Analysis Overview
SHA256
bfe7b087895debbd2c7d0cce9c9cea878995eb573eb8476a2254a38b452b622f
Threat Level: Shows suspicious behavior
Verdict for Gorillatag.exe: shows suspicious behavior (no malware family was attributed).
Malicious Activity Summary
Adds Run key to start application
Unsigned PE
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 23:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 23:08
Reported
2024-04-07 23:11
Platform
win10v2004-20240226-en
Max time kernel
37s
Max time network
45s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\Gorillatag.exe | N/A |
Note: a RunOnce value named wextract_cleanup0 that points rundll32 at advpack.dll,DelNodeRunDLL32 with an IXP000.TMP folder is the standard self-cleanup entry written by wextract.exe (IExpress self-extractors) so the extraction directory is deleted at next logon. It runs once and deletes a folder rather than relaunching the payload, so on its own it indicates an IExpress-packaged sample, not persistence.
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Gorillatag.exe
"C:\Users\Admin\AppData\Local\Temp\Gorillatag.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd /c "HelloWorld.bat"
C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
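The process tree and the RunOnce write above translate directly into detection logic. The following Python is added here as an illustration and is not part of the sandbox report or the sample. It reconstructs the reported events as constructed sample data (the PIDs are made up; the report shows none), flags the run of timeout.exe sleeps spawned by one cmd.exe, flags the batch file launched from a user Temp directory, and classifies Run/RunOnce writes so the wextract.exe (IExpress) cleanup entry is told apart from a genuine autorun entry. The event dataclass fields, the threshold of three sleeps, and the finding strings are assumptions, not the sandbox's schema.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (field names assumed, not the sandbox's own schema)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegSetEvent:
    """One registry 'set value' event attributed to a process."""
    key_path: str   # key path including the value name, as the report prints it
    data: str
    pid: int


# Constructed sample data: the process tree and RunOnce write from the report,
# with made-up PIDs (the report does not show PIDs).
SAMPLE_PROCS = [
    ProcEvent(1000, 800, r"C:\Users\Admin\AppData\Local\Temp\Gorillatag.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Gorillatag.exe"'),
    ProcEvent(1010, 1000, r"C:\Windows\SYSTEM32\cmd.exe", 'cmd /c "HelloWorld.bat"'),
] + [
    ProcEvent(1020 + i, 1010, r"C:\Windows\system32\timeout.exe", "timeout /t 1 /nobreak")
    for i in range(9)
]

SAMPLE_REG = [
    RegSetEvent(
        r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
        r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
        1000,
    ),
]

TIMEOUT_RE = re.compile(r"^\s*\S*timeout(?:\.exe)?\s+.*?/t\s+(\d+)", re.I)
# advpack.dll,DelNodeRunDLL32 on an IXPnnn.TMP folder: wextract.exe (IExpress) self-cleanup.
WEXTRACT_CLEANUP_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"?.*\\IXP\d{3}\.TMP\\?"?', re.I)
AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def timeout_delay_chains(procs, min_children=3):
    """Group timeout.exe children by parent PID and return {ppid: (count, total_seconds)}
    for parents with at least `min_children` of them. A run of short sleeps is the cheap
    'wait out the sandbox clock' trick the report's signature refers to."""
    by_parent = defaultdict(lambda: [0, 0])
    for p in procs:
        if not p.image.lower().endswith("\\timeout.exe"):
            continue
        m = TIMEOUT_RE.match(p.cmdline)
        secs = int(m.group(1)) if m else 0  # no /t parsed: count it, add no seconds
        by_parent[p.ppid][0] += 1
        by_parent[p.ppid][1] += secs
    return {ppid: (c, s) for ppid, (c, s) in by_parent.items() if c >= min_children}


def classify_autorun_write(ev):
    """Return None for keys outside Run/RunOnce, 'iexpress_cleanup' for the wextract
    folder-deletion entry, and 'autorun_persistence' for anything else under those keys."""
    if not AUTORUN_KEY_RE.search(ev.key_path):
        return None
    if WEXTRACT_CLEANUP_RE.search(ev.data):
        return "iexpress_cleanup"
    return "autorun_persistence"


def batch_from_user_temp(procs):
    """cmd.exe events that run a .bat and whose parent image lives under a user's Local\\Temp."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if p.image.lower().endswith("\\cmd.exe") and ".bat" in p.cmdline.lower():
            parent = by_pid.get(p.ppid)
            if parent and USER_TEMP_RE.search(parent.image):
                hits.append(p)
    return hits


def triage(procs, reg_events):
    """Run the three heuristics and return one finding string per hit."""
    findings = []
    for ppid, (count, secs) in timeout_delay_chains(procs).items():
        findings.append(f"delay_chain parent={ppid} timeouts={count} total_wait={secs}s")
    for ev in reg_events:
        kind = classify_autorun_write(ev)
        if kind:
            name = ev.key_path.rsplit("\\", 1)[-1]
            findings.append(f"{kind} pid={ev.pid} value={name}")
    for p in batch_from_user_temp(procs):
        findings.append(f"temp_batch pid={p.pid} cmd={p.cmdline}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_PROCS, SAMPLE_REG):
        print(line)
```

On the report's data this yields three findings: a nine-sleep chain under cmd.exe totalling nine seconds, the RunOnce write classified as IExpress cleanup rather than persistence, and the .bat launched from the Temp-resident executable. The classification step is the part worth keeping: a rule that fires on any Run/RunOnce write will flag every IExpress package, so the wextract pattern should lower, not raise, the score.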
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HelloWorld.bat
| MD5 | 7317106041accde5262b86d54071f702 |
| SHA1 | 31776e27262c6bf0af7f092c8dcb71a46d12509e |
| SHA256 | 5b32f7305df0f48dc9936104f508949ee92003c5ed8091b34f520c4a5de473a5 |
| SHA512 | 3c9b572264e47df4726636aa61a35526a293e3b9b3a80c39dfd216d6cf90e3c12ee3c362d3d9fabe2d13fdd2e22ad18194358ae80d68b8c5dc8d68cfb1758427 |