Resubmissions

18-06-2024 10:26

240618-mglccatcpr 8

18-06-2024 10:22

240618-mefdbatbrp 4

18-06-2024 10:17

240618-mblqxsyglg 8

18-06-2024 10:15

240618-majvyaygje 8

18-06-2024 10:13

240618-l9cp8stakr 7

18-06-2024 10:11

240618-l7x86ayfke 8

18-06-2024 10:08

240618-l6ds5ayenh 8

18-06-2024 10:05

240618-l4jatssgmp 8

18-06-2024 10:03

240618-l3pq8aydqc 7

Analysis

  • max time kernel
    46s
  • max time network
    27s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    18-06-2024 10:13

General

  • Target

    erdre gdps/erdre GDPS install.exe

  • Size

    1.6MB

  • MD5

    3d266248c5b1c72bc74474f0dc5faf10

  • SHA1

    9462f26700a5c8fa7e4c4529799c8f5a7bd24381

  • SHA256

    d628ff4a5c320986919947540a8ac6c453ceefeb3167ec7930e744da77ac3a1d

  • SHA512

    2969e21eb6ef4db7eee7b5b4afa3bdff437be0ccc3ca4238847e256e84dd76e539baf991d709fa9a3dac74e3df2c6376bce7094c8e8392978210b24859b41941

  • SSDEEP

    24576:sawwKusHwEwSimy1d/v1SnxSGM1aXzV6YjDty+YTUxyVl:MwRED2d/vMxgajVxQ++U4D

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe
    "C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Users\Admin\AppData\Local\Temp\is-T09VN.tmp\erdre GDPS install.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-T09VN.tmp\erdre GDPS install.tmp" /SL5="$5014C,775972,730112,C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:768
      • C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe
        "C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2572
        • C:\Windows\system32\cmd.exe
          "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7964.tmp\7965.tmp\7966.bat "C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2164
          • C:\Windows\system32\chcp.com
            chcp 1251
            5⤵
              PID:1824
            • C:\Windows\system32\taskkill.exe
              Taskkill /f /im explorer.exe
              5⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1264

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7964.tmp\7965.tmp\7966.bat

      Filesize

      1KB

      MD5

      d46f641fd04723e353e062eff5679ef6

      SHA1

      319637221e4edaf0d59836285d065e58542afbdb

      SHA256

      94c2dac57889d420b04efcc085787c1e82468c1d6a283545f6b73f8989dacb74

      SHA512

      9d166240aa9eb2c0197da3154914f86dd83a7188093a98f13adf8fce60d137bb77355f1f7e182a309fda14897ed76cab7e6beed2a1bc542e4729e38142dc734b

    • \Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe

      Filesize

      100KB

      MD5

      1f2cec484d93617fa81ecff025ebd981

      SHA1

      2a0e9083aa48236edd47a140380b800dc56579c1

      SHA256

      2aac7fa52b946aaad1e84bf0175a7568d89472e88eda1dc725081288ba2271d8

      SHA512

      57c1b3aa98a0facad57e285d6552de42450df04d8c97a4cb4374bc05df80c9e63a5809a6f2c5735e77c470b2fde438d76b423326819b4c931bec6ea08501e562

    • \Users\Admin\AppData\Local\Programs\erdre GDPS\unins000.exe

      Filesize

      2.9MB

      MD5

      78cc109e79e5ad00bfcdb163482e27a1

      SHA1

      d18113b37d2fa5b049a5c1753b1a4c25f5e004a5

      SHA256

      5597795862db5b9253dfb740feef39ba2af1d822aaa2749f59b79d7a14a37a10

      SHA512

      42c9c973164ff0b0424f68355edb6a00521f331af282eb30c187624fc1beaa65bb2c914268b29822a53c01e093aa26ce1ef1159a56e842c984b4084c0c8e04c4

    • \Users\Admin\AppData\Local\Temp\is-T09VN.tmp\erdre GDPS install.tmp

      Filesize

      2.9MB

      MD5

      fe9bea77f231fb8526ce2a8a2ccd58dc

      SHA1

      0c502b1e730e1274e90e08b35cb5f62430db3862

      SHA256

      0b91ffec7e9c97010e43860f019ce22f5378efda2b4d9761240290c907a92eb7

      SHA512

      c6cda66ce548c060ba89760edb6790133da38f41c9ab19563ffabd6debab463d71efa1041905acc950e415a2180e95eef63670b1ec81ccd35ea3aae01c3a3855

    • memory/768-8-0x0000000000400000-0x00000000006F3000-memory.dmp

      Filesize

      2.9MB

    • memory/768-10-0x0000000000400000-0x00000000006F3000-memory.dmp

      Filesize

      2.9MB

    • memory/768-13-0x0000000000400000-0x00000000006F3000-memory.dmp

      Filesize

      2.9MB

    • memory/768-37-0x0000000000400000-0x00000000006F3000-memory.dmp

      Filesize

      2.9MB

    • memory/816-12-0x0000000000400000-0x00000000004C0000-memory.dmp

      Filesize

      768KB

    • memory/816-9-0x0000000000400000-0x00000000004C0000-memory.dmp

      Filesize

      768KB

    • memory/816-2-0x0000000000401000-0x00000000004A9000-memory.dmp

      Filesize

      672KB

    • memory/816-39-0x0000000000400000-0x00000000004C0000-memory.dmp

      Filesize

      768KB

    • memory/816-0-0x0000000000400000-0x00000000004C0000-memory.dmp

      Filesize

      768KB