Analysis

  • max time kernel
    149s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240729-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    29/08/2024, 01:35

General

  • Target

    GP Design INV20230103 $68,320.exe

  • Size

    1.2MB

  • MD5

    2bb48ec5bbd40bea3425ea962ce1f7dd

  • SHA1

    9358995c3e5710879f5636977fa06733cfda8dc1

  • SHA256

    5a20cda7ba803803fff6f58ffa694f2f2cedf6eebf1cb97fb87570f219018f13

  • SHA512

    248aa52f7be43fb735e92a77836fb004af641a023726306c969f6856bfe49109370bfd99c2e0a683a3d8061c8cfab7ffa3f261c1e42f32246d9cf44c0eaad77c

  • SSDEEP

    24576:aqDEvCTbMWu7rQYlBQcBiT6rprG8aLDPCPZORBnaS3s7r1:aTvC/MTQYxsWR7aLD6hy134r

Score
3/10

Malware Config

Signatures

  • System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location (ATT&CK T1614.001). One IoC per process in the tree below, so all 27 re-launches performed the check.

  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
    "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
      "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
        "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2856
        • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
          "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2748
          • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
            "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2968
            • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
              "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:2680
              • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
                "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:2924
                • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
                  "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of WriteProcessMemory
                  PID:2472
                  • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
                    "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
                    9⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:2964
                    • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
                      "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
                      10⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:2820
                      • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
                        "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
                        11⤵
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:2320
                        • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
                          "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
                          12⤵
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:1016
                          • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
                            "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
                            13⤵
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:2328
                            • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
                              "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
                              14⤵
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of WriteProcessMemory
                              PID:2400
                              • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
                                "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
                                15⤵
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of WriteProcessMemory
                                PID:2296
                                • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
                                  "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
                                  16⤵
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of WriteProcessMemory
                                  PID:912
                                  • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
                                    "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
                                    17⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:1280
                                    • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
                                      "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
                                      18⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:2080
                                      • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
                                        "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
                                        19⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:1864
                                        • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
                                          "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
                                          20⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:2564
                                          • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
                                            "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
                                            21⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:2976
                                            • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
                                              "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
                                              22⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:2764
                                              • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
                                                "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
                                                23⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:2908
                                                • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
                                                  24⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2312
                                                  • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
                                                    25⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:624
                                                    • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
                                                      26⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:2492
                                                      • C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"
                                                        27⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:2388
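The tree above is the same 1.2MB executable re-launching itself 27 levels deep, with the first 16 levels also flagged for WriteProcessMemory. The report does not say what those writes target, so the only thing that can be read off it with confidence is the chain itself, and chain depth is a cheap, robust detection for this loader pattern. The following is an added example, not tooling from the sandbox or from this report: it models the tree as Sysmon-style process-creation events, using the PIDs exactly as listed above, and flags any process whose own image is re-spawned more than a few levels deep. The parent PID of level 1 (`launcher_pid`) is an assumption, since the report does not give it.

```python
"""Added example: detect a process that re-launches its own image in a deep chain.

Models the process tree from the report as Sysmon-style process-creation
events and measures how many levels deep the same image spawns itself.
"""
from collections import defaultdict
from dataclasses import dataclass
import ntpath

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\GP Design INV20230103 $68,320.exe"

# PIDs exactly as the report lists them (level 1 .. 27); each is the child of the previous one.
REPORT_CHAIN = [
    3036, 2516, 2856, 2748, 2968, 2680, 2924, 2472, 2964, 2820, 2320, 1016, 2328,
    2400, 2296, 912, 1280, 2080, 1864, 2564, 2976, 2764, 2908, 2312, 624, 2492, 2388,
]


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    ppid: int
    image: str


def events_from_report(chain=REPORT_CHAIN, image=IMAGE, launcher_pid=1000):
    """Build constructed events from the report's PID chain.

    launcher_pid is an assumed parent for level 1 (the sandbox launcher);
    the report does not give it.
    """
    events, ppid = [], launcher_pid
    for pid in chain:
        events.append(ProcessCreate(pid, ppid, image))
        ppid = pid
    return events


def _same_image(a, b):
    # Windows paths are case-insensitive; normalise before comparing.
    return ntpath.normcase(a) == ntpath.normcase(b)


def self_spawn_chains(events):
    """For each process that was not spawned by its own image, return the longest
    chain of descendants that keep re-launching that image (PIDs, root first)."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    def longest_from(e):
        best = [e.pid]
        for c in children[e.pid]:
            if _same_image(c.image, e.image):
                cand = [e.pid] + longest_from(c)
                if len(cand) > len(best):
                    best = cand
        return best

    roots = [e for e in events
             if e.ppid not in by_pid or not _same_image(by_pid[e.ppid].image, e.image)]
    return [longest_from(r) for r in roots]


def flag_self_spawn(events, min_depth=3):
    """Chains at or above min_depth levels. A depth of 27, as in this report, is
    far past anything a legitimate updater or elevation re-launch produces."""
    return [c for c in self_spawn_chains(events) if len(c) >= min_depth]


if __name__ == "__main__":
    for chain in flag_self_spawn(events_from_report()):
        print(f"self-spawn chain: {len(chain)} levels, {chain[0]} -> {chain[-1]}")
```

On real telemetry, feed Sysmon Event ID 1 (ProcessId, ParentProcessId, Image) into `ProcessCreate` and keep `min_depth` low; the three-level default is enough to catch this sample while leaving the two-level self-relaunch that installers and UAC prompts produce unflagged.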

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Milburt

    Filesize

    350KB

    MD5

    110ee5357ef1f0aa0ffd1f30e54fa3d4

    SHA1

    7ca6dcf0d1cf780ddeae2c77e6904daf95598ce3

    SHA256

    5e05cef383eca353e2243f268a40e61cc1dc2736134c29aad08954042e459eab

    SHA512

    5deb85b915422792bc3278379ac7eaaaea2821f938af280a71a366a4ec9417115bc75a1d173bae8cecb3a27c181714514d68853383926628b25123a34b52529e

  • C:\Users\Admin\AppData\Local\Temp\aut5F11.tmp

    Filesize

    198KB

    MD5

    931989abeb84bc29ca37042173c7fc55

    SHA1

    b5ac9f09d03b001841f53532f0761955a1a8c74b

    SHA256

    1232a3b384e12c03c8f4bb0634915833dc1ac8a74d226a2fc4a70699080e1e70

    SHA512

    96cefb4fba7baa1dbcc211d5237cc89a95cb4b6e134a8f9f052aa45d1a6ade3748f73edc6f127f2fed9672f765983667938d9dda8a3093e179e9d20a04dd8aba

  • C:\Users\Admin\AppData\Local\Temp\aut5F12.tmp

    Filesize

    42KB

    MD5

    14e8218f0232a67910d105e250a33630

    SHA1

    46a84d562f9d882e9114a1ab5556be80b4b862a7

    SHA256

    be834dadc3518703b5dd79fa4df46256377e078c0831cffe6255a778658953e4

    SHA512

    2b8370ef89f631c53d97b20e86a85204f62bd92dd7b404698f1dc99765ce40d7564269aa704c09b022c2bf580afa9ecb3bf6d76d6d7170f0cad2800dcf9b440f

  • C:\Users\Admin\AppData\Local\Temp\misrun

    Filesize

    84KB

    MD5

    ac115a40d989dab0f13d60333eb0f4ee

    SHA1

    3876e57e0a47557c7cbd44e8cf58e6f9c8aaa53e

    SHA256

    7f18ce1e7f8e4d38a0cd7b6963e623517f38a38b89d73b2b1edb89c2dd55efe9

    SHA512

    ef55ea6995d3f938f1e2216274c3990a09aee7390682c8c16175027179acf0da5df976bb99b61c4961e10baaf469d9030b9e5ef9eb8e7e74118d3e9015461992

  • memory/3036-11-0x00000000001E0000-0x00000000001E4000-memory.dmp

    Filesize

    16KB
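The Downloads section lists four files written to the user's Temp directory (Milburt, aut5F11.tmp, aut5F12.tmp, misrun) plus one memory dump. The `aut####.tmp` names are the pattern compiled AutoIt scripts use for files extracted with FileInstall; that is an inference from the names, not something the report states. The following is an added example, not part of the report: it sweeps a directory for these artefacts, matching conclusively on the SHA-256 values transcribed from the report and, as a weaker lead, on the `aut####.tmp` name shape, since the hex suffix changes from run to run and a hash-only sweep would miss a fresh extraction. The sample files it creates are constructed stand-ins, not the real droppings.

```python
"""Added example: sweep a directory for the dropped files the report lists.

Matches on SHA-256 (byte-identical copies only) and on the aut####.tmp name
pattern, which compiled AutoIt scripts use for files extracted via FileInstall.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 values transcribed from the report's Downloads section.
REPORT_IOCS = {
    "5e05cef383eca353e2243f268a40e61cc1dc2736134c29aad08954042e459eab": "Milburt",
    "1232a3b384e12c03c8f4bb0634915833dc1ac8a74d226a2fc4a70699080e1e70": "aut5F11.tmp",
    "be834dadc3518703b5dd79fa4df46256377e078c0831cffe6255a778658953e4": "aut5F12.tmp",
    "7f18ce1e7f8e4d38a0cd7b6963e623517f38a38b89d73b2b1edb89c2dd55efe9": "misrun",
}

# The hex suffix changes every run, so only the shape of the name is stable.
AUTOIT_TMP = re.compile(r"^aut[0-9A-F]{4}\.tmp$", re.IGNORECASE)


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def sweep(directory, iocs=REPORT_IOCS):
    """Return (path, reason) for each file matching a known hash or the name pattern.

    A hash hit is conclusive; a name-only hit is a lead that needs the file inspected.
    """
    hits = []
    for p in sorted(Path(directory).rglob("*")):
        if not p.is_file():
            continue
        digest = sha256_of(p)
        if digest in iocs:
            hits.append((str(p), f"sha256 match: {iocs[digest]}"))
        elif AUTOIT_TMP.match(p.name):
            hits.append((str(p), "AutoIt-style temp name, hash unknown"))
    return hits


def make_demo_dir():
    """Create a throwaway directory of constructed stand-in files (not the real samples)."""
    root = Path(tempfile.mkdtemp(prefix="ioc_sweep_"))
    (root / "dropped.bin").write_bytes(b"constructed stand-in for a dropped file")
    (root / "aut5F11.tmp").write_bytes(b"constructed stand-in with an AutoIt-style name")
    (root / "notes.txt").write_bytes(b"benign file, should not match")
    return root


if __name__ == "__main__":
    root = make_demo_dir()
    # Register the constructed file's hash so the demo produces a hash hit as well.
    demo_iocs = dict(REPORT_IOCS, **{sha256_of(root / "dropped.bin"): "dropped.bin (constructed)"})
    for path, reason in sweep(root, demo_iocs):
        print(f"{reason:40s} {path}")
```

Point `sweep()` at `%LOCALAPPDATA%\Temp` on a suspect host. Only the hash hits identify this sample; name-pattern hits also fire on legitimate AutoIt-built software, so treat them as triage candidates rather than verdicts.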