96ba623b49bc0e546b7c0d66a0cfeb457cdb882700ceacc424468cf4998ec5bc

General

Target

Gadenis.exe
Size

781KB
MD5

71b95442443e68968a6b57695b0a7c3a
SHA1

9c6704a948d1738c152d6b2eb661802aa5238490
SHA256

96ba623b49bc0e546b7c0d66a0cfeb457cdb882700ceacc424468cf4998ec5bc
SHA512

1a7769780611876c7fa32ba8f204c22df8c0a73a792544c59203775212572358c5cce52e8f9973a1fb4c97d0bc9861b79c40c243c56242d8a33918fe95be0fd6
SSDEEP

12288:HoRcAm7QW7JlbJjyToYhRnOdwn52ruFSWgoxxvPZj3WN3dn9KYoh6STqaVRsyJaF:HoCn7NdORKsEruwWDPZjmn9K9h6SmY

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/220-0-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/220-27-0x0000000000400000-0x00000000004D5000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	cmd.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	508	WScript.exe
Token: SeCreatePagefilePrivilege	508	WScript.exe
Token: 33	588	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	588	AUDIODG.EXE
Token: SeShutdownPrivilege	508	WScript.exe
Token: SeCreatePagefilePrivilege	508	WScript.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 3544	220	Gadenis.exe	74
PID 220 wrote to memory of 3544	220	Gadenis.exe	74
PID 3544 wrote to memory of 508	3544	cmd.exe	77
PID 3544 wrote to memory of 508	3544	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\Gadenis.exe
"C:\Users\Admin\AppData\Local\Temp\Gadenis.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\762A.tmp\762B.tmp\762C.bat C:\Users\Admin\AppData\Local\Temp\Gadenis.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3544
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\g.VBS"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:508

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2bc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\762A.tmp\762B.tmp\762C.bat

Filesize
27B

MD5
f7797a987e496cd654125fe3bac95c14

SHA1
7cba1d358434ca024a7180b773f9f0f144b918f9

SHA256
0fea6030305df43e8555f79806142eee57f3df68476ba3de9713c0cdc12d96c0

SHA512
f9aead43b503882eca3b33775e38f287e4c541b17f2338f5324720a7a550f83cba9bc9a5420c32c33192dff076b2fedfe2f9e0963174253b306e6fc3c68926f4

Download Submit
C:\Users\Admin\AppData\Roaming\99.mp3

Filesize
743KB

MD5
b8b28136f2f3368edf2328945976d086

SHA1
ccb5bec232adc415da187b114913429d613a252b

SHA256
26429917113c9880cc48fb382a82ce301112270b6133a6a57b0b48c47839cbc8

SHA512
7909f5d0853701f1415f445304b54375a7e6011e112f489b39ee48578664ba9b1f3ce217c429236c25d9e1beb916d7762d8a05437d40eb31a61efe376e21446c

Download Submit
C:\Users\Admin\AppData\Roaming\g.VBS

Filesize
114B

MD5
2a8ff4a916ef8c709834ca6c01a9b82b

SHA1
293199e83a300133444bec524fa8554a6650f44d

SHA256
bb44658dfa13b55f495d85cfdd6d41d51cf0c5cf92e476ef5f795a01974ca66d

SHA512
a9d4233b020129071acab6f702c95aa86a6c5bf60ac7b4df8ed71e7424933d11d689417c838574d33c1a0a8f1d96591d700840793ac3f50e1565c88352d236ed

Download Submit
memory/220-0-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/220-27-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download

Analysis

Sharing