564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc

General

Target

564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
Size

53KB
MD5

726164e001b33021e45c21c2ab5f8a44
SHA1

0e22e39503cc2151b96f82216133b3800f5702a7
SHA256

564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc
SHA512

4f990ecc096bfb85fe4f8aaaee27dc2082fc5919c3b1de318850aca759ff3093774a4606a2303569612f1c7d4d2caea9df84abdfe9eee4cca2395a0db9341509
SSDEEP

1536:vNcg8r8QeTRXmuHCo7Kp3StjEMjmLM3ztDJWZsXy4JzxPMk:NXm9oJJjmLM3zRJWZsXy4Jt

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

gxkoir.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	gxkoir.exe

Executes dropped EXE 1 IoCs

Processes:

gxkoir.exe

pid process

2884 gxkoir.exe

Loads dropped DLL 2 IoCs

Processes:

564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe

pid	process
1984	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
1984	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

gxkoir.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\gxkoir = "C:\\Users\\Admin\\gxkoir.exe"	gxkoir.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

gxkoir.exe

pid	process
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe
2884	gxkoir.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exegxkoir.exe

pid process

1984 564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
2884 gxkoir.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exegxkoir.exe

description	pid	process	target process
PID 1984 wrote to memory of 2884	1984	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe	gxkoir.exe
PID 1984 wrote to memory of 2884	1984	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe	gxkoir.exe
PID 1984 wrote to memory of 2884	1984	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe	gxkoir.exe
PID 1984 wrote to memory of 2884	1984	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe	gxkoir.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
PID 2884 wrote to memory of 1984	2884	gxkoir.exe	564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe

C:\Users\Admin\AppData\Local\Temp\564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe
"C:\Users\Admin\AppData\Local\Temp\564415ed1f904977335de9f7925557eb27d7424b46dea05f6b09e58cb8577acc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\gxkoir.exe
"C:\Users\Admin\gxkoir.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\gxkoir.exe

Filesize
53KB

MD5
67d7f69a60525af1d131a301e6addfb9

SHA1
83dd6e2a83ef0418d832cc635af380ea34f83bba

SHA256
806b43368f9f94d1e04a37474a69e1e5592e72f353f59ff6dc05fb308926c2aa

SHA512
ccb74c8bca8346597c3c0687305507c20eac5891940697f3ff242d25848cc07c3b654c6ca045e889db5463e3d45835ca871bd18e8d28418e59011b9acd8989ca

Download Submit
memory/1984-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1984-9-0x0000000003AB0000-0x0000000003AC2000-memory.dmp

Filesize
72KB

Download
memory/1984-15-0x0000000003AB0000-0x0000000003AC2000-memory.dmp

Filesize
72KB

Download
memory/2884-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads