Tasks (score per task)
- Overview (overview): score 10
- Static (static): score 10
- The-MALWAR...ot.exe (windows7-x64): score 10
- The-MALWAR...ot.exe (windows10-2004-x64): score 10
- The-MALWAR...ll.exe (windows7-x64): score 10
- The-MALWAR...ll.exe (windows10-2004-x64): score 10
- The-MALWAR...BS.exe (windows7-x64): score 10
- The-MALWAR...BS.exe (windows10-2004-x64): score 10
- The-MALWAR...in.exe (windows7-x64): score 7
- The-MALWAR...in.exe (windows10-2004-x64): score 7
- The-MALWAR....A.exe (windows7-x64): score 7
- The-MALWAR....A.exe (windows10-2004-x64): score 7
- The-MALWAR....A.exe (windows7-x64): score 10
- The-MALWAR....A.exe (windows10-2004-x64): score 10
- The-MALWAR...us.exe (windows7-x64): score 6
- The-MALWAR...us.exe (windows10-2004-x64): score 6
- The-MALWAR....a.exe (windows7-x64): score 3
- The-MALWAR....a.exe (windows10-2004-x64): score 3
- The-MALWAR....a.exe (windows7-x64): score 7
- The-MALWAR....a.exe (windows10-2004-x64): score 7
- The-MALWAR...ok.exe (windows7-x64): score 10
- The-MALWAR...ok.exe (windows10-2004-x64): score 1
- The-MALWAR...ft.exe (windows7-x64): score 4
- The-MALWAR...ft.exe (windows10-2004-x64): score 4
- The-MALWAR...en.exe (windows7-x64): score 6
- The-MALWAR...en.exe (windows10-2004-x64): score 6
- The-MALWAR...min.js (windows7-x64): score 3
- The-MALWAR...min.js (windows10-2004-x64): score 3
- The-MALWAR...ul.exe (windows7-x64): score 1
- The-MALWAR...ul.exe (windows10-2004-x64): score 3
- The-MALWAR....a.exe (windows7-x64): score 8
- The-MALWAR....a.exe (windows10-2004-x64): score 7
- The-MALWAR...99.exe (windows7-x64): score 5
- The-MALWAR...99.exe (windows10-2004-x64): score 5

Analysis
- max time kernel: 148s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/01/2025, 14:56
Static task
- static1

Behavioral tasks (task: sample, resource)
- behavioral1: The-MALWARE-Repo-master/Banking-Malware/DanaBot.exe, win7-20241010-en
- behavioral2: The-MALWARE-Repo-master/Banking-Malware/DanaBot.exe, win10v2004-20241007-en
- behavioral3: The-MALWARE-Repo-master/Banking-Malware/Dridex/Dridex.JhiSharp.dll.exe, win7-20241010-en
- behavioral4: The-MALWARE-Repo-master/Banking-Malware/Dridex/Dridex.JhiSharp.dll.exe, win10v2004-20241007-en
- behavioral5: The-MALWARE-Repo-master/Banking-Malware/Dridex/DridexDroppedVBS.exe, win7-20240903-en
- behavioral6: The-MALWARE-Repo-master/Banking-Malware/Dridex/DridexDroppedVBS.exe, win10v2004-20241007-en
- behavioral7: The-MALWARE-Repo-master/Banking-Malware/Dridex/DridexLoader.bin.exe, win7-20241010-en
- behavioral8: The-MALWARE-Repo-master/Banking-Malware/Dridex/DridexLoader.bin.exe, win10v2004-20241007-en
- behavioral9: The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.exe, win7-20240708-en
- behavioral10: The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.exe, win10v2004-20241007-en
- behavioral11: The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.exe, win7-20240903-en
- behavioral12: The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.exe, win10v2004-20241007-en
- behavioral13: The-MALWARE-Repo-master/Email-Worm/Amus.exe, win7-20240903-en
- behavioral14: The-MALWARE-Repo-master/Email-Worm/Amus.exe, win10v2004-20241007-en
- behavioral15: The-MALWARE-Repo-master/Email-Worm/Anap.a.exe, win7-20240903-en
- behavioral16: The-MALWARE-Repo-master/Email-Worm/Anap.a.exe, win10v2004-20241007-en
- behavioral17: The-MALWARE-Repo-master/Email-Worm/Axam.a.exe, win7-20241010-en
- behavioral18: The-MALWARE-Repo-master/Email-Worm/Axam.a.exe, win10v2004-20241007-en
- behavioral19: The-MALWARE-Repo-master/Email-Worm/Brontok.exe, win7-20240903-en
- behavioral20: The-MALWARE-Repo-master/Email-Worm/Brontok.exe, win10v2004-20241007-en
- behavioral21: The-MALWARE-Repo-master/Email-Worm/Bugsoft.exe, win7-20240903-en
- behavioral22: The-MALWARE-Repo-master/Email-Worm/Bugsoft.exe, win10v2004-20241007-en
- behavioral23: The-MALWARE-Repo-master/Email-Worm/Duksten.exe, win7-20240729-en
- behavioral24: The-MALWARE-Repo-master/Email-Worm/Duksten.exe, win10v2004-20241007-en
- behavioral25: The-MALWARE-Repo-master/Email-Worm/Emin.js, win7-20240903-en
- behavioral26: The-MALWARE-Repo-master/Email-Worm/Emin.js, win10v2004-20241007-en
- behavioral27: The-MALWARE-Repo-master/Email-Worm/Funsoul.exe, win7-20240903-en
- behavioral28: The-MALWARE-Repo-master/Email-Worm/Funsoul.exe, win10v2004-20241007-en
- behavioral29: The-MALWARE-Repo-master/Email-Worm/Gruel.a.exe, win7-20240903-en
- behavioral30: The-MALWARE-Repo-master/Email-Worm/Gruel.a.exe, win10v2004-20241007-en
- behavioral31: The-MALWARE-Repo-master/Email-Worm/Happy99.exe, win7-20240903-en
- behavioral32: The-MALWARE-Repo-master/Email-Worm/Happy99.exe, win10v2004-20241007-en
General
- Target: The-MALWARE-Repo-master/Email-Worm/Gruel.a.exe
- Size: 100KB
- MD5: b0feccddd78039aed7f1d68dae4d73d3
- SHA1: 8fcffb3ae7af33b9b83af4c5acbb044f888eeabf
- SHA256: 5714efd4746f7796bbc52a272f8e354f67edfb50129d5fdaa1396e920956d0d6
- SHA512: b02b9476eeb9c43fcfef56949f867c1c88f152d65f3961a2838b8bff02df2383945aefb9a8c517ac78d79b5a9163c7677f5b6238f4624b1966994c9c09eb428d
- SSDEEP: 1536:ThBfyxwMz14BSSQGRwmkwmGDAzGC6TaPAlbv/g:1BKxwMz14wSQGGUDAATaPAlbv/g
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | rundll32.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | rundll32.exe
Modifies system executable filetype association (2 TTPs, 5 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1" | Gruel.a.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1" | Gruel.a.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1" | Gruel.a.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1" | Gruel.a.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1" | Gruel.a.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MediaPath = "C:\\Rundll32.exe" | Gruel.a.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Rundll32 = "C:\\Rundll32.exe" | Gruel.a.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnceEX\DevicePath = "C:\\Rundll32.exe" | Gruel.a.exe
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\D: | Gruel.a.exe
Drops file in Windows directory (1 IoC)
description | ioc | Process
- File created | C:\windows\Program Files\Kazaa\My Shared Folder\Norton 2003 Pro.exe | Gruel.a.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 14 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe (11 entries)
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gruel.a.exe (3 entries)
Modifies Control Panel (6 IoCs)
description | ioc | Process
- Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop | rundll32.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\Pattern Upgrade = "TRUE" | rundll32.exe
- Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop | rundll32.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\CursorBlinkRate = "530" | rundll32.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Keyboard\KeyboardSpeed = "31" | rundll32.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Keyboard\KeyboardDelay = "1" | rundll32.exe
Modifies Internet Explorer settings
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Privacy rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\ContinuousBrowsing\Enabled = "0" rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\ContinuousBrowsing rundll32.exe Key created 
\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "kIlLeRgUaTe 1.03, I mAke ThIs vIrUs BeCaUsE I dOn'T hAvE NoThInG tO dO!!" Gruel.a.exe Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Privacy\ClearBrowsingHistoryOnExit = "0" rundll32.exe -
Modifies Internet Explorer start page (1 TTP, 1 IoC)
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "about:NewsFeed" | rundll32.exe
Modifies registry class (37 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InfoTip = "kIlLeRgUaTe 1.03" | Gruel.a.exe
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellFolder\Attributes = 00000000 | Gruel.a.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1" | Gruel.a.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe,0" | Gruel.a.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1" | Gruel.a.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | Gruel.a.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellEx\PropertySheetHandlers\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB} | Gruel.a.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InProcServer32\ = "Shell32.dll" | Gruel.a.exe
- Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | rundll32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellFolder | Gruel.a.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InProcServer32\ThreadingModel = "Apartment" | Gruel.a.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InProcServer32 | Gruel.a.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open | Gruel.a.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe,0" | Gruel.a.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1" | Gruel.a.exe
- Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1" | Gruel.a.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htafile\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1" | Gruel.a.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe,0" | Gruel.a.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB} | Gruel.a.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open\Command | Gruel.a.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | Gruel.a.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell | Gruel.a.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1" | Gruel.a.exe
- Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | rundll32.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\DefaultIcon | Gruel.a.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellEx | Gruel.a.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellEx\PropertySheetHandlers | Gruel.a.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ = "kIlLeRgUaTe 1.03" | Gruel.a.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1" | Gruel.a.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1" | Gruel.a.exe
- Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
- Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | rundll32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1" | Gruel.a.exe
- Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
- 3940 | explorer.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
- Token: 33 | 5940 | AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege | 5940 | AUDIODG.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
- 3940 | explorer.exe
- 2128 | Gruel.a.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
- 2128 | Gruel.a.exe
- 4496 | Gruel.a.exe
- 4080 | Gruel.a.exe

Suspicious use of WriteProcessMemory (41 IoCs)
description | pid | Process | procid_target
- PID 2128 wrote to memory of 1008 | 2128 | Gruel.a.exe | 85 (3 entries)
- PID 2128 wrote to memory of 2608 | 2128 | Gruel.a.exe | 86 (3 entries)
- PID 2608 wrote to memory of 552 | 2608 | rundll32.exe | 87 (2 entries)
- PID 2128 wrote to memory of 1032 | 2128 | Gruel.a.exe | 88 (3 entries)
- PID 2128 wrote to memory of 1308 | 2128 | Gruel.a.exe | 89 (3 entries)
- PID 2128 wrote to memory of 2780 | 2128 | Gruel.a.exe | 90 (3 entries)
- PID 2128 wrote to memory of 4072 | 2128 | Gruel.a.exe | 91 (3 entries)
- PID 2128 wrote to memory of 1448 | 2128 | Gruel.a.exe | 93 (3 entries)
- PID 2780 wrote to memory of 4496 | 2780 | rundll32.exe | 94 (3 entries)
- PID 2128 wrote to memory of 628 | 2128 | Gruel.a.exe | 97 (3 entries)
- PID 1448 wrote to memory of 4080 | 1448 | rundll32.exe | 98 (3 entries)
- PID 2128 wrote to memory of 1608 | 2128 | Gruel.a.exe | 99 (3 entries)
- PID 2128 wrote to memory of 1680 | 2128 | Gruel.a.exe | 100 (3 entries)
- PID 2128 wrote to memory of 2100 | 2128 | Gruel.a.exe | 102 (3 entries)
Processes (tree; nesting shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Email-Worm\Gruel.a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Email-Worm\Gruel.a.exe"
  PID: 2128
  Signatures: Modifies system executable filetype association; Adds Run key to start application; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Modifies registry class; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl @1
    PID: 1008
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe shell32.dll,Control_RunDLL netcpl.cpl
    PID: 2608
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\RunDll32.exe
      Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL netcpl.cpl
      PID: 552
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,0
    PID: 1032
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe shell32.dll,Control_RunDLL main.cpl @0
    PID: 1308
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe shell32.dll,Control_RunDLL modem.cpl
    PID: 2780
    Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Email-Worm\Gruel.a.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Email-Worm\Gruel.a.exe" C:\Windows\system32\rundll32.exe
      PID: 4496
      Signatures: System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe shell32.dll,Control_RunDLL main.cpl @1
    PID: 4072
    Signatures: System Location Discovery: System Language Discovery; Modifies Control Panel
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl @1
    PID: 1448
    Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Email-Worm\Gruel.a.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Email-Worm\Gruel.a.exe" C:\Windows\System32\SystemPropertiesComputerName.exe
      PID: 4080
      Signatures: System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,1
    PID: 628
    Signatures: System Location Discovery: System Language Discovery; Modifies registry class
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe shell32.dll,Control_RunDLL timedate.cpl
    PID: 1608
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,0
    PID: 1680
    Signatures: System Location Discovery: System Language Discovery; Modifies Control Panel
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0
    PID: 2100
    Signatures: System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Modifies Internet Explorer start page
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
  PID: 3940
  Signatures: Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: AddClipboardFormatListener; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x504 0x4fc
  PID: 5940
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Downloads
- Filesize: 100KB
  MD5: b0feccddd78039aed7f1d68dae4d73d3
  SHA1: 8fcffb3ae7af33b9b83af4c5acbb044f888eeabf
  SHA256: 5714efd4746f7796bbc52a272f8e354f67edfb50129d5fdaa1396e920956d0d6
  SHA512: b02b9476eeb9c43fcfef56949f867c1c88f152d65f3961a2838b8bff02df2383945aefb9a8c517ac78d79b5a9163c7677f5b6238f4624b1966994c9c09eb428d
- Filesize: 1KB
  MD5: 655f5f1b4d6cf7ced404bc124fc20add
  SHA1: 04708a29173e559df20960c69a082a3529e63fa1
  SHA256: b69c725f50c14af634d1ab1665be19bc970a3c14a83f3b255fc5783e2684ed52
  SHA512: 2413a895c4b6d090c4016403338c260bc513dd0cdddec5e5bfd79e2b1fdc367651b243b176e7c40798586e17032e30f870c4ef76349c88d59a6f63729706ce7a
- Filesize: 1KB
  MD5: 3f461bdc45071b239c92324337e882c7
  SHA1: dc313c69551a4f930d6c9646e99f3d835c2d9147
  SHA256: 24e7d9d7267babcfdf758ab58c36f764f8333057fb6e5aa37f2d271a18d1a6e8
  SHA512: 665c03f8d7e67ebc38c2c7a6c6e71ebb3e2673cc6da642da8e5e7f3c9326b3870fbc1dc9a0041d0a5b488bee6af2d9fea47930158014f07790f58c36cadfb40d