78e1d165734aa5c629636addd6fd6af745af76fb43285dbf1d4651e3d1bd46aa

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78e1d165734aa5c629636addd6fd6af745af76fb43285dbf1d4651e3d1bd46aa.exe
Size

37KB
MD5

c654f6fe27bf038c7ce5471260743b7b
SHA1

e0227202a195bf502dedb3589af1d192b2158b55
SHA256

78e1d165734aa5c629636addd6fd6af745af76fb43285dbf1d4651e3d1bd46aa
SHA512

bb10e2d0792e8007e69b42a6b4335db5bf644c28b9c46be9d539a1733848ef90a10f6d1f83a4104b5420031cd13e6749be23726b881b1bf9b52c5b98808b2c92
SSDEEP

384:oPDUQ/pgeY/PiZpIPHbABisNtA0lYDlIq9dXrm7AG3fmPIJqlCqckkFtJ7:+l/BEPiAvbAbDYDlJdXqEG3eygUtV

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	78e1d165734aa5c629636addd6fd6af745af76fb43285dbf1d4651e3d1bd46aa.exe

Executes dropped EXE 1 IoCs

pid	Process
3520	gffos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 3520	2436	78e1d165734aa5c629636addd6fd6af745af76fb43285dbf1d4651e3d1bd46aa.exe	86
PID 2436 wrote to memory of 3520	2436	78e1d165734aa5c629636addd6fd6af745af76fb43285dbf1d4651e3d1bd46aa.exe	86
PID 2436 wrote to memory of 3520	2436	78e1d165734aa5c629636addd6fd6af745af76fb43285dbf1d4651e3d1bd46aa.exe	86

C:\Users\Admin\AppData\Local\Temp\78e1d165734aa5c629636addd6fd6af745af76fb43285dbf1d4651e3d1bd46aa.exe
"C:\Users\Admin\AppData\Local\Temp\78e1d165734aa5c629636addd6fd6af745af76fb43285dbf1d4651e3d1bd46aa.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Local\Temp\gffos.exe
  "C:\Users\Admin\AppData\Local\Temp\gffos.exe"
  2⤵
  - Executes dropped EXE
  PID:3520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gffos.exe

Filesize
37KB

MD5
3d134d763b9bdf6cea923bc04265dd11

SHA1
8e1bc33b79c43172e3fc80b80d6672d0305e578a

SHA256
cd84229bab409b586e13b50e80505b11e7d72fed5a14f17da3c4dd9c1075091a

SHA512
d51c4b773389102f735cb88b3851b29bdce66794b1a4d4f13c712785856c6d3d99a8773ab7a7177665fc4974d23de452b7911132c4c48a7948a7507dbcae60d8

Download Submit
memory/2436-0-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2436-1-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/2436-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3520-20-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download