a4536e60ac49c8b13bc26a46e7cb9749a49f6127be4d9f263704fee32914a9a0

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4536e60ac49c8b13bc26a46e7cb9749a49f6127be4d9f263704fee32914a9a0.exe
Size

5KB
MD5

3cf2ab1f2fc87feee41193bcce48bebb
SHA1

a42c2c0d2d7b3c133acd9d77aed648ec185f5c56
SHA256

a4536e60ac49c8b13bc26a46e7cb9749a49f6127be4d9f263704fee32914a9a0
SHA512

fcf278f2c95676a9d1f59d52bf36b6cb0002189d3c8f70a9cd98678b17e92e67c15880ead6be45c94051484588fd5c016e891987edba79cd1fe3a361c02bb708
SSDEEP

48:6heXLJmTctNPGCvLHmCyYLpHf/UzEVnQBG/RACalGUh2CS7DD:QwmYtPvLGax/wAnQWRRUh2CqD

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a4536e60ac49c8b13bc26a46e7cb9749a49f6127be4d9f263704fee32914a9a0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	a4536e60ac49c8b13bc26a46e7cb9749a49f6127be4d9f263704fee32914a9a0.exe

Deletes itself 1 IoCs

Processes:

gffos.exe

pid process

1348 gffos.exe
Executes dropped EXE 1 IoCs

Processes:

gffos.exe

pid process

1348 gffos.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1348	gffos.exe

pid	process
1348	gffos.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a4536e60ac49c8b13bc26a46e7cb9749a49f6127be4d9f263704fee32914a9a0.exe

description	pid	process	target process
PID 3516 wrote to memory of 1348	3516	a4536e60ac49c8b13bc26a46e7cb9749a49f6127be4d9f263704fee32914a9a0.exe	gffos.exe
PID 3516 wrote to memory of 1348	3516	a4536e60ac49c8b13bc26a46e7cb9749a49f6127be4d9f263704fee32914a9a0.exe	gffos.exe
PID 3516 wrote to memory of 1348	3516	a4536e60ac49c8b13bc26a46e7cb9749a49f6127be4d9f263704fee32914a9a0.exe	gffos.exe

C:\Users\Admin\AppData\Local\Temp\a4536e60ac49c8b13bc26a46e7cb9749a49f6127be4d9f263704fee32914a9a0.exe
"C:\Users\Admin\AppData\Local\Temp\a4536e60ac49c8b13bc26a46e7cb9749a49f6127be4d9f263704fee32914a9a0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3516

C:\Users\Admin\AppData\Local\Temp\gffos.exe
"C:\Users\Admin\AppData\Local\Temp\gffos.exe"
2⤵
- Deletes itself
- Executes dropped EXE
PID:1348

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\RCH2005[1].htm
Filesize
526B

MD5
aa973bd6c831f1536af1820c9772d531

SHA1
b23ac48b2b423a936398c9c4141330cab0615f84

SHA256
fb313bc6d6ef9ee33cbbbaa9382a7d876175d8841b2738186dd36068d52685f6

SHA512
9467efbce1b7d65c19e278c46437bad5e4c4ccecc12358aeecc037da621253577270f1fb0617663183d7b5ab95dc989cf60d782e2123aca4aea9518afa676f11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\RCH2005[1].htm
Filesize
526B

MD5
b9e0bcc825a855a4cf5a55244337dece

SHA1
3bafbc7f40c4ac5fbf4e0f39fd5a2a0df88e3c49

SHA256
92e695e79282d062c99876a6c09d8d7abb766fd6fbbd09d4adf0edb053d03541

SHA512
ffd1aeb60874ca8f4e72c55c790898964705b6ba4c4b0102777339c9a69886d2816c696623e1bea186bb152195c4ec1066af10c84a95e64b24b09efc148ab00d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\RCH2005[1].htm
Filesize
526B

MD5
c2a0aa4c2136e291cdbf87059189fd59

SHA1
c9dd1d5c4865a6bfcb15c54fdfdbab2892a2627d

SHA256
f2e30e1a935f0849dcfa6c4474996eb659918e00fa499db549c6cb28c6f632a2

SHA512
7e94726cffbb1a8389a5ac9a8bbd9ad355733a158d6d94cb2a003e5da8565e55793bf3700c9f6e5689f42c4f5213785cd89ae1613f9616c8ad52009703ba3dc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\RCH2005[1].htm
Filesize
526B

MD5
97c03c81b944e38194020ab84a6e99d9

SHA1
bf0c0a382f8c3ca3b2a0529fc2ccb4eaa042f8cb

SHA256
168f6bfd1898cc0b62d686a57dbbd79fc61dd0dbe3586e9b730e53c3e1ed3a7d

SHA512
023e4a9c077cb8116c183b99c69d1754382c9ee981a60e7d0766af070ef30f75b31254844a473a9c07973b8e6b952633b68818540c43c02350c8feefff61e6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\gffos.exe
Filesize
5KB

MD5
f7ab6b0fbe947f2343012bde56f936db

SHA1
2f5885623e8f1e3beb7ea6c1a9f9faab80894918

SHA256
f6c9cf341f3eb5ed45c180fe6db003c9c1d0668286699cbff4c0c80f92e0f564

SHA512
fdea6acb1805281b0b488fdbfe12cceeff4962d8b3757c9fbd881fdf12e6ab0d4716fa78c6796ae75a6d5d0848a826054b3a04bfa6c90a60e8e557c60a0bdbbf

Download Submit