Analysis
-
max time kernel
18s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
29-10-2024 17:38
General
-
Target
gta6.exe
-
Size
55KB
-
MD5
aaff8d22681e8bdee3c3ba55007f673f
-
SHA1
aa94b52ee5290629165387bb0e7bdf3600e7a073
-
SHA256
512b5deba1f1990f43876c48e0d8767f102cb7a0a949c6c9c6e079676bcd72eb
-
SHA512
7e097d80b931aaa992b47f76c01eaa7e13c95fcc9d62d0b899216e0309563f32a6b0cb609e4540d81f8a4d3590f7fa277c124d2d6430f9409cf8f5c43f15792a
-
SSDEEP
1536:T4dJooh0Wa0aer344Jw/ytUqVS5EkIijQ1fTNs2:T4dzVTaer344JzthRZijQ1Js
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Manipulates Digital Signatures 1 TTPs 64 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Possible privilege escalation attempt 20 IoCs
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Modifies file permissions 1 TTPs 20 IoCs
-
Modifies system executable filetype association 2 TTPs 45 IoCs
-
Installs/modifies Browser Helper Object 2 TTPs 5 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 64 IoCs
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\gta6.exe"C:\Users\Admin\AppData\Local\Temp\gta6.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FED8.tmp\FEE9.tmp\FEEA.bat C:\Users\Admin\AppData\Local\Temp\gta6.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\fsutil.exefsutil dirty query C:3⤵
-
C:\Windows\System32\takeown.exetakeown /f C:\Windows\System32\hal.dll /r /d y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\icacls.exeicacls C:\Windows\System32\hal.dll /grant everyone:F /t3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\takeown.exetakeown /f C:\Windows\System32\winload.exe /r /d y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\icacls.exeicacls C:\Windows\System32\winload.exe /grant everyone:F /t3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\takeown.exetakeown /f C:\Windows\System32\winresume.exe /r /d y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\icacls.exeicacls C:\Windows\System32\winresume.exe /grant everyone:F /t3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\takeown.exetakeown /f C:\Windows\System32\winlogon.exe /r /d y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\icacls.exeicacls C:\Windows\System32\winlogon.exe /grant everyone:F /t3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\takeown.exetakeown /f C:\Windows\System32\wininit.exe /r /d y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\icacls.exeicacls C:\Windows\System32\wininit.exe /grant everyone:F /t3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\takeown.exetakeown /f C:\Windows\System32\ntoskrnl.exe /r /d y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\icacls.exeicacls C:\Windows\System32\ntoskrnl.exe /grant everyone:F /t3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\takeown.exetakeown /f C:\Windows\System32\regedit.exe /r /d y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\icacls.exeicacls C:\Windows\System32\regedit.exe /grant everyone:F /t3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\takeown.exetakeown /f C:\Windows\System32\taskmgr.exe /r /d y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\icacls.exeicacls C:\Windows\System32\taskmgr.exe /grant everyone:F /t3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\takeown.exetakeown /f C:\Windows\System32\consent.exe /r /d y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\icacls.exeicacls C:\Windows\System32\consent.exe /grant everyone:F /t3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\takeown.exetakeown /f C:\Windows\System32\drivers /r /d y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\icacls.exeicacls C:\Windows\System32\drivers /grant everyone:F /t3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\reg.exereg delete HKLM /f3⤵
- Boot or Logon Autostart Execution: Active Setup
- Manipulates Digital Signatures
- Modifies system executable filetype association
- Installs/modifies Browser Helper Object
- Event Triggered Execution: Netsh Helper DLL
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Active Setup
1Browser Extensions
1Event Triggered Execution
3Change Default File Association
1Component Object Model Hijacking
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Active Setup
1Event Triggered Execution
3Change Default File Association
1Component Object Model Hijacking
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5786dba0c5b6539cf40382e1d6a31941e
SHA123dd0dfdbb1a2584744979a146346726b9577d9c
SHA2560d539203223fb2a353189c36748edbad1c33ade0158f72c3ca4b14dec0aafcdb
SHA5127ea197c07aeb76b22fcf813d779a708680d98dc68e0117c46d637d88952ef686a87e329fcec21b8d0d43860f3481611bfab104e7390906486882890d57d3e4c3
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB