Analysis Overview
SHA256
de5512870659824110a206fb3f960bb8dd913c981fc0eb87cf2f49159436d78b
Threat Level: Shows suspicious behavior
The file erdre gdps.7z was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Checks installed software on the system
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-18 10:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 10:13
Reported
2024-06-18 10:15
Platform
win7-20240611-en
Max time kernel
46s
Max time network
27s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-T09VN.tmp\erdre GDPS install.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-T09VN.tmp\erdre GDPS install.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-T09VN.tmp\erdre GDPS install.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-T09VN.tmp\erdre GDPS install.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-T09VN.tmp\erdre GDPS install.tmp | N/A |
Checks installed software on the system
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-T09VN.tmp\erdre GDPS install.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-T09VN.tmp\erdre GDPS install.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-T09VN.tmp\erdre GDPS install.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe
"C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"
C:\Users\Admin\AppData\Local\Temp\is-T09VN.tmp\erdre GDPS install.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T09VN.tmp\erdre GDPS install.tmp" /SL5="$5014C,775972,730112,C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"
C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe
"C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7964.tmp\7965.tmp\7966.bat "C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe""
C:\Windows\system32\chcp.com
chcp 1251
C:\Windows\system32\taskkill.exe
Taskkill /f /im explorer.exe
Network
Files
memory/816-2-0x0000000000401000-0x00000000004A9000-memory.dmp
memory/816-0-0x0000000000400000-0x00000000004C0000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-T09VN.tmp\erdre GDPS install.tmp
| MD5 | fe9bea77f231fb8526ce2a8a2ccd58dc |
| SHA1 | 0c502b1e730e1274e90e08b35cb5f62430db3862 |
| SHA256 | 0b91ffec7e9c97010e43860f019ce22f5378efda2b4d9761240290c907a92eb7 |
| SHA512 | c6cda66ce548c060ba89760edb6790133da38f41c9ab19563ffabd6debab463d71efa1041905acc950e415a2180e95eef63670b1ec81ccd35ea3aae01c3a3855 |
memory/768-8-0x0000000000400000-0x00000000006F3000-memory.dmp
memory/816-9-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/768-10-0x0000000000400000-0x00000000006F3000-memory.dmp
memory/816-12-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/768-13-0x0000000000400000-0x00000000006F3000-memory.dmp
\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe
| MD5 | 1f2cec484d93617fa81ecff025ebd981 |
| SHA1 | 2a0e9083aa48236edd47a140380b800dc56579c1 |
| SHA256 | 2aac7fa52b946aaad1e84bf0175a7568d89472e88eda1dc725081288ba2271d8 |
| SHA512 | 57c1b3aa98a0facad57e285d6552de42450df04d8c97a4cb4374bc05df80c9e63a5809a6f2c5735e77c470b2fde438d76b423326819b4c931bec6ea08501e562 |
\Users\Admin\AppData\Local\Programs\erdre GDPS\unins000.exe
| MD5 | 78cc109e79e5ad00bfcdb163482e27a1 |
| SHA1 | d18113b37d2fa5b049a5c1753b1a4c25f5e004a5 |
| SHA256 | 5597795862db5b9253dfb740feef39ba2af1d822aaa2749f59b79d7a14a37a10 |
| SHA512 | 42c9c973164ff0b0424f68355edb6a00521f331af282eb30c187624fc1beaa65bb2c914268b29822a53c01e093aa26ce1ef1159a56e842c984b4084c0c8e04c4 |
memory/816-39-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/768-37-0x0000000000400000-0x00000000006F3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7964.tmp\7965.tmp\7966.bat
| MD5 | d46f641fd04723e353e062eff5679ef6 |
| SHA1 | 319637221e4edaf0d59836285d065e58542afbdb |
| SHA256 | 94c2dac57889d420b04efcc085787c1e82468c1d6a283545f6b73f8989dacb74 |
| SHA512 | 9d166240aa9eb2c0197da3154914f86dd83a7188093a98f13adf8fce60d137bb77355f1f7e182a309fda14897ed76cab7e6beed2a1bc542e4729e38142dc734b |