Overview

overview

10

Static

static

10

Gath_Porta...3l.exe

windows7-x64

8

Gath_Porta...3l.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    05-09-2024 07:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Gath_Portable_Setup_29.5.3l.exe

  • Size

    96.1MB

  • MD5

    7f6a6ef2c51ffa3ffd4aa5cac09d74a5

  • SHA1

    984fee23b14fa4e53d9cab8ab0aa289a9c3bb44f

  • SHA256

    534baf68b23474fd41c2320b64ccc61ba0a2cda9cf7539dcaac1cadfb61ddb76

  • SHA512

    12474e2b448555a48c3de61661f91cbe47372b0862684eb0d5c252c8973032c0775bac58c682c494ed6e6e3e51861389c1c904befd6b3bd6417ede87171ff66a

  • SSDEEP

    3145728:qAH2SALB1KcYt3TIQt6syau0o1kYn6LlPNc8cGb:fWSgDYt/8syauz1hn6LMwb

Score
8/10
discovery

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 15 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Gath_Portable_Setup_29.5.3l.exe
    "C:\Users\Admin\AppData\Local\Temp\Gath_Portable_Setup_29.5.3l.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Users\Admin\AppData\Local\DiskMUI\HPSupportSolutionsFramework-13.0.1.131.exe
      C:\Users\Admin\AppData\Local\DiskMUI\HPSupportSolutionsFramework-13.0.1.131.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      PID:776
    • C:\Users\Admin\AppData\Local\DiskMUI\VagrantAudioMaster.exe
      C:\Users\Admin\AppData\Local\DiskMUI\VagrantAudioMaster.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:328
    • C:\Users\Admin\AppData\Local\DiskMUI\VagrantVideoMaster.exe
      C:\Users\Admin\AppData\Local\DiskMUI\VagrantVideoMaster.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2424
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 776
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:1140

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    65712488fa57dc900f91bf69bd3a1fd1

    SHA1

    7811f994bfb5ce7cd0be7152eabceb5c40d36fb0

    SHA256

    6d6a22db7c043a3b64c0443a41305076b6fcbce7f19f756e19dd464dcecd12e2

    SHA512

    f9da66f241ad6990eeb65da353247e24e16539b8654f69877c5e1a46828ca8dd5bc0cc6ac0436beb15f1760683ff0457e788767c089bed26a78776e48b676128

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    b8586c96dd532633007dc6647f2edbba

    SHA1

    b3426191b416d4df608c9b0dbdcbe91c51585f01

    SHA256

    da7e55aeb45d3a6dafc6e21d99423806708ea87369a92fb5310eaaa7df189f9b

    SHA512

    fb0493eb97bb7059e4aeca7b65cb8a0fb6ef9b78cff261e86fe472807e5bc8b8fb63393dce3172230c7886d70f33bcc4fe4092dd9c716177021a5bcf9e1392b6

    Download Submit

  • C:\Users\Admin\AppData\Local\DiskMUI\VagrantVideoMaster.exe
    Filesize

    14.4MB

    MD5

    f566847c970cb7a797c0f800f9536f77

    SHA1

    96c30f95944ea6c5bef6a5116671c947c9f2271b

    SHA256

    603c553d773f94dc2fef76a75cb004a9af4072bccd6fe10513a3a2d147df4c90

    SHA512

    0da9f8ee6bd0fcd53ddbe551f1e0ee8a9d053e7c9501147a097f7b8341290f605a317b7ccbcb7f21a85b08c39f313d0dd56184c8e08650223efa9824c31b5531

    Download Submit

  • C:\Users\Admin\AppData\Local\DiskMUI\mscorrc.dll
    Filesize

    133KB

    MD5

    53e03d5e3bffa02fbc7fb1420ac8e858

    SHA1

    36c44c9ff39815aa167f341c286c5cd1514f771f

    SHA256

    23a433398be5135222ee14bb1de6334e7b22bad1a38664a83f1cf19dfbddd960

    SHA512

    f6aca16b90f6b4efa413dc9a8f1d05e83c1e3791b2cb988f9bce69d5272a0077c1edcae4111a494d166b5e3ab4e25956dead4e93ee1e43417c2b7bb082292170

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab77A0.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar78AC.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nse29A1.tmp\ioSpecial.ini
    Filesize

