Analysis
- max time kernel: 20s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-11-2024 19:16
Static task: static1

Behavioral task: behavioral1
  Sample: GG(ÖLÜM)GG.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: GG(ÖLÜM)GG.exe
  Resource: win10v2004-20241007-en

Behavioral task: behavioral3
  Sample: ölüm-safety.exe
  Resource: win7-20241010-en

Behavioral task: behavioral4
  Sample: ölüm-safety.exe
  Resource: win10v2004-20241007-en
General
- Target: GG(ÖLÜM)GG.exe
- Size: 283KB
- MD5: 2b1e9226d7e1015552a21faca891ec41
- SHA1: f87fcbe10fa9312048214d4473498ad4f9f331ce
- SHA256: 7163fefbf2f865ef78a2d3d4480532fffb979300d6f0a77b6f3fc5c4b0d2cada
- SHA512: 1852f6d05c9fca962178bc190bc8c90f0ca54ea99714480690f44417e49eee6c392579091ae8a6cd053ec47ad1980dbbbc0db3e0e00520ee1bdbadbf8dc9d69e
- SSDEEP: 3072:HZVUJ58IAelkapH3shY6iEwgaBZP5pHQpYR95WPNpNMl3:nUJ5PzB5ZPPHQpY35WPNpGl3
Malware Config
Signatures
- Disables Task Manager via registry modification

- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: GG(ÖLÜM)GG.exe
    description | ioc | process
    File opened for modification | \??\PhysicalDrive0 | GG(ÖLÜM)GG.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: GG(ÖLÜM)GG.exe, cmd.exe, reg.exe
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GG(ÖLÜM)GG.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
- Modifies registry key (1 TTP, 1 IoC)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: AUDIODG.EXE
    description | pid | process
    Token: 33 | 1484 | AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege | 1484 | AUDIODG.EXE

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: GG(ÖLÜM)GG.exe, cmd.exe
    description | pid | process | target process
    PID 884 wrote to memory of 4032 | 884 | GG(ÖLÜM)GG.exe | cmd.exe
    PID 884 wrote to memory of 4032 | 884 | GG(ÖLÜM)GG.exe | cmd.exe
    PID 884 wrote to memory of 4032 | 884 | GG(ÖLÜM)GG.exe | cmd.exe
    PID 4032 wrote to memory of 1828 | 4032 | cmd.exe | reg.exe
    PID 4032 wrote to memory of 1828 | 4032 | cmd.exe | reg.exe
    PID 4032 wrote to memory of 1828 | 4032 | cmd.exe | reg.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\GG(ÖLÜM)GG.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\GG(ÖLÜM)GG.exe"
  PID: 884
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    PID: 4032
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - [depth 3] C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
      PID: 1828
      - System Location Discovery: System Language Discovery
      - Modifies registry key

- [depth 1] C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x404 0x470
  PID: 1484
  - Suspicious use of AdjustPrivilegeToken