Malware Analysis Report

2025-03-14 22:20

Sample ID: 240407-25grdshc8x
Target: Gorillatag.exe
SHA256: bfe7b087895debbd2c7d0cce9c9cea878995eb573eb8476a2254a38b452b622f
Tags: persistence
Score: 6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 6/10

SHA256: bfe7b087895debbd2c7d0cce9c9cea878995eb573eb8476a2254a38b452b622f

Threat level: shows suspicious behavior

Gorillatag.exe was not classified as malicious outright; the sandbox flagged it as showing suspicious behavior (score 6/10) on the basis of the signatures listed below.

Malicious Activity Summary

persistence

Adds Run key to start application

Unsigned PE

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Of these, only the Run key and timeout.exe signatures are backed by indicator rows in the behavioral analysis; "Suspicious use of WriteProcessMemory" is listed without any process, indicator or target detail, so it cannot be corroborated from this report. The Run key in question is a RunOnce cleanup entry written by the IExpress self-extractor (see the persistence signature under behavioral1); it deletes the extraction directory rather than relaunching the sample.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:09

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:09

Reported

2024-04-07 23:10

Platform

win10v2004-20240226-en

Max time kernel

33s

Max time network

41s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Gorillatag.exe"

Signatures

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\Gorillatag.exe | N/A

Caveat: the value name wextract_cleanup0 and the command rundll32.exe advpack.dll,DelNodeRunDLL32 "<dir>" are exactly what the Windows IExpress self-extractor (wextract) writes so that its temporary extraction directory (here IXP000.TMP, which also holds the dropped HelloWorld.bat listed under Files) is deleted the next time a user logs on. Because the entry is under RunOnce it executes a single time and is then removed, and it does not start Gorillatag.exe or the batch file again. Read it as evidence that the sample is an IExpress package, not as persistence in its own right.
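The following is an added triage helper, not part of the sandbox report: it parses a "Set value (str)" indicator in the form the report prints (JSON-style escaping inside the quotes), locates the Run* subkey and value name, and separates the IExpress wextract cleanup entry from a real autorun. The first indicator is the report's own; the second is constructed for contrast, and its SID, value name and svc.exe path are made up.

```python
import re
from dataclasses import dataclass

# Indicator copied from the report above. The sandbox renders the value with
# JSON-style escaping: \\ for a backslash, \" for an embedded quote.
REPORT_INDICATOR = (
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0'
    r' = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32'
    r' \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""'
)

# Constructed example of a genuine autorun (NOT from the report): SID, value
# name and image path are invented for illustration.
CONSTRUCTED_AUTORUN = (
    r'\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater'
    r' = "\"C:\\Users\\Admin\\AppData\\Roaming\\svc.exe\" /silent"'
)

# Run* subkeys the Windows shell / winlogon process at logon, and the value name.
RUN_KEY_RE = re.compile(
    r'\\CurrentVersion\\(Run|RunOnce|RunOnceEx|RunServices|RunServicesOnce)\\([^\\]+)$', re.I)
# rundll32 advpack.dll,DelNodeRunDLL32 "<dir>" deletes <dir>; it launches nothing.
DELNODE_RE = re.compile(
    r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?P<dll>\S*advpack\.dll),DelNodeRunDLL32'
    r'\s+"?(?P<dir>[^"]+?)"?\s*$', re.I)


@dataclass
class AutorunVerdict:
    key: str
    value_name: str
    command: str
    verdict: str      # "iexpress_cleanup", "delete_on_run" or "autorun"
    image: str        # what gets launched (autorun) or deleted (DelNode)
    runs_once: bool   # RunOnce* entries are removed after they execute


def unescape(s):
    """Undo the report's \\x escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_set_value(indicator):
    """Split '<key> = "<escaped value>"' into (key, unescaped value)."""
    key, sep, raw = indicator.partition(' = ')
    if not sep or not (raw.startswith('"') and raw.endswith('"')):
        raise ValueError('not a "Set value (str)" indicator: ' + indicator)
    return key, unescape(raw[1:-1])


def first_token(cmd):
    """Executable part of a command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ''


def classify_autorun(indicator):
    key, command = parse_set_value(indicator)
    m = RUN_KEY_RE.search(key)
    if not m:
        raise ValueError('not under a Run* key: ' + key)
    subkey, value_name = m.group(1), m.group(2)
    runs_once = 'once' in subkey.lower()
    d = DELNODE_RE.match(command)
    if d:
        # wextract names its cleanup value wextract_cleanupN; anything else
        # using DelNodeRunDLL32 is still a delete, not a launch, but worth a look.
        cleanup = re.fullmatch(r'wextract_cleanup\d+', value_name, re.I)
        verdict = 'iexpress_cleanup' if cleanup else 'delete_on_run'
        image = d.group('dir').rstrip('\\')
    else:
        verdict = 'autorun'
        image = first_token(command)
    return AutorunVerdict(key, value_name, command, verdict, image, runs_once)


if __name__ == '__main__':
    for ind in (REPORT_INDICATOR, CONSTRUCTED_AUTORUN):
        v = classify_autorun(ind)
        print(f'{v.verdict:17} runs_once={v.runs_once!s:5} {v.value_name} -> {v.image}')
```

An "autorun" verdict is what deserves the persistence tag; "iexpress_cleanup" tells you which directory the package extracted to, which is where to look for the dropped payload.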

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A
N/A | N/A | C:\Windows\system32\timeout.exe | N/A
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Each of the three invocations is timeout /t 1 /nobreak (see Processes): a one-second wait that ignores keypresses, about three seconds in total. That is nowhere near the delays used to outlast a sandbox analysis window (this run recorded 33 s of kernel time), so on its own this signature is weak evidence of evasion.

Processes

Each entry is the image path followed by the command line the sandbox observed. The report gives no parent/child links, but the sequence matches an IExpress package extracting HelloWorld.bat into IXP000.TMP and running it through cmd /c, with the batch file invoking timeout three times.

C:\Users\Admin\AppData\Local\Temp\Gorillatag.exe
    "C:\Users\Admin\AppData\Local\Temp\Gorillatag.exe"

C:\Windows\SYSTEM32\cmd.exe
    cmd /c "HelloWorld.bat"

C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak

C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak

C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak

Network

Country | Destination | Domain | Proto
US | 138.91.171.81:80 | - | tcp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp

The report does not attribute any of these rows to a process. The five UDP rows are reverse (PTR) lookups sent to the 8.8.8.8 resolver for 51.11.168.232, 2.17.197.249, 20.190.159.71, 23.53.113.159 and 52.191.219.104 (an in-addr.arpa name carries the address octets in reverse order); they show that something on the VM asked about those addresses, not that the sample connected to them. The one TCP row, to 138.91.171.81 on port 80, has neither a domain nor a process attached, so it needs correlation with the sample's own socket activity before it can be called C2 traffic.
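Added example, not part of the report: a small Python parser for the network table above that decodes in-addr.arpa (and ip6.arpa) names back to the addresses that were looked up and separates resolver queries from direct connections. The embedded rows are copied from the report; the ::1 reverse name in the usage is a constructed check for the IPv6 path.

```python
import ipaddress

# Network table copied from the report (country, destination, optional domain,
# protocol). The first row has no domain column.
REPORT_NETWORK = """\
US 138.91.171.81:80 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
"""


def ptr_to_ip(name):
    """Decode a reverse-DNS name to the address it stands for.
    in-addr.arpa: four octets in reverse order; ip6.arpa: 32 nibbles in reverse."""
    name = name.rstrip('.').lower()
    if name.endswith('.in-addr.arpa'):
        labels = name[:-len('.in-addr.arpa')].split('.')
        if len(labels) != 4:
            raise ValueError('expected four octets: ' + name)
        return str(ipaddress.IPv4Address('.'.join(reversed(labels))))
    if name.endswith('.ip6.arpa'):
        nibbles = name[:-len('.ip6.arpa')].split('.')
        if len(nibbles) != 32:
            raise ValueError('expected 32 nibbles: ' + name)
        return str(ipaddress.IPv6Address(int(''.join(reversed(nibbles)), 16)))
    raise ValueError('not a reverse-DNS name: ' + name)


def parse_network(text):
    """Turn the report's rows into dicts; ptr_ip is filled for *.arpa lookups."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            raise ValueError('unexpected row: ' + line)
        host, _, port = dest.rpartition(':')
        row = {'country': country, 'host': host, 'port': int(port),
               'domain': domain, 'proto': proto, 'ptr_ip': None}
        if domain and domain.endswith('.arpa'):
            row['ptr_ip'] = ptr_to_ip(domain)
        rows.append(row)
    return rows


def looked_up_addresses(rows):
    """Addresses the VM asked a resolver about. These are lookups, not connections."""
    return [r['ptr_ip'] for r in rows if r['ptr_ip'] and r['port'] == 53]


def direct_connections(rows):
    """Destinations contacted directly, i.e. everything that is not DNS."""
    return [(r['host'], r['port'], r['proto']) for r in rows if r['port'] != 53]


if __name__ == '__main__':
    rows = parse_network(REPORT_NETWORK)
    print('looked up:', looked_up_addresses(rows))
    print('connected:', direct_connections(rows))
    # constructed IPv6 check (not from the report): loopback's reverse name
    print(ptr_to_ip('1.' + '0.' * 31 + 'ip6.arpa'))
```

Feed the decoded addresses to whatever IP-ownership lookup you trust before deciding whether they are background OS traffic or sample activity; the report itself only establishes that the PTR queries happened.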

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HelloWorld.bat

MD5 7317106041accde5262b86d54071f702
SHA1 31776e27262c6bf0af7f092c8dcb71a46d12509e
SHA256 5b32f7305df0f48dc9936104f508949ee92003c5ed8091b34f520c4a5de473a5
SHA512 3c9b572264e47df4726636aa61a35526a293e3b9b3a80c39dfd216d6cf90e3c12ee3c362d3d9fabe2d13fdd2e22ad18194358ae80d68b8c5dc8d68cfb1758427