40dca8cc9156a448082670599d1779339738028a616b3c1047178cf0a0baa6e5

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-02-2024 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gs10021w64.exe
Size

61.7MB
MD5

f63aac688f92b4e6f1c43944317d5d2e
SHA1

ffb94baf4f7512426770677a7a012f83eab4838b
SHA256

40dca8cc9156a448082670599d1779339738028a616b3c1047178cf0a0baa6e5
SHA512

f93cd5f07f358c7ca445c02a18a0026dc1fd5fbb8697db830c3661d98e42ac852938b50401179435d0704e5512b6bfa7409ac6386c5ae7b4596e0d1534e41b7b
SSDEEP

1572864:C2oBTMqP1ZkXMmzxNBP/zWjWHDtXr8rwP1G1Y1ex4PuS:NcTMEkXnzz6WjlACMjxVS

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
612	vcredist_x64.exe
1088	vcredist_x64.exe
2028	gswin64c.exe

Loads dropped DLL 12 IoCs

pid	Process
1096	gs10021w64.exe
1096	gs10021w64.exe
1096	gs10021w64.exe
612	vcredist_x64.exe
1088	vcredist_x64.exe
1096	gs10021w64.exe
1096	gs10021w64.exe
1096	gs10021w64.exe
2028	gswin64c.exe
1096	gs10021w64.exe
1096	gs10021w64.exe
1096	gs10021w64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\RKSJ-V	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\UniGB-UTF16-H	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\Encoding\CEEncoding	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\Font\P052-Italic	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\Init\gs_icc.ps	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\doc\src\Ps-style.rst	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\examples\annots.pdf	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\GBK2K-H	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\doc\src\Ps2epsi.rst	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\UniJIS-UTF32-V	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\Decoding\Unicode	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\gs_ce_e.ps	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-Japan1-4	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\Ext-RKSJ-V	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\stc600pl.upp	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\ETen-B5-H	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\iccprofiles\default_cmyk.icc	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\stc500p.upp	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\IdiomSet\Pscript5Idiom	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\doc\src\thirdparty.rst	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\UniCNS-UTF16-H	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\UniHojo-UTF16-V	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\GBTpc-EUC-H	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\Identity-V	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\bjc610b4.upp	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\gssetgs64.bat	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\gst.bat	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\gsnd.bat	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\90ms-RKSJ-V	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-Japan1-1	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\Init\Fontmap	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\Init\gs_dps2.ps	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\doc\pclxps\README	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\font2pcl.ps	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\gslp	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\Init\gs_wan_e.ps	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-GB1-2	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\necp2x.upp	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\ps2epsi.bat	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\ps2ps	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\viewjpeg.ps	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-Japan2-0	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\UniKS-UTF16-V	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\Font\NimbusRoman-Italic	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\doc\src\Ghostscript-Enterprise.rst	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\Info-macos.plist	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\ps2ps2.cmd	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\rinkj-2200-setup	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\stcany_h.upp	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\ColorSpace\TrivialCMYK	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\pdf2ps.bat	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\CNS-EUC-H	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\UniCNS-UTF8-H	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\UniHojo-UTF32-V	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\Init\gs_fonts.ps	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\doc\language-bindings\images\gsviewer.png	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\Fontmap.ATM	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\gslj.bat	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\SubstCID\Korea1-WMode	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\ps2ps2	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\ras4.upp	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\examples\doretree.ps	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\ColorSpace\sGray	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\uninstgs.exe	gs10021w64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 612	1096	gs10021w64.exe	28
PID 1096 wrote to memory of 612	1096	gs10021w64.exe	28
PID 1096 wrote to memory of 612	1096	gs10021w64.exe	28
PID 1096 wrote to memory of 612	1096	gs10021w64.exe	28
PID 1096 wrote to memory of 612	1096	gs10021w64.exe	28
PID 1096 wrote to memory of 612	1096	gs10021w64.exe	28
PID 1096 wrote to memory of 612	1096	gs10021w64.exe	28
PID 612 wrote to memory of 1088	612	vcredist_x64.exe	29
PID 612 wrote to memory of 1088	612	vcredist_x64.exe	29
PID 612 wrote to memory of 1088	612	vcredist_x64.exe	29
PID 612 wrote to memory of 1088	612	vcredist_x64.exe	29
PID 612 wrote to memory of 1088	612	vcredist_x64.exe	29
PID 612 wrote to memory of 1088	612	vcredist_x64.exe	29
PID 612 wrote to memory of 1088	612	vcredist_x64.exe	29
PID 1096 wrote to memory of 2028	1096	gs10021w64.exe	30
PID 1096 wrote to memory of 2028	1096	gs10021w64.exe	30
PID 1096 wrote to memory of 2028	1096	gs10021w64.exe	30
PID 1096 wrote to memory of 2028	1096	gs10021w64.exe	30

