gink | 1b1af1ddd18e0504348074fa8f969c5f657f8e5390c5e054a10cf28d8d52bd98

Analysis

max time kernel
146s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-03-2024 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c172a633f244dd1c67035715ecb9a4e9.exe
Size

37KB
MD5

c172a633f244dd1c67035715ecb9a4e9
SHA1

e2bf15a024b6d0a88752401d53e047e39bb1e4cd
SHA256

1b1af1ddd18e0504348074fa8f969c5f657f8e5390c5e054a10cf28d8d52bd98
SHA512

9ee7591e45ccc90f2083b0b832bf7906b68d62823113f0fae687ca2c6a60320eefea024fcb871cf6df9048abb4ce79de55cabe024ecaf2693b7975937d3f9ff8
SSDEEP

384:qV4jRGBhOry47SDH02Ijd5vrf6DelcTKmpY2vnqwxX6lBdhoHnI8vuu:BRO0rEDAjdhrf6Del/yDvnqwF67MI8

Score

10^/10

gink persistence worm

Malware Config

Signatures

Gink
worm gink

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c172a633f244dd1c67035715ecb9a4e9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\I-Worm.GiGu = "uGiG.eXe"	c172a633f244dd1c67035715ecb9a4e9.exe

Drops file in System32 directory 3 IoCs

Processes:

c172a633f244dd1c67035715ecb9a4e9.exe

description	ioc	process
File created	C:\Windows\SysWOW64\GiGu.eXe	c172a633f244dd1c67035715ecb9a4e9.exe
File opened for modification	C:\Windows\SysWOW64\GiGu.eXe	c172a633f244dd1c67035715ecb9a4e9.exe
File created	C:\Windows\SysWOW64\GiGu.eml	c172a633f244dd1c67035715ecb9a4e9.exe

Drops file in Windows directory 2 IoCs

Processes:

c172a633f244dd1c67035715ecb9a4e9.exe

description	ioc	process
File created	C:\Windows\uGiG.eXe	c172a633f244dd1c67035715ecb9a4e9.exe
File opened for modification	C:\Windows\uGiG.eXe	c172a633f244dd1c67035715ecb9a4e9.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2132 2340 WerFault.exe c172a633f244dd1c67035715ecb9a4e9.exe

pid	pid_target	process	target process
2132	2340	WerFault.exe	c172a633f244dd1c67035715ecb9a4e9.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c172a633f244dd1c67035715ecb9a4e9.exe

description	pid	process	target process
PID 2340 wrote to memory of 2132	2340	c172a633f244dd1c67035715ecb9a4e9.exe	WerFault.exe
PID 2340 wrote to memory of 2132	2340	c172a633f244dd1c67035715ecb9a4e9.exe	WerFault.exe
PID 2340 wrote to memory of 2132	2340	c172a633f244dd1c67035715ecb9a4e9.exe	WerFault.exe
PID 2340 wrote to memory of 2132	2340	c172a633f244dd1c67035715ecb9a4e9.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\c172a633f244dd1c67035715ecb9a4e9.exe
"C:\Users\Admin\AppData\Local\Temp\c172a633f244dd1c67035715ecb9a4e9.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 176
  2⤵
  - Program crash
  PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2340-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2340-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2340-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download