3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe
Size

208KB
MD5

53e48d35baa6602c78be92c1b6746f10
SHA1

5edfa4ea46bb0b1eca7203aaeea78d8bc224fd7a
SHA256

3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5
SHA512

ed941e573b7ce84811767ca69f670b10dfad26338885d581ce3e31de671d028bec10a3e3bfb2695e8ea9958b7eb32a58e1ebb64fab2d70f58bb75de6bbf8125b
SSDEEP

3072:P/gPWDqdQqW569iBKgccmSYqtpEG6w7o4NLthEjQT6c:36Qq469iYvc7YKuGEQEj+

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2836	GJS.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\GJS.exe	3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe
File opened for modification	C:\windows\GJS.exe	3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe
File created	C:\windows\GJS.exe.bat	3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GJS.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2408	3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe
2836	GJS.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2408	3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe
2408	3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe
2836	GJS.exe
2836	GJS.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2980	2408	3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe	28
PID 2408 wrote to memory of 2980	2408	3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe	28
PID 2408 wrote to memory of 2980	2408	3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe	28
PID 2408 wrote to memory of 2980	2408	3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe	28
PID 2980 wrote to memory of 2836	2980	cmd.exe	30
PID 2980 wrote to memory of 2836	2980	cmd.exe	30
PID 2980 wrote to memory of 2836	2980	cmd.exe	30
PID 2980 wrote to memory of 2836	2980	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe
"C:\Users\Admin\AppData\Local\Temp\3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\GJS.exe.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\windows\GJS.exe
    C:\windows\GJS.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\GJS.exe.bat

Filesize
52B

MD5
576836d5ba5069e8d6464fec906a5edb

SHA1
08340ad9722e14bd768ad7a71ac5ba584c52a0e7

SHA256
7405c031b4e9e947f3d89b738e56dfbf6e21d65c9fa9476037d0c6f171da6fe5

SHA512
ec65a1aa99fc2608511e31cc404b4a6160ced98c8c3d4ce0f68c3e545ca9a79c7cb0e6ac9d832c2deed58e9d06107c9474abce987761ca3220e3df8e766e72ce

Download Submit
C:\windows\GJS.exe

Filesize
208KB

MD5
d9be5c5cb74b8d84197e750a1f0b0f21

SHA1
a2e4304a71ecf7edb773b7e75a104b9d3dc3976a

SHA256
5381f190b137b261243da2c4552941959d1ccaa3010dfcd568c96a79bcd9af46

SHA512
2c57b991dd983ef360839f566933838b4fb94c3adb4aa01938aca99b80def67c0c3277a28499b1e2ec3124b53235953b38a7671e68dca9b914c40c66cf977c11

Download Submit
memory/2408-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2408-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2836-18-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2980-17-0x0000000000110000-0x0000000000148000-memory.dmp

Filesize
224KB

Download
memory/2980-15-0x0000000000110000-0x0000000000148000-memory.dmp

Filesize
224KB

Download