Analysis
max time kernel: 191s
max time network: 190s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 25-06-2024 00:08
Static task: static1
Behavioral task: behavioral1
Sample: gdifuncs.exe
Resource: win11-20240611-en
Errors
General
Target: gdifuncs.exe
Size: 120KB
MD5: e254e9598ee638c01e5ccc40e604938b
SHA1: 541fa2a47f3caaae6aa8f5fbfe4d8aef0001905d
SHA256: 4040ad3437e51139819148ed6378828adcfbd924251af39de8bf100a3a476a63
SHA512: 92f129a52f2df1f8ed20156e838b79a13baf0cbcdd9c94a5c34f6639c714311f41eb3745fdcc64eac88ce3e6f27d25f9a3250f4ababc630eff7a89802e18b4bb
SSDEEP: 1536:DKOz5I1MSx56Hj2UItX85ljPQIe9RoSbGF4q2L6OBIyHwPSYxLanv9QD2i:vteMSMHj/rj1SbGFl2L6CIIw5gv9Qy
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes: gdifuncs.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" | gdifuncs.exe
- UAC bypass
Processes: gdifuncs.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gdifuncs.exe
- Disables RegEdit via registry modification (1 IoCs)
Processes: gdifuncs.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gdifuncs.exe
- Disables Task Manager via registry modification
- Possible privilege escalation attempt (4 IoCs)
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
pid | process
944 | takeown.exe
2260 | icacls.exe
4532 | takeown.exe
4732 | icacls.exe
- Modifies file permissions (1 TTPs, 4 IoCs)
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
pid | process
944 | takeown.exe
2260 | icacls.exe
4532 | takeown.exe
4732 | icacls.exe
- Drops file in Windows directory (2 IoCs)
Processes: gdifuncs.exe, cmd.exe
description | ioc | process
File created | C:\windows\WinAttr.gci | gdifuncs.exe
File opened for modification | \??\c:\windows\WinAttr.gci | cmd.exe
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoCs)
Processes: timeout.exe
pid | process
644 | timeout.exe
- Kills process with taskkill (1 IoCs)
Processes: taskkill.exe
pid | process
4936 | taskkill.exe
- Modifies Control Panel (3 IoCs)
Processes: gdifuncs.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | gdifuncs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | gdifuncs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | gdifuncs.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: gdifuncs.exe
pid | process
1124 | gdifuncs.exe (this row is reported 64 times)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: gdifuncs.exe, takeown.exe, takeown.exe, taskkill.exe
description | pid | process
Token: SeDebugPrivilege | 1124 | gdifuncs.exe
Token: SeDebugPrivilege | 1124 | gdifuncs.exe
Token: SeTakeOwnershipPrivilege | 944 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4532 | takeown.exe
Token: SeDebugPrivilege | 4936 | taskkill.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
Processes: gdifuncs.exe, cmd.exe
description | pid | process | target process (each row is reported 3 times)
PID 1124 wrote to memory of 944 | 1124 | gdifuncs.exe | takeown.exe
PID 1124 wrote to memory of 2260 | 1124 | gdifuncs.exe | icacls.exe
PID 1124 wrote to memory of 1896 | 1124 | gdifuncs.exe | cmd.exe
PID 1896 wrote to memory of 4532 | 1896 | cmd.exe | takeown.exe
PID 1896 wrote to memory of 4732 | 1896 | cmd.exe | icacls.exe
PID 1896 wrote to memory of 644 | 1896 | cmd.exe | timeout.exe
PID 1896 wrote to memory of 4936 | 1896 | cmd.exe | taskkill.exe
- System policy modification (1 TTPs, 1 IoCs)
Processes: gdifuncs.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gdifuncs.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\gdifuncs.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\gdifuncs.exe"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Disables RegEdit via registry modification
    - Drops file in Windows directory
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
  [2] C:\windows\SysWOW64\takeown.exe
      Command line: "C:\windows\system32\takeown.exe" /f C:\windows\system32\LogonUI.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\windows\SysWOW64\icacls.exe
      Command line: "C:\windows\system32\icacls.exe" C:\\windows\\system32\\LogonUI.exe /granted "Admin":F
      - Possible privilege escalation attempt
      - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c cd\&cd Windows\system32&takeown /f LogonUI.exe&icacls LogonUI.exe /granted "%username%":F&cd..&cd winbase_base_procid_none&cd secureloc0x65&copy "ui65.exe" "C:\windows\system32\LogonUI.exe" /Y&echo WinLTDRStartwinpos > "c:\windows\WinAttr.gci"&timeout 2&taskkill /f /im "tobi0a0c.exe"&exit
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f LogonUI.exe
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\icacls.exe
        Command line: icacls LogonUI.exe /granted "Admin":F
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 2
        - Delays execution with timeout.exe
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im "tobi0a0c.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Downloads
file | filesize
memory/1124-0-0x000000007462E000-0x000000007462F000-memory.dmp | 4KB
memory/1124-1-0x0000000000230000-0x0000000000252000-memory.dmp | 136KB
memory/1124-2-0x00000000051C0000-0x0000000005766000-memory.dmp | 5.6MB
memory/1124-3-0x0000000004CF0000-0x0000000004D82000-memory.dmp | 584KB
memory/1124-4-0x0000000074620000-0x0000000074DD1000-memory.dmp | 7.7MB
memory/1124-5-0x00000000050C0000-0x00000000050CA000-memory.dmp | 40KB
memory/1124-6-0x0000000074620000-0x0000000074DD1000-memory.dmp | 7.7MB
memory/1124-7-0x0000000074620000-0x0000000074DD1000-memory.dmp | 7.7MB
memory/1124-8-0x0000000074620000-0x0000000074DD1000-memory.dmp | 7.7MB
memory/1124-9-0x0000000074620000-0x0000000074DD1000-memory.dmp | 7.7MB
memory/1124-10-0x0000000074620000-0x0000000074DD1000-memory.dmp | 7.7MB
memory/1124-11-0x0000000074620000-0x0000000074DD1000-memory.dmp | 7.7MB
memory/1124-12-0x0000000074620000-0x0000000074DD1000-memory.dmp | 7.7MB
memory/1124-13-0x000000007462E000-0x000000007462F000-memory.dmp | 4KB
memory/1124-14-0x0000000074620000-0x0000000074DD1000-memory.dmp | 7.7MB
memory/1124-15-0x0000000074620000-0x0000000074DD1000-memory.dmp | 7.7MB
memory/1124-16-0x0000000074620000-0x0000000074DD1000-memory.dmp | 7.7MB
memory/1124-17-0x0000000074620000-0x0000000074DD1000-memory.dmp | 7.7MB
memory/1124-18-0x0000000074620000-0x0000000074DD1000-memory.dmp | 7.7MB
memory/1124-19-0x0000000074620000-0x0000000074DD1000-memory.dmp | 7.7MB
memory/1124-20-0x0000000074620000-0x0000000074DD1000-memory.dmp | 7.7MB
memory/1124-21-0x0000000074620000-0x0000000074DD1000-memory.dmp | 7.7MB