Overview

overview

10

Static

static

3

4f8f68c870...af.exe

windows7-x64

7

4f8f68c870...af.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24/05/2024, 09:00

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    4f8f68c87060b025a048a61a18250610867b7ee1cea0686e6b27e6c870777baf.exe

  • Size

    73KB

  • MD5

    6dbdeca47da21451535678f2c6dc17e8

  • SHA1

    dbdb639b6c562f4845fc836c7faa445d33861a74

  • SHA256

    4f8f68c87060b025a048a61a18250610867b7ee1cea0686e6b27e6c870777baf

  • SHA512

    5f0c874bacb922e1901b9af94479cabe493bccfe8e06c30f93bd231278019c5a4a27415a4eeece598dc00cc729eff006e8a7f94cd1a924a521e3084bf9ba7d4e

  • SSDEEP

    1536:nXvUyX5kH+oNrnQt07k1sXMilxClvVL3i/t:nXvUyXMcnsRxeMt

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 44 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\wininit.exe
    wininit.exe
    1⤵
      PID:388
      • C:\Windows\system32\services.exe
        C:\Windows\system32\services.exe
        2⤵
          PID:480
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k DcomLaunch
            3⤵
              PID:608
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                4⤵
                  PID:2360
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k RPCSS
                3⤵
                  PID:688
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                  3⤵
                    PID:748
                  • C:\Windows\System32\svchost.exe
                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                    3⤵
                      PID:820
                      • C:\Windows\system32\Dwm.exe
                        "C:\Windows\system32\Dwm.exe"
                        4⤵
                          PID:1172
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k netsvcs
                        3⤵
                          PID:848
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService
                          3⤵
                            PID:972
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k NetworkService
                            3⤵
                              PID:280
                            • C:\Windows\System32\spoolsv.exe
                              C:\Windows\System32\spoolsv.exe
                              3⤵
                                PID:340
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                                3⤵
                                  PID:1076
                                • C:\Windows\system32\taskhost.exe
                                  "taskhost.exe"
                                  3⤵
                                    PID:1116
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                    3⤵
                                      PID:2948
                                    • C:\Windows\system32\sppsvc.exe
                                      C:\Windows\system32\sppsvc.exe
                                      3⤵
                                        PID:3044
                                      • C:\Windows\ggmiuy.exe
                                        C:\Windows\ggmiuy.exe
                                        3⤵
                                        • Executes dropped EXE
                                        • Checks processor information in registry
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious behavior: MapViewOfSection
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2384
                                    • C:\Windows\system32\lsass.exe
                                      C:\Windows\system32\lsass.exe
                                      2⤵
                                        PID:496
                                      • C:\Windows\system32\lsm.exe
                                        C:\Windows\system32\lsm.exe
                                        2⤵
                                          PID:504
                                      • C:\Windows\system32\csrss.exe
                                        %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                        1⤵
                                          PID:400
                                        • C:\Windows\system32\winlogon.exe
                                          winlogon.exe
                                          1⤵
                                            PID:436
                                          • C:\Windows\Explorer.EXE
                                            C:\Windows\Explorer.EXE
                                            1⤵
                                              PID:1208
                                              • C:\Users\Admin\AppData\Local\Temp\4f8f68c87060b025a048a61a18250610867b7ee1cea0686e6b27e6c870777baf.exe
                                                "C:\Users\Admin\AppData\Local\Temp\4f8f68c87060b025a048a61a18250610867b7ee1cea0686e6b27e6c870777baf.exe"
                                                2⤵
                                                • Drops file in System32 directory
                                                • Drops file in Windows directory
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious behavior: MapViewOfSection
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of WriteProcessMemory
                                                PID:1688
                                            • C:\Users\Admin\AppData\Local\Temp\3684688119\zmstage.exe
                                              C:\Users\Admin\AppData\Local\Temp\3684688119\zmstage.exe
                                              1⤵
                                                PID:2832

                                              Network

                                                    MITRE ATT&CK Enterprise v15

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • C:\Windows\ggmiuy.exe
                                                      Filesize

                                                      73KB

                                                      MD5

                                                      6dbdeca47da21451535678f2c6dc17e8

                                                      SHA1

                                                      dbdb639b6c562f4845fc836c7faa445d33861a74

                                                      SHA256

                                                      4f8f68c87060b025a048a61a18250610867b7ee1cea0686e6b27e6c870777baf

                                                      SHA512

                                                      5f0c874bacb922e1901b9af94479cabe493bccfe8e06c30f93bd231278019c5a4a27415a4eeece598dc00cc729eff006e8a7f94cd1a924a521e3084bf9ba7d4e

                                                      Download Submit

                                                    • memory/1688-0-0x0000000000400000-0x0000000000415000-memory.dmp

                                                      Filesize

                                                      84KB

                                                      Download

                                                    • memory/1688-2-0x0000000076FDF000-0x0000000076FE0000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1688-3-0x0000000076FE0000-0x0000000076FE1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1688-7-0x0000000076FDF000-0x0000000076FE0000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1688-6-0x0000000076FE0000-0x0000000076FE1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1688-8-0x000000007EF90000-0x000000007EF9C000-memory.dmp

                                                      Filesize

                                                      48KB

                                                      Download

                                                    • memory/1688-10-0x000000007EF90000-0x000000007EF9C000-memory.dmp

                                                      Filesize

                                                      48KB

                                                      Download

                                                    • memory/1688-9-0x0000000000400000-0x0000000000415000-memory.dmp

                                                      Filesize

                                                      84KB

                                                      Download

                                                    • memory/2384-5-0x0000000000400000-0x0000000000415000-memory.dmp

                                                      Filesize

                                                      84KB

                                                      Download

                                                    • memory/2384-11-0x0000000000400000-0x0000000000415000-memory.dmp

                                                      Filesize

                                                      84KB

                                                      Download