Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/08/2024, 09:50

General

  • Target

    GGM 2.7-20161025.exe

  • Size

    4.1MB

  • MD5

    3de848a5415a34eb058d4e48e529e98c

  • SHA1

    996d87695f402ca788e83297f35d2a3771519847

  • SHA256

    cf385be40fa5771c29d2d16572697a5a0bdabb7076bda21b8a9e25bd31991fac

  • SHA512

    025b2cfc7ca9de28d576ed21d59e3bf1fb511dc1344c81b475ba9d998d2cde0854cf58a14c19b030e4015d21f683fa5a6900c6ec179591bb128aa95e9394e345

  • SSDEEP

    98304:ISlb37CB6Q1x+KK6deeAhFJfdlGJ8AtkJpElARiF+b:db+B6Q1x+KwB/5VpElARiFY

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\GGM 2.7-20161025.exe
    "C:\Users\Admin\AppData\Local\Temp\GGM 2.7-20161025.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Users\Admin\AppData\Local\Temp\is-VSOF9.tmp\GGM 2.7-20161025.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-VSOF9.tmp\GGM 2.7-20161025.tmp" /SL5="$30144,3835740,134144,C:\Users\Admin\AppData\Local\Temp\GGM 2.7-20161025.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Users\Admin\AppData\Local\Temp\is-H9PBG.tmp\_isetup\_setup64.tmp
        helper 105 0x260
        3⤵
        • Executes dropped EXE
        PID:2812
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /create /XML C:\Windows\system32\GmTaskPlan64.xml /tn net-GmTaskPlan
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2616
      • C:\Program Files\GGM 2.7\GGM 2.7.exe
        "C:\Program Files\GGM 2.7\GGM 2.7.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:1976

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\GGM 2.7\Skins\Std\main.png

    Filesize

    613KB

    MD5

    986d20a122893e61d370990612af696b

    SHA1

    04432b91735f3b28c0725f6153dec6daf832659b

    SHA256

    9ded6313fbb6a88bca57540ec1a82ffd88fd3ca17920417d6e07e536ea2a0577

    SHA512

    99fa8f0126e47100de98690e5ac68c0a83144156a7a5f32c22bb6cd53349e0eb7e0b6851c22d67b5d48917f534ab7d5c9d2b1750c05931f15373381ba981ee11

  • C:\Program Files\GGM 2.7\Update\X64\Skins\is-7OU0L.tmp

    Filesize

    4KB

    MD5

    64dcd634deabe00dde4b85689d40e7c4

    SHA1

    c802295d7fd5455a06e05f349a4e721a21e010eb

    SHA256

    ee09ffc9bd949d1b271c57e94541a85e20dacdfd2ee4dc600ee7ebf256a4e3fb

    SHA512

    95e05a4083ddb585817a867f4909bf8e4989c4bc2ea0c0619bea678b616e1e463ce7af8b764aeeed973bfc5e195f0d580eb14cd948b0155e2f9f4f3ca14172d1

  • C:\Program Files\GGM 2.7\Update\X86\Skins\is-2JIST.tmp

    Filesize

    5KB

    MD5

    e483eba04c9346d6878cf06599867a98

    SHA1

    5e77d4e9d972caca633351ec1f89ab819cb68fa0

    SHA256

    ce380be17fab6b8e59a74728bcdb0bd53cda31b2c8ac1622f43e257ce5629f5c

    SHA512

    5c844b9d259123624a6f58ee8eaee1dd1df7111f6f06dc6923fe62c7f63f6a7fa169f5e2ca80e33ef2eee2d4b1808fae5b16a97b6ea26bd7241101099fd164ab

  • C:\Program Files\GGM 2.7\Update\X86\Skins\is-2K7CL.tmp

    Filesize

    3KB

    MD5

    a96ae87ac04b21369b90030b0883d63f

    SHA1

    c85f408dbde04e4c4c159dba2a7da58a5b8afe13

    SHA256

    8d62a6f881cabc98535bca5274dbb9ee189f604ff1d9dd476a5df6a8e303e9e3

    SHA512

    d4a8e49ae8bea9b1ed704d0121d8813b3f3d4192b828e9242f91fa0084c104766934b5078a32c37f14b236e390f23c7581d6cb2b1c3bc6ebf4c579498ee8c5cd

