e72af294e6dee508fdacba512816c6ba6c45609d3e15213b183d609d20029610

Analysis

max time kernel
1705s
max time network
1797s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 14:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

groupfunctionpro/groupfunctionpro.exe
Size

182KB
MD5

3d0a13f5252e72da042fc72db97832e9
SHA1

2637d2ba74b6f86362f13b0ba37724f6bc21324d
SHA256

3427eeba9cd7bfbc53548dea44015910713d00b18601cdfc3410698867774546
SHA512

029ad84b035223ce3cd010bc978d30b5be64a8255e1a67ac1c4f1345ea711fe5d84fe16b25ad2d8356c23a4dd61ec571cd4d1e2865148677b06939fc6735d13e
SSDEEP

3072:2ahKyd2n317J5GWp1icKAArDZz4N9GhbkrNEk1wX2ydT:2ahOZPp0yN90QEfl

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3304	groupfunction.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	groupfunctionpro.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3304	groupfunction.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 3304	4756	groupfunctionpro.exe	84
PID 4756 wrote to memory of 3304	4756	groupfunctionpro.exe	84

C:\Users\Admin\AppData\Local\Temp\groupfunctionpro\groupfunctionpro.exe
"C:\Users\Admin\AppData\Local\Temp\groupfunctionpro\groupfunctionpro.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\groupfunction.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\groupfunction.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\groupfunction.exe

Filesize
137KB

MD5
3fe735f42fde1e48e043395863c0ca5c

SHA1
52a0d64ae4033f4cb36c0ea66877b46869b27ab9

SHA256
84f18b27efc302046c56334b7799766b9a907d7f2b5cc0a429b20f7e74d7158f

SHA512
5c72987b29c72f74c0f6743d70785d93cd4aa75ab683c3852a3b69ece9234cdefb3d531463ad7f647ed819fb8337ff4b165cc1459e5a45963e6194029ac004a7

Download Submit
memory/3304-5-0x00007FFAA3C63000-0x00007FFAA3C65000-memory.dmp

Filesize
8KB

Download
memory/3304-6-0x0000025A9CA80000-0x0000025A9CAA2000-memory.dmp

Filesize
136KB

Download
memory/3304-7-0x00007FFAA3C60000-0x00007FFAA4721000-memory.dmp

Filesize
10.8MB

Download
memory/3304-8-0x00007FFAA3C63000-0x00007FFAA3C65000-memory.dmp

Filesize
8KB

Download
memory/3304-9-0x00007FFAA3C60000-0x00007FFAA4721000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads