Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/01/2025, 14:56

General

  • Target

    The-MALWARE-Repo-master/Email-Worm/Gruel.a.exe

  • Size

    100KB

  • MD5

    b0feccddd78039aed7f1d68dae4d73d3

  • SHA1

    8fcffb3ae7af33b9b83af4c5acbb044f888eeabf

  • SHA256

    5714efd4746f7796bbc52a272f8e354f67edfb50129d5fdaa1396e920956d0d6

  • SHA512

    b02b9476eeb9c43fcfef56949f867c1c88f152d65f3961a2838b8bff02df2383945aefb9a8c517ac78d79b5a9163c7677f5b6238f4624b1966994c9c09eb428d

  • SSDEEP

    1536:ThBfyxwMz14BSSQGRwmkwmGDAzGC6TaPAlbv/g:1BKxwMz14wSQGGUDAATaPAlbv/g

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Modifies system executable filetype association 2 TTPs 5 IoCs

    Consistent with the process tree below, where Gruel.a.exe is re-launched with another executable's path (rundll32.exe, SystemPropertiesComputerName.exe) as its only argument: that is the shape an exefile shell\open\command hijack ("<malware> %1") produces, since every .exe launch is then routed through the malware with the real target passed as its argument.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Modifies registry class 37 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Email-Worm\Gruel.a.exe
    "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Email-Worm\Gruel.a.exe"
    1⤵
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl @1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1008
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe shell32.dll,Control_RunDLL netcpl.cpl
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\system32\RunDll32.exe
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL netcpl.cpl
        3⤵
        PID:552
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,0
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1032
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe shell32.dll,Control_RunDLL main.cpl @0
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1308
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe shell32.dll,Control_RunDLL modem.cpl
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Email-Worm\Gruel.a.exe
        "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Email-Worm\Gruel.a.exe" C:\Windows\system32\rundll32.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4496
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe shell32.dll,Control_RunDLL main.cpl @1
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      PID:4072
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl @1
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1448
      • C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Email-Worm\Gruel.a.exe
        "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Email-Worm\Gruel.a.exe" C:\Windows\System32\SystemPropertiesComputerName.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4080
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,1
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:628
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe shell32.dll,Control_RunDLL timedate.cpl
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1608
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,0
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      PID:1680
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      PID:2100
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    PID:3940
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x504 0x4fc
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5940

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Rundll32.exe

      Filesize

      100KB

      MD5

      b0feccddd78039aed7f1d68dae4d73d3

      SHA1

      8fcffb3ae7af33b9b83af4c5acbb044f888eeabf

      SHA256

      5714efd4746f7796bbc52a272f8e354f67edfb50129d5fdaa1396e920956d0d6

      SHA512

      b02b9476eeb9c43fcfef56949f867c1c88f152d65f3961a2838b8bff02df2383945aefb9a8c517ac78d79b5a9163c7677f5b6238f4624b1966994c9c09eb428d

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

      Filesize

      1KB

      MD5

      655f5f1b4d6cf7ced404bc124fc20add

      SHA1

      04708a29173e559df20960c69a082a3529e63fa1

      SHA256

      b69c725f50c14af634d1ab1665be19bc970a3c14a83f3b255fc5783e2684ed52

      SHA512

      2413a895c4b6d090c4016403338c260bc513dd0cdddec5e5bfd79e2b1fdc367651b243b176e7c40798586e17032e30f870c4ef76349c88d59a6f63729706ce7a

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

      Filesize

      1KB

      MD5

      3f461bdc45071b239c92324337e882c7

      SHA1

      dc313c69551a4f930d6c9646e99f3d835c2d9147

      SHA256

      24e7d9d7267babcfdf758ab58c36f764f8333057fb6e5aa37f2d271a18d1a6e8

      SHA512

      665c03f8d7e67ebc38c2c7a6c6e71ebb3e2673cc6da642da8e5e7f3c9326b3870fbc1dc9a0041d0a5b488bee6af2d9fea47930158014f07790f58c36cadfb40d
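Three observables in this report can be checked mechanically rather than by eye: the executable filetype association change (visible as Gruel.a.exe re-launched with another .exe's path as its argument), the burst of rundll32 shell32.dll,Control_RunDLL children under PID 2128, and the dropped C:\Rundll32.exe carrying the sample's own hashes. The Python below is an added example written for this page, not sandbox output or the worm's code; TREE and DROPPED are constructed from the PIDs, paths and SHA-256 values shown above, and the function names are the example's own.

```python
"""Triage checks over a sandbox process tree and dropped-file list.

Added example for this page; TREE and DROPPED are constructed from the PIDs,
paths and SHA-256 values in the report above (not sandbox output).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    image: str                    # full path of the executed image
    cmdline: str                  # command line as the sandbox recorded it
    parent: Optional[int] = None  # parent PID, None for a root of the tree


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Email-Worm\Gruel.a.exe"
SAMPLE_SHA256 = "5714efd4746f7796bbc52a272f8e354f67edfb50129d5fdaa1396e920956d0d6"
RUNDLL32 = r"C:\Windows\SysWOW64\rundll32.exe"

# Subset of the report's process tree (constructed; PIDs and paths as shown there).
TREE = [
    Proc(2128, SAMPLE, f'"{SAMPLE}"'),
    Proc(2608, RUNDLL32, "rundll32.exe shell32.dll,Control_RunDLL netcpl.cpl", 2128),
    Proc(552, r"C:\Windows\system32\RunDll32.exe",
         r"C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL netcpl.cpl", 2608),
    Proc(1032, RUNDLL32, "rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,0", 2128),
    Proc(2780, RUNDLL32, "rundll32.exe shell32.dll,Control_RunDLL modem.cpl", 2128),
    Proc(4496, SAMPLE, rf'"{SAMPLE}" C:\Windows\system32\rundll32.exe', 2780),
    Proc(1448, RUNDLL32, "rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl @1", 2128),
    Proc(4080, SAMPLE, rf'"{SAMPLE}" C:\Windows\System32\SystemPropertiesComputerName.exe', 1448),
    Proc(3940, r"C:\Windows\explorer.exe",
         r"C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding"),
]

# Dropped files from the report's Downloads list (constructed): path -> SHA-256.
DROPPED = {
    r"C:\Rundll32.exe": SAMPLE_SHA256,
    r"C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme":
        "b69c725f50c14af634d1ab1665be19bc970a3c14a83f3b255fc5783e2684ed52",
}

_ARG = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmd: str) -> list[str]:
    """Windows-style split: a quoted token keeps its spaces, quotes are dropped."""
    return [quoted or bare for quoted, bare in _ARG.findall(cmd)]


def exefile_hijack_candidates(tree: list[Proc]) -> list[tuple[int, str]]:
    """Processes whose first argument is the path of a different .exe.

    That shape is what an exefile\\shell\\open\\command value of "<malware> %1"
    produces: every program launch is routed through the malware, which receives
    the real target as argv[1]. An IFEO debugger gives the same shape, so treat
    hits as candidates and confirm against the registry on the host.
    """
    hits = []
    for p in tree:
        argv = split_cmdline(p.cmdline)
        if (len(argv) >= 2 and argv[1].lower().endswith(".exe")
                and argv[1].lower() != p.image.lower()):
            hits.append((p.pid, argv[1]))
    return hits


def control_panel_applets(tree: list[Proc], parent_pid: int) -> set[str]:
    """Applets one parent opened via rundll32 shell32.dll,Control_RunDLL.

    A non-shell process opening many applets this way is the Control Panel
    tampering pattern seen under PID 2128 in the report.
    """
    applets: set[str] = set()
    for p in tree:
        if p.parent != parent_pid:
            continue
        argv = split_cmdline(p.cmdline)
        if len(argv) >= 3 and argv[1].lower() == "shell32.dll,control_rundll":
            applets.add(argv[2].split(",")[0].lower())   # "mmsys.cpl,,0" -> mmsys.cpl
    return applets


def self_copies(dropped: dict[str, str], sample_sha256: str) -> list[str]:
    """Dropped files byte-identical to the sample (same SHA-256).

    The report shows one at C:\\Rundll32.exe: the worm re-creating itself under
    a system binary's name in a location where no such binary belongs.
    """
    return [path for path, digest in dropped.items() if digest == sample_sha256]


if __name__ == "__main__":
    print("exefile hijack candidates:", exefile_hijack_candidates(TREE))
    print("applets opened by 2128:", sorted(control_panel_applets(TREE, 2128)))
    print("self-copies:", self_copies(DROPPED, SAMPLE_SHA256))
```

On a live host the hijack candidates are confirmed, not inferred: read the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command (it should be "%1" %*, nothing more) and the Run keys under HKCU and HKLM\Software\Microsoft\Windows\CurrentVersion, and hash any C:\Rundll32.exe against the SHA-256 above. Legitimate launchers (debuggers, installers registered under Image File Execution Options) produce the same argv shape, which is why the first check reports candidates rather than verdicts.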