Resubmissions
03/10/2024, 12:59
241003-p8gvca1gme 603/10/2024, 12:56
241003-p6hc4a1glb 603/10/2024, 12:53
241003-p4xp1a1gjh 603/10/2024, 12:52
241003-p4h7ls1gje 103/10/2024, 12:46
241003-pz17maxhkm 6Analysis
-
max time kernel
77s -
max time network
80s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
03/10/2024, 12:46
General
-
Target
GazeRecorder1.9.2.msi
-
Size
19.5MB
-
MD5
3e0e430226b9781f0a71356d6b6b8d78
-
SHA1
cdfc7317daca37e7e0ad6b6091d9284cd6b18dea
-
SHA256
42c1db18694a798a9248ac6b771fcf7701c6a38a70bd2efbe93828abd896305d
-
SHA512
4655e4a764ac56a49d45b876bd6717aea18fbea4741b649fa441721937fef23c67e4bc3d2067497c9a91bfb9f0004b06d8473e56fd78656b2e343092f3f5971a
-
SSDEEP
393216:kQcxyvHncyhhFuQYHfWCzFBhHLP532F7WRGz74ehIbLsTHDPBZW9XJAEUNovd:rcEvpHYxxHchDz0SYLsjDPG9/
Malware Config
Signatures
-
Drops desktop.ini file(s) 2 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 57 IoCs
-
Drops file in Windows directory 17 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 39 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\GazeRecorder1.9.2.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9BBB95F39B4EA4CF121A9C77617A2D64 C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 04CC1DCC3351E7C143598D2A89C8B0F92⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
-
C:\Program Files (x86)\GazeRecorder\GazeRecorder\GazeRecorderdfddddf.exe"C:\Program Files (x86)\GazeRecorder\GazeRecorder\GazeRecorderdfddddf.exe"1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m2qwvj1d.cmdline"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2651.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2650.tmp"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\438e2a617afe463692967ba4d43f3d16 /t 800 /p 35641⤵
-
C:\Program Files (x86)\GazeRecorder\GazeRecorder\GazeRecorderdfddddf.exe"C:\Program Files (x86)\GazeRecorder\GazeRecorder\GazeRecorderdfddddf.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1vimreud.cmdline"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FD6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9FD5.tmp"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\e4667a6cf64b4eaa88748e4af08182d6 /t 868 /p 25641⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
25KB
MD573a873f8884cc7dce84c66de91f8ae5c
SHA1353462d72fa277db1f6aaefcaa10f5b85d7ac9cc
SHA2563d5aacc41cc4feb721338a29e8f2decc5650d64cf431970c06c046a24cf2e45d
SHA5128aaf89b836b1dc3314c4d7c1523e19ecfaa488cbeb23c15d82776814702c7b7c8b74ac064c6c778f90f0b84f4541d784d5ba5563ad235ae7ce1febd1139dbba4
-
Filesize
1.2MB
MD54bd587cf0a24fe2705f48ec6ad4d91db
SHA17c4a8b8c5c8934759491881ec231f2224ed06265
SHA2568bc00bb1459fa4b41ee10d560d8dd29d344741a6a129043985f8f9ab2d6785f3
SHA5121aa3080fd863364dd82086b878edfd405807d8fbf395fef08029615b5e4575d7851b1e0a2bf3767b53e81ece134c9a6cce80e5a8658760e498759e279ca4eca6
-
Filesize
239KB
MD586f2b2e2dd19cf831513850a8af9b9de
SHA12a90065b75c3b853f1d7078e68674d24fdfe8801
SHA2569eff7f397a9d9e967f99e5684234c16491203f48fc3d767e9f01a654bf83ccb2
SHA512ac0855637e060fb4256e5c246e85358063032fb32bb475e8cb00e19aafb016d3702be800a11ec60bbadf4576880ba5238bd8b9c08f2925983bb7b4784a94003e
-
Filesize
54B
MD5827b8a7951b7e0aff0f18a169d2ac3b4
SHA1338a2410f05bd45b67e7aaa797a4aacb5583db39
SHA2569715f7b8d4b37c1de0753c834ba3d77602815b047c003ec66880a34386d03ca6
SHA512594dc5a445872b9a35e63f21e72f57f2c251d7f8686a2c7b71f8ed5169e3799005b713bbc8995987156035651bde0019ebd2acfdc683499409c315e125d38c9b
-
Filesize
899KB
MD5cf69c9f3d54ee3b2a1a80b2f372d1730
SHA1ff1e98bc128548ad3c225fb9e2f744ef57d60255
SHA256e219c79eb93096c93b61b3c438a003be7535943085dc05d674080f1b687d45ce
SHA512e8cb57dfe0479c89ca10ef75503df93040085b9d1772e4bb5514ac91c4b3d5b2154b65b30836abb4c02e7c7ffa289d8827b30e1fb7ab8a0308becaff4aefb2df
-
Filesize
117B
MD5d0089718b62f6e9d91154acae007699c
SHA16b7168ae1fa2fa7cf268e36ba4678aed2b9dbb5d
SHA25683233e66d0f47f016ac44626c179f9006bdb15c22586ee737278a281a8e0a503
SHA512a498eb1505894ce30f8a518432b41c85275defccdb339fea6c0a5425fdd00583da16e3524a175292615929d5bc6ec9eba20b2c9e363a575bdb2763ac2a7cea6b
-
Filesize
72KB
MD539f100b7dbff19f66da4c1538609e895
SHA1f29ee29a3880cbb30506106320709e0b5c577f89
SHA2562004b0f5680daf19df9cc77ae91f673963acf03182efddf675d76b9e2b5fbe09
SHA5123e715925ef1e1fc8f334a3deeaa350b6ab612f4d28f34a40f2a64c66b90e7205c5e4e09ad6a53a1769d4bacd6daf9b39cd72750b3798c4814506e9c0721eec2d
-
Filesize
322B
MD5c07c16a6b26dae261f6dd7f71d518a60
SHA16b28d59c6c8e8cc899d8df87a937d92a51dece56
SHA2567ddf730c56d0677a78f342b68e1e09172f845e6e1bdcfe6499b6649201e5f937
SHA51283de6133aab0943cab8487c32e84a865eecb93b25390fd62c57c8d94456a6efc26543f480d21e086efd34681d8501bf51e9533e1bba3f267f84a7ff49a8867a5
-
Filesize
3KB
MD521ce2d494785d4a9ba686ac0d9ca8889
SHA1480e9afef7079111be41595957fa94829b4d6772
SHA256350025b738ae04af11d976acd543745bc14e0b8682a1ae61add9c73bbc039fa5
SHA5127c88c5fe1d34a1a7b3fdba042050e777baa9174d4af1eca22e409b94a885e2d7c725fe8b96f37715a71c6bdf4af372644892f895fe5a1d11bdce30e7658d6d0c
-
Filesize
1KB
MD50e07a06c3e8444ac835774be6241cb51
SHA1220306a1863f5afb49610c9a3759b9116500095f
