2ce267bc9f667c070be13be256344023b02850182cdb1e91b074464aafd78a9f

Analysis

max time kernel
122s
max time network
132s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iUnlock GSM Ramdisk/iUnlock GSM Ramdisk.exe
Size

1.0MB
MD5

6ed2e8057953cd5c208fd0868b14a1af
SHA1

b14da0008f68b18f21f8cde97d54425f797b84a8
SHA256

726d13a1602c89102bd17660781a2bcd57306570c281f0c71c33268f27f58c79
SHA512

6c3fcacdb185cf5629ff796a9696bfe1933fd4edb69dc6578cae6374c856aa0b3cbb9b9f219170abc67f4368df28b9e03fa11e9db873ddcf81d8ac1858c06ced
SSDEEP

12288:KW2vL7h47bT9eyl+tBaDpxM0SLr2+XXXBQp0dlp+5W8spErYrnoLbq1S/JIgN0OX:x2vn8vQraDfmeyLdlG78joLbdDzORM

Score

7^/10

agilenet

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1688	iUnlock GSM Ramdisk.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral19/memory/1688-8-0x000000001C280000-0x000000001C4A2000-memory.dmp	agile_net

Kills process with taskkill 1 IoCs

evasion

pid	Process
2476	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1688	iUnlock GSM Ramdisk.exe
1688	iUnlock GSM Ramdisk.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2580	1688	iUnlock GSM Ramdisk.exe	28
PID 1688 wrote to memory of 2580	1688	iUnlock GSM Ramdisk.exe	28
PID 1688 wrote to memory of 2580	1688	iUnlock GSM Ramdisk.exe	28
PID 2580 wrote to memory of 2840	2580	cmd.exe	30
PID 2580 wrote to memory of 2840	2580	cmd.exe	30
PID 2580 wrote to memory of 2840	2580	cmd.exe	30
PID 1688 wrote to memory of 2444	1688	iUnlock GSM Ramdisk.exe	31
PID 1688 wrote to memory of 2444	1688	iUnlock GSM Ramdisk.exe	31
PID 1688 wrote to memory of 2444	1688	iUnlock GSM Ramdisk.exe	31
PID 2444 wrote to memory of 2476	2444	cmd.exe	33
PID 2444 wrote to memory of 2476	2444	cmd.exe	33
PID 2444 wrote to memory of 2476	2444	cmd.exe	33
PID 1688 wrote to memory of 2768	1688	iUnlock GSM Ramdisk.exe	35
PID 1688 wrote to memory of 2768	1688	iUnlock GSM Ramdisk.exe	35
PID 1688 wrote to memory of 2768	1688	iUnlock GSM Ramdisk.exe	35

C:\Users\Admin\AppData\Local\Temp\iUnlock GSM Ramdisk\iUnlock GSM Ramdisk.exe
"C:\Users\Admin\AppData\Local\Temp\iUnlock GSM Ramdisk\iUnlock GSM Ramdisk.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\system32\cmd.exe
  cmd /c ""tmp\shell.cmd""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\iUnlock GSM Ramdisk\lib\curl.exe
    lib\curl.exe -s -k https://geminixteam.com/Message.php
    3⤵
    PID:2840
- C:\Windows\system32\cmd.exe
  cmd /c ""tmp\shell.cmd""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM iproxy.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1688 -s 956
  2⤵
  PID:2768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iUnlock GSM Ramdisk\tmp\shell.cmd

Filesize
64B

MD5
c6c4ebed69d8e18386f2dc2ce13ccdd2

SHA1
aad3ed8cbd8ecfbea1e0df91fd06612c3ed1d046

SHA256
851607b42f0927db6e19d51dfec1b5fbcb9b4e9ab0c3fa9e2f55d9f463714a2a

SHA512
944a59aac27f93b2b8c755800759f00ddc4a602a127fff121d09cdf270fe48baeba5c8745761880692ec0562b614af02a30669cbf89ab0535f7f93958ec1228f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUnlock GSM Ramdisk\tmp\shell.cmd