C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe
"C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Program Files\gs\gs10.02.1\vcredist_x64.exe
  "C:\Program Files\gs\gs10.02.1\vcredist_x64.exe" /norestart /install /quiet
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:612
- - C:\Windows\Temp\{993D794B-04C3-46FA-A39D-1CE4425C65FF}\.cr\vcredist_x64.exe
    "C:\Windows\Temp\{993D794B-04C3-46FA-A39D-1CE4425C65FF}\.cr\vcredist_x64.exe" -burn.clean.room="C:\Program Files\gs\gs10.02.1\vcredist_x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /norestart /install /quiet
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1088
- C:\Program Files\gs\gs10.02.1\bin\gswin64c.exe
  "C:\Program Files\gs\gs10.02.1\bin\gswin64c.exe" -q -dNOSAFER -dBATCH "-sFONTDIR=C:/Windows/Fonts" "-sCIDFMAP=C:/Program Files/gs/gs10.02.1/lib/cidfmap" "C:/Program Files/gs/gs10.02.1/lib/mkcidfm.ps"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\gs\gs10.02.1\bin\gsdll64.dll

Filesize
4.0MB

MD5
c370af627e9eccfba9f77ec246afbebd

SHA1
234f29ac94d5c83c795da68926018d32866ab086

SHA256
92cde0bccf3a7cbc4946ff0d7ddd946c2bf55be94f333d5f515d007eed0ad749

SHA512
e5e01a575a8657685608469f2b52b3fd6c39211e45e9cec125db2d4e73ad5d75b4a2076c4caba32611619f2b8c34ed7e0837a28659301020531a791422239d80

Download Submit
C:\Program Files\gs\gs10.02.1\lib\mkcidfm.ps

Filesize
21KB

MD5
8c30e8f093b1481e3469aa4e1b8eed71

SHA1
fc67d01c3c5a5d00d8b4ee9091176136a4e79ec8

SHA256
c14f4987a3ef74707893417f8b058b2402835eeb3c80fc06413c2ec9456abca8

SHA512
7dd1618fa0f04665761d532b3306fddfc92df8ad642a32b4f6abacc0ea9d915f5b321a83584b8024809265be57df521ccc6d310f2ae8c5894a82f687ed99f75e

Download Submit
C:\Program Files\gs\gs10.02.1\vcredist_x64.exe

Filesize
24.0MB

MD5
291e0c486cbe22cb000c5e541c9e8317

SHA1
64e813bb9024a8e8d5aa64ee20e0d13de97ec7fd

SHA256
9b9dd72c27ab1db081de56bb7b73bee9a00f60d14ed8e6fde45dab3e619b5f04

SHA512
666da980e006648c8ea5eb09ed1d8bafb59bb8c8e798d18bd1c9b1f523237bb7c0d5937813a34ab37f6e0daefe8f2baf9373b73c0c9262fe3a1d88c0f4eae611

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi3390.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Windows\Temp\{993D794B-04C3-46FA-A39D-1CE4425C65FF}\.cr\vcredist_x64.exe

Filesize
633KB

MD5
7f28c88875700454d8fb733341658edd

SHA1
434159872b168112b86e91cf84f4d9d545ab0410

SHA256
92d6a54089399fab9f00f25ccf568bdc2f4838aefbf37d51bc1ac94ed41508b9

SHA512
7b0d332ef78506e116ad620eb34424d7ca168822f768c30fe54a55168075e88d9fb40f1c4eb02498c3379843f50ac79bcc3d42a77b82d6157bfbd3fc4bd462fb

Download Submit
C:\Windows\Temp\{C0FD401F-EDD4-4621-A329-5D332305875E}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
\Program Files\gs\gs10.02.1\bin\gsdll64.dll

