Resubmissions
- 18-06-2024 10:26
- 240618-mglccatcpr  8  18-06-2024 10:22
- 240618-mefdbatbrp  4  18-06-2024 10:17
- 240618-mblqxsyglg  8  18-06-2024 10:15
- 240618-majvyaygje  8  18-06-2024 10:13
- 240618-l9cp8stakr  7  18-06-2024 10:11
- 240618-l7x86ayfke  8  18-06-2024 10:08
- 240618-l6ds5ayenh  8  18-06-2024 10:05
- 240618-l4jatssgmp  8  18-06-2024 10:03
- 240618-l3pq8aydqc  7

Analysis
- max time kernel: 118s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-06-2024 10:17
Static task: static1
Behavioral task: behavioral1
  Sample: erdre gdps/erdre GDPS install.exe
  Resource: win10-20240404-en
Behavioral task: behavioral2
  Sample: erdre gdps/erdre GDPS install.exe
  Resource: win10v2004-20240508-en
Behavioral task: behavioral3
  Sample: erdre gdps/readme
  Resource: win10-20240404-en
Behavioral task: behavioral4
  Sample: erdre gdps/readme
  Resource: win10v2004-20240508-en
General
- Target: erdre gdps/erdre GDPS install.exe
- Size: 1.6MB
- MD5: 3d266248c5b1c72bc74474f0dc5faf10
- SHA1: 9462f26700a5c8fa7e4c4529799c8f5a7bd24381
- SHA256: d628ff4a5c320986919947540a8ac6c453ceefeb3167ec7930e744da77ac3a1d
- SHA512: 2969e21eb6ef4db7eee7b5b4afa3bdff437be0ccc3ca4238847e256e84dd76e539baf991d709fa9a3dac74e3df2c6376bce7094c8e8392978210b24859b41941
- SSDEEP: 24576:sawwKusHwEwSimy1d/v1SnxSGM1aXzV6YjDty+YTUxyVl:MwRED2d/vMxgajVxQ++U4D
Malware Config
Signatures
- Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
- Executes dropped EXE (2 IoCs)
  Processes:
    pid | process
    5064 | erdre GDPS install.tmp
    3628 | erdresem`s GDPS.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description | ioc | process
    File opened (read-only) | \??\D: | explorer.exe
    File opened (read-only) | \??\F: | explorer.exe
- Drops file in Windows directory (1 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (2 IoCs)
  Processes:
    pid | process
    5004 | taskkill.exe
    2960 | taskkill.exe
- Modifies registry class (9 IoCs)
  Processes:
    description | ioc | process
    Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
    Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{1BE36BE8-5602-4CA8-BA76-2826415B6AC3} | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid | process
    5064 | erdre GDPS install.tmp
    5064 | erdre GDPS install.tmp
    4432 | mspaint.exe
    4432 | mspaint.exe
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 2960 | taskkill.exe
    Token: SeDebugPrivilege | 5004 | taskkill.exe
    Token: SeShutdownPrivilege | 1260 | explorer.exe
    Token: SeCreatePagefilePrivilege | 1260 | explorer.exe
    Token: SeShutdownPrivilege | 1260 | explorer.exe
    Token: SeCreatePagefilePrivilege | 1260 | explorer.exe
    Token: SeShutdownPrivilege | 4328 | explorer.exe
    Token: SeCreatePagefilePrivilege | 4328 | explorer.exe
    Token: SeShutdownPrivilege | 4328 | explorer.exe
    Token: SeCreatePagefilePrivilege | 4328 | explorer.exe
    Token: SeShutdownPrivilege | 4328 | explorer.exe
    Token: SeCreatePagefilePrivilege | 4328 | explorer.exe
    Token: SeShutdownPrivilege | 4328 | explorer.exe
    Token: SeCreatePagefilePrivilege | 4328 | explorer.exe
    Token: SeShutdownPrivilege | 4328 | explorer.exe
    Token: SeCreatePagefilePrivilege | 4328 | explorer.exe
- Suspicious use of FindShellTrayWindow (8 IoCs)
  Processes:
    pid | process
    5064 | erdre GDPS install.tmp
    4328 | explorer.exe
    4328 | explorer.exe
    4328 | explorer.exe
    4328 | explorer.exe
    4328 | explorer.exe
    4328 | explorer.exe
    4328 | explorer.exe
- Suspicious use of SendNotifyMessage (10 IoCs)
  Processes:
    pid | process
    4328 | explorer.exe
    4328 | explorer.exe
    4328 | explorer.exe
    4328 | explorer.exe
    4328 | explorer.exe
    4328 | explorer.exe
    4328 | explorer.exe
    4328 | explorer.exe
    4328 | explorer.exe
    4328 | explorer.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    pid | process
    4432 | mspaint.exe
    4432 | mspaint.exe
    4432 | mspaint.exe
    4432 | mspaint.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
    description | pid | process | target process
    PID 2952 wrote to memory of 5064 | 2952 | erdre GDPS install.exe | erdre GDPS install.tmp
