4040ad3437e51139819148ed6378828adcfbd924251af39de8bf100a3a476a63

Analysis

max time kernel
191s
max time network
172s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
25-06-2024 00:14

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

gdifuncs.exe
Size

120KB
MD5

e254e9598ee638c01e5ccc40e604938b
SHA1

541fa2a47f3caaae6aa8f5fbfe4d8aef0001905d
SHA256

4040ad3437e51139819148ed6378828adcfbd924251af39de8bf100a3a476a63
SHA512

92f129a52f2df1f8ed20156e838b79a13baf0cbcdd9c94a5c34f6639c714311f41eb3745fdcc64eac88ce3e6f27d25f9a3250f4ababc630eff7a89802e18b4bb
SSDEEP

1536:DKOz5I1MSx56Hj2UItX85ljPQIe9RoSbGF4q2L6OBIyHwPSYxLanv9QD2i:vteMSMHj/rj1SbGFl2L6CIIw5gv9Qy

Score

10^/10

discovery evasion exploit persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

gdifuncs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\""	gdifuncs.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

gdifuncs.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" gdifuncs.exe
Disables RegEdit via registry modification 1 IoCs
evasion

Processes:

gdifuncs.exe

description ioc process

Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" gdifuncs.exe
Disables Task Manager via registry modification
evasion
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

2164 icacls.exe
2304 takeown.exe
968 icacls.exe
4904 takeown.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

4904 takeown.exe
2164 icacls.exe
2304 takeown.exe
968 icacls.exe
Drops file in Windows directory 2 IoCs

Processes:

gdifuncs.execmd.exe

description ioc process

File created C:\windows\WinAttr.gci gdifuncs.exe
File opened for modification \??\c:\windows\WinAttr.gci cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

416 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2284 taskkill.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gdifuncs.exe

pid	process
2164	icacls.exe
2304	takeown.exe
968	icacls.exe
4904	takeown.exe

pid	process
4904	takeown.exe
2164	icacls.exe
2304	takeown.exe
968	icacls.exe

description	ioc	process
File created	C:\windows\WinAttr.gci	gdifuncs.exe
File opened for modification	\??\c:\windows\WinAttr.gci	cmd.exe

pid	process
416	timeout.exe

pid	process
2284	taskkill.exe

Modifies Control Panel 3 IoCs

evasion

Processes:

gdifuncs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

gdifuncs.exe

pid	process
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe
2796	gdifuncs.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

gdifuncs.exetakeown.exetakeown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2796	gdifuncs.exe
Token: SeDebugPrivilege	2796	gdifuncs.exe
Token: SeTakeOwnershipPrivilege	4904	takeown.exe
Token: SeTakeOwnershipPrivilege	2304	takeown.exe
Token: SeDebugPrivilege	2284	taskkill.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

gdifuncs.execmd.exe

description	pid	process	target process
PID 2796 wrote to memory of 4904	2796	gdifuncs.exe	takeown.exe
PID 2796 wrote to memory of 4904	2796	gdifuncs.exe	takeown.exe
PID 2796 wrote to memory of 4904	2796	gdifuncs.exe	takeown.exe
PID 2796 wrote to memory of 2164	2796	gdifuncs.exe	icacls.exe
PID 2796 wrote to memory of 2164	2796	gdifuncs.exe	icacls.exe
PID 2796 wrote to memory of 2164	2796	gdifuncs.exe	icacls.exe
PID 2796 wrote to memory of 412	2796	gdifuncs.exe	cmd.exe
PID 2796 wrote to memory of 412	2796	gdifuncs.exe	cmd.exe
PID 2796 wrote to memory of 412	2796	gdifuncs.exe	cmd.exe
PID 412 wrote to memory of 2304	412	cmd.exe	takeown.exe
PID 412 wrote to memory of 2304	412	cmd.exe	takeown.exe
PID 412 wrote to memory of 2304	412	cmd.exe	takeown.exe
PID 412 wrote to memory of 968	412	cmd.exe	icacls.exe
PID 412 wrote to memory of 968	412	cmd.exe	icacls.exe
PID 412 wrote to memory of 968	412	cmd.exe	icacls.exe
PID 412 wrote to memory of 416	412	cmd.exe	timeout.exe
PID 412 wrote to memory of 416	412	cmd.exe	timeout.exe
PID 412 wrote to memory of 416	412	cmd.exe	timeout.exe
PID 412 wrote to memory of 2284	412	cmd.exe	taskkill.exe
PID 412 wrote to memory of 2284	412	cmd.exe	taskkill.exe
PID 412 wrote to memory of 2284	412	cmd.exe	taskkill.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

gdifuncs.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" gdifuncs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe

C:\Users\Admin\AppData\Local\Temp\gdifuncs.exe
"C:\Users\Admin\AppData\Local\Temp\gdifuncs.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2796

C:\windows\SysWOW64\takeown.exe
"C:\windows\system32\takeown.exe" /f C:\windows\system32\LogonUI.exe
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\windows\SysWOW64\icacls.exe
"C:\windows\system32\icacls.exe" C:\\windows\\system32\\LogonUI.exe /granted "Admin":F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd\&cd Windows\system32&takeown /f LogonUI.exe&icacls LogonUI.exe /granted "%username%":F&cd..&cd winbase_base_procid_none&cd secureloc0x65&copy "ui65.exe" "C:\windows\system32\LogonUI.exe" /Y&echo WinLTDRStartwinpos > "c:\windows\WinAttr.gci"&timeout 2&taskkill /f /im "tobi0a0c.exe"&exit
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\SysWOW64\takeown.exe
takeown /f LogonUI.exe
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\SysWOW64\icacls.exe
icacls LogonUI.exe /granted "Admin":F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:968

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:416

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "tobi0a0c.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2284

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2796-0-0x000000007436E000-0x000000007436F000-memory.dmp

Filesize
4KB

Download
memory/2796-1-0x0000000000770000-0x0000000000792000-memory.dmp

Filesize
136KB

Download
memory/2796-2-0x00000000056E0000-0x0000000005C86000-memory.dmp

Filesize
5.6MB

Download
memory/2796-3-0x0000000005230000-0x00000000052C2000-memory.dmp

Filesize
584KB

Download
memory/2796-4-0x0000000074360000-0x0000000074B11000-memory.dmp

Filesize
7.7MB

Download
memory/2796-5-0x0000000005610000-0x000000000561A000-memory.dmp

Filesize
40KB

Download
memory/2796-6-0x0000000074360000-0x0000000074B11000-memory.dmp

Filesize
7.7MB

Download
memory/2796-7-0x0000000074360000-0x0000000074B11000-memory.dmp

Filesize
7.7MB

Download
memory/2796-8-0x0000000074360000-0x0000000074B11000-memory.dmp

Filesize
7.7MB

Download
memory/2796-9-0x0000000074360000-0x0000000074B11000-memory.dmp

Filesize
7.7MB

Download
memory/2796-10-0x0000000074360000-0x0000000074B11000-memory.dmp

Filesize
7.7MB

Download
memory/2796-11-0x0000000074360000-0x0000000074B11000-memory.dmp

Filesize
7.7MB

Download
memory/2796-12-0x0000000074360000-0x0000000074B11000-memory.dmp

Filesize
7.7MB

Download
memory/2796-13-0x000000007436E000-0x000000007436F000-memory.dmp

Filesize
4KB

Download
memory/2796-14-0x0000000074360000-0x0000000074B11000-memory.dmp

Filesize
7.7MB

Download
memory/2796-15-0x0000000074360000-0x0000000074B11000-memory.dmp

Filesize
7.7MB

Download
memory/2796-16-0x0000000074360000-0x0000000074B11000-memory.dmp

Filesize
7.7MB

Download
memory/2796-17-0x0000000074360000-0x0000000074B11000-memory.dmp

Filesize
7.7MB

Download
memory/2796-18-0x0000000074360000-0x0000000074B11000-memory.dmp

Filesize
7.7MB

Download
memory/2796-19-0x0000000074360000-0x0000000074B11000-memory.dmp

Filesize
7.7MB

Download
memory/2796-20-0x0000000074360000-0x0000000074B11000-memory.dmp

Filesize
7.7MB

Download
memory/2796-21-0x0000000074360000-0x0000000074B11000-memory.dmp

Filesize
7.7MB

Download
memory/2796-22-0x0000000074360000-0x0000000074B11000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads