Analysis Overview
SHA256
de5512870659824110a206fb3f960bb8dd913c981fc0eb87cf2f49159436d78b
Threat Level: Likely malicious
The file erdre gdps.7z was found to be: Likely malicious.
Malicious Activity Summary
Modifies Installed Components in the registry
Executes dropped EXE
Checks installed software on the system
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-18 10:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 10:11
Reported
2024-06-18 10:12
Platform
win10v2004-20240611-en
Max time kernel
45s
Max time network
74s
Command Line
Signatures
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-KS422.tmp\erdre GDPS install.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe | N/A |
Checks installed software on the system
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4204450073-1267028356-951339405-1000\{16317FB1-2E2C-49FD-8F3D-D7518D0C658D} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4204450073-1267028356-951339405-1000\{87B1BBA4-4E6B-48AC-BD42-8D3385CF0D4B} | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-KS422.tmp\erdre GDPS install.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-KS422.tmp\erdre GDPS install.tmp | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-KS422.tmp\erdre GDPS install.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
Process launches in order of observation; consecutive identical launches are collapsed into one row with their instance count.

| Instances | Process | Command line |
| --- | --- | --- |
| 1 | C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe | "C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe" |
| 1 | C:\Users\Admin\AppData\Local\Temp\is-KS422.tmp\erdre GDPS install.tmp | "C:\Users\Admin\AppData\Local\Temp\is-KS422.tmp\erdre GDPS install.tmp" /SL5="$401E8,775972,730112,C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe" |
| 1 | C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe | "C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe" |
| 1 | C:\Windows\system32\cmd.exe | "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6E5A.tmp\6E6A.tmp\6E6B.bat "C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe"" |
| 1 | C:\Windows\system32\chcp.com | chcp 1251 |
| 1 | C:\Windows\system32\taskkill.exe | Taskkill /f /im explorer.exe |
| 1 | C:\Windows\system32\shutdown.exe | shutdown /r |
| 1 | C:\Windows\explorer.exe | explorer |
| 1 | C:\Windows\system32\taskkill.exe | taskkill /f /IM explorer.exe |
| 3 | C:\Windows\system32\calc.exe | calc |
| 1 | C:\Windows\explorer.exe | explorer |
| 8 | C:\Windows\system32\calc.exe | calc |
| 1 | C:\Windows\system32\mspaint.exe | mspaint |
| 15 | C:\Windows\explorer.exe | explorer |
| 18 | C:\Windows\system32\charmap.exe | charmap |
| 1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService |
| 11 | C:\Windows\system32\charmap.exe | charmap |
| 11 | C:\Windows\system32\OpenWith.exe | C:\Windows\system32\OpenWith.exe -Embedding |
| 1 | C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding |
| 1 | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| 1 | C:\Windows\system32\LogonUI.exe | "LogonUI.exe" /flags:0x4 /state0:0xa3963855 /state1:0x41c64e6d |
| 1 | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| 1 | C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding |
| 2 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| 1 | C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding |
| 2 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| 3 | C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding |
| 1 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| 5 | C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding |
| 1 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| 1 | C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding |
| 1 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| 1 | C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding |
| 2 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| 3 | C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
Files
memory/640-0-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/640-2-0x0000000000401000-0x00000000004A9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-KS422.tmp\erdre GDPS install.tmp
| Hash | Value |
| --- | --- |
| MD5 | fe9bea77f231fb8526ce2a8a2ccd58dc |
| SHA1 | 0c502b1e730e1274e90e08b35cb5f62430db3862 |
| SHA256 | 0b91ffec7e9c97010e43860f019ce22f5378efda2b4d9761240290c907a92eb7 |
| SHA512 | c6cda66ce548c060ba89760edb6790133da38f41c9ab19563ffabd6debab463d71efa1041905acc950e415a2180e95eef63670b1ec81ccd35ea3aae01c3a3855 |
memory/3540-6-0x0000000000400000-0x00000000006F3000-memory.dmp
memory/640-8-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/3540-9-0x0000000000400000-0x00000000006F3000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe
| Hash | Value |
| --- | --- |
| MD5 | 1f2cec484d93617fa81ecff025ebd981 |
| SHA1 | 2a0e9083aa48236edd47a140380b800dc56579c1 |
| SHA256 | 2aac7fa52b946aaad1e84bf0175a7568d89472e88eda1dc725081288ba2271d8 |
| SHA512 | 57c1b3aa98a0facad57e285d6552de42450df04d8c97a4cb4374bc05df80c9e63a5809a6f2c5735e77c470b2fde438d76b423326819b4c931bec6ea08501e562 |
memory/3540-26-0x0000000000400000-0x00000000006F3000-memory.dmp
memory/640-28-0x0000000000400000-0x00000000004C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6E5A.tmp\6E6A.tmp\6E6B.bat
| Hash | Value |
| --- | --- |
| MD5 | d46f641fd04723e353e062eff5679ef6 |
| SHA1 | 319637221e4edaf0d59836285d065e58542afbdb |
| SHA256 | 94c2dac57889d420b04efcc085787c1e82468c1d6a283545f6b73f8989dacb74 |
| SHA512 | 9d166240aa9eb2c0197da3154914f86dd83a7188093a98f13adf8fce60d137bb77355f1f7e182a309fda14897ed76cab7e6beed2a1bc542e4729e38142dc734b |
memory/1696-36-0x000001FB6E400000-0x000001FB6E500000-memory.dmp
memory/1696-37-0x000001FB6E400000-0x000001FB6E500000-memory.dmp
memory/1696-40-0x000001FB6F320000-0x000001FB6F340000-memory.dmp
memory/1696-51-0x000001FB6F2E0000-0x000001FB6F300000-memory.dmp
memory/1696-71-0x000001FB6F900000-0x000001FB6F920000-memory.dmp
memory/388-89-0x0000000003460000-0x0000000003461000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133631791517407389.txt
| Hash | Value |
| --- | --- |
| MD5 | ec861d1b31e9e99a4a6548f1e0b504e1 |
| SHA1 | 8bf1243597aba54793caf29c5e6c258507f15652 |
| SHA256 | 9dcf45126bd51fcc0ef73e54cc07f8eec145bc17eef189acd15fba199972d7da |
| SHA512 | 30cf8103a2043fd7b1a54ce06ff2ca14ba382040297a177fc612bcf55878f9d0abbe3f7ea0e7be6b6981f7c67f8be09d77730670365af3d52a1e25640a224ffd |