SHA2568010ae8b6b0e470b3483638d62a33d0cfb1ce8b1bc64fc087033dfcadb10e8eb
SHA5120e00155923230f7c2c5b820684aa1b2fd009b657e5d1c36f99245fddb31de79996df759573306dc2a06210c464fb2a94c82c6db99c858e832c1f62df36a478d7
-
Filesize
768KB
MD536068ea146ac14666058f3e4c3216a65
SHA1e569bdb88266cd4dad65417b832965c9e924a0d1
SHA2568cf1c9fd0310471c5406c6ef5f6738a7f4b8292e57f022ed23cbdd790e1e965a
SHA51257fb881187593e6746ec9451badfbb425b63c31fafa4b7852a58c4ce514d1e1f230b08f505570463a8bca2c8996946089f02af7dc10836cf7736754ecc858e14
-
Filesize
2.0MB
MD553ffc4c9e1606d4d8fa049d549651104
SHA170e3391efd38e137311bfd900360b94266d35dd4
SHA256af2f66ee7c753d237154fde0ef393481ce8594bcc2119d05930862e691a89cb6
SHA5121167878d5379dd434c0199432458e77966fa20e08422eea863c903a86882544735fcae5a0dcb99aca1befe200c4859615cd9f120f8847b1a0bffb3960aee06df
-
Filesize
701KB
MD58e351ee79205a497c5338e2522689eae
SHA1e34c89c1083f17d33a40a1ea04c40fd6e739fb7a
SHA256b2eaff76386dc8be5bb1abfda757cf0d8a5c75ec6f8bd0c82318167dac0c3274
SHA51222594fc910485a26dea022f90732cc250b690812229bf829c5a22fc0e1454d36a360c6166b9597b65f1afd53aba7f4594d8fe9f435583363bad25e8466252329
-
Filesize
477KB
MD533f8185d818139cdd47e823d82ce2ae8
SHA1812ebb69356be9cd40d66e739cea53c7b7132a1e
SHA2563365314de76adf2a09a5f24abf5662c7cf5e683371c2378b096aad77af615bfd
SHA5127456a5fe15fc19b29c3c4debbccc7d547d170e7bad8c502e4c9947c9d6dddc89686434d36991b6fd56cf078e9e361f746dd68489f7328b22f1ead63cd8d70651
-
Filesize
2.0MB
MD5fe034abedb912c83136ee03c6b7f3228
SHA14f28357c7b53ba2e1c5348b603de0c2cd0890428
SHA256600f5cd773b9ea340358f42c770bdaf3000570d35eddc3e260203b01115e8646
SHA5129e8b7df7238f3cd26f36a457c148581dcf3deace1c247c37aa1d5639ca6fa4de3c0e069f4c6e688b16e17bc684cd4b3054bf2cdb6ebc418ffcf5e12cd732feb1
-
Filesize
1.8MB
MD522ea6173cee9b8e95994a31dd9f2601d
SHA118c6967b806059f4e4939848506c4312f441e29c
SHA25600047008cd596aeeba177adb8a207609f9be9d1eaa883a666459c0d132dbabfb
SHA512c3bef7b88ba8a7562ffe0d6f1ea44f22410e9c9ae70c6d13cd89c88c9cd168caa8f2298f354957d6e74811623e13e4b2abdfacee9e07e5e9e1031e8e5b1b3838
-
Filesize
642KB
MD57278869cb30a2ded4d28be19dab225f7
SHA1ca0e3952e4ce7531bd573cde04b225514b5a5ebe
SHA25654177bbee9d2ccc4afa9c6d89ad10323f509bd4e9814480a7a33feac1c989e25
SHA512fdd0b261ce5ef5c67ed0bb008ee295d62cfc9164f6741063dfc906369ca321835891c0a19d1dfaedc44d65b89abc202c877b4aa039c110aebd20642900b93337
-
Filesize
357KB
MD59f9332b8f31e20781e4cfb6ca3d4b518
SHA1820d929847a131a53f7077f7d663de4b17190633
SHA256ad2198911a4522fb2bf80c0df2ab061ac59c9bb89d15fc30aa975327b76befb2
