3cc03de0ddea408c9411f50251d308c51e21f1df7a39d8fba70620696c87eb5b

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.3MB
MD5

1d5451b6204c0a4cff11890174a4dbbe
SHA1

f375940bbcdf0b479d2c94571e63b9edeaa004b5
SHA256

802c7e9495a7c8a7ce0fca8ba353ddf64f15a0558a74ff68b27a0e7adb1ab159
SHA512

e5f383dfc1ca6483354e24fac752562e3d677698242c5ed1afa0cc80f63ba7d6bfffff992436fae4ef87eb27704ffc21d42b672c60948eab43f7b9120e225626
SSDEEP

49152:kcLO8IueYNiWE7w7XXHiFPfVK76tjzYk6LnKIsJHgAHUndnVSOc7J:kcL5hNp7XXEtanDoV5HUnVVZU

Score

9^/10

evasion spyware stealer

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

gcftmusye.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ gcftmusye.exe
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exe

flow pid process

76 1756 WScript.exe
78 1756 WScript.exe
80 1756 WScript.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	gcftmusye.exe

flow	pid	process
76	1756	WScript.exe
78	1756	WScript.exe
80	1756	WScript.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

gcftmusye.exedcaogonuasm.exeSmartClock.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	gcftmusye.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	gcftmusye.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dcaogonuasm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dcaogonuasm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SmartClock.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exefile.exegcftmusye.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	gcftmusye.exe

Drops startup file 1 IoCs

Processes:

dcaogonuasm.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk dcaogonuasm.exe
Executes dropped EXE 3 IoCs

Processes:

gcftmusye.exedcaogonuasm.exeSmartClock.exe

pid process

4432 gcftmusye.exe
2128 dcaogonuasm.exe
1592 SmartClock.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

gcftmusye.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine gcftmusye.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

75 iplogger.org
76 iplogger.org
48 bitbucket.org
49 bitbucket.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

71 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

Processes:

file.exegcftmusye.exe

pid process

3004 file.exe
3004 file.exe
3004 file.exe
3004 file.exe
3004 file.exe
3004 file.exe
3004 file.exe
4432 gcftmusye.exe
3004 file.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	dcaogonuasm.exe

pid	process
4432	gcftmusye.exe
2128	dcaogonuasm.exe
1592	SmartClock.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine	gcftmusye.exe

flow	ioc
75	iplogger.org
76	iplogger.org
48	bitbucket.org
49	bitbucket.org

flow	ioc
71	ip-api.com

pid	process
3004	file.exe
3004	file.exe
3004	file.exe
3004	file.exe
3004	file.exe
3004	file.exe
3004	file.exe
4432	gcftmusye.exe
3004	file.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	file.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

4780 timeout.exe
1612 timeout.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings cmd.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

1592 SmartClock.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

gcftmusye.exe

pid process

4432 gcftmusye.exe
4432 gcftmusye.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

file.exe

pid process

3004 file.exe

pid	process
4780	timeout.exe
1612	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	cmd.exe

pid	process
1592	SmartClock.exe

pid	process
4432	gcftmusye.exe
4432	gcftmusye.exe

pid	process
3004	file.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

file.execmd.execmd.exedcaogonuasm.exegcftmusye.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3004 wrote to memory of 3776	3004	file.exe	cmd.exe
PID 3004 wrote to memory of 3776	3004	file.exe	cmd.exe
PID 3004 wrote to memory of 3776	3004	file.exe	cmd.exe
PID 3004 wrote to memory of 3212	3004	file.exe	cmd.exe
PID 3004 wrote to memory of 3212	3004	file.exe	cmd.exe
PID 3004 wrote to memory of 3212	3004	file.exe	cmd.exe
PID 3212 wrote to memory of 4432	3212	cmd.exe	gcftmusye.exe
PID 3212 wrote to memory of 4432	3212	cmd.exe	gcftmusye.exe
PID 3212 wrote to memory of 4432	3212	cmd.exe	gcftmusye.exe
PID 3004 wrote to memory of 2616	3004	file.exe	cmd.exe
PID 3004 wrote to memory of 2616	3004	file.exe	cmd.exe
PID 3004 wrote to memory of 2616	3004	file.exe	cmd.exe
PID 2616 wrote to memory of 2128	2616	cmd.exe	dcaogonuasm.exe
PID 2616 wrote to memory of 2128	2616	cmd.exe	dcaogonuasm.exe
PID 3004 wrote to memory of 2264	3004	file.exe	cmd.exe
PID 3004 wrote to memory of 2264	3004	file.exe	cmd.exe
PID 3004 wrote to memory of 2264	3004	file.exe	cmd.exe
PID 2128 wrote to memory of 1592	2128	dcaogonuasm.exe	SmartClock.exe
PID 2128 wrote to memory of 1592	2128	dcaogonuasm.exe	SmartClock.exe
PID 4432 wrote to memory of 4804	4432	gcftmusye.exe	cmd.exe
PID 4432 wrote to memory of 4804	4432	gcftmusye.exe	cmd.exe
PID 4432 wrote to memory of 4804	4432	gcftmusye.exe	cmd.exe
PID 4804 wrote to memory of 4780	4804	cmd.exe	timeout.exe
PID 4804 wrote to memory of 4780	4804	cmd.exe	timeout.exe
PID 4804 wrote to memory of 4780	4804	cmd.exe	timeout.exe
PID 2264 wrote to memory of 1756	2264	cmd.exe	WScript.exe
PID 2264 wrote to memory of 1756	2264	cmd.exe	WScript.exe
PID 2264 wrote to memory of 1756	2264	cmd.exe	WScript.exe
PID 4432 wrote to memory of 852	4432	gcftmusye.exe	cmd.exe
PID 4432 wrote to memory of 852	4432	gcftmusye.exe	cmd.exe
PID 4432 wrote to memory of 852	4432	gcftmusye.exe	cmd.exe
PID 852 wrote to memory of 1612	852	cmd.exe	timeout.exe
PID 852 wrote to memory of 1612	852	cmd.exe	timeout.exe
PID 852 wrote to memory of 1612	852	cmd.exe	timeout.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\jgrkjgcjmm.exe"
2⤵
PID:3776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\gcftmusye.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3212

C:\Users\Admin\AppData\Local\Temp\gcftmusye.exe
"C:\Users\Admin\AppData\Local\Temp\gcftmusye.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\khtrvkdpwgd & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\gcftmusye.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:4780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\khtrvkdpwgd & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\gcftmusye.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:1612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\dcaogonuasm.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2616

C:\Users\Admin\AppData\Local\Temp\dcaogonuasm.exe
"C:\Users\Admin\AppData\Local\Temp\dcaogonuasm.exe"
3⤵
- Checks BIOS information in registry
- Drops startup file
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:1592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\dnnfcoo.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dnnfcoo.vbs"
3⤵
- Blocklisted process makes network request
PID:1756

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\khtrvkdpwgd\46173476.txt
Filesize
45B

MD5
165716c892b58d18428cfee5e65b7e3f

SHA1
6032e93b647c33df7819ccf01dc85c81ce1b5b6a

SHA256
1e435784ee927613aee15106e58a100334cb7cb1093d07caa77f8765910b625a

SHA512
8b7662bedd264c16520ab353eec8dabe9fe9c87083d789e3da5b9819e4542c30f1d1974e10f3d26523dba16ef66923bd54f66cce5e8f35a55af018f8ecdf9450

Download Submit
C:\ProgramData\khtrvkdpwgd\8372422.txt
Filesize
156B

MD5
b5089e0c5a3d5377e9bd19c0557ef04e

SHA1
9402e326be3d240e234c06892b15c24e93c93eb8

SHA256
d77789b2c49759c882f4fdd6f53e665b0d012f8f0949d0150eaba47fbf2a0eb5

SHA512
942349ccb99854f274ef1e20b623660588e15bd0d25bfc817fe9b2d010db656af340652e0e67b41edbf0cf259d55ab880d6b50acb1d7e8ab394f1393f7956c13

Download Submit
C:\ProgramData\khtrvkdpwgd\Files\_INFOR~1.TXT
Filesize
111B

MD5
62dbe5579c1059f7d9cce7dd24211ec8

SHA1
959e4edc8226a69162a4d018040999206940c8fe

SHA256
b98bb247d8f1fa2b3b22d51331c9b09ea21a17ed52894a83bd5b6703f5e532c0

SHA512
36ba528cbcc237eeb6004a9cba75fd2d45e4c10ddeb6a95b7f021955871a5fa7147c4462c8f88ac8ae99f927053f3034b8c53c849b7e29b981627c73ee1ab444

Download Submit
C:\ProgramData\khtrvkdpwgd\GB_202~1.ZIP
Filesize
258B

MD5
9141dd3e68bf7b7661207ab3c4038222

SHA1
a4e080ae4a00762695d3cded2cd3047d45255f09

SHA256
f148191cc1544cf208e45c8cf85c5d2eaa34df367f9d50d4433dab2342356946

SHA512
12d1a24db1851fdf145b3076e28e2bb6fefc89ee25bfbecbefc9e2c78e9dca161874b35268cfcc995ab603716e8bd459bbf9ae2156a1428df3d4efd311365998

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcaogonuasm.exe
Filesize
2.7MB

MD5
a4370362a9e4a76731652138df7305dd

SHA1
75cada3b14ac062d723146adca3f8cefdbb075e5

SHA256
b49fe3670551020b4d28f8ad6c4271e19a8d0b83ae2bf47fe40643a749f29dba

SHA512
fe83c0c8df44cedcc29b99c5b5f0d145a0026844c6f5f536caa986169e2c4dbcc5ee3d1571bbbaa0e8953c2e2d9140a0c948d70fee30d3db5fe6177375bd824d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnnfcoo.vbs
Filesize
133B

MD5
f4b2d83cdf7ef38f97c9b39b86958b5e

SHA1
f1dd7d6ea1bca8e2af36a6bf9ee24e85d185a7c6

SHA256
d66bf7638458249316847ac91513b992ff4c7cbaf852d7092af15b2f46086751

SHA512
e91e379881774f2bd2a99ea4ad1fb1606932af792a3aa4234530c8c3b5e0a9c23a12371fc488411cd3036cdbeae3f360d34e53e2e8acd792c6e50417052cabfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcftmusye.exe
Filesize
1.7MB

MD5
93d471d1d3bb5260ef5c547a67d97231

SHA1
464937ea7052d10f4c0f04a5d3a9ff10dff7fcdd

SHA256
70720bfd26ae21f7df6fb235f802d766db27fa104f5e7b42bbb24a6a808d034e

SHA512
850a0deae8a4d3f3b7213a0218142a499e8fdf9f75f2195b5d61b1119e6d1d78933d7d596d49dd0da65431c04861c92ef31ab2132d90a2c7fe586c4d7ddfde49

Download Submit
memory/1592-96-0x00007FF747990000-0x00007FF748003000-memory.dmp

Filesize
6.4MB

Download
memory/1592-97-0x00007FF747990000-0x00007FF748003000-memory.dmp

Filesize
6.4MB

Download
memory/1592-104-0x00007FF747990000-0x00007FF748003000-memory.dmp

Filesize
6.4MB

Download
memory/1592-103-0x00007FF747990000-0x00007FF748003000-memory.dmp

Filesize
6.4MB

Download
memory/1592-102-0x00007FF747990000-0x00007FF748003000-memory.dmp

Filesize
6.4MB

Download
memory/1592-101-0x00007FF747990000-0x00007FF748003000-memory.dmp

Filesize
6.4MB

Download
memory/1592-100-0x00007FF747990000-0x00007FF748003000-memory.dmp

Filesize
6.4MB

Download
memory/1592-99-0x00007FF747990000-0x00007FF748003000-memory.dmp

Filesize
6.4MB

Download
memory/1592-76-0x00007FF747990000-0x00007FF748003000-memory.dmp

Filesize
6.4MB

Download
memory/1592-98-0x00007FF747990000-0x00007FF748003000-memory.dmp

Filesize
6.4MB

Download
memory/2128-66-0x00007FF64E500000-0x00007FF64EB73000-memory.dmp

Filesize
6.4MB

Download
memory/2128-75-0x00007FF64E500000-0x00007FF64EB73000-memory.dmp

Filesize
6.4MB

Download
memory/3004-5-0x000000007F680000-0x000000007FA51000-memory.dmp

Filesize
3.8MB

Download
memory/3004-4-0x0000000000530000-0x0000000000E93000-memory.dmp

Filesize
9.4MB

Download
memory/3004-1-0x000000007F680000-0x000000007FA51000-memory.dmp

Filesize
3.8MB

Download
memory/3004-30-0x0000000000530000-0x0000000000E93000-memory.dmp

Filesize
9.4MB

Download
memory/3004-95-0x0000000000530000-0x0000000000E93000-memory.dmp

Filesize
9.4MB

Download
memory/3004-0-0x0000000000530000-0x0000000000E93000-memory.dmp

Filesize
9.4MB

Download
memory/3004-3-0x0000000000530000-0x0000000000E93000-memory.dmp

Filesize
9.4MB

Download
memory/3004-2-0x0000000000530000-0x0000000000E93000-memory.dmp

Filesize
9.4MB

Download
memory/3004-8-0x0000000000530000-0x0000000000E93000-memory.dmp

Filesize
9.4MB

Download
memory/3004-6-0x0000000000530000-0x0000000000E93000-memory.dmp

Filesize
9.4MB

Download
memory/3004-7-0x0000000000530000-0x0000000000E93000-memory.dmp

Filesize
9.4MB

Download
memory/4432-38-0x0000000000760000-0x0000000000BD6000-memory.dmp

Filesize
4.5MB

Download
memory/4432-39-0x0000000077574000-0x0000000077576000-memory.dmp

Filesize
8KB

Download
memory/4432-88-0x0000000000760000-0x0000000000BD6000-memory.dmp

Filesize
4.5MB

Download