10f7370ebe09c66711810d2b479d9a65a9156be1a0ec926373dbd20325539141

Analysis

max time kernel
120s
max time network
116s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

757268985087958a1cea73aed590a480N.exe
Size

136KB
MD5

757268985087958a1cea73aed590a480
SHA1

d4943debcd3bd78a6ac8fd32453b3b568538f06d
SHA256

10f7370ebe09c66711810d2b479d9a65a9156be1a0ec926373dbd20325539141
SHA512

68622f3cd5ca9ff467122d2e3437293f35f4bf1e8d224ebfdf17aee1947688bd9a7bb29498a2fbb7ba32b208d4528a5da0cd759ed379c03571ee012f2f590845
SSDEEP

1536:I7AOxj1ihnBpE6d5rqI43olY5hKyUb/rEG+C0q:8AOxj0BW6TrqIoolYsh0

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	gairo.exe

Executes dropped EXE 1 IoCs

pid	Process
2176	gairo.exe

Loads dropped DLL 2 IoCs

pid	Process
2396	757268985087958a1cea73aed590a480N.exe
2396	757268985087958a1cea73aed590a480N.exe

Adds Run key to start application 2 TTPs 49 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /q"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /T"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /z"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /n"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /s"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /l"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /Q"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /v"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /H"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /o"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /t"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /S"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /U"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /x"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /c"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /A"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /C"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /e"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /M"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /D"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /a"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /d"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /R"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /Z"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /X"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /i"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /h"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /O"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /J"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /E"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /W"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /I"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /r"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /m"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /P"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /p"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /y"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /w"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /L"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /Y"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /f"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /F"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /j"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /g"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /b"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /G"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /N"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /K"	gairo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\gairo = "C:\\Users\\Admin\\gairo.exe /k"	gairo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe
2176	gairo.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2396	757268985087958a1cea73aed590a480N.exe
2176	gairo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2176	2396	757268985087958a1cea73aed590a480N.exe	30
PID 2396 wrote to memory of 2176	2396	757268985087958a1cea73aed590a480N.exe	30
PID 2396 wrote to memory of 2176	2396	757268985087958a1cea73aed590a480N.exe	30
PID 2396 wrote to memory of 2176	2396	757268985087958a1cea73aed590a480N.exe	30
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29
PID 2176 wrote to memory of 2396	2176	gairo.exe	29

C:\Users\Admin\AppData\Local\Temp\757268985087958a1cea73aed590a480N.exe
"C:\Users\Admin\AppData\Local\Temp\757268985087958a1cea73aed590a480N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\gairo.exe
  "C:\Users\Admin\gairo.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\gairo.exe

Filesize
136KB

MD5
df217db8e055c8aaa689be8733fad0e8

SHA1
cec7732d51d5dda9e7abfdf750387b473a66fc5b

SHA256
1be891b3eb5c000a171ba83358bc44dd7dd763368816ff46ea43e6211cbcd7d9

SHA512
c549a2c7fe282e3994fd4d6f4c7efc1226c3b0b715fe4a9a437cbd3836c73d608f9fbcc22f5a4265898d493641bd0f68b37ebe45ecc90b112edbb71e7b48ce4e

Download Submit