Malware Analysis Report

2024-10-16 06:41

Sample ID 240618-l3pq8aydqc
Target erdre gdps.7z
SHA256 de5512870659824110a206fb3f960bb8dd913c981fc0eb87cf2f49159436d78b
Score 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file erdre gdps.7z was found to show suspicious behavior.

Malicious Activity Summary

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-18 10:03

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-18 10:03

Reported

2024-06-18 10:06

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

58s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\erdre gdps\desktop.ini"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\erdre gdps\desktop.ini"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-18 10:03

Reported

2024-06-18 10:06

Platform

win7-20240508-en

Max time kernel

117s

Max time network

118s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\erdre gdps\readme"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\erdre gdps\readme"

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 10:03

Reported

2024-06-18 10:04

Platform

win7-20240508-en

Max time kernel

18s

Max time network

16s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\erdre gdps.7z"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3008 wrote to memory of 2676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 3008 wrote to memory of 2676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 3008 wrote to memory of 2676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\erdre gdps.7z"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\erdre gdps.7z

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 10:03

Reported

2024-06-18 10:06

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\erdre gdps.7z"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\erdre gdps.7z"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-18 10:03

Reported

2024-06-18 10:06

Platform

win7-20240220-en

Max time kernel

122s

Max time network

124s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\erdre gdps\desktop.ini"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\erdre gdps\desktop.ini"

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-18 10:03

Reported

2024-06-18 10:06

Platform

win7-20240611-en

Max time kernel

140s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-U4PMU.tmp\erdre GDPS install.tmp | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe

"C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"

C:\Users\Admin\AppData\Local\Temp\is-U4PMU.tmp\erdre GDPS install.tmp

"C:\Users\Admin\AppData\Local\Temp\is-U4PMU.tmp\erdre GDPS install.tmp" /SL5="$30130,775972,730112,C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"

Network

N/A

Files

memory/2112-0-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/2112-2-0x0000000000401000-0x00000000004A9000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-U4PMU.tmp\erdre GDPS install.tmp

MD5 fe9bea77f231fb8526ce2a8a2ccd58dc
SHA1 0c502b1e730e1274e90e08b35cb5f62430db3862
SHA256 0b91ffec7e9c97010e43860f019ce22f5378efda2b4d9761240290c907a92eb7
SHA512 c6cda66ce548c060ba89760edb6790133da38f41c9ab19563ffabd6debab463d71efa1041905acc950e415a2180e95eef63670b1ec81ccd35ea3aae01c3a3855

memory/892-8-0x0000000000400000-0x00000000006F3000-memory.dmp

memory/2112-10-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/892-11-0x0000000000400000-0x00000000006F3000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-18 10:03

Reported

2024-06-18 10:06

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe

"C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"

C:\Users\Admin\AppData\Local\Temp\is-72RSK.tmp\erdre GDPS install.tmp

"C:\Users\Admin\AppData\Local\Temp\is-72RSK.tmp\erdre GDPS install.tmp" /SL5="$600EC,775972,730112,C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

memory/1944-0-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/1944-2-0x0000000000401000-0x00000000004A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-72RSK.tmp\erdre GDPS install.tmp

MD5 fe9bea77f231fb8526ce2a8a2ccd58dc
SHA1 0c502b1e730e1274e90e08b35cb5f62430db3862
SHA256 0b91ffec7e9c97010e43860f019ce22f5378efda2b4d9761240290c907a92eb7
SHA512 c6cda66ce548c060ba89760edb6790133da38f41c9ab19563ffabd6debab463d71efa1041905acc950e415a2180e95eef63670b1ec81ccd35ea3aae01c3a3855

memory/1040-6-0x0000000000400000-0x00000000006F3000-memory.dmp

memory/1944-8-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/1040-9-0x0000000000400000-0x00000000006F3000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-18 10:03

Reported

2024-06-18 10:06

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\erdre gdps\readme"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\erdre gdps\readme"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

N/A