11fcfb85b14ada095946bcfc39a3a3ef96a72fee8bdfa673ed7500e9e83c3648

Analysis

max time kernel
23s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
28/03/2025, 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gs10050w64.exe
Size

61.7MB
MD5

80fe17dcfba9e0600e99a8051c56ac35
SHA1

ba97604b19fde8f41abba892aa79264d3f94cd24
SHA256

11fcfb85b14ada095946bcfc39a3a3ef96a72fee8bdfa673ed7500e9e83c3648
SHA512

4756b4bf2647695f65d6088528f04202907112e577110543497bc2e6494d121db1dde511edb08cd701b00acd34008cf60b5ae01d17686ba99056c4ff888fb446
SSDEEP

1572864:u3Hpzd+rhCAwwnhe3G9duoAo5fxEv1d7YpMXY7xSCfrFvvUYE:uZpoCAhnyGDUmf+78pK6gCfrRMYE

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\gs\gs10.05.0\doc\src\Fonts.rst	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\Resource\CMap\GBTpc-EUC-V	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\Resource\CMap\Identity-H	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\doc\src\Psfiles.rst	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\doc\src\_static\ghostscript-white-plus-text.png	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\lib\gsnup.ps	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\lib\stcolor.ps	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\Resource\CMap\KSC-H	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\Resource\CMap\UniJIS-UCS2-HW-V	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\doc\src\ZUGFeRD.rst	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\lib\ghostpdf.README	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\lib\gssetgs32.bat	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\Resource\CMap\EUC-V	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\Resource\CMap\Hiragana	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\Resource\CMap\UniHojo-UTF16-H	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\Resource\Init\gs_wan_e.ps	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\doc\colormanage\figures\proof_link.pdf	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\doc\src\DeviceSubclassing.rst	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\examples\doretree.ps	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\examples\waterfal.ps	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\lib\Info-macos.plist	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\lib\pdf2ps.bat	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\lib\pf2afm	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\Resource\CMap\Adobe-CNS1-0	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\lib\gs_lgx_e.ps	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\lib\gsdj500.bat	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\examples\cjk\gscjk_aj.ps	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\lib\ps2ascii.cmd	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\Resource\CMap\UniJIS-UCS2-HW-H	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\doc\src\GPDL.rst	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\doc\src\_static\favicon.ico	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\Resource\CMap\UniJISPro-UCS2-HW-V	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\Resource\Decoding\Latin1	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\doc\src\C-style.rst	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\examples\ridt91.eps	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\lib\gs_il2_e.ps	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\lib\stc_h.upp	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\lib\viewmiff.ps	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\lib\viewrgb.ps	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\Resource\Font\NimbusMonoPS-BoldItalic	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\Resource\Font\NimbusRoman-Bold	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\Resource\Init\gs_statd.ps	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\examples\alphabet.ps	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\lib\viewps2a.ps	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\Resource\CMap\GB-V	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\Resource\CMap\GBT-EUC-H	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\Resource\CMap\UniGB-UTF16-V	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\doc\src\conf.py	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\doc\src\requirements.txt	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\doc\src\_static\cm-fig5.png	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\examples\golfer.eps	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\lib\docie.ps	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\lib\lpr2.bat	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\lib\prfont.ps	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\lib\st640pg.upp	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\examples\cjk\all_ag1.ps	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\Resource\CMap\CNS2-H	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\Resource\CMap\Hojo-H	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\Resource\CMap\Hojo-V	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\Resource\CMap\UniJIS-UTF16-V	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\Resource\CMap\UniJIS2004-UTF16-V	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\Resource\IdiomSet\PPI_CUtils	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\Resource\Init\Fontmap.GS	gs10050w64.exe
File created	C:\Program Files\gs\gs10.05.0\lib\cdj690.upp	gs10050w64.exe

Executes dropped EXE 3 IoCs

pid	Process
5064	vcredist_x64.exe
4644	vcredist_x64.exe
3708	gswin64c.exe

Loads dropped DLL 6 IoCs

pid	Process
1400	gs10050w64.exe
1400	gs10050w64.exe
4644	vcredist_x64.exe
1400	gs10050w64.exe
3708	gswin64c.exe
1400	gs10050w64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gs10050w64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist_x64.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 5064	1400	gs10050w64.exe	84
PID 1400 wrote to memory of 5064	1400	gs10050w64.exe	84
PID 1400 wrote to memory of 5064	1400	gs10050w64.exe	84
PID 5064 wrote to memory of 4644	5064	vcredist_x64.exe	85
PID 5064 wrote to memory of 4644	5064	vcredist_x64.exe	85
PID 5064 wrote to memory of 4644	5064	vcredist_x64.exe	85
PID 1400 wrote to memory of 3708	1400	gs10050w64.exe	86
PID 1400 wrote to memory of 3708	1400	gs10050w64.exe	86

C:\Users\Admin\AppData\Local\Temp\gs10050w64.exe
"C:\Users\Admin\AppData\Local\Temp\gs10050w64.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Program Files\gs\gs10.05.0\vcredist_x64.exe
  "C:\Program Files\gs\gs10.05.0\vcredist_x64.exe" /norestart /install /quiet
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\Temp\{F468DCB9-FDFC-4D55-8D37-BCE19B8C5E57}\.cr\vcredist_x64.exe
    "C:\Windows\Temp\{F468DCB9-FDFC-4D55-8D37-BCE19B8C5E57}\.cr\vcredist_x64.exe" -burn.clean.room="C:\Program Files\gs\gs10.05.0\vcredist_x64.exe" -burn.filehandle.attached=732 -burn.filehandle.self=736 /norestart /install /quiet
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4644
- C:\Program Files\gs\gs10.05.0\bin\gswin64c.exe
  "C:\Program Files\gs\gs10.05.0\bin\gswin64c.exe" -q -dNOSAFER -dBATCH "-sFONTDIR=C:/Windows/Fonts" "-sCIDFMAP=C:/Program Files/gs/gs10.05.0/lib/cidfmap" "C:/Program Files/gs/gs10.05.0/lib/mkcidfm.ps"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\gs\gs10.05.0\bin\gsdll64.dll

Filesize
23.1MB

MD5
372ef55713ddea312e9c6e72ca3d2b3f

SHA1
24b932b3bf95e5b6083a5ebad4a87beca5b4df1e

SHA256
14f05a6920f16f72126f1fe24c9573ac83143856c53b7326788f848f4b69a2f3

SHA512
72872841d8716562a85020e10042d8eb41c84a046fef65c448911a9537c9aa69b2b678a3ea6f582e49e7c566c3636315abe95e49ab51aa645c2121d7a6650f93

Download Submit
C:\Program Files\gs\gs10.05.0\bin\gswin64c.exe

Filesize
91KB

MD5
67501f3a02ee0f644eb920e8090c03b9

SHA1
40c0c2b2b1c5ced3acdf42f78c9dfb93a63db97f

SHA256
add20a35305a012080d3397382381ccc346755ebf0e979450a90ea8bd9b313ce

SHA512
2ebb09c06db94859392a033e69ceb24fa16e59b5aecd9b78236277538df4b0712172b58b115fddfa3ca775ed6a97b41debafccf538c1cb3454af6edd32a171e4

Download Submit
C:\Program Files\gs\gs10.05.0\lib\mkcidfm.ps

Filesize
21KB

MD5
8c30e8f093b1481e3469aa4e1b8eed71

SHA1
fc67d01c3c5a5d00d8b4ee9091176136a4e79ec8

SHA256
c14f4987a3ef74707893417f8b058b2402835eeb3c80fc06413c2ec9456abca8

SHA512
7dd1618fa0f04665761d532b3306fddfc92df8ad642a32b4f6abacc0ea9d915f5b321a83584b8024809265be57df521ccc6d310f2ae8c5894a82f687ed99f75e

Download Submit
C:\Program Files\gs\gs10.05.0\vcredist_x64.exe

Filesize
24.1MB

MD5
e091e9e5ede4161b45b880ccd6e140b0

SHA1
1a18b960482c2a242df0e891de9e3a125e439122

SHA256
cee28f29f904524b7f645bcec3dfdfe38f8269b001144cd909f5d9232890d33b

SHA512
fa8627055bbeb641f634b56059e7b5173e7c64faaa663e050c20d01d708a64877e71cd0b974282c70cb448e877313b1cf0519cf6128c733129b045f2b961a09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\EnVar.dll

Filesize
9KB

MD5
be49b6624c7e6582d29e85b44fbe0f87

SHA1
09fcaaf4cbd14e0af09b0e49fbb4effb65fccd93

SHA256
29e346d9262afddf4a500d972ac25fb56cef8ff1fab3c634a2f2c0b074e68264

SHA512
21a398eefdee68235a9eaa2dcb99d89e936c0a888655586b54a2a52015d3bf89c98ff938073f9767319a450b97d21d1396ed8f9954e217d8bcf904d96796f7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\nsDialogs.dll

Filesize
9KB

MD5
1d8f01a83ddd259bc339902c1d33c8f1

SHA1
9f7806af462c94c39e2ec6cc9c7ad05c44eba04e

SHA256
4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed

SHA512
28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn4E41.tmp\nsExec.dll

Filesize
7KB

MD5
b4579bc396ace8cafd9e825ff63fe244

SHA1
32a87ed28a510e3b3c06a451d1f3d0ba9faf8d9c

SHA256
01e72332362345c415a7edcb366d6a1b52be9ac6e946fb9da49785c140ba1a4b

SHA512
3a76e0e259a0ca12275fed922ce6e01bdfd9e33ba85973e80101b8025ef9243f5e32461a113bbcc6aa75e40894bb5d3a42d6b21045517b6b3cf12d76b4cfa36a

Download Submit
C:\Windows\Temp\{9DDA2A23-4FC1-476A-9D91-A7DDDAC2030D}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{9DDA2A23-4FC1-476A-9D91-A7DDDAC2030D}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{F468DCB9-FDFC-4D55-8D37-BCE19B8C5E57}\.cr\vcredist_x64.exe

Filesize
634KB

MD5
cb264f7d256b42a54b2129b7a02c1ce3

SHA1
d71459e24185f70b0c8647758663b1116a898412

SHA256
d6aaee30c9b7edeac6939f78f4a55683c6358d9cc03dac487880d01f18700e83

SHA512
4f623f5d21bc216f3dd040e6d0c663a8ea37efe5d0ce5f4aeb1ef5c1f7c873e19d1abc979d3e40d4dc70e2e4f0fc9a1b114b17d9eb852ea9a41d0f84356cd7cb

Download Submit