Overview

overview

10

Static

static

3

gdifuncs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/09/2024, 19:41

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    gdifuncs.exe

  • Size

    5.5MB

  • MD5

    f3811d1e35cea25136e52908349f2ba3

  • SHA1

    c8060ef0a74de26fc17d61f4aa922856a13f902c

  • SHA256

    3a11b4588634a176f193d65fae91c419cd4f530a5181e60e56bcfd29a33f9cb2

  • SHA512

    c51f424f1e367c00fbdae9b49f0446c89ab58f6acadab847ab788fd4a91de89886451a8ea3d7818d22c80c1c99062826b221d5ff74bee1e9e8f25fdb3b7eeb22

  • SSDEEP

    98304:VQz+04D+i4DBz2NHlruSSDllNmd+5z/Le7q2//Le7q2:VQS04D+i4DZmLclKez/Lkq4/Lkq

Score
10/10
discoveryevasionpersistencetrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 3 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\gdifuncs.exe
    "C:\Users\Admin\AppData\Local\Temp\gdifuncs.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Disables RegEdit via registry modification
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:3840

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/3840-0-0x00000000745DE000-0x00000000745DF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3840-1-0x0000000000E10000-0x0000000001398000-memory.dmp

          Filesize

          5.5MB

          Download

        • memory/3840-2-0x0000000006240000-0x00000000067E4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/3840-3-0x0000000005D70000-0x0000000005E02000-memory.dmp

          Filesize

          584KB

          Download

        • memory/3840-4-0x00000000745D0000-0x0000000074D80000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3840-5-0x00000000067F0000-0x00000000067FA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3840-6-0x00000000745D0000-0x0000000074D80000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3840-7-0x00000000745D0000-0x0000000074D80000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3840-8-0x00000000745D0000-0x0000000074D80000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3840-9-0x00000000745D0000-0x0000000074D80000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3840-10-0x00000000745DE000-0x00000000745DF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3840-11-0x00000000745D0000-0x0000000074D80000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3840-12-0x00000000745D0000-0x0000000074D80000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3840-13-0x00000000745D0000-0x0000000074D80000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3840-14-0x00000000745D0000-0x0000000074D80000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3840-15-0x00000000745D0000-0x0000000074D80000-memory.dmp

          Filesize

          7.7MB

          Download