Filesize
36B

MD5
0b6d7bf354a0986c97f5b96077cec97b

SHA1
d59089642b44a59b670bc3d64daf510ccd98dd8b

SHA256
c21d155a8dc5a7c06306c2fae1e6a240834973467f5c3ff489f42dbf75debf11

SHA512
8164d1b09fbb3be926c5616384d1ba60670d0a3a77c182d8a26e9c41a53b0038fddd14ad749fb8e142fff2371c05498ad2069ba6a6b9f86ab7e542f7e6d86957

Download Submit
\Users\Admin\AppData\Local\Temp\302b4517-bf81-4b85-8a36-553d0c421a3e\AgileDotNetRT64.dll

Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
memory/1688-5-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/1688-17-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/1688-3-0x0000000000350000-0x0000000000368000-memory.dmp

Filesize
96KB

Download
memory/1688-6-0x000000001BBB0000-0x000000001BFB6000-memory.dmp

Filesize
4.0MB

Download
memory/1688-7-0x000000001C1C0000-0x000000001C278000-memory.dmp

Filesize
736KB

Download
memory/1688-8-0x000000001C280000-0x000000001C4A2000-memory.dmp

Filesize
2.1MB

Download
memory/1688-2-0x000000001A740000-0x000000001A7F0000-memory.dmp

Filesize
704KB

Download
memory/1688-15-0x000007FEF3A10000-0x000007FEF3B3C000-memory.dmp

Filesize
1.2MB

Download
memory/1688-16-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/1688-4-0x000000001B070000-0x000000001B148000-memory.dmp

Filesize
864KB

Download
memory/1688-18-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/1688-19-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/1688-1-0x0000000000EB0000-0x0000000000FBA000-memory.dmp

Filesize
1.0MB

Download
memory/1688-0-0x000007FEF50D3000-0x000007FEF50D4000-memory.dmp

Filesize
4KB

Download
memory/1688-52-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/1688-51-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/1688-50-0x000007FEF50D3000-0x000007FEF50D4000-memory.dmp

Filesize
4KB

Download
memory/2840-30-0x000007FEF5E80000-0x000007FEF5E96000-memory.dmp

Filesize
88KB

Download
memory/2840-33-0x000007FEEF010000-0x000007FEEF2C4000-memory.dmp

Filesize
2.7MB

Download
memory/2840-36-0x000007FEF0E50000-0x000007FEF0E78000-memory.dmp

Filesize
160KB

Download
memory/2840-40-0x000007FEF0510000-0x000007FEF05A2000-memory.dmp

Filesize
584KB

Download
memory/2840-41-0x000007FEEEC50000-0x000007FEEED4B000-memory.dmp

Filesize
1004KB

Download
memory/2840-39-0x000007FEF0600000-0x000007FEF0647000-memory.dmp

Filesize
284KB

Download
memory/2840-38-0x000007FEF0700000-0x000007FEF0733000-memory.dmp

Filesize
204KB

Download
memory/2840-37-0x000007FEEEE50000-0x000007FEEF007000-memory.dmp

Filesize
1.7MB

Download
memory/2840-35-0x000007FEF0740000-0x000007FEF084B000-memory.dmp

Filesize
1.0MB

Download
memory/2840-34-0x000007FEF0E80000-0x000007FEF0EB0000-memory.dmp

Filesize
192KB

Download
memory/2840-32-0x000007FEF5E30000-0x000007FEF5E5C000-memory.dmp

Filesize
176KB

Download
memory/2840-31-0x000007FEF5E60000-0x000007FEF5E76000-memory.dmp

Filesize
88KB

Download
memory/2840-28-0x000000013F1A0000-0x000000013F1EC000-memory.dmp

Filesize
304KB

Download
memory/2840-29-0x000007FEF0EB0000-0x000007FEF0F5D000-memory.dmp

Filesize
692KB

Download