40962b2a411a9dbdb9b288fa1430f912006d66134992c0349c6b566d23681bde

Analysis

max time kernel
135s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GST_Audit_Report.exe
Size

1.5MB
MD5

fe310cb94fd6877918c0323c54a29556
SHA1

26d7d7de3b3c7098e2fc52158610227823b6c227
SHA256

40962b2a411a9dbdb9b288fa1430f912006d66134992c0349c6b566d23681bde
SHA512

332bb2726f6bd9daf0604a721ee8f563baf3c8ac892b84a0c6dfc357727ae62153e31f7b7175f246294183d2c65cf51f3def77672b8787272048fbdf36ff3bfe
SSDEEP

24576:P4lavt0LkLL9IMixoEgeaMkIy8OzcQRXorWDbz4q9MmCS:Kkwkn9IMHeaMk+OSWEaPCS

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRIPRU.lnk	GST_Audit_Report.exe

Executes dropped EXE 2 IoCs

pid	Process
3300	XUQNVR.exe
3180	XUQNVR.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TRIPRU = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\XUQNVR.exe\""	GST_Audit_Report.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000a0000000233df-4.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2	GST_Audit_Report.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4548	GST_Audit_Report.exe
4548	GST_Audit_Report.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4548	GST_Audit_Report.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 2348	4548	GST_Audit_Report.exe	83
PID 4548 wrote to memory of 2348	4548	GST_Audit_Report.exe	83
PID 4548 wrote to memory of 2348	4548	GST_Audit_Report.exe	83
PID 2348 wrote to memory of 1640	2348	cmd.exe	85
PID 2348 wrote to memory of 1640	2348	cmd.exe	85
PID 2348 wrote to memory of 1640	2348	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\GST_Audit_Report.exe
"C:\Users\Admin\AppData\Local\Temp\GST_Audit_Report.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn TRIPRU.exe /tr C:\Users\Admin\AppData\Roaming\Windata\XUQNVR.exe /sc minute /mo 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn TRIPRU.exe /tr C:\Users\Admin\AppData\Roaming\Windata\XUQNVR.exe /sc minute /mo 1
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1640

C:\Users\Admin\AppData\Roaming\Windata\XUQNVR.exe
C:\Users\Admin\AppData\Roaming\Windata\XUQNVR.exe
1⤵
- Executes dropped EXE
PID:3300

C:\Users\Admin\AppData\Roaming\Windata\XUQNVR.exe
C:\Users\Admin\AppData\Roaming\Windata\XUQNVR.exe
1⤵
- Executes dropped EXE
PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windata\XUQNVR.exe

Filesize
1.5MB

MD5
fe310cb94fd6877918c0323c54a29556

SHA1
26d7d7de3b3c7098e2fc52158610227823b6c227

SHA256
40962b2a411a9dbdb9b288fa1430f912006d66134992c0349c6b566d23681bde

SHA512
332bb2726f6bd9daf0604a721ee8f563baf3c8ac892b84a0c6dfc357727ae62153e31f7b7175f246294183d2c65cf51f3def77672b8787272048fbdf36ff3bfe

Download Submit