0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0

General

Target

0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
Size

339KB
MD5

6ee18f2ba1f6b15fba9385d73a53f4c1
SHA1

f9787fcaf489f29bfdc3625ac8826ff05bbb2270
SHA256

0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0
SHA512

f29a30db895ca04439fa7cd30e4cc175f3a5ff09ebd409c4284c5953f8a47cfdd7bc4db1a07812b290c0a75a0157f501246119813769a94250f914057c0130b9
SSDEEP

6144:yVTzU1kCV/w+p+pXd6I9dUhJZXAnBY+adSEm:ATzU13jspt6adqJhqBY+b

Score

9^/10

Malware Config

Signatures

Detects executables built or packed with MPress PE compressor 22 IoCs

resource	yara_rule
behavioral2/memory/1580-0-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x001c000000023af8-23.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1436-24-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1580-1-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1436-25-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1580-27-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1436-28-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1436-29-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1436-30-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1436-31-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1436-33-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1436-34-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1436-35-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1436-36-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1436-37-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1436-38-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1436-39-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1436-40-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1436-41-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1436-42-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1436-43-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1436-44-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 1 IoCs

pid	Process
1436	GTOM.EXE

Modifies system executable filetype association 2 TTPs 3 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files\\GTOM.EXE \"%1\" %*"	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	GTOM.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GTOM.EXE = "C:\\Program Files\\GTOM.EXE"	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
File opened (read-only)	\??\G:	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
File opened (read-only)	\??\O:	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
File opened (read-only)	\??\Q:	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
File opened (read-only)	\??\K:	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
File opened (read-only)	\??\M:	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
File opened (read-only)	\??\R:	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
File opened (read-only)	\??\J:	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
File opened (read-only)	\??\P:	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
File opened (read-only)	\??\S:	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
File opened (read-only)	\??\U:	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
File opened (read-only)	\??\V:	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
File opened (read-only)	\??\H:	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
File opened (read-only)	\??\I:	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
File opened (read-only)	\??\L:	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
File opened (read-only)	\??\N:	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
File opened (read-only)	\??\T:	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\GTOM.EXE	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
File opened for modification	C:\Program Files\GTOM.EXE	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Program Files\\GTOM.EXE %1"	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Program Files\\GTOM.EXE \"%1\""	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Program Files\\GTOM.EXE %1"	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	GTOM.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Program Files\\GTOM.EXE \"%1\""	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files\\GTOM.EXE \"%1\" %*"	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1436	GTOM.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 1436	1580	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe	83
PID 1580 wrote to memory of 1436	1580	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe	83
PID 1580 wrote to memory of 1436	1580	0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe	83

C:\Users\Admin\AppData\Local\Temp\0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe
"C:\Users\Admin\AppData\Local\Temp\0c4527a7e2fed5c2418d3ccbc81f612a605e7903acce46a2b23f1f5c3cf30eb0.exe"
1⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Program Files\GTOM.EXE
  "C:\Program Files\GTOM.EXE"
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\GTOM.EXE

Filesize
339KB

MD5
da9ff13fd83e02c4891cd13be73954b1

SHA1
e79b179272e18b5898e65d9adbe4db3ee04bed5f

SHA256
027f5e95c23d6f368ea7cfae7125d6381d01164c79a1e5cf234e64e29af015d4

SHA512
8ccacfd6eb806300eccee5ac6064975f3823924331a6a37126605d2c1ae7a90ff043f61059ae2c2d7d0306f51bdb1382ba2abfe3817fb3236c46b7103275d7b3

Download Submit
C:\filedebug

Filesize
243B

MD5
bda92358662b8c71e9fe57e1dd834e57

SHA1
075e4d553148204573f343f0f6a2253e6d0695b3

SHA256
7bd793fce23cc63b56cc97c7c20ee051eb6d825b1bb99a67b0e1e1e2f6aab433

SHA512
4e6fdf56c997ac37debdff164bd79186bbb6242e38fd53cf984a862c7e3de0823dd24bfc661a062fdd04ec39a163e4dfa54ee424706b7817a5d543870b69ea5d

Download Submit
memory/1436-31-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1436-37-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1436-43-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1436-32-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/1436-25-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1436-26-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/1436-41-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1436-28-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1436-29-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1436-30-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1436-44-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1436-42-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1436-35-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1436-34-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1436-33-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1436-36-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1436-24-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1436-38-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1436-39-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1436-40-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1580-27-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1580-1-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1580-16-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/1580-0-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads