Resubmissions
Submitted | Analysis ID | Score
18-06-2024 10:26 | 240618-mglccatcpr | 8
18-06-2024 10:22 | 240618-mefdbatbrp | 4
18-06-2024 10:17 | 240618-mblqxsyglg | 8
18-06-2024 10:15 | 240618-majvyaygje | 8
18-06-2024 10:13 | 240618-l9cp8stakr | 7
18-06-2024 10:11 | 240618-l7x86ayfke | 8
18-06-2024 10:08 | 240618-l6ds5ayenh | 8
18-06-2024 10:05 | 240618-l4jatssgmp | 8
18-06-2024 10:03 | 240618-l3pq8aydqc | 7
Analysis
max time kernel: 46s
max time network: 27s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 18-06-2024 10:13
Static task: static1
Behavioral task: behavioral1
Sample: erdre gdps/erdre GDPS install.exe
Resource: win7-20240611-en
General
Target: erdre gdps/erdre GDPS install.exe
Size: 1.6MB
MD5: 3d266248c5b1c72bc74474f0dc5faf10
SHA1: 9462f26700a5c8fa7e4c4529799c8f5a7bd24381
SHA256: d628ff4a5c320986919947540a8ac6c453ceefeb3167ec7930e744da77ac3a1d
SHA512: 2969e21eb6ef4db7eee7b5b4afa3bdff437be0ccc3ca4238847e256e84dd76e539baf991d709fa9a3dac74e3df2c6376bce7094c8e8392978210b24859b41941
SSDEEP: 24576:sawwKusHwEwSimy1d/v1SnxSGM1aXzV6YjDty+YTUxyVl:MwRED2d/vMxgajVxQ++U4D
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes (pid, process):
  768: erdre GDPS install.tmp
  2572: erdresem`s GDPS.exe

Loads dropped DLL (5 IoCs)
Processes (pid, process):
  816: erdre GDPS install.exe
  768: erdre GDPS install.tmp (4 entries)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (1 IoCs)
Processes (pid, process):
  1264: taskkill.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid, process):
  768: erdre GDPS install.tmp (2 entries)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege, 1264, taskkill.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes (pid, process):
  768: erdre GDPS install.tmp

Suspicious use of WriteProcessMemory (21 IoCs)
Processes (description, pid, process, target process):
  PID 816 wrote to memory of 768: erdre GDPS install.exe -> erdre GDPS install.tmp (7 entries)
  PID 768 wrote to memory of 2572: erdre GDPS install.tmp -> erdresem`s GDPS.exe (4 entries)
  PID 2572 wrote to memory of 2164: erdresem`s GDPS.exe -> cmd.exe (4 entries)
  PID 2164 wrote to memory of 1824: cmd.exe -> chcp.com (3 entries)
  PID 2164 wrote to memory of 1264: cmd.exe -> taskkill.exe (3 entries)
Processes (process tree; the leading number is the depth in the tree)
1. C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"
   PID: 816
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\is-T09VN.tmp\erdre GDPS install.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-T09VN.tmp\erdre GDPS install.tmp" /SL5="$5014C,775972,730112,C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"
      PID: 768
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe
         Command line: "C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe"
         PID: 2572
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\cmd.exe
            Command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7964.tmp\7965.tmp\7966.bat "C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe""
            PID: 2164
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\system32\chcp.com
               Command line: chcp 1251
               PID: 1824
            5. C:\Windows\system32\taskkill.exe
               Command line: Taskkill /f /im explorer.exe
               PID: 1264
               - Kills process with taskkill
               - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: d46f641fd04723e353e062eff5679ef6
SHA1: 319637221e4edaf0d59836285d065e58542afbdb
SHA256: 94c2dac57889d420b04efcc085787c1e82468c1d6a283545f6b73f8989dacb74
SHA512: 9d166240aa9eb2c0197da3154914f86dd83a7188093a98f13adf8fce60d137bb77355f1f7e182a309fda14897ed76cab7e6beed2a1bc542e4729e38142dc734b

Filesize: 100KB
MD5: 1f2cec484d93617fa81ecff025ebd981
SHA1: 2a0e9083aa48236edd47a140380b800dc56579c1
SHA256: 2aac7fa52b946aaad1e84bf0175a7568d89472e88eda1dc725081288ba2271d8
SHA512: 57c1b3aa98a0facad57e285d6552de42450df04d8c97a4cb4374bc05df80c9e63a5809a6f2c5735e77c470b2fde438d76b423326819b4c931bec6ea08501e562

Filesize: 2.9MB
MD5: 78cc109e79e5ad00bfcdb163482e27a1
SHA1: d18113b37d2fa5b049a5c1753b1a4c25f5e004a5
SHA256: 5597795862db5b9253dfb740feef39ba2af1d822aaa2749f59b79d7a14a37a10
SHA512: 42c9c973164ff0b0424f68355edb6a00521f331af282eb30c187624fc1beaa65bb2c914268b29822a53c01e093aa26ce1ef1159a56e842c984b4084c0c8e04c4

Filesize: 2.9MB
MD5: fe9bea77f231fb8526ce2a8a2ccd58dc
SHA1: 0c502b1e730e1274e90e08b35cb5f62430db3862
SHA256: 0b91ffec7e9c97010e43860f019ce22f5378efda2b4d9761240290c907a92eb7
SHA512: c6cda66ce548c060ba89760edb6790133da38f41c9ab19563ffabd6debab463d71efa1041905acc950e415a2180e95eef63670b1ec81ccd35ea3aae01c3a3855