Overview

overview

7

Static

static

3

GTweak.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    128s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/06/2024, 21:46

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    GTweak.exe

  • Size

    2.0MB

  • MD5

    f39e25a531547d491058b65987601a08

  • SHA1

    2aff7da8a4b750885426410ecba9b16e10ccaa9b

  • SHA256

    6e340e96092a63bc7155da8c95dcb8e53917a29c6b9e0e426cf45501aa4743d1

  • SHA512

    1b6871251e08eae53abf8fc2ed7bc9af1cfc4b672c9986c7962fd525d5dff266551d7e0e1d5aee9f0909e1229571b275cba13706888c1f3806a60468b598891a

  • SSDEEP

    49152:voiu/jCF/nrH1LkOVUQkqXfd+/9AqAanTmV1:voiu74/nrVgCkqXf0FPAWW

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Control Panel 3 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 59 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\GTweak.exe
    "C:\Users\Admin\AppData\Local\Temp\GTweak.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c chcp 65001 & netsh interface teredo show state & netsh int ipv6 isatap show state & netsh interface isatap show state & netsh int ipv6 6to4 show state
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4232
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2528
        • C:\Windows\system32\netsh.exe
          netsh interface teredo show state
          3⤵
            PID:2268
          • C:\Windows\system32\netsh.exe
            netsh int ipv6 isatap show state
            3⤵
              PID:3780
            • C:\Windows\system32\netsh.exe
              netsh interface isatap show state
              3⤵
                PID:4772
              • C:\Windows\system32\netsh.exe
                netsh int ipv6 6to4 show state
                3⤵
                  PID:1460
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" Get-AppxPackage | select Name | ft -hide
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:996
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c sc config wbengine start= demand
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:4356
                • C:\Windows\system32\sc.exe
                  sc config wbengine start= demand
                  3⤵
                  • Launches sc.exe
                  PID:924
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c rstrui.exe
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:4032
                • C:\Windows\system32\rstrui.exe
                  rstrui.exe
                  3⤵
                  • Drops file in Windows directory
                  PID:4232
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients" /v "{09F7EDC5 - 294E-4180 - AF6A - FB0E6A0E9513}" /t REG_MULTI_SZ /d "1" /f
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:2360
                • C:\Windows\system32\reg.exe
                  reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients" /v "{09F7EDC5 - 294E-4180 - AF6A - FB0E6A0E9513}" /t REG_MULTI_SZ /d "1" /f
                  3⤵
                    PID:4976
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c sc config swprv start= demand
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3548
                  • C:\Windows\system32\sc.exe
                    sc config swprv start= demand
                    3⤵
                    • Launches sc.exe
                    PID:3036
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c sc config vds start= demand
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4436
                  • C:\Windows\system32\sc.exe
                    sc config vds start= demand
                    3⤵
                    • Launches sc.exe
                    PID:1756
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c sc config VSS start= demand
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4416
                  • C:\Windows\system32\sc.exe
                    sc config VSS start= demand
                    3⤵
                    • Launches sc.exe
                    PID:4752
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell.exe" Get-ComputerRestorePoint | Where-Object {$_.Description -ne 'Точка созданная с помощью GTweak' -and $_.Description -ne 'A point created with a GTweak'} | Select-Object EventType | ft -hide
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4224
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell.exe" Get-ComputerRestorePoint | Where-Object {$_.Description -ne 'Точка созданная с помощью GTweak' -and $_.Description -ne 'A point created with a GTweak'} | Select-Object EventType | ft -hide
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:876
              • C:\Windows\system32\wbem\WmiApSrv.exe
                C:\Windows\system32\wbem\WmiApSrv.exe
                1⤵
                  PID:2448
                • C:\Windows\system32\wbengine.exe
                  "C:\Windows\system32\wbengine.exe"
                  1⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:824
                • C:\Windows\system32\vssvc.exe
                  C:\Windows\system32\vssvc.exe
                  1⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3164
                • C:\Windows\System32\vdsldr.exe
                  C:\Windows\System32\vdsldr.exe -Embedding
                  1⤵
                    PID:2428
                  • C:\Windows\System32\vds.exe
                    C:\Windows\System32\vds.exe
                    1⤵
                    • Checks SCSI registry key(s)
                    PID:4984
                  • C:\Windows\system32\AUDIODG.EXE
                    C:\Windows\system32\AUDIODG.EXE 0x4f0 0x240
                    1⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2964

                  Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\GTweak\Sound.mp3
                          Filesize

                          54KB

                          MD5

                          b86ba925e9ee812edf9b05a69d4ce27e

                          SHA1

                          dd91cb8df56c4d580ae82cca1847ad94fdc1c1e3

                          SHA256

                          11e7e7402ad550ff8961e83e34c54abe02eee884365c878689fb4d5bbb6f021a

                          SHA512

                          8ab3567e4c4d09736ede5a74147f9b0b56e3c35a412e5d974ac000599e7045adfbea36807579b536e7241e821b00f5805772d86868524ba2c2668ee22df984f8

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                          Filesize

