cf686f9a8794
SHA17a2ee9b8328ee373d068f5f37dcd07416d3177e5
SHA256b887f0a12f7afc783cf8e2a4384c31c76a713cfdeb24d6be6923aed6fe6b3abb
SHA51236161d1747318b8aeb1b84acabef546d0c3fe4a2bd85ecf8a84231e2c9b2ea6cb43039ddbb4b737d0858b29d5f40262559212abff9cd70341449fb91b21d1ea5
-
Filesize
2KB
MD504b160a1f9907c40c213cc3f9eccfc89
SHA19d67c9a7daea596e2c2e0c7ed37a9e68b93a06cc
SHA256e919b8943929f9f7e6a8c9e7f2e7c623dcc7d093b0dbaec522f94fb73a899fac
SHA51296ce80fdb0f193a3c01c91a39aaca2f289c844bf9a0390be94c4d5ab6c24bb7fa6f1f36d3e3260660897e5eafe3a016ff2c341ae91c1e09bdc1f1d23a4c761cd
-
Filesize
139B
MD5448a0093092cbd74d4ce6dd2d76da0fd
SHA1154e35eae78a9655522a622e3ec95bee833d107d
SHA2562932f634b37baeea4b4ef76fdcd509fcae7230644df6c0ce7b43e3d8485be5a1
SHA51250846834e687079f8d7873910f702764fed077f515aafff89f6750841c159e4153e5169af32a649b92a0af39c92e963f873835977d67721fc6227ba10895949d
-
Filesize
4KB
MD5fc97a101113d88276c58400bba7aaf77
SHA1814d0c9fbdee6b3daba6d18389536fde536d3b2d
SHA25620b44f3859a6ff1b7c644fc90ced4e7ab37ccf5cb50ec21d59a92906932a4842
SHA512616ac0eb0bf54e4efb94b9cf1a301e8ad08f13d7477256552be616d450db84614a3a7e5376ec7d3fc11e893c38cf578eb826fbf156b17b2cf48e5004470e5bda
-
Filesize
471B
MD50b5cc1567096a2c26583b437ccffbda6
SHA182f90c0ffd581f776eee31aa02a7ac591b00dba7
SHA256c831ca6c6ab7a7a6d1d45846377665f6c666dd3259a9a92c09ca5a553333ef10
SHA512241eab2417bd67f3b41db185529e95f0408a04f4b9490c23f2f96d4d3f23b613a9b217afd5dc795af36cdafb26472c5461d6da2c369d6942160165c065c618e1
-
Filesize
471B
MD5d54fd4e56689c105746052a518917b44
SHA1c226811fecfaf6c2e2960f52cb9acb594dde9858
SHA256a70828a221acec21eb57ac04a9779062d58ab0e4c542e2443f62629f35fcc09b
SHA51257cefe2c5d7fb01436761e5663032a943f8df269d64ba2c1ba090f0d7543da6d599f98f7a367e8780062b9b9d600b0bc54b3090c993e5acda7957514150769d6
-
Filesize
404B
MD5953e0254994bb9db42872d23d590de0f
SHA11b2155214381e536079adb5e07d5f56b88c458b5
SHA256795e9f9e0ce92d55b7282e2a68fdf4d100de6100e455ff45cac602333b7873f2
SHA51274a86d6cc3e213e373a434e92c8f5ace62db214232395841b5dcc3b70d30f1ca90340b448c1cc9a9aa1fb3e81db85c0d40ef77e9bfc2aad164f42748f99fb382
-
Filesize
404B
MD56535d778d84f42642ad2f2bc179937fe
SHA115e01428e2ae77d3548b5742da232faf7de59bd4
SHA256861b4426792d13a7edca4e26a99c88754f409f223119ff8f868bc936dfe7c718
SHA512badfbdd6f7855451504d079912aa87bba36b9af502798a0eb6256b6ac1557916de9f83fb5eea8f2a01bf30f86715fde252eac6eab2a43951bdb4ea0af6b85ffc
-
Filesize
7KB
MD5505b8200b47596ab6a3f452976cd263e
SHA14cdff7b964c94a56f46a8d5bb21e815596fa5219
SHA2569adca9973081e44ee741f942bf3526b8eaf987bd386d8d331c8a6028f1965d28
SHA512b458093f0b27318f50bd675f199a0fe80148ada6a011e643bd1096cd1989b278b14544ddd0d2faa0b5e83d54f79f0122e9a11f1e26c19226135f5cc936eb87f0
-
Filesize
8KB
MD59f7018e10aab210dcae56256a041205a
SHA16fec12ac17ebf797b0bd25f5b21b3a6f81402709
SHA2564bc34866ce4c1848c4b3474857ce41143452e0097c39b2e16da4cf567ac2ea22
SHA512d8ece697d6a28a67047a31f6f94491ebcc736025ac4dd78e90113aa4e57db26960835e4fc1bee7cfb1d8db96196382a5266ef3d7058e6046ab774f68066e68cb
-
Filesize
2.1MB
MD5fcf165b905ff0d202effc99ff2a48d21
SHA17ff0cb486f05a224fefd50a3b8e802d05f1d494f
SHA2563d594148640c7a7dd5805a925c9df11de76743c57602ddf36b6783d97a942fda
SHA512d7a7bb7f276ded21739fed0b96ccff79237dc8b181bce48671e45085ac8d2851911ca46b71a915a50fc1dd80d38ac68b528667609e151ee4565aefc9fcb17072
-
Filesize
10KB
MD5a9dbb22ae31a9e6ee61467c5798d9178
SHA189d6da8ee8a851cc3c96b93ba8308987581acfbc
SHA256fe25ea8125a359f9658617433b0f17773f73d5a2479cf3baca97180e75febaee
SHA5127b56a3149e200ef4365ec8300c138268735f1054449569c5f0d6f416a8e6a4f6cf808b78a55b098ee42d78b5b54c5b7df3d2f2be53113c34a2fed18b95dbf555
-
Filesize
283B
MD55f4ad71da0e91304018ef0979e545ff2
SHA18e1228cc17ee581f2a7933a4a43b24b6037e6f10
SHA25682f2a1db1e70197ab651f41f07db2f1576ce3ccda20b190afca60665dbf5598f
SHA512897a2982e714b422476b8925e6745e2b58b3915526d3b7796c26d8e57bb7b20c8621d332ca895a7bbc8b72a2e5db5f2017ca1ee971b6bcc2a926971c56458c0b
-
Filesize
3.2MB
MD58ab7bcc7af00c0af2bc7e8ced7c81252
SHA1f35fab065ab2a352d36f3dc1b054cd0d79c442a0
SHA2569a43dd15af016a0a1292db8abf6cca2e028d4655a06e0b1e8dcd73ce97d13770
SHA512f58ffe5c52b8202d9fb39fe32a30a54ad42f5052b9e8b98e0d6f9e1f424a46033853e27bb88e1c32a7eeca4b242818c0882f5a7bc3e29e327efcfbca2099eeb6
-
Filesize
6KB
MD5bf9c0b28f89eefa6a9dcc1c244b0ce6c
SHA1594dc65d7cbdae6faaf2928650eed532c5b737c4
SHA256bdd60ebb2fa06d6915b40d5c51651eb7b2b0b81d01faff64c1f32270e672a074
SHA512e9cc91631c81ab5b8c54c7ae1abefd5a1958cd4578b2bc386ec98ca8b3d87a866a98095076c65d40203197d7e572e9f76d2a7c63879242e0d408fdc489a820c9