b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1

Analysis

max time kernel
149s
max time network
162s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
04-01-2025 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The-MALWARE-Repo-master/Email-Worm/Gruel.a.exe
Size

100KB
MD5

b0feccddd78039aed7f1d68dae4d73d3
SHA1

8fcffb3ae7af33b9b83af4c5acbb044f888eeabf
SHA256

5714efd4746f7796bbc52a272f8e354f67edfb50129d5fdaa1396e920956d0d6
SHA512

b02b9476eeb9c43fcfef56949f867c1c88f152d65f3961a2838b8bff02df2383945aefb9a8c517ac78d79b5a9163c7677f5b6238f4624b1966994c9c09eb428d
SSDEEP

1536:ThBfyxwMz14BSSQGRwmkwmGDAzGC6TaPAlbv/g:1BKxwMz14wSQGGUDAATaPAlbv/g

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	rundll32.exe

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MediaPath = "C:\\Rundll32.exe"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Rundll32 = "C:\\Rundll32.exe"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnceEX\DevicePath = "C:\\Rundll32.exe"	Gruel.a.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	Gruel.a.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\windows\Program Files\Kazaa\My Shared Folder\Norton 2003 Pro.exe	Gruel.a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gruel.a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gruel.a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gruel.a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies Control Panel 6 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\Keyboard\KeyboardDelay = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\Desktop	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\Desktop\Pattern Upgrade = "TRUE"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\Desktop	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\Desktop\CursorBlinkRate = "530"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\Keyboard\KeyboardSpeed = "31"	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Software\Microsoft\Internet Explorer\Privacy	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Internet Explorer\Privacy\ClearBrowsingHistoryOnExit = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Software\Microsoft\Internet Explorer\ContinuousBrowsing	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Internet Explorer\ContinuousBrowsing\Enabled = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "kIlLeRgUaTe 1.03, I mAke ThIs vIrUs BeCaUsE I dOn'T hAvE NoThInG tO dO!!"	Gruel.a.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "about:NewsFeed"	rundll32.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InProcServer32	Gruel.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	Gruel.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	Gruel.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open	Gruel.a.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ = "kIlLeRgUaTe 1.03"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellFolder	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe,0"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InProcServer32\ = "Shell32.dll"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InProcServer32\ThreadingModel = "Apartment"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellFolder\Attributes = 00000000	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htafile\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellEx	Gruel.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellEx\PropertySheetHandlers	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\DefaultIcon	Gruel.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open\Command	Gruel.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell	Gruel.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellEx\PropertySheetHandlers\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InfoTip = "kIlLeRgUaTe 1.03"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe,0"	Gruel.a.exe
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe,0"	Gruel.a.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
844	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1940	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1940	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4412	Gruel.a.exe
844	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4412	Gruel.a.exe
3168	Gruel.a.exe
2432	Gruel.a.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 4616	4412	Gruel.a.exe	86
PID 4412 wrote to memory of 4616	4412	Gruel.a.exe	86
PID 4412 wrote to memory of 4616	4412	Gruel.a.exe	86
PID 4412 wrote to memory of 4196	4412	Gruel.a.exe	87
PID 4412 wrote to memory of 4196	4412	Gruel.a.exe	87
PID 4412 wrote to memory of 4196	4412	Gruel.a.exe	87
PID 4196 wrote to memory of 4864	4196	rundll32.exe	88
PID 4196 wrote to memory of 4864	4196	rundll32.exe	88
PID 4412 wrote to memory of 1108	4412	Gruel.a.exe	89
PID 4412 wrote to memory of 1108	4412	Gruel.a.exe	89
PID 4412 wrote to memory of 1108	4412	Gruel.a.exe	89
PID 4412 wrote to memory of 4788	4412	Gruel.a.exe	90
PID 4412 wrote to memory of 4788	4412	Gruel.a.exe	90
PID 4412 wrote to memory of 4788	4412	Gruel.a.exe	90
PID 4412 wrote to memory of 1232	4412	Gruel.a.exe	91
PID 4412 wrote to memory of 1232	4412	Gruel.a.exe	91
PID 4412 wrote to memory of 1232	4412	Gruel.a.exe	91
PID 4412 wrote to memory of 4704	4412	Gruel.a.exe	92
PID 4412 wrote to memory of 4704	4412	Gruel.a.exe	92
PID 4412 wrote to memory of 4704	4412	Gruel.a.exe	92
PID 1232 wrote to memory of 3168	1232	rundll32.exe	93
PID 1232 wrote to memory of 3168	1232	rundll32.exe	93
PID 1232 wrote to memory of 3168	1232	rundll32.exe	93
PID 4412 wrote to memory of 4904	4412	Gruel.a.exe	95
PID 4412 wrote to memory of 4904	4412	Gruel.a.exe	95
PID 4412 wrote to memory of 4904	4412	Gruel.a.exe	95
PID 4412 wrote to memory of 5040	4412	Gruel.a.exe	96
PID 4412 wrote to memory of 5040	4412	Gruel.a.exe	96
PID 4412 wrote to memory of 5040	4412	Gruel.a.exe	96
PID 4904 wrote to memory of 2432	4904	rundll32.exe	97
PID 4904 wrote to memory of 2432	4904	rundll32.exe	97
PID 4904 wrote to memory of 2432	4904	rundll32.exe	97
PID 4412 wrote to memory of 1996	4412	Gruel.a.exe	98
PID 4412 wrote to memory of 1996	4412	Gruel.a.exe	98
PID 4412 wrote to memory of 1996	4412	Gruel.a.exe	98
PID 4412 wrote to memory of 1212	4412	Gruel.a.exe	99
PID 4412 wrote to memory of 1212	4412	Gruel.a.exe	99
PID 4412 wrote to memory of 1212	4412	Gruel.a.exe	99
PID 4412 wrote to memory of 2440	4412	Gruel.a.exe	100
PID 4412 wrote to memory of 2440	4412	Gruel.a.exe	100
PID 4412 wrote to memory of 2440	4412	Gruel.a.exe	100