    1KB

    MD5

    35bff78b1d8848b9a1ad8fc753897cd9

    SHA1

    1f2272eaea97ac9056360054462d4a855050eecb

    SHA256

    50c6eba7626834821f060a1396ffe241594af34e5666c3165e474057214c08d0

    SHA512

    70e89daaa2bbdb056183671ad9863577f8c9a22203396dc3f7a78cc79c974f6b04489b0f238bbce5f806882d13b6995144f64c32fd2fa6848adcf4067866e3f5

    Download Submit

  • \Users\Admin\AppData\Local\DiskMUI\VagrantAudioMaster.exe
    Filesize

    14.7MB

    MD5

    71e4f9174a6070307a8ac51034a91016

    SHA1

    70907c62bcb849f2fbda7bbdd5aadee13aa14b24

    SHA256

    7009adc43f53211e3c185efc90c3673f1797d13da70384df2bcb60e6d4f89887

    SHA512

    e8ac84acdd1971b76c79b3cd7986416be9eed3db883e40ae0a662bb829cd062f0a757cfd1bbba98fcc6e84f2080d3d061d16f9f99e8552b720a79e277f63cc75

    Download Submit

  • \Users\Admin\AppData\Local\DiskMUI\msquic.dll
    Filesize

    476KB

    MD5

    ac3a293aeea9b3c6422bdb818fecb8bd

    SHA1

    a7ae76487acfb08b4900a008d341351e08b3add7

    SHA256

    714803871932e91a6dce57597169e32f3b31507a494e7dd62d08a0a5cd78c622

    SHA512

    aaeb2f55958ffb8ce5cf18645f560bcc1869f70a8dd940a348fb5a9b982e33e8e87c1f90754b19962fe122a51431c5b6dcc859fed54ca2dda7bf227430203137

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nse29A1.tmp\INetC.dll
    Filesize

    25KB

    MD5

    40d7eca32b2f4d29db98715dd45bfac5

    SHA1

    124df3f617f562e46095776454e1c0c7bb791cc7

    SHA256

    85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

    SHA512

    5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nse29A1.tmp\InstallOptions.dll
    Filesize

    15KB

    MD5

    d1eefb07abc2577dfb92eb2e95a975e4

    SHA1

    0584c2b1807bc3bd10d4b60d2d23eeb0e6832ca2

    SHA256

    89dd7d646278d8bfc41d5446bdc348b9a9afaa832abf02c1396272bb7ac7262a

    SHA512

    eaffd9940b1df59e95e2adb79b3b6415fff5bf196ebea5fe625a6c52e552a00b44d985a36a8dd9eb33eba2425ffea4244ed07a75d87284ff51ec9f9a5e1ac65e

    Download Submit

  • memory/776-373-0x0000000006870000-0x0000000006880000-memory.dmp

    Filesize

    64KB

    Download

  • memory/776-397-0x0000000007CF0000-0x0000000007DA0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/776-377-0x00000000079D0000-0x0000000007A70000-memory.dmp

    Filesize

    640KB

    Download

  • memory/776-389-0x0000000007B70000-0x0000000007BA0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/776-369-0x0000000006860000-0x0000000006870000-memory.dmp

    Filesize

    64KB

    Download

  • memory/776-365-0x0000000001340000-0x0000000001350000-memory.dmp

    Filesize

    64KB

    Download

  • memory/776-361-0x0000000007880000-0x0000000007910000-memory.dmp

    Filesize

    576KB

    Download

  • memory/776-357-0x0000000001040000-0x0000000001050000-memory.dmp

    Filesize

    64KB

    Download

  • memory/776-353-0x0000000007200000-0x0000000007880000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/776-381-0x0000000007AA0000-0x0000000007AC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/776-343-0x000000000C190000-0x0000000011B50000-memory.dmp

    Filesize

    89.8MB

    Download

  • memory/776-385-0x0000000007AD0000-0x0000000007AE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/776-393-0x0000000007BF0000-0x0000000007C30000-memory.dmp

    Filesize

    256KB

    Download

  • memory/776-401-0x0000000007DC0000-0x0000000007DE0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/776-340-0x000000000C190000-0x0000000011B50000-memory.dmp

    Filesize

    89.8MB

    Download

  • memory/776-344-0x0000000000B90000-0x0000000000BF0000-memory.dmp

    Filesize

    384KB

    Download

  • memory/776-348-0x0000000000D70000-0x0000000000D80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/776-334-0x00000000063A0000-0x00000000067C0000-memory.dmp

    Filesize

    4.1MB

    Download