  • C:\Program Files\GGM 2.7\Update\X86\Skins\is-6HV0K.tmp

    Filesize

    3KB

    MD5

    abe05bfd5471563b9fa178cce1a6e7aa

    SHA1

    11d18383203a0f031569024004e577b53ee59a40

    SHA256

    55ba8a73a0c0e0815ea28e5cc3d819b8f74fe27146ff044d3d52b71d75725877

    SHA512

    6f31cc7399fb914c914173dd85beabcafcb53a9a35a03dbb49c1425af25988898cce7177b93797aa9cf04583894dbc72cd081f904835386a5c24a2b06461788c

  • C:\Program Files\GGM 2.7\Update\X86\Skins\is-728JM.tmp

    Filesize

    2KB

    MD5

    dfad1b303745085b261ccc84728e0b5d

    SHA1

    6f92488ce3311455a8bd75da15f88f680406e381

    SHA256

    2158267d3fe2503ef0bd2ecc47e5e73791b6a3153f0cadd0fefe305ebe7b7385

    SHA512

    dfea96d0f025f0aaef646dd8c56f3878ba71b438887b1da91ec2cb41e022d4d79cbecceb8f0d9331a5aef7c9e539cffc2ca98d23816839ec2a23bdd0b14f09b7

  • C:\Program Files\GGM 2.7\Update\X86\Skins\is-7HUB5.tmp

    Filesize

    5KB

    MD5

    494c4f66ea1886ce7e68b4fb7aad93f0

    SHA1

    0a1ccdbb79f135febc1d24a86abf554a61dd3008

    SHA256

    638ec545f1a34ee42ecb1b0ee355843122365297d69e94ed53fa71873ed029ef

    SHA512

    069e2fc73de2e4481bc10c70fbc3f2c6a0461ba81ac82c004db12658c8fbcc20230156de13b953329295f6436b5798ff3e27d3e4eae066246aa79693b3a54096

  • C:\Program Files\GGM 2.7\Update\X86\Skins\is-9IGI9.tmp

    Filesize

    4KB

    MD5

    3cd70d01d8ddf8636e918070e5fc6d21

    SHA1

    715c9648f90cde0b1dc8e1e881ebfca18fd90425

    SHA256

    5b00e2ec228949078e96a1d72284e0f2eb20305a611047c96e1a89b60548cc33

    SHA512

    0357bdff6f113cff14e3e14cf8cd721ac85838c4d55dade26ccdb1988e36ee8ac0de834e562e2c92db113221e182038d182f006b5637f1ae18805dc54b276e18

  • C:\Program Files\GGM 2.7\Update\X86\Skins\is-A9SUU.tmp

    Filesize

    3KB

    MD5

    f3b5f677a015143144b3f41b9b4dcf6c

    SHA1

    3992353745821a778b6e9e48bbe6b6c3d3c833a9

    SHA256

    62a3b1b2ce7d20529115ceae68ce90f9e98a4ca59accd22a4a7f459304db527e

    SHA512

    c63cf95414046b55b17174b752dcdc5c125a3a6ff68e1ed879d481f50e8270864cf6217d32a02158305680c36b9a17edb18e3d320c3a5224d289efaa3b3e8070

  • C:\Program Files\GGM 2.7\Update\X86\Skins\is-BJC1S.tmp

    Filesize

    4KB

    MD5

    dbfd2f20d5289d5e94f64b4f3762298d

    SHA1

    9e244bd5101aa9e0fe269a9368e2b1674e8ab977

    SHA256

    7b3f3158a346939465ed1e115ac79bc133544b39762bc4f11575f30fcbd60c0e

    SHA512

    50c611bbbdf77058a159db6ab1eddeef3e7d32337fe97efa5d67cbd2e45c2c21399e8c85d318bd684bd23cb0beb56367832663d216edfc6c038d66275905dcc0

  • C:\Program Files\GGM 2.7\Update\X86\Skins\is-BQUOL.tmp

    Filesize

    5KB

    MD5

    91a28c1c0e3dbcac3d92c09148db81ff

    SHA1

    8c5f98eb4bc27e40936df92e460e16781f00415a

    SHA256

    f603491904caf64700afcd9c2ff1c50c57779ff1f8f7ce8e85fc2ffe4072211c

    SHA512

    e0834dc3a1385dfd089cf70b3927eb10cbc4260385db6fc0cc7ac5fdcda46fdeeff11dc495b5f3e457f7e6e24b55a88672dada173519d9dab40434c28277ebfc

  • C:\Program Files\GGM 2.7\Update\X86\Skins\is-BTSGJ.tmp

    Filesize

    4KB

    MD5

    462119c60793ae5905584ee2de079501

    SHA1

    34760cb7a15ae57e1252f3e4f248fd5376950475

    SHA256

    87fa6515c6a284755daca90734c3255e3dbfce361200987c7cf4782b09facd02

    SHA512

    df715c6d5cf7451a98eb9b455593dc0a57e5ab03709bcedaa008863701d4390d1d223562db67a56beb4c89872bc12a5969051335ab49380065d2b37701c0629c

  • C:\Program Files\GGM 2.7\Update\X86\Skins\is-ER2J3.tmp

    Filesize

    2KB

    MD5

    e670e83c063a30d66d5257cf9a8bc1ec

    SHA1

    f72c95ca688c934907282b564353d00b481e0272

    SHA256

    f61b5b0d1f3469a3568b90cf45e54211b44780abe7e93b81f9dfb5f7e0ddff35

    SHA512

    c7a284079fe30475f43d6cde49ecf0ca4263ab2e2e9c6b1ca925519e414b1b3da869cbc0d3a84d2f436ba829cf7bc3ed073488d5af521645a26ee4e34f52fbe2

  • C:\Program Files\GGM 2.7\Update\X86\Skins\is-FJ7R8.tmp

    Filesize

    4KB

    MD5

    bf6b2b65b3b15c6e057f7166f31b46c8

    SHA1

    773905561ebe0bc59268af9ba6f29ec50d4e79a9

    SHA256

    5c0b0d4b9cbad99a9b435dda534af8b34f3cc2444df05289f6a2d2d658130c63

    SHA512

    4a6b8492909e9727e74d477643531f47f7371d478d1eb5121096e12f4b6680015741a6f1c8ed4723716a98797d45f1b57bd12f6b466e765757854ec7a4c8562a

  • C:\Program Files\GGM 2.7\Update\X86\Skins\is-H03A7.tmp

    Filesize

    2KB

    MD5

    7f19cf113c0932fe3d91f3d5413a75db

    SHA1

    dbf36682ab554f0e44b843106820007774a78f14

    SHA256

    290ccaeb6e504b69b8932e91e955be4ad485dda290a1b70327f75b05f620bcbb

    SHA512

    ed43fc4fb89fdf035415a6530751f19e13d7049bb9c31bf85ce16002a49714a34720a22c66c1e0263a8276d1624f02969aec2f199a0558feb95bf426679ed686

  • C:\Program Files\GGM 2.7\Update\X86\Skins\is-HUG50.tmp

    Filesize

    3KB

    MD5

    3c2a81c5da1e6784ae28984455046a15

    SHA1

    24993ddee5bc36b6f92b484ba097e77699b62312

    SHA256

    49f9e25f82cee153ca937d46faf1a0e2ea197a86526f395206f1f2095945dc35

    SHA512

    09cac03a5bb0551ccc678ba74167d54a800b47d22f89d82eae6872046388591caba4ee11ac5eab355e123acc17f50dcae17969cbcb217b0c4d42be87c213e84d

  • C:\Program Files\GGM 2.7\Update\X86\Skins\is-J57VT.tmp

    Filesize

    2KB

    MD5

    cd00dc91a9d2b59beadb632c36ee1bb2

    SHA1

    649456fa9694ca8edeae01dcc08e04f5b5fdd210

    SHA256

    407e493724c7bed9a9e14f410c3755d5d092ffacd019750e8a09023991c9cd3e

    SHA512

    1f731496ec69cdf667efc320781f9ff6ae62698e29a0e436853e2317193eb35151998737599219b4521f6b9e57b5971ce460d9518bd1a5a78f84bc7435f52173