C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Email-Worm\Gruel.a.exe
"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Email-Worm\Gruel.a.exe"
1⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl @1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4616
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe shell32.dll,Control_RunDLL netcpl.cpl
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Windows\system32\RunDll32.exe
    C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL netcpl.cpl
    3⤵
    PID:4864
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,0
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1108
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe shell32.dll,Control_RunDLL main.cpl @0
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4788
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe shell32.dll,Control_RunDLL modem.cpl
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Email-Worm\Gruel.a.exe
    "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Email-Worm\Gruel.a.exe" C:\Windows\system32\rundll32.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:3168
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe shell32.dll,Control_RunDLL main.cpl @1
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  PID:4704
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl @1
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Email-Worm\Gruel.a.exe
    "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Email-Worm\Gruel.a.exe" C:\Windows\System32\SystemPropertiesComputerName.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:2432
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,1
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:5040
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe shell32.dll,Control_RunDLL timedate.cpl
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1996
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,0
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  PID:1212
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:2440

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
PID:844

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408 0x304
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Rundll32.exe

Filesize
100KB

MD5
b0feccddd78039aed7f1d68dae4d73d3

SHA1
8fcffb3ae7af33b9b83af4c5acbb044f888eeabf

SHA256
5714efd4746f7796bbc52a272f8e354f67edfb50129d5fdaa1396e920956d0d6

SHA512
b02b9476eeb9c43fcfef56949f867c1c88f152d65f3961a2838b8bff02df2383945aefb9a8c517ac78d79b5a9163c7677f5b6238f4624b1966994c9c09eb428d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
e9ebee0ddbddbb9bbad21a707a08f2b2

SHA1
92b2f08f1ed5ff8ab87ad1bbb05e85e8776e1183

SHA256
8fffc79b161ef27a8a0a871f110c358a284425f4f5319836abbf48fe4cbbedba

SHA512
3c688c8d443b274f2b19df394116651164e77e78e0e972bb5385308f76197ac2ba073f58d145230fbce5fcc1a0571233f462b35a022976154428d6373155f7bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
2b067e6304acacbff7da6acd7f2d1b22

SHA1
885e5a34e1a522712db0b5beaa041eec1efc4917

SHA256
dd34a41516eaab2900e44f8b559ecf768c4ad09275ec534d97871b0e55923010

SHA512
4dd4d53dcbc00ac1f6fb9219710619b04f2441c2be276a557fc0cbed2a94f6fc25c3002ece16775ac7be36d3c7b6e4a0f2efe911b3a3bd061283053c8508e32e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads