Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-12-2024 06:46
Behavioral task: behavioral1
Sample: 4962575a2378d5c72e7a836ea766e2ad.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 4962575a2378d5c72e7a836ea766e2ad.exe
Resource: win10v2004-20241007-en
General
Target: 4962575a2378d5c72e7a836ea766e2ad.exe
Size: 431KB
MD5: 4962575a2378d5c72e7a836ea766e2ad
SHA1: 549964178b12017622d3cbdda6dbfdef0904e7e2
SHA256: eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676
SHA512: 911a59f7a6785dd09a57dcd6d977b8abd5e160bd613786e871a1e92377c9e6f3b85fe3037431754bbdb1212e153776efca5fadac1de6b2ad474253da176e8e53
SSDEEP: 12288:JOKJim5EI9tVEw/JF4+D3q2IMbgiDK7mWasB:Jj9tL8ZMEiDfWb
Malware Config
Signatures
Blocklisted process makes network request (8 IoCs)
flow  pid   Process
25    5100  rundll32.exe
27    5100  rundll32.exe
28    2812  rundll32.exe
29    2812  rundll32.exe
44    2776  rundll32.exe
45    2776  rundll32.exe
46    924   rundll32.exe
47    924   rundll32.exe
Downloads MZ/PE file
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                   Process
Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation  4962575a2378d5c72e7a836ea766e2ad.exe
Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation  Gxtuum.exe
Executes dropped EXE (3 IoCs)
pid   Process
5064  Gxtuum.exe
1944  Gxtuum.exe
1384  Gxtuum.exe
Loads dropped DLL (6 IoCs)
pid   Process
2100  rundll32.exe
5100  rundll32.exe
2232  rundll32.exe
2812  rundll32.exe
2776  rundll32.exe
924   rundll32.exe
Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Unsecured Credentials: Credentials In Files (1 TTP)
Steal credentials from unsecured files.
Drops file in Windows directory (1 IoC)
description   ioc                          Process
File created  C:\Windows\Tasks\Gxtuum.job  4962575a2378d5c72e7a836ea766e2ad.exe
Command and Scripting Interpreter: PowerShell (2 IoCs)
pid   Process
1316  powershell.exe
3152  powershell.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTP, 6 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description           ioc                                         Process
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Gxtuum.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4962575a2378d5c72e7a836ea766e2ad.exe
System Network Configuration Discovery: Wi-Fi Discovery (1 TTP, 2 IoCs)
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid   Process
2916  netsh.exe
2464  netsh.exe
Suspicious behavior: EnumeratesProcesses (28 IoCs)
pid   Process         count
5100  rundll32.exe    12
1316  powershell.exe  2
2812  rundll32.exe    12
3152  powershell.exe  2
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1316  powershell.exe
Token: SeDebugPrivilege  3152  powershell.exe
Suspicious use of WriteProcessMemory (27 IoCs)
description                       pid   Process                               procid_target  count
PID 4968 wrote to memory of 5064  4968  4962575a2378d5c72e7a836ea766e2ad.exe  82             3
PID 5064 wrote to memory of 2100  5064  Gxtuum.exe                            90             3
PID 2100 wrote to memory of 5100  2100  rundll32.exe                          91             2
PID 5100 wrote to memory of 2916  5100  rundll32.exe                          92             2
PID 5100 wrote to memory of 1316  5100  rundll32.exe                          94             2
PID 5064 wrote to memory of 2232  5064  Gxtuum.exe                            96             3
PID 2232 wrote to memory of 2812  2232  rundll32.exe                          97             2
PID 2812 wrote to memory of 2464  2812  rundll32.exe                          98             2
PID 2812 wrote to memory of 3152  2812  rundll32.exe                          100            2
PID 5064 wrote to memory of 2776  5064  Gxtuum.exe                            104            3
PID 5064 wrote to memory of 924   5064  Gxtuum.exe                            105            3
Processes
[1] C:\Users\Admin\AppData\Local\Temp\4962575a2378d5c72e7a836ea766e2ad.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4962575a2378d5c72e7a836ea766e2ad.exe"
    - Checks computer location settings
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4968
  [2] C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 5064
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2100
      [4] C:\Windows\system32\rundll32.exe
          Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
          - Blocklisted process makes network request
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          PID: 5100
        [5] C:\Windows\system32\netsh.exe
            Command line: netsh wlan show profiles
            - Event Triggered Execution: Netsh Helper DLL
            - System Network Configuration Discovery: Wi-Fi Discovery
            PID: 2916
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\050598569159_Desktop.zip' -CompressionLevel Optimal
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1316
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2232
      [4] C:\Windows\system32\rundll32.exe
          Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
          - Blocklisted process makes network request
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          PID: 2812
        [5] C:\Windows\system32\netsh.exe
            Command line: netsh wlan show profiles
            - Event Triggered Execution: Netsh Helper DLL
            - System Network Configuration Discovery: Wi-Fi Discovery
            PID: 2464
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\050598569159_Desktop.zip' -CompressionLevel Optimal
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3152
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
        - Blocklisted process makes network request
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        PID: 2776
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
        - Blocklisted process makes network request
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        PID: 924
[1] C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
    - Executes dropped EXE
    PID: 1944
[1] C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
    - Executes dropped EXE
    PID: 1384
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (4)
  - Credentials In Files (3)
  - Credentials in Registry (1)
Downloads