2facae0316bb398d1895af1248d21cb3e88f83da4b8c0eeaef4f837d1bc98799

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2024 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9c2ca31ac824ed5653a26d433d30e8e.exe
Size

208KB
MD5

c9c2ca31ac824ed5653a26d433d30e8e
SHA1

a8ed6c5f097e03ba9c5380b28e23b222ec882fe9
SHA256

2facae0316bb398d1895af1248d21cb3e88f83da4b8c0eeaef4f837d1bc98799
SHA512

743c495e8970670486f6fab76c0a28ac705e7dbd0043c29012e7f77b1926aad15c3e3989a29877bb3d1760c4b1e58ff2f8c05efa57898d3ba6c176fb9ef0dde0
SSDEEP

3072:BltUotXpzghxJ2Gb8epdi6e81o82p/JDuGIl+JKWMocftvX:ftmx3dN71n2p/JDuRl+JKWMP

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\ImagePath = "%SystemRoot%\\system32\\svchost.exe -k netsvcs"	regedit.exe

Executes dropped EXE 1 IoCs

pid	Process
1616	Garss.exe

Loads dropped DLL 1 IoCs

pid	Process
1616	Garss.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Garss.exe	c9c2ca31ac824ed5653a26d433d30e8e.exe
File opened for modification	C:\Program Files\Garss.exe	c9c2ca31ac824ed5653a26d433d30e8e.exe

Drops file in Windows directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\Download\0a06e050a9fb74e005210fbe22ca6009\Gk0nw5+Dx999n\BITC43C.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\c799ec51450a41ff046dfd5e0ff1ae89\c5514a56efb2ef445bc6493452b519be4c2f6438	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\c0e8d71de8b53a2b9d1cd9915e1e5586\cf3fdea3ee2ec932bb2977d31480b7d7cbbddbb8	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ccdd7cdf71bc46870efcbbcc41e29696\BIT9F27.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\0a06e050a9fb74e005210fbe22ca6009\Gk0nw5+Dx999n\TZw4kpgQzpkqLI6QIjOOO1nnIV1rM=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\c799ec51450a41ff046dfd5e0ff1ae89\BIT1059.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\e2bf24f252f953e8cf836ac3e2ffdaf6\BIT9E7B.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\e2bf24f252f953e8cf836ac3e2ffdaf6\BITACC8.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\e2bf24f252f953e8cf836ac3e2ffdaf6\BITADB3.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\0a06e050a9fb74e005210fbe22ca6009\BITC585.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\c0e8d71de8b53a2b9d1cd9915e1e5586\BIT13F6.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\c799ec51450a41ff046dfd5e0ff1ae89\BIT14D2.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\c0e8d71de8b53a2b9d1cd9915e1e5586\BIT1801.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ccdd7cdf71bc46870efcbbcc41e29696\xPnH1+pblf7oK+ivWJwv1GUym6aXbAIuBqJq02SrG\BIT9E4B.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\c0e8d71de8b53a2b9d1cd9915e1e5586\BITF8C.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\e2bf24f252f953e8cf836ac3e2ffdaf6\00c5a18b3243c99296724d4c02975ba8fc3ff353	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\0a06e050a9fb74e005210fbe22ca6009\BITC9FC.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ccdd7cdf71bc46870efcbbcc41e29696\fc358891923a5c9c31398fecfc600ecb1b992014	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\e2bf24f252f953e8cf836ac3e2ffdaf6\BIT9F67.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ccdd7cdf71bc46870efcbbcc41e29696\xPnH1+pblf7oK+ivWJwv1GUym6aXbAIuBqJq02SrG\BITA19A.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\0a06e050a9fb74e005210fbe22ca6009\Gk0nw5+Dx999n\BITBFF4.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\c0e8d71de8b53a2b9d1cd9915e1e5586\BIT1098.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\c799ec51450a41ff046dfd5e0ff1ae89\ViSi+zdHv\BIT618E.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\c799ec51450a41ff046dfd5e0ff1ae89\BIT6279.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\e2bf24f252f953e8cf836ac3e2ffdaf6\EonSpJ2OVmkTezWws2DAwPoxif4BKC5VqMCSWGhbEtE=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\0a06e050a9fb74e005210fbe22ca6009\304a27e1622cdb6b244eb7d37af4a9481ece1041	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\c0e8d71de8b53a2b9d1cd9915e1e5586\9tnctpkXHmC+y689ELvhZtScww+egzyOUotYUmLdqAc=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\c0e8d71de8b53a2b9d1cd9915e1e5586\BIT12DB.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ccdd7cdf71bc46870efcbbcc41e29696\xPnH1+pblf7oK+ivWJwv1GUym6aXbAIuBqJq02SrG\c=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\0a06e050a9fb74e005210fbe22ca6009\BITC13D.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ccdd7cdf71bc46870efcbbcc41e29696\BITA286.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\c799ec51450a41ff046dfd5e0ff1ae89\ViSi+zdHv\BITF3D.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\c799ec51450a41ff046dfd5e0ff1ae89\ViSi+zdHv\R8X4AQ4KGiFnNn4Yxo+CdNGqO2aVbXTGg=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\c799ec51450a41ff046dfd5e0ff1ae89\ViSi+zdHv\BIT13C7.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\c0e8d71de8b53a2b9d1cd9915e1e5586\BIT1725.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\0a06e050a9fb74e005210fbe22ca6009\Gk0nw5+Dx999n\BITC884.tmp	svchost.exe

Runs .reg file with regedit 1 IoCs

pid	Process
4172	regedit.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3536	c9c2ca31ac824ed5653a26d433d30e8e.exe
3536	c9c2ca31ac824ed5653a26d433d30e8e.exe
3536	c9c2ca31ac824ed5653a26d433d30e8e.exe
3536	c9c2ca31ac824ed5653a26d433d30e8e.exe
3536	c9c2ca31ac824ed5653a26d433d30e8e.exe
3536	c9c2ca31ac824ed5653a26d433d30e8e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3536	c9c2ca31ac824ed5653a26d433d30e8e.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 1616	3536	c9c2ca31ac824ed5653a26d433d30e8e.exe	91
PID 3536 wrote to memory of 1616	3536	c9c2ca31ac824ed5653a26d433d30e8e.exe	91
PID 3536 wrote to memory of 1616	3536	c9c2ca31ac824ed5653a26d433d30e8e.exe	91
PID 3536 wrote to memory of 4172	3536	c9c2ca31ac824ed5653a26d433d30e8e.exe	101
PID 3536 wrote to memory of 4172	3536	c9c2ca31ac824ed5653a26d433d30e8e.exe	101
PID 3536 wrote to memory of 4172	3536	c9c2ca31ac824ed5653a26d433d30e8e.exe	101
PID 3536 wrote to memory of 752	3536	c9c2ca31ac824ed5653a26d433d30e8e.exe	102
PID 3536 wrote to memory of 752	3536	c9c2ca31ac824ed5653a26d433d30e8e.exe	102
PID 3536 wrote to memory of 752	3536	c9c2ca31ac824ed5653a26d433d30e8e.exe	102

C:\Users\Admin\AppData\Local\Temp\c9c2ca31ac824ed5653a26d433d30e8e.exe
"C:\Users\Admin\AppData\Local\Temp\c9c2ca31ac824ed5653a26d433d30e8e.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Program Files\Garss.exe
  "C:\Program Files\Garss.exe" "C:\Documents and Settings\QQCRT.DLL" Main
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1616
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\1.reg
  2⤵
  - Sets service image path in registry
  - Runs .reg file with regedit
  PID:4172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C9C2CA~1.EXE > nul
  2⤵
  PID:752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Drops file in Windows directory
PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1.reg

