Multi-License Discount Quote

Change Region

English
Threat Database Trojans Trojan.Kryptik.GDSR

Trojan.Kryptik.GDSR

By CagedTech in Trojans

Analysis Report

General information

Family Name: Trojan.Kryptik.GDSR
Signature status: No Signature

Known Samples

MD5: 9cb1af6b7f771011151747b34e617eb9
SHA1: d2a7bcbf908507af3d7d3b0ae9dbaadd141810a4
SHA256: E695EAFB035D9A54BF6B22BC27DBAAD4C02CB4CD3011952E0CA77EB78E7C688C
File Size: 557.06 KB, 557056 bytes
MD5: 7ae5e6a53b8e6999fe80f7ae075a01eb
SHA1: 1651633b967dcae54a28a7005a449ccf6a9014b9
SHA256: 3B501F1509AA68A8C9780FA70C99FEEA17293A45C8A757B3CE4B8F664CC7652A
File Size: 1.86 MB, 1857024 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have security information
  • File has TLS information
  • File is 64-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
Show More
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Company Name
  • Igor Pavlov
  • Microsoft Corporation
File Description
  • 7-Zip Console
  • Microsoft Windows Media Configuration Utility
File Version
  • 23.01
  • 12.0.19041.3636 (WinBuild.160101.0800)
Internal Name
  • 7z
  • setup_wm.exe
Legal Copyright
  • Copyright (c) 1999-2023 Igor Pavlov
  • © Microsoft Corporation. All rights reserved.
Original Filename
  • 7z.exe
  • setup_wm.exe
Product Name
  • 7-Zip
  • Microsoft® Windows® Operating System
Product Version
  • 23.01
  • 12.0.19041.3636

File Traits

  • HighEntropy
  • Installer Manifest
  • Installer Version
  • ntdll
  • x64

Block Information

Total Blocks: 35
Potentially Malicious Blocks: 4
Whitelisted Blocks: 27
Unknown Blocks: 4

Visual Map

0 0 0 0 0 0 x x x ? ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 2 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Kryptik.GDSR

Files Modified

File Attributes
\device\namedpipe\dav rpc service Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\pshost.134206865469159751.6812.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134206865495246361.308.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134206865503544956.3780.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134206865511874456.7796.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\wkssvc Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\powershell\startupprofiledata-noninteractive Generic Write,Read Attributes
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.1.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\__psscriptpolicytest_4q1cjdl1.vnp.psm1 Generic Write,Read Attributes
Show More
c:\users\user\appdata\local\temp\__psscriptpolicytest_5wqgozkg.tsf.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_bs0hpp2j.ful.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_ccswwdfy.ewc.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_cy3n2mpk.53c.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_goq2r5qs.jxo.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_ywcasygz.dhp.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_zkzzj43i.xdf.psm1 Generic Write,Read Attributes
c:\users\user\appdata\roaming\systemservices\svc_host.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\run::systemserviceshost C:\Users\Vbmfvktb\AppData\Roaming\SystemServices\svc_host.exe RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 챮ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 䞷챮ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ک챮ǜ RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePortSection
  • ntdll.dll!NtAlpcCreateResourceReserve
  • ntdll.dll!NtAlpcCreateSectionView
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
Show More
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcQueryInformationMessage
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCopyFileChunk
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateUserProcess
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDebugContinue
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFlushInstructionCache
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtGetCompleteWnfStateSubscription
  • ntdll.dll!NtGetContextThread
  • ntdll.dll!NtIsProcessInJob
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryEvent
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRemoveProcessDebug
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetContextThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationObject
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetSecurityObject
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSetValueKey
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTerminateProcess
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl

12 additional items are not displayed above.

User Data Access
  • GetComputerNameEx
Process Manipulation Evasion
  • NtUnmapViewOfSection

Trending

Most Viewed

Loading...