    PID 2952 wrote to memory of 5064 | 2952 | erdre GDPS install.exe | erdre GDPS install.tmp
    PID 2952 wrote to memory of 5064 | 2952 | erdre GDPS install.exe | erdre GDPS install.tmp
    PID 5064 wrote to memory of 3628 | 5064 | erdre GDPS install.tmp | erdresem`s GDPS.exe
    PID 5064 wrote to memory of 3628 | 5064 | erdre GDPS install.tmp | erdresem`s GDPS.exe
    PID 5064 wrote to memory of 3628 | 5064 | erdre GDPS install.tmp | erdresem`s GDPS.exe
    PID 3628 wrote to memory of 4708 | 3628 | erdresem`s GDPS.exe | cmd.exe
    PID 3628 wrote to memory of 4708 | 3628 | erdresem`s GDPS.exe | cmd.exe
    PID 4708 wrote to memory of 2800 | 4708 | cmd.exe | chcp.com
    PID 4708 wrote to memory of 2800 | 4708 | cmd.exe | chcp.com
    PID 4708 wrote to memory of 2960 | 4708 | cmd.exe | taskkill.exe
    PID 4708 wrote to memory of 2960 | 4708 | cmd.exe | taskkill.exe
    PID 4708 wrote to memory of 1260 | 4708 | cmd.exe | explorer.exe
    PID 4708 wrote to memory of 1260 | 4708 | cmd.exe | explorer.exe
    PID 4708 wrote to memory of 5004 | 4708 | cmd.exe | taskkill.exe
    PID 4708 wrote to memory of 5004 | 4708 | cmd.exe | taskkill.exe
    PID 4708 wrote to memory of 4896 | 4708 | cmd.exe | calc.exe
    PID 4708 wrote to memory of 4896 | 4708 | cmd.exe | calc.exe
    PID 4708 wrote to memory of 456 | 4708 | cmd.exe | calc.exe
    PID 4708 wrote to memory of 456 | 4708 | cmd.exe | calc.exe
    PID 4708 wrote to memory of 4748 | 4708 | cmd.exe | calc.exe
    PID 4708 wrote to memory of 4748 | 4708 | cmd.exe | calc.exe
    PID 4708 wrote to memory of 4328 | 4708 | cmd.exe | explorer.exe
    PID 4708 wrote to memory of 4328 | 4708 | cmd.exe | explorer.exe
    PID 4708 wrote to memory of 3996 | 4708 | cmd.exe | calc.exe
    PID 4708 wrote to memory of 3996 | 4708 | cmd.exe | calc.exe
    PID 4708 wrote to memory of 4216 | 4708 | cmd.exe | calc.exe
    PID 4708 wrote to memory of 4216 | 4708 | cmd.exe | calc.exe
    PID 4708 wrote to memory of 4140 | 4708 | cmd.exe | calc.exe
    PID 4708 wrote to memory of 4140 | 4708 | cmd.exe | calc.exe
    PID 4708 wrote to memory of 3120 | 4708 | cmd.exe | calc.exe
    PID 4708 wrote to memory of 3120 | 4708 | cmd.exe | calc.exe
    PID 4708 wrote to memory of 2288 | 4708 | cmd.exe | calc.exe
    PID 4708 wrote to memory of 2288 | 4708 | cmd.exe | calc.exe
    PID 4708 wrote to memory of 2156 | 4708 | cmd.exe | calc.exe
    PID 4708 wrote to memory of 2156 | 4708 | cmd.exe | calc.exe
    PID 4708 wrote to memory of 4420 | 4708 | cmd.exe | calc.exe
    PID 4708 wrote to memory of 4420 | 4708 | cmd.exe | calc.exe
    PID 4708 wrote to memory of 3632 | 4708 | cmd.exe | calc.exe
    PID 4708 wrote to memory of 3632 | 4708 | cmd.exe | calc.exe
    PID 4708 wrote to memory of 4432 | 4708 | cmd.exe | mspaint.exe
    PID 4708 wrote to memory of 4432 | 4708 | cmd.exe | mspaint.exe
    PID 4708 wrote to memory of 264 | 4708 | cmd.exe | explorer.exe
    PID 4708 wrote to memory of 264 | 4708 | cmd.exe | explorer.exe
    PID 4708 wrote to memory of 4184 | 4708 | cmd.exe | explorer.exe
    PID 4708 wrote to memory of 4184 | 4708 | cmd.exe | explorer.exe
    PID 4708 wrote to memory of 3980 | 4708 | cmd.exe | explorer.exe
    PID 4708 wrote to memory of 3980 | 4708 | cmd.exe | explorer.exe
    PID 4708 wrote to memory of 3624 | 4708 | cmd.exe | explorer.exe
    PID 4708 wrote to memory of 3624 | 4708 | cmd.exe | explorer.exe
    PID 4708 wrote to memory of 4376 | 4708 | cmd.exe | explorer.exe
    PID 4708 wrote to memory of 4376 | 4708 | cmd.exe | explorer.exe
    PID 4708 wrote to memory of 4880 | 4708 | cmd.exe | explorer.exe
    PID 4708 wrote to memory of 4880 | 4708 | cmd.exe | explorer.exe
    PID 4708 wrote to memory of 2344 | 4708 | cmd.exe | explorer.exe
    PID 4708 wrote to memory of 2344 | 4708 | cmd.exe | explorer.exe
    PID 4708 wrote to memory of 1620 | 4708 | cmd.exe | explorer.exe
    PID 4708 wrote to memory of 1620 | 4708 | cmd.exe | explorer.exe
    PID 4708 wrote to memory of 3852 | 4708 | cmd.exe | explorer.exe
    PID 4708 wrote to memory of 3852 | 4708 | cmd.exe | explorer.exe
    PID 4708 wrote to memory of 1664 | 4708 | cmd.exe | explorer.exe
    PID 4708 wrote to memory of 1664 | 4708 | cmd.exe | explorer.exe
    PID 4708 wrote to memory of 1504 | 4708 | cmd.exe | explorer.exe
    PID 4708 wrote to memory of 1504 | 4708 | cmd.exe | explorer.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe (depth 1, PID 2952)
  Command line: "C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"
  Signatures: Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\is-37KFB.tmp\erdre GDPS install.tmp (depth 2, PID 5064)
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-37KFB.tmp\erdre GDPS install.tmp" /SL5="$C0066,775972,730112,C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe (depth 3, PID 3628)
  Command line: "C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe"
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- C:\Windows\system32\cmd.exe (depth 4, PID 4708)
  Command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\CEF3.tmp\CEF4.tmp\CEF5.bat "C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe""
  Signatures: Suspicious use of WriteProcessMemory
- C:\Windows\system32\chcp.com (depth 5, PID 2800)
  Command line: chcp 1251
- C:\Windows\system32\taskkill.exe (depth 5, PID 2960)
  Command line: Taskkill /f /im explorer.exe
  Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe (depth 5, PID 1260)
  Command line: explorer
  Signatures: Modifies Installed Components in the registry; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskkill.exe (depth 5, PID 5004)
  Command line: taskkill /f /IM explorer.exe
  Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\calc.exe (depth 5, PID 4896)
  Command line: calc
- C:\Windows\system32\calc.exe (depth 5, PID 456)
  Command line: calc
- C:\Windows\system32\calc.exe (depth 5, PID 4748)
  Command line: calc
- C:\Windows\explorer.exe (depth 5, PID 4328)
  Command line: explorer
  Signatures: Modifies Installed Components in the registry; Enumerates connected drives; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- C:\Windows\system32\calc.exe (depth 5, PID 3996)
  Command line: calc
- C:\Windows\system32\calc.exe (depth 5, PID 4216)
  Command line: calc
- C:\Windows\system32\calc.exe (depth 5, PID 4140)
  Command line: calc
- C:\Windows\system32\calc.exe (depth 5, PID 3120)
  Command line: calc
- C:\Windows\system32\calc.exe (depth 5, PID 2288)
  Command line: calc
- C:\Windows\system32\calc.exe (depth 5, PID 2156)
  Command line: calc
- C:\Windows\system32\calc.exe (depth 5, PID 4420)
  Command line: calc
- C:\Windows\system32\calc.exe (depth 5, PID 3632)
  Command line: calc
- C:\Windows\system32\mspaint.exe (depth 5, PID 4432)
  Command line: mspaint
  Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
- C:\Windows\explorer.exe (depth 5, PID 264)
  Command line: explorer
- C:\Windows\explorer.exe (depth 5, PID 4184)
  Command line: explorer
- C:\Windows\explorer.exe (depth 5, PID 3980)
  Command line: explorer
- C:\Windows\explorer.exe (depth 5, PID 3624)
  Command line: explorer
- C:\Windows\explorer.exe (depth 5, PID 4376)
  Command line: explorer
- C:\Windows\explorer.exe (depth 5, PID 4880)
  Command line: explorer
- C:\Windows\explorer.exe (depth 5, PID 2344)
  Command line: explorer
- C:\Windows\explorer.exe (depth 5, PID 1620)
  Command line: explorer
- C:\Windows\explorer.exe (depth 5, PID 3852)
  Command line: explorer
- C:\Windows\explorer.exe (depth 5, PID 1664)
  Command line: explorer
- C:\Windows\explorer.exe (depth 5, PID 1504)
  Command line: explorer
- C:\Windows\explorer.exe (depth 5, PID 2356)
  Command line: explorer
- C:\Windows\explorer.exe (depth 5, PID 4944)
  Command line: explorer
- C:\Windows\explorer.exe (depth 5, PID 1372)
  Command line: explorer
- C:\Windows\explorer.exe (depth 5, PID 3380)
  Command line: explorer
- C:\Windows\system32\charmap.exe (depth 5, PID 4860)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 3724)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 1652)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 4916)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 4492)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 2640)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 1616)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 2152)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 1012)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 2200)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 2688)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 1132)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 116)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 1416)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 4792)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 4668)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 2364)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 4752)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 4524)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 2232)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 4500)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 1856)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 2064)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 4324)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 3004)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 2272)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 4696)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 1144)
  Command line: charmap
- C:\Windows\system32\charmap.exe (depth 5, PID 1384)
  Command line: charmap
- C:\Windows\system32\OpenWith.exe (depth 1, PID 4164)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
- C:\Windows\system32\svchost.exe (depth 1, PID 3740)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
- C:\Windows\system32\OpenWith.exe (depth 1, PID 4900)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
- C:\Windows\system32\OpenWith.exe (depth 1, PID 3880)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
- C:\Windows\system32\OpenWith.exe (depth 1, PID 3832)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
- C:\Windows\system32\OpenWith.exe (depth 1, PID 5288)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
- C:\Windows\system32\OpenWith.exe (depth 1, PID 5440)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
- C:\Windows\system32\OpenWith.exe (depth 1, PID 5500)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
- C:\Windows\system32\OpenWith.exe (depth 1, PID 5636)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
- C:\Windows\System32\rundll32.exe (depth 1, PID 5796)
  Command line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
- C:\Windows\system32\OpenWith.exe (depth 1, PID 5808)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
- C:\Windows\system32\OpenWith.exe (depth 1, PID 6052)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
- C:\Windows\system32\OpenWith.exe (depth 1, PID 6116)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (depth 1, PID 4184)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (depth 1, PID 744)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\explorer.exe (depth 1, PID 5292)
  Command line: explorer.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133631796143401822.txt
  Filesize: 77KB
  MD5: 0255165ad57beec49a17586c484a729c
  SHA1: e60fc94b72aa3eb2e2a653fa5e18cbf8e4cb1ff6
  SHA256: 68220a47bb7243356c3cc316d40153a0cf5c0cde2cd4dde96cb494a5bab395cd
  SHA512: 1f5ebbabd3d9b66553d07d5ba4e8802d51b22190f288c9679a57f7c87de1b4845d25ac540a561bc1140668ad018d41820d4520817600130b617b0b654232c1b7
- Filesize: 100KB
  MD5: 1f2cec484d93617fa81ecff025ebd981
  SHA1: 2a0e9083aa48236edd47a140380b800dc56579c1
  SHA256: 2aac7fa52b946aaad1e84bf0175a7568d89472e88eda1dc725081288ba2271d8
  SHA512: 57c1b3aa98a0facad57e285d6552de42450df04d8c97a4cb4374bc05df80c9e63a5809a6f2c5735e77c470b2fde438d76b423326819b4c931bec6ea08501e562
- Filesize: 1KB
  MD5: d46f641fd04723e353e062eff5679ef6
  SHA1: 319637221e4edaf0d59836285d065e58542afbdb
  SHA256: 94c2dac57889d420b04efcc085787c1e82468c1d6a283545f6b73f8989dacb74
  SHA512: 9d166240aa9eb2c0197da3154914f86dd83a7188093a98f13adf8fce60d137bb77355f1f7e182a309fda14897ed76cab7e6beed2a1bc542e4729e38142dc734b
- Filesize: 2.9MB
  MD5: fe9bea77f231fb8526ce2a8a2ccd58dc
  SHA1: 0c502b1e730e1274e90e08b35cb5f62430db3862
  SHA256: 0b91ffec7e9c97010e43860f019ce22f5378efda2b4d9761240290c907a92eb7
  SHA512: c6cda66ce548c060ba89760edb6790133da38f41c9ab19563ffabd6debab463d71efa1041905acc950e415a2180e95eef63670b1ec81ccd35ea3aae01c3a3855