Analysis
-
max time kernel
145s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 01:36
General
-
Target
.exe
-
Size
241KB
-
MD5
fd66ad744b4ac44881aec78b82792bfa
-
SHA1
942703c06198a7c8929e2a2da82c9b0713653d6e
-
SHA256
1d452ac3158f4353caead71ec3424dd12c543cec45d9b8739ea2e86fcd48fa51
-
SHA512
fae353c41169d3f2a748744bb75935ef3acfcbda6c7472abbe79bf2c332ba90c1eecb1fd4a523bcb6422e488dc8d8f446103e202cc0026f61e7cdbe5615558da
-
SSDEEP
6144:JZXBsWqsE/Ao+mv8Qv0LVmwq4FU0nN876WWhE:XXmwRo+mv8QD4+0N46WW+
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\.exe"C:\Users\Admin\AppData\Local\Temp\.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Gorn\Gorn\prostoigra.bat" "2⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Gorn\Gorn\neznoesvidanie.vbs"2⤵
- Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Gorn\Gorn\1.txtFilesize
16B
MD5768c3bec3fd688305a2f2e8e6a1affc4
SHA1c3886cb9f83c3eba0cd55b8e1b1ec8918855e67c
SHA256c87b314dc7c4a201a8e24efdc5d0aafe07b77ccb7c430601628b3f2bbc33c066
SHA512a9faa535428d483bbbdc68270da656d07d177273b7141288d410aad57fc0259d4c64a9ee144e78941d15dcc079a033c1207be4c8184a25739550feab735cbe25
-
C:\Program Files (x86)\Gorn\Gorn\2.txtFilesize
27B
MD5213c0742081a9007c9093a01760f9f8c
SHA1df53bb518c732df777b5ce19fc7c02dcb2f9d81b
SHA2569681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69
SHA51255182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9
-
C:\Program Files (x86)\Gorn\Gorn\neznoesvidanie.vbsFilesize
218B
MD5f920326c9fa8ffbb136d0089a52c0b04
SHA16cd85d1f3c518030a97f20e5b974e9ad09da085c
SHA25641e5bd5a5295874e32cef72d5b19db7b6b1a90153ee38c9d93191c4d7bbf91df
SHA51257697c0a646959592707a54777542336fef69269f6e8adb1e3722027db84e531966929d18262e44e240790cba3da1dbd0d4b758212b3763d741e40973a100be6
-
C:\Program Files (x86)\Gorn\Gorn\prostoigra.batFilesize
1KB
MD557b3c94445a1f9fc2de9d088de084b39
SHA11b7e1b51257354d5e509b16916ea9a74ec9c1bb2
SHA25642de4c51bbd9ff752527ab2574378ec4c10c950422da83eaceb01edb27f2116c
SHA51266ebc964daf2f9a090d5dd5745dc8c03e4d8d9d1b61f6272b73b0c62136dc693e529d719e978c07079ed85c93b9b1dc77eccc83e0f36019da85603e454ca151f
-
memory/1488-49-0x0000000000400000-0x0000000000436000-memory.dmpFilesize
216KB