40dca8cc9156a448082670599d1779339738028a616b3c1047178cf0a0baa6e5

Analysis

max time kernel
93s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2024 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gs10021w64.exe
Size

61.7MB
MD5

f63aac688f92b4e6f1c43944317d5d2e
SHA1

ffb94baf4f7512426770677a7a012f83eab4838b
SHA256

40dca8cc9156a448082670599d1779339738028a616b3c1047178cf0a0baa6e5
SHA512

f93cd5f07f358c7ca445c02a18a0026dc1fd5fbb8697db830c3661d98e42ac852938b50401179435d0704e5512b6bfa7409ac6386c5ae7b4596e0d1534e41b7b
SSDEEP

1572864:C2oBTMqP1ZkXMmzxNBP/zWjWHDtXr8rwP1G1Y1ex4PuS:NcTMEkXnzz6WjlACMjxVS

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1588	vcredist_x64.exe
1960	vcredist_x64.exe
4040	gswin64c.exe

Loads dropped DLL 8 IoCs

pid	Process
2132	gs10021w64.exe
2132	gs10021w64.exe
2132	gs10021w64.exe
1960	vcredist_x64.exe
2132	gs10021w64.exe
2132	gs10021w64.exe
4040	gswin64c.exe
2132	gs10021w64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\gs\gs10.02.1\examples\vasarely.ps	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\Fontmap.Ult	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\pdf2ps.cmd	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\viewmiff.ps	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\CNS1-V	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\Encoding\CEEncoding	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\UniKS-UTF32-V	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\Init\gs_pdfwr.ps	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\doc\src\index.rst	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\cdj690ec.upp	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\83pv-RKSJ-H	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\KSCpc-EUC-H	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\UniCNS-UCS2-V	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\UniJIS2004-UTF16-V	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\iccprofiles\esrgb.icc	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\Add-H	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-CNS1-0	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-Japan1-3	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\HKgccs-B5-H	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\HKm471-B5-H	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\IdiomSet\PPI_CUtils	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\doc\src\Ghostscript-Enterprise.rst	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\examples\text_graph_image_cmyk_rgb.pdf	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\bjc610b4.upp	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\pdf2dsc	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\ras32.upp	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-CNS1-4	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\ps2pdf13	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\UniKS-UTF8-V	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\examples\cjk\all_ac1.ps	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\ps2pdf12.cmd	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-Korea1-2	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\Decoding\Unicode	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\Font\NimbusRoman-Italic	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\examples\cjk\all_ag1.ps	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\bjc610a2.upp	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-GB1-4	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\Init\gs_epsf.ps	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\doc\colormanage\figures\proof_link.pdf	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\cid2code.ps	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\pdf2dsc.ps	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\ps2ps2.bat	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-Japan1-6	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\B5pc-H	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\doc\src\Ps-style.rst	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\stc800p.upp	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\78-V	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\IdiomSet\Pscript5Idiom	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\examples\cjk\gscjk_ac.ps	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\bj8gc12f.upp	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\bjc610a8.upp	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\gssetgs32.bat	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\GBpc-EUC-V	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\UniGB-UTF16-V	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\gssetgs.bat	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\ps2pdf.bat	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\UniJISPro-UCS2-HW-V	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\Init\gs_typ42.ps	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\Add-RKSJ-H	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\CMap\Adobe-CNS1-1	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\viewcmyk.ps	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\Resource\Font\NimbusSans-Italic	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\doc\GS9_Color_Management.pdf	gs10021w64.exe
File created	C:\Program Files\gs\gs10.02.1\lib\gs_m.xpm	gs10021w64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 1588	2132	gs10021w64.exe	92
PID 2132 wrote to memory of 1588	2132	gs10021w64.exe	92
PID 2132 wrote to memory of 1588	2132	gs10021w64.exe	92
PID 1588 wrote to memory of 1960	1588	vcredist_x64.exe	93
PID 1588 wrote to memory of 1960	1588	vcredist_x64.exe	93
PID 1588 wrote to memory of 1960	1588	vcredist_x64.exe	93
PID 2132 wrote to memory of 4040	2132	gs10021w64.exe	96
PID 2132 wrote to memory of 4040	2132	gs10021w64.exe	96

C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe
"C:\Users\Admin\AppData\Local\Temp\gs10021w64.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Program Files\gs\gs10.02.1\vcredist_x64.exe
  "C:\Program Files\gs\gs10.02.1\vcredist_x64.exe" /norestart /install /quiet
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\Temp\{EF04CBCD-B1CE-4F00-8FE0-B9510C396085}\.cr\vcredist_x64.exe
    "C:\Windows\Temp\{EF04CBCD-B1CE-4F00-8FE0-B9510C396085}\.cr\vcredist_x64.exe" -burn.clean.room="C:\Program Files\gs\gs10.02.1\vcredist_x64.exe" -burn.filehandle.attached=556 -burn.filehandle.self=552 /norestart /install /quiet
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1960
- C:\Program Files\gs\gs10.02.1\bin\gswin64c.exe
  "C:\Program Files\gs\gs10.02.1\bin\gswin64c.exe" -q -dNOSAFER -dBATCH "-sFONTDIR=C:/Windows/Fonts" "-sCIDFMAP=C:/Program Files/gs/gs10.02.1/lib/cidfmap" "C:/Program Files/gs/gs10.02.1/lib/mkcidfm.ps"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\gs\gs10.02.1\bin\gsdll64.dll

Filesize
23.5MB

MD5
8b1c56e138efc3c678c7eb1d88648592

SHA1
d29bac308e3ed3fa884ea264ae8de5d9b0bd8ab7

SHA256
f96834ba3dc32f81b6a70b11d894f3e495866e386f0e575be6f2acff0f0493b5

SHA512
4b425e0a60107ca2aaae5be43fefe4b40fbcc662529bedd0d0468499569238b0067740e3ef9d8676a44294b43afedb32f2c467f05d69c13d8dfa40428d6e80a8

Download Submit
C:\Program Files\gs\gs10.02.1\bin\gswin64c.exe

Filesize
91KB

MD5
afa48925e3fa6a78215e454efdfaa730

SHA1
e16bb545c38998a417ea2412ff780b698dff6387

SHA256
0772e280480805c8d8277db2ff2ac56eca17c733835ccf1ab3a31150e75853b7

SHA512
1bcbefe989314a4aea09afd6874b4e092710c076cf5ba778b7249bbcee4f6a0800998d3f746f58f4151a3d79bedbe29e6addf052fe59575dfb995bca2a607ff2

Download Submit
C:\Program Files\gs\gs10.02.1\lib\mkcidfm.ps

Filesize
21KB

MD5
8c30e8f093b1481e3469aa4e1b8eed71

SHA1
fc67d01c3c5a5d00d8b4ee9091176136a4e79ec8

SHA256
c14f4987a3ef74707893417f8b058b2402835eeb3c80fc06413c2ec9456abca8

SHA512
7dd1618fa0f04665761d532b3306fddfc92df8ad642a32b4f6abacc0ea9d915f5b321a83584b8024809265be57df521ccc6d310f2ae8c5894a82f687ed99f75e

Download Submit
C:\Program Files\gs\gs10.02.1\vcredist_x64.exe

Filesize
9.6MB

MD5
1398e0b9d13d9cf6f9b932c4564bb9b7

SHA1
c6fdfbfffe1a28f2fe469edaa93ef7c70f3a883a

SHA256
7cca427e433bfd9ab6dd87ed0f8e037d29168d1278b5f8ad3f77e482af6c223a

SHA512
e8c9068bf7a1d9316fe5a5e9bc6b045c2aaeba20cb01aa6751cf3acddfb7a6718589c696b885cfabaf09b445da4523747f309a4b4cad5845499cc1d006daf1f0

Download Submit
C:\Program Files\gs\gs10.02.1\vcredist_x64.exe

Filesize
11.4MB

MD5
50a0ac7b378b15e89e2f7f24603fe46a

SHA1
5789fecd07caeee6f920eb968a5f19d90b7e640e

SHA256
4f4faa90d4e51ee5ee90f7bf19342f0a47e01b01e810376239c9ec8c72909abd

SHA512
e14a70db6956a7bf8aa5f5fa0c6e8edc2dfc5496c5d6d8a54b3107eaaa22cd792e8a59915cbadc1bbc21bc693bf48809792a2ba7ccbfd5a9e6d3b5cf3de965bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc3F7C.tmp\EnVar.dll

Filesize
10KB

MD5
4ee6c0578960bcb5dad78947e0cbffe9

SHA1
dd90488ffde0b0df76e0a5e8dca8192c77619d8b

SHA256
eb182d049ba19f697628e20228af329780aaf62c3585a1e36b9fb988911fe697

SHA512
0592166761c32aa804a26fb90191f636173b6e5144e4c10b100841fcb4d05cc30d8ffc3716e823d02dd3bcc73cfb9106639cf8ae2aeeba409213f2f40df5932c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc3F7C.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc3F7C.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc3F7C.tmp\nsDialogs.dll

Filesize
9KB

MD5
0d45588070cf728359055f776af16ec4

SHA1
c4375ceb2883dee74632e81addbfa4e8b0c6d84a

SHA256
067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a

SHA512
751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc3F7C.tmp\nsExec.dll

Filesize
6KB

MD5
c5b9fe538654a5a259cf64c2455c5426

SHA1
db45505fa041af025de53a0580758f3694b9444a

SHA256
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7

SHA512
f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

Download Submit
C:\Windows\Temp\{CA624441-1A89-424D-86D9-CCBF6F00BD18}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{CA624441-1A89-424D-86D9-CCBF6F00BD18}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{EF04CBCD-B1CE-4F00-8FE0-B9510C396085}\.cr\vcredist_x64.exe

Filesize
633KB

MD5
7f28c88875700454d8fb733341658edd

SHA1
434159872b168112b86e91cf84f4d9d545ab0410

SHA256
92d6a54089399fab9f00f25ccf568bdc2f4838aefbf37d51bc1ac94ed41508b9

SHA512
7b0d332ef78506e116ad620eb34424d7ca168822f768c30fe54a55168075e88d9fb40f1c4eb02498c3379843f50ac79bcc3d42a77b82d6157bfbd3fc4bd462fb

Download Submit