  • C:\Program Files\GGM 2.7\Update\X86\Skins\is-OC81S.tmp

    Filesize

    3KB

    MD5

    04ca173e2663d4d21799e179212e7615

    SHA1

    b751c7f3b4bdcf3c76b70f9d4cf1de48c0f5473b

    SHA256

    05492bba64f8055a64fd4198d719028ed8422f9e871e5e227cc589a3c8e24c22

    SHA512

    72ccdaf8fd5bd4fcce566aac92ecf7e457c4b675f053c0b0dea8db5aeaba650f47443a353aa1fd4f0df5f3ad6399d1cd4463fca61721933975cefea19de9896e

  • C:\Program Files\GGM 2.7\Update\X86\Skins\is-OHDF2.tmp

    Filesize

    3KB

    MD5

    9150d77e67d1f5a63480af7cbfecbfa9

    SHA1

    dbab788739e9f62591af174aacf9b943ed0cf4a2

    SHA256

    2233f17259be63ac68e9d593f34f0000865bd1ab84936330ece313a987c8b5b5

    SHA512

    fb53591e72c88d599cae22a6509adb00a7804a83a43e8ad23d31db235f78bb9edf4a43d72259a276a1e2238c2bbc70bd4a541764821f699824c5bb0bd13d623d

  • C:\Program Files\GGM 2.7\Update\X86\Skins\is-Q151J.tmp

    Filesize

    2KB

    MD5

    c7544958c3e034e23812ba6275cd88e3

    SHA1

    5135f8f40f401d94edcec11aa94bc18e6de7f5a8

    SHA256

    4c66c08386619c891b1c6260dc8d54ea96abc1a2447a7eb6c8d4929f391859f9

    SHA512

    d5436a8b2c3dfe69e3205715b3e2788681c3429ed5b2f11a44361dc3eeb9149cd82141437b1e0ac92bae43abf8a08d69aa55785e1098c6beb4a44245c735c29b

  • C:\Program Files\GGM 2.7\Update\X86\Skins\is-RPPG6.tmp

    Filesize

    3KB

    MD5

    fc58ed5c5d2b4dcc25140025180b8ec8

    SHA1

    851643f5016c47ce7fde73b41967a56ac6dc4492

    SHA256

    f4306f08e07b58783558c18598d0bbf53eeb2ec75a59020ad300bf7fd3755eb9

    SHA512

    54200f1770f34be9936351ae08eb1ced650d28f3c10da6c5d2a70417ce9dc2f07f32ed9de1621f1e99ced226e895a2f7a11a9b6a2ac71dde95a158b5762ff71b

  • C:\Program Files\GGM 2.7\Update\X86\Skins\is-U0LH3.tmp

    Filesize

    3KB

    MD5

    9471ece800b94fa2cd3df3f5074d84d9

    SHA1

    b1063db731dd33e337bbe1c7fdce8a15436c3ccc

    SHA256

    c5561f490753b31e5f3971e8bdef49762f6d8c4ce406598166dc9c03839cf539

    SHA512

    00c03c6fa8c60fd6450916090c8ae254d2417d11176c8c62bf7c991d1d970adfd2b2a067bef75a89a68867aa919827d1b676e4344da10d4565d98fc5c00f8e4e

  • C:\Program Files\GGM 2.7\is-J00AF.tmp

    Filesize

    562B

    MD5

    091a0c5c229d6249b0c93d28f79c84b3

    SHA1

    e3dd8ade178af2bbee1b111a50bbdae15a50e33e

    SHA256

    0f7d21ce187b567b485797a2cfdf15c862ccc52809bbc16ea723d8f05e3e2328

    SHA512

    cfbef13d6aac32182e54543d20866b7e1860098e6df242c23fd2a09218ea23e9d2c95da4f8943c945d7f7ec99738100e9c03f96b5ab8beee5b657170c7c11b92

  • C:\Program Files\GGM 2.7\is-T71A9.tmp

    Filesize

    1KB

    MD5

    07b271cc0d0aa1280238f7a7571e9546

    SHA1

    be5aa138e710b85d05150732d05766ef889cd6ea

    SHA256

    f0918e1369f9c6eb5904e341b4998943b9a203c74da014e4591e9a7f8580d2fe

    SHA512

    33301467b0afe93d86f3b421916ce3bcc5b2b181aae5140628939cfed181f7cb890cbf4c45787d553c0de6222576c47884e51208fec83df888d2f19ee06c3b49

  • C:\Program Files\GGM 2.7\str3.ini

    Filesize

    570B

    MD5

    50bd10d2bc98d2a4d8b51704d6ce3235

    SHA1

    883f5685a29df5c2b99008015a7344636d4aac11

    SHA256

    984913c07cd16ec2a72058cc99b24ecc6d940bb63604696301b8378f0e60d7b1

    SHA512

    60a5754b4cd9e3d924ef22fe77a7fd36aa5b207bb5a2fd162d06aa9ba53a2725d6e73dc69c7ee911039614f9c21350f82f74bd73013a57cf88e95c05ccadd1ce

  • C:\Users\Admin\AppData\Local\Temp\is-H9PBG.tmp\_isetup\_setup64.tmp

    Filesize

    6KB

    MD5

    e4211d6d009757c078a9fac7ff4f03d4

    SHA1

    019cd56ba687d39d12d4b13991c9a42ea6ba03da

    SHA256

    388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

    SHA512

    17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

  • C:\Windows\system32\GmTaskPlan64.xml

    Filesize

    3KB

    MD5

    25dcb5563d1d85e0d8f6b4e8c0a6e09a

    SHA1

    2c2f522eeb71c2fbd8d40e3e8a1103fa52391f78

    SHA256

    163b3e55ec809143e136a9be0a6bdf28ad3b9086bc963edef214447c2f54809b

    SHA512

    664cadb1fd66abc1707428028caaaf0b20f0cf0d3fed807d3924c8a6847edc06ffc40c754d49f1d1a85a6a4d05f388481f2ddf0a83ca78f1f6c653a246964fc4

  • \Program Files (x86)\GGM 2.7\unins000.exe

    Filesize

    1.2MB

    MD5

    b3c18168226c8ee8460ee800532c5bc0

    SHA1

    1b75b8533d6e470091a6e013447a0c6979c29ce5

    SHA256

    cb6ff132e3f4078482d58fc2f62907605ffe9e49d58dadcabb38266cd7a41257

    SHA512

    348490176d3ed0a26b69c265888eca70160f7845a5daeb0de5fcb3f692734f2b1134ee1b9b02cf0d60f684d36cac5cae718ddcd7ab15e9af63836533fc10df33

  • \Program Files\GGM 2.7\GGM 2.7.exe

    Filesize

    1.2MB

    MD5

    d8a15a5f03ea63e239c1671eb4ebc731

    SHA1

    8d995752d5173a8713fdee52b0bc1dcd70fc1e49

    SHA256

    48f62174984264098e4ef8f2c862c11a9cf737476b1e9176c37811948c412d4e

    SHA512

    f279728594d412c8cfcee150c7025e06e2bc7203918443886f210fada8c763aedf214078c39064c0ee6c436cb83f8525b86860bf6756c446bbcfcbc2cdfc9a2c

  • \Users\Admin\AppData\Local\Temp\is-VSOF9.tmp\GGM 2.7-20161025.tmp

    Filesize

    1.1MB

    MD5

    6c80b708448f522beb25e70d98c6c2ed

    SHA1

    4395c9fe22e72d72a50d9b0980a3ce93281b4ab4

    SHA256

    c3c6bf576ee5f1bb7db3ffc5b4f0b3a5490783f823f6ebf1131c4d2cd6516e1c

    SHA512

    e7911d085b8a55018d068c35767226c8b450c77c6787ab55ecbf7e8ecbb806913cbeb09fbd27abe8ff1ec81ff40201e20509348da82a85d734ca6a9cf5e5dbfb

  • memory/2040-0-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2040-2-0x0000000000401000-0x0000000000412000-memory.dmp

    Filesize

    68KB

  • memory/2040-858-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2864-8-0x0000000000400000-0x0000000000530000-memory.dmp

    Filesize

    1.2MB

  • memory/2864-857-0x0000000000400000-0x0000000000530000-memory.dmp

    Filesize

    1.2MB