Analysis

  • max time kernel
    153s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/02/2024, 17:44

General

  • Target

    GDLauncher.exe

  • Size

    142.0MB

  • MD5

    51dc199e41223520217f34624b276e18

  • SHA1

    0ce3f6b9a26759b21a23bf25ed34b1b7ce624295

  • SHA256

    0b3c6bce1a0a61414a7e3048616c6dbfd55a2233b7ead7c4666d7d0c59e1ff50

  • SHA512

    c40e9d4b8db3ce4d195f0e634b48f4b7f1da74070ec2a9bf3db4b543d819a712a011496d99da6fdd6461305c012f808c7761363a6ef2b137bb58a439485fc42c

  • SSDEEP

    1572864:Zx8e2z2aMcuE5p9vzLECsyP2d+J/AG8TQX60:vLabp9rY/W6

Score
7/10

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Modifies registry class 7 IoCs
  • Modifies system certificate store 2 TTPs 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Modifies registry class
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
      "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_next" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1764,i,5247501284046318974,12266459043291357763,131072 --disable-features=OutOfBlinkCors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
        PID:2052
      • C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
        "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_next" --mojo-platform-channel-handle=2036 --field-trial-handle=1764,i,5247501284046318974,12266459043291357763,131072 --disable-features=OutOfBlinkCors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        2⤵
          PID:1404
        • C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
          "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_next" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-experimental-web-platform-features --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2408 --field-trial-handle=1764,i,5247501284046318974,12266459043291357763,131072 --disable-features=OutOfBlinkCors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1204
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1280
            • C:\Windows\System32\reg.exe
              C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
              4⤵
                PID:5048
          • C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
            "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_next" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1764,i,5247501284046318974,12266459043291357763,131072 --disable-features=OutOfBlinkCors,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3520

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\0dde7ef6-2863-47a7-8426-c95fe7b30518.tmp.node

                Filesize

                281KB

                MD5

                4cef69a682d9b896b4fff99fca80a08a

                SHA1

                85fcae77830c3e55badfac97badc97ee53d5ada8

                SHA256

                bccc1ea670ddf3560352327eac402e7a99b5a585bd1d2af02bff8111b6ee9738

                SHA512

                cccf2aced4edf15a3162cdd867f623c73895b4962910e1d6a57afa17032247becd6378546206dd4705b3ca5f54e6d063a56a5ca54223bc5a67406cfcc27b2587

              • C:\Users\Admin\AppData\Local\Temp\248faa4c-776e-4146-a35d-b961d6e9c601.tmp.node

                Filesize

                495KB

                MD5

                be94689f0cf2f4e36ef77fff3b573460

                SHA1

                f7187d89237506e6f50db5418c25b79cd1b3d271

                SHA256

                a8ae4e1f6ff70c724282b5d468ac463012e9b0fd5b52997116946fdb2e2ac34f

                SHA512

                83078c0a3340d912f42b6b67f6dce624e6395fede93043cd4f5b391c2547cc68aa6d147a70b523c9e8d646d4913a92b96d59fda0b28ade83c478693d8a256da5

              • C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

                Filesize

                2B

                MD5

                f3b25701fe362ec84616a93a45ce9998

                SHA1

                d62636d8caec13f04e28442a0a6fa1afeb024bbb

                SHA256

                b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                SHA512

                98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

              • C:\Users\Admin\AppData\Roaming\gdlauncher_next\IndexedDB\file__0.indexeddb.leveldb\CURRENT

                Filesize

                16B

                MD5

                46295cac801e5d4857d09837238a6394

                SHA1

                44e0fa1b517dbf802b18faf0785eeea6ac51594b

                SHA256

                0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                SHA512

                8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

              • C:\Users\Admin\AppData\Roaming\gdlauncher_next\Network\Network Persistent State

                Filesize

                1KB

                MD5

                949e4128177091e594698ad2e330a5cf

                SHA1

                69eeb6dae0a783eff0f3a4c718a3fc5fda574505

                SHA256

                d823c55c284e8ba408639ffcedf166b4100c8f986132d0b160178be750280cfe

                SHA512

                38d5adac879c0a273877ceedd41e832ebd5e0929455d37b694f915662b889e2b5a77c471420eccc17535703df1886c595e9fb4c0bea0658f2cd5a3f3a99a0d42

              • C:\Users\Admin\AppData\Roaming\gdlauncher_next\Network\Network Persistent State~RFe58c196.TMP

                Filesize

                59B

                MD5

                2800881c775077e1c4b6e06bf4676de4

                SHA1

                2873631068c8b3b9495638c865915be822442c8b

                SHA256

                226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

                SHA512

                e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

              • C:\Users\Admin\AppData\Roaming\gdlauncher_next\Network\TransportSecurity

                Filesize

                871B

                MD5

                62a4d86bd498572d9c5f9a24b1d31695

                SHA1

                9ec255c03e7d00e7994971ede21a604c5ac50431

                SHA256

                3df80fe2134cf0baba119b80dd3d8856025a5d76d6be025fa74fdc11daa6c7e0

                SHA512

                bb18e30145eee593d45865acf4f930727ab8db06131132676655b103a5c618578e0a693a0a876a51ee48bd5d4889005142dce3071fb5df0ecc0723ad3a30bad3

              • C:\Users\Admin\AppData\Roaming\gdlauncher_next\Network\TransportSecurity~RFe596874.TMP

                Filesize

                871B

                MD5

                50b59f71e324cad185104163ddde1f96

                SHA1

                69d0bc35d087045bac27c21a6388af4c89f3eaa9

                SHA256

                7a2caafe3bf0e84a8610f1bfdcd147ec6f7f01b0a4190077de13afc8c1eeb6ec

                SHA512

                89e43724c62a1dd7c560fb5279b96f727bcd0c1ae1d601a3a1aea41ea8b0fa18a73c617c8aafff07777a16e51395b39c0ad1d06073d5af3c3402edba883816df

              • C:\Users\Admin\AppData\Roaming\gdlauncher_next\Preferences

                Filesize

                57B

                MD5

                58127c59cb9e1da127904c341d15372b

                SHA1

                62445484661d8036ce9788baeaba31d204e9a5fc

                SHA256

                be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

                SHA512

                8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

              • C:\Users\Admin\AppData\Roaming\gdlauncher_next\Preferences~RFe57dca4.TMP

                Filesize

                86B

                MD5

                d11dedf80b85d8d9be3fec6bb292f64b

                SHA1

                aab8783454819cd66ddf7871e887abdba138aef3

                SHA256

                8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

                SHA512

                6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0