Analysis Overview
SHA256
de5512870659824110a206fb3f960bb8dd913c981fc0eb87cf2f49159436d78b
Threat Level: Shows suspicious behavior
The file erdre gdps.7z was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-18 10:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-18 10:03
Reported
2024-06-18 10:06
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
58s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\erdre gdps\desktop.ini"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-18 10:03
Reported
2024-06-18 10:06
Platform
win7-20240508-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\erdre gdps\readme"
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 10:03
Reported
2024-06-18 10:04
Platform
win7-20240508-en
Max time kernel
18s
Max time network
16s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3008 wrote to memory of 2676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3008 wrote to memory of 2676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3008 wrote to memory of 2676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\erdre gdps.7z"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\erdre gdps.7z
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-18 10:03
Reported
2024-06-18 10:06
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\erdre gdps.7z"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-18 10:03
Reported
2024-06-18 10:06
Platform
win7-20240220-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\erdre gdps\desktop.ini"
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-18 10:03
Reported
2024-06-18 10:06
Platform
win7-20240611-en
Max time kernel
140s
Max time network
118s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-U4PMU.tmp\erdre GDPS install.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe
"C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"
C:\Users\Admin\AppData\Local\Temp\is-U4PMU.tmp\erdre GDPS install.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U4PMU.tmp\erdre GDPS install.tmp" /SL5="$30130,775972,730112,C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"
Network
Files
memory/2112-0-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2112-2-0x0000000000401000-0x00000000004A9000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-U4PMU.tmp\erdre GDPS install.tmp
| MD5 | fe9bea77f231fb8526ce2a8a2ccd58dc |
| SHA1 | 0c502b1e730e1274e90e08b35cb5f62430db3862 |
| SHA256 | 0b91ffec7e9c97010e43860f019ce22f5378efda2b4d9761240290c907a92eb7 |
| SHA512 | c6cda66ce548c060ba89760edb6790133da38f41c9ab19563ffabd6debab463d71efa1041905acc950e415a2180e95eef63670b1ec81ccd35ea3aae01c3a3855 |
memory/892-8-0x0000000000400000-0x00000000006F3000-memory.dmp
memory/2112-10-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/892-11-0x0000000000400000-0x00000000006F3000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-18 10:03
Reported
2024-06-18 10:06
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
51s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-72RSK.tmp\erdre GDPS install.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1944 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe | C:\Users\Admin\AppData\Local\Temp\is-72RSK.tmp\erdre GDPS install.tmp |
| PID 1944 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe | C:\Users\Admin\AppData\Local\Temp\is-72RSK.tmp\erdre GDPS install.tmp |
| PID 1944 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe | C:\Users\Admin\AppData\Local\Temp\is-72RSK.tmp\erdre GDPS install.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe
"C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"
C:\Users\Admin\AppData\Local\Temp\is-72RSK.tmp\erdre GDPS install.tmp
"C:\Users\Admin\AppData\Local\Temp\is-72RSK.tmp\erdre GDPS install.tmp" /SL5="$600EC,775972,730112,C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/1944-0-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/1944-2-0x0000000000401000-0x00000000004A9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-72RSK.tmp\erdre GDPS install.tmp
| MD5 | fe9bea77f231fb8526ce2a8a2ccd58dc |
| SHA1 | 0c502b1e730e1274e90e08b35cb5f62430db3862 |
| SHA256 | 0b91ffec7e9c97010e43860f019ce22f5378efda2b4d9761240290c907a92eb7 |
| SHA512 | c6cda66ce548c060ba89760edb6790133da38f41c9ab19563ffabd6debab463d71efa1041905acc950e415a2180e95eef63670b1ec81ccd35ea3aae01c3a3855 |
memory/1040-6-0x0000000000400000-0x00000000006F3000-memory.dmp
memory/1944-8-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/1040-9-0x0000000000400000-0x00000000006F3000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-18 10:03
Reported
2024-06-18 10:06
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\erdre gdps\readme"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |