Analysis Overview
SHA256
4040ad3437e51139819148ed6378828adcfbd924251af39de8bf100a3a476a63
Threat Level: Known bad
The file gdifuncs.exe was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies WinLogon for persistence
Disables Task Manager via registry modification
Disables RegEdit via registry modification
Possible privilege escalation attempt
Modifies file permissions
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Modifies Control Panel
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
System policy modification
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-25 00:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-25 00:14
Reported
2024-06-25 00:17
Platform
win11-20240508-en
Max time kernel
191s
Max time network
172s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" | C:\Users\Admin\AppData\Local\Temp\gdifuncs.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\gdifuncs.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\gdifuncs.exe | N/A |
Disables Task Manager via registry modification
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\takeown.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\windows\WinAttr.gci | C:\Users\Admin\AppData\Local\Temp\gdifuncs.exe | N/A |
| File opened for modification | \??\c:\windows\WinAttr.gci | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | C:\Users\Admin\AppData\Local\Temp\gdifuncs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | C:\Users\Admin\AppData\Local\Temp\gdifuncs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | C:\Users\Admin\AppData\Local\Temp\gdifuncs.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\gdifuncs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\gdifuncs.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\gdifuncs.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\gdifuncs.exe
"C:\Users\Admin\AppData\Local\Temp\gdifuncs.exe"
C:\windows\SysWOW64\takeown.exe
"C:\windows\system32\takeown.exe" /f C:\windows\system32\LogonUI.exe
C:\windows\SysWOW64\icacls.exe
"C:\windows\system32\icacls.exe" C:\\windows\\system32\\LogonUI.exe /granted "Admin":F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd\&cd Windows\system32&takeown /f LogonUI.exe&icacls LogonUI.exe /granted "%username%":F&cd..&cd winbase_base_procid_none&cd secureloc0x65&copy "ui65.exe" "C:\windows\system32\LogonUI.exe" /Y&echo WinLTDRStartwinpos > "c:\windows\WinAttr.gci"&timeout 2&taskkill /f /im "tobi0a0c.exe"&exit
C:\Windows\SysWOW64\takeown.exe
takeown /f LogonUI.exe
C:\Windows\SysWOW64\icacls.exe
icacls LogonUI.exe /granted "Admin":F
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "tobi0a0c.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/2796-0-0x000000007436E000-0x000000007436F000-memory.dmp
memory/2796-1-0x0000000000770000-0x0000000000792000-memory.dmp
memory/2796-2-0x00000000056E0000-0x0000000005C86000-memory.dmp
memory/2796-3-0x0000000005230000-0x00000000052C2000-memory.dmp
memory/2796-4-0x0000000074360000-0x0000000074B11000-memory.dmp
memory/2796-5-0x0000000005610000-0x000000000561A000-memory.dmp
memory/2796-6-0x0000000074360000-0x0000000074B11000-memory.dmp
memory/2796-7-0x0000000074360000-0x0000000074B11000-memory.dmp
memory/2796-8-0x0000000074360000-0x0000000074B11000-memory.dmp
memory/2796-9-0x0000000074360000-0x0000000074B11000-memory.dmp
memory/2796-10-0x0000000074360000-0x0000000074B11000-memory.dmp
memory/2796-11-0x0000000074360000-0x0000000074B11000-memory.dmp
memory/2796-12-0x0000000074360000-0x0000000074B11000-memory.dmp
memory/2796-13-0x000000007436E000-0x000000007436F000-memory.dmp
memory/2796-14-0x0000000074360000-0x0000000074B11000-memory.dmp
memory/2796-15-0x0000000074360000-0x0000000074B11000-memory.dmp
memory/2796-16-0x0000000074360000-0x0000000074B11000-memory.dmp
memory/2796-17-0x0000000074360000-0x0000000074B11000-memory.dmp
memory/2796-18-0x0000000074360000-0x0000000074B11000-memory.dmp
memory/2796-19-0x0000000074360000-0x0000000074B11000-memory.dmp
memory/2796-20-0x0000000074360000-0x0000000074B11000-memory.dmp
memory/2796-21-0x0000000074360000-0x0000000074B11000-memory.dmp
memory/2796-22-0x0000000074360000-0x0000000074B11000-memory.dmp