Filesize
4.1MB

MD5
534719272fc2a304e848ad1a9b05a65f

SHA1
a71d055833b7def9d30737b6497b4051ccf9e076

SHA256
2305d47458e976a266c901b805fd213e7b1dc52c3590730c2a0b1667d4e731bd

SHA512
ee06951eafe00d26a207e3ffecc874650c27ddf6741e2b82b0f8e25a3aef9f6ffa2849cb6e167da09af42f5da2e7f406431ec6242dda1a93ba8aa1c24549fa94

Download Submit
\Program Files\gs\gs10.02.1\bin\gswin64.exe

Filesize
102KB

MD5
8fd9ecd60518648ae0e3f45517bcd22d

SHA1
216367f4f3ed71fb89e01d5cc1318765dd9302ae

SHA256
441f81fbd8b3ee04121e7ece5bca2fe172466d732ff7695c5c2e61b1696c8a79

SHA512
4cc6669eeb579069c8591e0bbe53b77a6bdc507f4e6f3648ea73bc85a65cd595765dea9b92889b419c8f3d3e7a2ad8e3294bf5157f4e1ac76ead17fbead64c20

Download Submit
\Program Files\gs\gs10.02.1\bin\gswin64c.exe

Filesize
91KB

MD5
afa48925e3fa6a78215e454efdfaa730

SHA1
e16bb545c38998a417ea2412ff780b698dff6387

SHA256
0772e280480805c8d8277db2ff2ac56eca17c733835ccf1ab3a31150e75853b7

SHA512
1bcbefe989314a4aea09afd6874b4e092710c076cf5ba778b7249bbcee4f6a0800998d3f746f58f4151a3d79bedbe29e6addf052fe59575dfb995bca2a607ff2

Download Submit
\Program Files\gs\gs10.02.1\uninstgs.exe

Filesize
65KB

MD5
6f6dc91ebc30b9b956d2949020b32d25

SHA1
311c156e360672b4faa6653c5528f395481e4b8e

SHA256
2784fccaf70d1a653ab68d6f55a2798e7d87262419e7cb150ff4e14fa4ebf55e

SHA512
f4106fd08f44429a1802c118d08f0ef0b731aa991b2d4c8e30425d40504373872314b6830bbc6e8a52a50de1d542334c6c0f043d389af74cec4c1a40ae9fee57

Download Submit
\Program Files\gs\gs10.02.1\vcredist_x64.exe

Filesize
21.1MB

MD5
23b8f64f891b5c3c67c1a11c30b32f73

SHA1
bbff440ce19d1dabd9367af69eed6bbfe14727e0

SHA256
8d3ccebf3ff5b781567cd779c67dc30d80ef5445f3ee87562c16654edf8d38f1

SHA512
3c4aa37b830d89c6aecf1fa7aaa1096b6311aaaf23b70066bc5a03e3800ce88f5c0a8c4020c8ef688a42bdf753a0748ab2531bf71c8dd9bbfdf920a27c156d71

Download Submit
\Users\Admin\AppData\Local\Temp\nsi3390.tmp\EnVar.dll

Filesize
10KB

MD5
4ee6c0578960bcb5dad78947e0cbffe9

SHA1
dd90488ffde0b0df76e0a5e8dca8192c77619d8b

SHA256
eb182d049ba19f697628e20228af329780aaf62c3585a1e36b9fb988911fe697

SHA512
0592166761c32aa804a26fb90191f636173b6e5144e4c10b100841fcb4d05cc30d8ffc3716e823d02dd3bcc73cfb9106639cf8ae2aeeba409213f2f40df5932c

Download Submit
\Users\Admin\AppData\Local\Temp\nsi3390.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
\Users\Admin\AppData\Local\Temp\nsi3390.tmp\nsDialogs.dll

Filesize
9KB

MD5
0d45588070cf728359055f776af16ec4

SHA1
c4375ceb2883dee74632e81addbfa4e8b0c6d84a

SHA256
067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a

SHA512
751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

Download Submit
\Users\Admin\AppData\Local\Temp\nsi3390.tmp\nsExec.dll

Filesize
6KB

MD5
c5b9fe538654a5a259cf64c2455c5426

SHA1
db45505fa041af025de53a0580758f3694b9444a

SHA256
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7

SHA512
f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

Download Submit
\Windows\Temp\{C0FD401F-EDD4-4621-A329-5D332305875E}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit