Analysis
max time kernel: 106s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/07/2024, 22:39
Static task: static1
Behavioral task: behavioral1
  Sample: 634aad8f4610e0c0841b4a1232acc090N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 634aad8f4610e0c0841b4a1232acc090N.exe
  Resource: win10v2004-20240709-en
General
Target: 634aad8f4610e0c0841b4a1232acc090N.exe
Size: 55KB
MD5: 634aad8f4610e0c0841b4a1232acc090
SHA1: 6bbe387b1d971f1bc53fc36285ea9f9099aea787
SHA256: da99f1c1a9cb0c0dd58c9958004391a3305ca2aefae46dcb70afa7bcfb81fc1f
SHA512: 122dd20b63f8c3164e803c870bb35cc01857cfa5e9dcbd0d6cd3fb777eff8fbc82cabcb10f0abed74818bffae02173998af2bbbc5c30abe6d5229d976eee8344
SSDEEP: 1536:V9rg3X/7ov9ZdzRiRcxa/XIwLkGAO7uUd0W20Tf:/03Xcv9zIRcxa/bLk2d0n0
Malware Config
Signatures
Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Description | IoC | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gfgpqhmf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ke1IfvPkDT = "C:\\ProgramData\\uhwnwdah\\gfgpqhmf.exe" | gfgpqhmf.exe

Executes dropped EXE (1 IoC)
  PID | Process
  2556 | gfgpqhmf.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description | IoC | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gfgpqhmf.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 634aad8f4610e0c0841b4a1232acc090N.exe

Suspicious behavior: RenamesItself (1 IoC)
  PID | Process
  4616 | 634aad8f4610e0c0841b4a1232acc090N.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Description | PID | Process | procid_target
  PID 4616 wrote to memory of 2556 | 4616 | 634aad8f4610e0c0841b4a1232acc090N.exe | 98
  PID 4616 wrote to memory of 2556 | 4616 | 634aad8f4610e0c0841b4a1232acc090N.exe | 98
  PID 4616 wrote to memory of 2556 | 4616 | 634aad8f4610e0c0841b4a1232acc090N.exe | 98
  PID 4616 wrote to memory of 5064 | 4616 | 634aad8f4610e0c0841b4a1232acc090N.exe | 99
  PID 4616 wrote to memory of 5064 | 4616 | 634aad8f4610e0c0841b4a1232acc090N.exe | 99
  PID 4616 wrote to memory of 5064 | 4616 | 634aad8f4610e0c0841b4a1232acc090N.exe | 99
Processes
C:\Users\Admin\AppData\Local\Temp\634aad8f4610e0c0841b4a1232acc090N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\634aad8f4610e0c0841b4a1232acc090N.exe"
  PID: 4616
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\uhwnwdah\gfgpqhmf.exe (depth 2)
    Command line: C:\ProgramData\uhwnwdah\gfgpqhmf.exe
    PID: 2556
    - Adds policy Run key to start application
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: /c del /f C:\Users\Admin\AppData\Local\Temp\634AAD~1.EXE.bak >> NUL
    PID: 5064
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15