                          3KB

                          MD5

                          958ec9d245aa0e4bd5d05bbdb37475f4

                          SHA1

                          80e6d2c6a85922cb83b9fea874320e9c53740bd9

                          SHA256

                          a01df48cd7398ad6894bc40d27fb024dcdda87a3315934e5452a2a3e7dfb371d

                          SHA512

                          82567b9f898238e38b3b6b3cdb2565be8cac08788e612564c6ac1545f161cd5c545ba833946cc6f0954f38f066a20c9a4922a09f7d37604c71c8f0e7e46a59ec

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
                          Filesize

                          64KB

                          MD5

                          c374c25875887db7d072033f817b6ce1

                          SHA1

                          3a6d10268f30e42f973dadf044dba7497e05cdaf

                          SHA256

                          05d47b87b577841cc40db176ea634ec49b0b97066e192e1d48d84bb977e696b6

                          SHA512

                          6a14f81a300695c09cb335c13155144e562c86bb0ddfdcab641eb3a168877ad3fcc0579ad86162622998928378ea2ffe5a244b3ddbe6c11a959dbb34af374a7d

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
                          Filesize

                          9KB

                          MD5

                          7050d5ae8acfbe560fa11073fef8185d

                          SHA1

                          5bc38e77ff06785fe0aec5a345c4ccd15752560e

                          SHA256

                          cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

                          SHA512

                          a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          55402b46a8b1fcb1e68683f07f15e452

                          SHA1

                          4e590f83da76e879040ef7250c3f104903e06e2d

                          SHA256

                          6ef81b848ab6548f316457a4d3e3aebb1bfaee3e50a0a714b3aa418847442072

                          SHA512

                          84c10912410a9f7fc270c72132b85199ac0f6c728baae9305133ad66754eb32d2e755bdc7adf92b66c0836e088b6c91b55e4f8a88a097f12ba149decb9596d38

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          b4e9229b9b2edd0da4caf755a16d442a

                          SHA1

                          3e0687dd379f26ed3e21469f0bcc9742936b7963

                          SHA256

                          a7263efd2db975903cea497ad2364cf0dc0b3d57871149ad0980b192fc2f0b40

                          SHA512

                          658fb0f7eddedb9ab7d5d66bb006cb54efb8e523bd3ff3b58664c00183f574659dccdc9a1d685489c5826fb5fa81cb1a6d02acd566b319cda816d9851d42d379

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pngstwb3.fiy.ps1
                          Filesize

                          60B

                          MD5

                          d17fe0a3f47be24a6453e9ef58c94641

                          SHA1

                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                          SHA256

                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                          SHA512

                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          Download Submit

                        • memory/996-19-0x00000247F2120000-0x00000247F2142000-memory.dmp

                          Filesize

                          136KB

                          Download

                        • memory/996-23-0x00000247F23F0000-0x00000247F2416000-memory.dmp

                          Filesize

                          152KB

                          Download

                        • memory/996-22-0x00000247F2150000-0x00000247F215A000-memory.dmp

                          Filesize

                          40KB

                          Download

                        • memory/996-21-0x00000247F2170000-0x00000247F2186000-memory.dmp

                          Filesize

                          88KB

                          Download

                        • memory/3128-26-0x000001EC4E9E0000-0x000001EC4E9E8000-memory.dmp

                          Filesize

                          32KB

                          Download

                        • memory/3128-32-0x00007FFC39400000-0x00007FFC39EC1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3128-9-0x000001EC4E930000-0x000001EC4E988000-memory.dmp

                          Filesize

                          352KB

                          Download

                        • memory/3128-8-0x00007FFC39400000-0x00007FFC39EC1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3128-6-0x000001EC52490000-0x000001EC524C8000-memory.dmp

                          Filesize

                          224KB

                          Download

                        • memory/3128-0-0x00007FFC39403000-0x00007FFC39405000-memory.dmp

                          Filesize

                          8KB

                          Download

                        • memory/3128-27-0x00007FFC39400000-0x00007FFC39EC1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3128-28-0x00007FFC39403000-0x00007FFC39405000-memory.dmp

                          Filesize

                          8KB

                          Download

                        • memory/3128-29-0x00007FFC39400000-0x00007FFC39EC1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3128-30-0x00007FFC39400000-0x00007FFC39EC1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3128-31-0x00007FFC39400000-0x00007FFC39EC1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3128-20-0x000001EC53ED0000-0x000001EC53F82000-memory.dmp

                          Filesize

                          712KB

                          Download

                        • memory/3128-33-0x00007FFC39400000-0x00007FFC39EC1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3128-34-0x000001EC4E920000-0x000001EC4E92C000-memory.dmp

                          Filesize

                          48KB

                          Download

                        • memory/3128-7-0x000001EC51FD0000-0x000001EC51FDE000-memory.dmp

                          Filesize

                          56KB

                          Download

                        • memory/3128-5-0x00007FFC39400000-0x00007FFC39EC1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3128-4-0x00007FFC39400000-0x00007FFC39EC1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3128-3-0x00007FFC39400000-0x00007FFC39EC1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/3128-2-0x000001EC32B00000-0x000001EC32B1A000-memory.dmp

                          Filesize

                          104KB

                          Download

                        • memory/3128-1-0x000001EC32530000-0x000001EC3272E000-memory.dmp

                          Filesize

                          2.0MB

                          Download

                        • memory/3128-89-0x000001EC52000000-0x000001EC52008000-memory.dmp

                          Filesize

                          32KB

                          Download