Filesize
3KB

MD5
9e76f69aaf34e16a17169546051374a4

SHA1
d08bdddb3ed8c52241a3c438f75ee30e273c1224

SHA256
63d49b4032dcadb4a9d9f454addb105398bfb8c05c367f99ebaee1c2a5ddd389

SHA512
6a68299f9cdf91c84cfb1e2bb6bdce817712a1ca302a26b35b05bbdf38d79f029c9d77a8b8e9510745b1758b8d95d92a31f6536d31a927bd35953c071f172d62

Download Submit
C:\Documents and Settings\QQCRT.DLL

Filesize
19.6MB

MD5
3271644158a66c4549245839ad62e53e

SHA1
3a9c0ef1eb9ca1e68f091a0e4c70d64c119a50b8

SHA256
77cbcfbc3e638c7be2898266be86a9b81562cdb5d63e6ce62a2f0eb5e86150b1

SHA512
88db94c05467e79b6b9d4721d4352b69157ddcfc9b584929267ffefe3fdf292aefd2cbc25e91fde5a86d12f5cb0a47a1f230f08710a0be63155f8422755cc2e2

Download Submit
C:\Program Files\Garss.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Users\QQCRT.DLL

Filesize
19.9MB

MD5
aa38ff2a07d050ffb0ae5988d5e0a8d7

SHA1
ef061e7bc1afccb33ef6d775f9e2b5c23b17ee93

SHA256
fd0d0535bb79d2866d8cb3f9e832c68dcd3f7ae817ab1f08d019c61bd09f2a03

SHA512
2cae1cd124663edb403d769865209988b909c6b8414c56a5161ed1dd12bf3ed120f22c977773d35fe4ac35bd5eee0aa6727142e961f52753c62dad57eb1bc782

Download Submit
C:\Windows\SoftwareDistribution\Download\0a06e050a9fb74e005210fbe22ca6009\Gk0nw5+Dx999n\BITC43C.tmp

Filesize
192KB

MD5
e7f815281ce76dc67151643b41a3ab29

SHA1
fa0b569815425edf8671d6bff4c1f36695e47ea8

SHA256
1a4d27c39f83c7df7d9ff4d9c38929810ce992a2c8e9022338e3b59e7215d6b3

SHA512
3e9bb4d874531e921b0bb4a607c3f3ddb9cc76a8df889a39c4ca2dfbc4aad8e099e7773a1c09623bb21606bb6438962aac95ded95077b1de3c0a185a64901411

Download Submit
C:\Windows\SoftwareDistribution\Download\c0e8d71de8b53a2b9d1cd9915e1e5586\BIT12DB.tmp

Filesize
26KB

MD5
b17e70e0f1aa3b26c87fc3fdd7b1d51e

SHA1
5c9b53c5e05070baea92fac3194fb675cd0afa34

SHA256
f6d9dcb699171e60becbaf3d10bbe166d49cc30f9e833c8e528b585262dda807

SHA512
5f8689638bd1d756166a5116f816f73fce169787e5e4bad0fb60e8e19a59b25acc24082d2e58cc9788c06ccb93d27ba0bf5021af4499409a1d2de47e3180065b

Download Submit
C:\Windows\SoftwareDistribution\Download\c0e8d71de8b53a2b9d1cd9915e1e5586\cf3fdea3ee2ec932bb2977d31480b7d7cbbddbb8

Filesize
80KB

MD5
b6f893d2118881b01ba26e576fbeb5dd

SHA1
6f00a485e5bd1ff2e87a6309209d67681705c540

SHA256
97dce3e5096efc622934d674ced2079b9c9fd1519ebc7fa2ff577f37586318ae

SHA512
5dd5f1f19b462f8c40ea524583143958a167aad1644e21e3cccee44eb303ec76e1fe0906e5a412db3c096271c324cb31796a3d30875c75429e97d79209ecfd15

Download Submit
C:\Windows\SoftwareDistribution\Download\c799ec51450a41ff046dfd5e0ff1ae89\ViSi+zdHv\R8X4AQ4KGiFnNn4Yxo+CdNGqO2aVbXTGg=

Filesize
23KB

MD5
5f52240ea41c2a69c31f8ca42e1365f0

SHA1
edbe671bbfdc556fe4cdeb534e374f454ab48cd7

SHA256
5624a2fb3747bff47c5f8010e0a1a2167367e18c68f8274d1aa3b66956d74c68

SHA512
277cdcd5395da604d866f860c9de096b99d900472f9e87b3ef0822315c1a0ef0fc210aab3af515d27649e222174bc62ea4e35cccd86d19864b3c394015e0a983

Download Submit
C:\Windows\SoftwareDistribution\Download\c799ec51450a41ff046dfd5e0ff1ae89\c5514a56efb2ef445bc6493452b519be4c2f6438

Filesize
75KB

MD5
b4d5a8a9f3960180114ef25e7e9cd59a

SHA1
609eee4073e1f40645d6c770c3e3d865f62c79be

SHA256
d3c1da67262a4420850eed1e2e93f927f96801f95276d65de54a179745b3987e

SHA512
8b59ce5d25efbfa3f4cc71680d660990c0634537b22ef86b1c2850cc845704d20e41c2d1f9fbcc87bb38376a44f9a7d57e19b37c0624af2bb396e2d7dd4288b0

Download Submit
C:\Windows\SoftwareDistribution\Download\ccdd7cdf71bc46870efcbbcc41e29696\xPnH1+pblf7oK+ivWJwv1GUym6aXbAIuBqJq02SrG\BITA19A.tmp

Filesize
1KB

MD5
f3362d51d0285d9ffcdd09813f6c8b56

SHA1
477c0a243daa358c6d76ec39d04cdcc6fe81960e

SHA256
c4f9c7d7ea5b95fee82be8af589c2fd465329ba6976c022e06a26ad364ab1bf7

SHA512
7fbae7cb45ceb46634bf7e80d38215f3204e8174f635f98d41f6795b6de91e0fb09b4297adda3ebf96b2beb593d1124e7c083c4e6f91e5169f4a54c3d396ed83

Download Submit
C:\Windows\SoftwareDistribution\Download\e2bf24f252f953e8cf836ac3e2ffdaf6\BITACC8.tmp

Filesize
1KB

MD5
14f2cb034e2ea20662d1254d74c50fb3

SHA1
a9f44104d0b78a11cfdecbd17709800773e921ae

SHA256
1289d2a49d8e5669137b35b0b360c0c0fa3189fe01282e55a8c09258685b12d1

SHA512
877bb1b37d256179b432f347dc1fbfdc5e58bb35dcf984836f0339a88662f240e496547c1229e2c8913cb7a6e92edffb3ce7111e4b16acd456f9781054e17f32

Download Submit
memory/4044-26-0x000001E0196A0000-0x000001E0196A4000-memory.dmp

Filesize
16KB

Download
memory/4044-45-0x000001E0196D0000-0x000001E0196D4000-memory.dmp

Filesize
16KB

Download
memory/4044-46-0x000001E0196C0000-0x000001E0196C1000-memory.dmp

Filesize
4KB

Download
memory/4044-25-0x000001E0196A0000-0x000001E0196A4000-memory.dmp

Filesize
16KB

Download
memory/4044-9-0x000001E014D60000-0x000001E014D70000-memory.dmp

Filesize
64KB

Download
memory/4044-21-0x000001E019360000-0x000001E019364000-memory.dmp

Filesize
16KB

Download
memory/4044-15-0x000001E014DC0000-0x000001E014DD0000-memory.dmp

Filesize
64KB

Download
memory/4044-124-0x000001E0197D0000-0x000001E0197D4000-memory.dmp

Filesize
16KB

Download
memory/4044-125-0x000001E0197D0000-0x000001E0197D4000-memory.dmp

Filesize
16KB

Download