SHA512b0c5c8dd47c033b1b23e8240b51017361eb6a6fe4c73f7f5f61b8620d44f904d4bd9b292021663c373479fbd9b1d9f63a4a33c2a93eef70e63e1b514ff38f783
-
Filesize
1KB
MD57fb5fa1534dcf77f2125b2403b30a0ee
SHA1365d96812a69ac0a4611ea4b70a3f306576cc3ea
SHA25633a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f
SHA512a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e
-
Filesize
436B
MD5971c514f84bba0785f80aa1c23edfd79
SHA1732acea710a87530c6b08ecdf32a110d254a54c8
SHA256f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA51243dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58
-
Filesize
174B
MD53824db8cba23d8e47761080c8ad5cd5c
SHA123c4effcf2a4c85d84344ce1f0508796044563c3
SHA25662d9a123332b6176cf4daa12736ed3492854fcbf894bf09e463db81baba58923
SHA5121b54cf18051b43faaccbdb0fbe80fbf0dce65b23634d82c256160ed479d76bbcd62aa777e34dfd2d5b22aafb06f80974add8a11b8447c23408aa0393bcac6708
-
Filesize
170B
MD598a828cb0e52d53e438e68cd0c2a00a6
SHA1f7967a8abb1cbfd2b1e11de409e4cc7701f4409c
SHA2563739a69f95125679b9812b5b63787c762da6aeea6497583d982ac6d2cdbe88b5
SHA512bfb1c7e23e69cba98dcfbc0ff2425b912a62337bc513c124fe436fa4947ea9368ad85b02ab563bf9f4d0ffcbefbc0501097453dc3dcaf77d2542555e709c0fc5
-
Filesize
315B
MD52f113dbdafdd6ae7b33ae2a99b21a4f0
SHA1c98de59de307a845925cf8507962141afdae969d
SHA2569046f78b82b01b20d03394786db1a2e8e4d1c2a15af52ce925c9d5a2072b2a69
SHA512d7bd6036197602f3ecc3e689c83f1c5844909279f605bb306bd4ea7c26397933a2236417efe65c500ab0d2068f92d0d16fa08060dc4d40171c90d50827f6b72c
-
Filesize
251B
MD55a691ac8421ca1c89289ab584e6c9170
SHA1569919b91c8ad2778191ff5d52da6126e9d99b04
SHA256cb760240e081da8e9a4c0d4930f330a2fdf5cdd0b08cf0cbb644a66d9aa26c0a
SHA51225c9e9ae6bbda88089b6f78da1d3dd03fd3e949c28d5ecfd9c321099039792183f38218d1174815961d557bb0e0a4f3bf376fc5be9c7e48d97ffa7427a342e92
-
Filesize
6B
MD5735b7aa55a14c0d07ce6f1526d7f4df0
SHA19dfa7a993fd31f56d476b30b75d0dcefc9973169
SHA2566af380b7b870a8a71defa84137d5e001dbcc8d9c6c09bbb79622098ae356d055
SHA51230e90632a86bc6c3eea8109063cb1b2dc813054bd00a5aa20e03dccfb07da5ac587bdbafefb8ec09bea648faab2b7a3fd24d159a52e2a90d49c5a0f4d5219ccd
-
Filesize
3KB
MD58e3d8ad3d3e32188981de1836199ceb5
SHA1d93d1203c2d83a0c7214ba552c62052a42eca7a6
SHA256e8af194a6255ca7c40a1a7f4419e0432b75d004344984774147566ce97ae9d60
SHA512da4580229cf074e6b22bd729909592ac25638dd0247b5e83e5c3ce5264d2a968afc1d7123fa11aa8c9e0d01521e6fcacdb16e0bc11e67f7fc2f023ae088f892c
-
Filesize
231KB
MD55494165b1384faeefdd3d5133df92f5a
SHA1b7b82805f1a726c4eee39152d1a6a59031d7798c
SHA256ba0ad3a4d2112b269e379a2231128e7ebe23e95d5d04878d6ee8815e657bb055
SHA512ecd5012df2a060fa58664e856a84716f162d3420e7a7a1368612451ec65f2dcd674c7031d780a6c9d357700f6baeb31325748bc29270850ee4070079f15be613
-
Filesize
1KB
MD55e2752a2bbd3da9f12caa27b4151d9e3
SHA1b6a7b833a8a50e6e0c399c31d6d22af31610c468
SHA256e20f4916f745e989346a1ba910f89ecab8cab95e9ef31ef6d17e8a2cb487383b
SHA512b4fe67892667a70b259656b83016d4d259047c4d4dbae92d58db2e1aaddf3ab13faa810a0295cc1ccde68fd0bd1a331829655df330a9dfffa408cbfabab17dcb
-
Filesize
8KB
MD500accf06a60f20f00533ded5e71a27ec
SHA186e84fae745d684d40b3195cd076dce6551e4b07
SHA25612f3b27e5470b1fc723065c87220414b88dde8ad9e3cb7a2d4bbb019273cdc9f
SHA512c79d7f79bd57e92e7d197a714ce753aba73932a49cf75ac71129f6e28b6921b2e35f79c07264226f14de7a26e4ded01461c64ef5ba65684c51a20c7ccbfa8032
-
Filesize
19.5MB
MD53e0e430226b9781f0a71356d6b6b8d78
SHA1cdfc7317daca37e7e0ad6b6091d9284cd6b18dea
SHA25642c1db18694a798a9248ac6b771fcf7701c6a38a70bd2efbe93828abd896305d
SHA5124655e4a764ac56a49d45b876bd6717aea18fbea4741b649fa441721937fef23c67e4bc3d2067497c9a91bfb9f0004b06d8473e56fd78656b2e343092f3f5971a
-
Filesize
12.8MB
MD5e2c28ea58426b903dfd9deda695b93d4
SHA1f1bbad4f43834edb7e5df33d68bf0f2a8e0ef87d
SHA256a5f4f299ad5ca4c40c42a4a53cce358dd08b9f26d67d3f9733e1b005046e754a
SHA512328f351de34b23ec2efcd5e64a06815dbdbfe400798eaff184a5856dc47535d785695b83cfd56593dc6bee3001d8c2aeeee790d68b8f70b5fd2b664168fb3879
-
Filesize
6KB
MD521c1c8403a21bdec93bbd11aaa725aa4
SHA16edead3faa73673ab909c60b7f105e2a8a637976
SHA256bc548354eeb68b57764c6d45bf0db1dc99edde0ba6efbaca56d1e2a5f24267ad
SHA5125160b80b4d0061b50a3319665bfe27e23587e73e2eb242b384d2819ff54e9bd5d47a14db171194e88af2947a5b22795adee68a856a57fcbeead32bbb4bbe81aa
-
Filesize
652B
MD5b79b9b254640db4c86d077db2f67cbee
SHA1887acca7ad1c6c1cff3a789ed1cddc2caf25078c
SHA25659c57da6cb824587e7da7acf8f9cdb110426f2dae464889da9fd2a113b58cdfc
SHA5120371c1733125ef77024ffb537edb431c9c368f16ce08e62c12814973653c786b6d1d928c0323d897bc4405a18e16df0cb958a584c053ba2a7f6906bfd0b384d1
-
Filesize
10KB
MD5746d24216504d6ff4e7ab4a8e3d1faa2
SHA143b29b62d031065867ccf840ed39a1359ca34e93
SHA25618aa2e150811632d4d96adb64e146388812bd7e225b5396a356696bce86ee8ff
SHA512030ed080197e4fcd90ede6a140b4c10a6d02db562967ad354884fc05e089109d8c515834879454d25a4045ed64f343291b6d8a98961248cba51544e64559eee3
-
Filesize
412B
MD5ed5f79c78432c0c3e30f1f79bbcb20ac
SHA12140910bcdd3445497f0c95e7a3bede9176cbae5
SHA256b51cad9f8fda25641137b0ad0d060f5f87027f02a70ef42755c98ffe23716afb
SHA51287837be140608ec316dc7de168f0d09b67ae693c3e2570b5069225a05c802e1d57d13307b7a5f3a06e4167df6e88b628da7e3335e36a5feedbc838d1bd01de41