Resubmissions
18-06-2024 10:26

Task ID             Score   Submitted
240618-mglccatcpr   8       18-06-2024 10:22
240618-mefdbatbrp   4       18-06-2024 10:17
240618-mblqxsyglg   8       18-06-2024 10:15
240618-majvyaygje   8       18-06-2024 10:13
240618-l9cp8stakr   7       18-06-2024 10:11
240618-l7x86ayfke   8       18-06-2024 10:08
240618-l6ds5ayenh   8       18-06-2024 10:05
240618-l4jatssgmp   8       18-06-2024 10:03
240618-l3pq8aydqc   7

Analysis
Max time kernel: 99s
Max time network: 101s
Platform: windows10-1703_x64
Resource: win10-20240404-en
Resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
Submitted: 18-06-2024 10:17
Static task: static1

Behavioral task behavioral1
  Sample: erdre gdps/erdre GDPS install.exe
  Resource: win10-20240404-en
Behavioral task behavioral2
  Sample: erdre gdps/erdre GDPS install.exe
  Resource: win10v2004-20240508-en
Behavioral task behavioral3
  Sample: erdre gdps/readme
  Resource: win10-20240404-en
Behavioral task behavioral4
  Sample: erdre gdps/readme
  Resource: win10v2004-20240508-en

Errors
General
Target: erdre gdps/erdre GDPS install.exe
Size: 1.6MB
MD5: 3d266248c5b1c72bc74474f0dc5faf10
SHA1: 9462f26700a5c8fa7e4c4529799c8f5a7bd24381
SHA256: d628ff4a5c320986919947540a8ac6c453ceefeb3167ec7930e744da77ac3a1d
SHA512: 2969e21eb6ef4db7eee7b5b4afa3bdff437be0ccc3ca4238847e256e84dd76e539baf991d709fa9a3dac74e3df2c6376bce7094c8e8392978210b24859b41941
SSDEEP: 24576:sawwKusHwEwSimy1d/v1SnxSGM1aXzV6YjDty+YTUxyVl:MwRED2d/vMxgajVxQ++U4D
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  Processes:
    PID 4856  erdre GDPS install.tmp
    PID 5020  erdresem`s GDPS.exe

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (1 IoCs)
  Processes:
    PID 372  taskkill.exe

Modifies data under HKEY_USERS (15 IoCs)
  Process: LogonUI.exe
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
    Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    PID 4856  erdre GDPS install.tmp
    PID 4856  erdre GDPS install.tmp

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    Token: SeDebugPrivilege           PID 372   taskkill.exe
    Token: SeShutdownPrivilege        PID 1224  shutdown.exe
    Token: SeRemoteShutdownPrivilege  PID 1224  shutdown.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
    PID 4856  erdre GDPS install.tmp

Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    PID 3480  LogonUI.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (source PID wrote to memory of target PID):
    PID 4672 (erdre GDPS install.exe) -> PID 4856 (erdre GDPS install.tmp)   x3
    PID 5020 (erdresem`s GDPS.exe)    -> PID 2960 (cmd.exe)                  x2
    PID 2960 (cmd.exe)                -> PID 4340 (chcp.com)                 x2
    PID 2960 (cmd.exe)                -> PID 372  (taskkill.exe)             x2
    PID 2960 (cmd.exe)                -> PID 1224 (shutdown.exe)             x2
Processes

C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe  (PID 4672)
  Command line: "C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\is-L499T.tmp\erdre GDPS install.tmp  (PID 4856)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-L499T.tmp\erdre GDPS install.tmp" /SL5="$60230,775972,730112,C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow

C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe  (PID 5020)
  Command line: "C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe  (PID 2960)
      Command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\38CE.tmp\38CF.tmp\38D0.bat "C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe""
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\chcp.com  (PID 4340)
          Command line: chcp 1251
        C:\Windows\system32\taskkill.exe  (PID 372)
          Command line: Taskkill /f /im explorer.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\shutdown.exe  (PID 1224)
          Command line: shutdown /r
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe  (PID 3480)
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3af0055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads