Overview

overview

8

Static

static

Game Loader.bin.exe

windows7_x64

8

Game Loader.bin.exe

windows10_x64

8

Analysis

  • max time kernel
    146s
  • max time network
    192s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    27-07-2021 18:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Game Loader.bin.exe

  • Size

    164KB

  • MD5

    2db4d78b81c809eecfa43b9dadfa21cb

  • SHA1

    c2c2b5e93a51d59594fc81b912fdb579f78b3c24

  • SHA256

    26cce10b3769c83798a2b6a000ca438f2e8fd98817bee9fad223157543b97483

  • SHA512

    41de2a56a7f19bf5cbe0b2050fc1bd1ab835372adf6e15bd3ca36f68b120d4ceafb6c574b9dbeb9f11e9a99fcbbf20edd3280218c5df12478ca69989c59b5f24

Score
8/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs
    persistence
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Game Loader.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\Game Loader.bin.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1140
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe" 0
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1568
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        • Adds Run key to start application
        PID:1768
    • C:\Users\Admin\AppData\Local\Temp\Game Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Game Loader.exe" 0
      2⤵
      • Executes dropped EXE
      PID:1744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Game Loader.exe
    MD5

    eb307312f004e6ad7edd5661642b3bfe

    SHA1

    05eb1032f6d0f11584772da4b137560772032ea4

    SHA256

    cc2d343d43eb76e982a829aeb884d781e10c28a00661e1d3fd3875c2bd9bb357

    SHA512

    d483a9594205b176712c52bd91c7534b885ad4d51b281159d564f5ec50e4a96dfaa4807efc27cf1af49ad57f086fa61ed54b838f96bcdfdbbd2b784eebdc3c95

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Game Loader.exe
    MD5

    eb307312f004e6ad7edd5661642b3bfe

    SHA1

    05eb1032f6d0f11584772da4b137560772032ea4

    SHA256

    cc2d343d43eb76e982a829aeb884d781e10c28a00661e1d3fd3875c2bd9bb357

    SHA512

    d483a9594205b176712c52bd91c7534b885ad4d51b281159d564f5ec50e4a96dfaa4807efc27cf1af49ad57f086fa61ed54b838f96bcdfdbbd2b784eebdc3c95

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\server.exe
    MD5

    c66034653c7c07a3d91486a7773cb630

    SHA1

    3ff37b07cb6e6838b65bf678ec0df5c19a20e3aa

    SHA256

    eb2c4c21eb7f6080a1fcb4ad84a7526497254138c9b2f60506cb346b97a19147

    SHA512

    2de8eb0ae57660fc306ea5cde383b4774f16f8ca7613aa74f892b2378998bfd9515138fbaeabd7b00c05505b8ac9b69f137a7f92d4e7c3be2f8616e0370eeadc

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\server.exe
    MD5

    c66034653c7c07a3d91486a7773cb630

    SHA1

    3ff37b07cb6e6838b65bf678ec0df5c19a20e3aa

    SHA256

    eb2c4c21eb7f6080a1fcb4ad84a7526497254138c9b2f60506cb346b97a19147

    SHA512

    2de8eb0ae57660fc306ea5cde383b4774f16f8ca7613aa74f892b2378998bfd9515138fbaeabd7b00c05505b8ac9b69f137a7f92d4e7c3be2f8616e0370eeadc

    Download Submit
  • C:\Windows\SysWOW64\Windows\taskhost.exe
    MD5

    c66034653c7c07a3d91486a7773cb630

    SHA1

    3ff37b07cb6e6838b65bf678ec0df5c19a20e3aa

    SHA256

    eb2c4c21eb7f6080a1fcb4ad84a7526497254138c9b2f60506cb346b97a19147

    SHA512

    2de8eb0ae57660fc306ea5cde383b4774f16f8ca7613aa74f892b2378998bfd9515138fbaeabd7b00c05505b8ac9b69f137a7f92d4e7c3be2f8616e0370eeadc

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Game Loader.exe
    MD5

    eb307312f004e6ad7edd5661642b3bfe

    SHA1

    05eb1032f6d0f11584772da4b137560772032ea4

    SHA256

    cc2d343d43eb76e982a829aeb884d781e10c28a00661e1d3fd3875c2bd9bb357

    SHA512

    d483a9594205b176712c52bd91c7534b885ad4d51b281159d564f5ec50e4a96dfaa4807efc27cf1af49ad57f086fa61ed54b838f96bcdfdbbd2b784eebdc3c95

    Download Submit
  • \Users\Admin\AppData\Local\Temp\server.exe
    MD5

    c66034653c7c07a3d91486a7773cb630

    SHA1

    3ff37b07cb6e6838b65bf678ec0df5c19a20e3aa

    SHA256

    eb2c4c21eb7f6080a1fcb4ad84a7526497254138c9b2f60506cb346b97a19147

    SHA512

    2de8eb0ae57660fc306ea5cde383b4774f16f8ca7613aa74f892b2378998bfd9515138fbaeabd7b00c05505b8ac9b69f137a7f92d4e7c3be2f8616e0370eeadc

    Download Submit
  • \Users\Admin\AppData\Local\Temp\server.exe
    MD5

    c66034653c7c07a3d91486a7773cb630

    SHA1

    3ff37b07cb6e6838b65bf678ec0df5c19a20e3aa

    SHA256

    eb2c4c21eb7f6080a1fcb4ad84a7526497254138c9b2f60506cb346b97a19147

    SHA512

    2de8eb0ae57660fc306ea5cde383b4774f16f8ca7613aa74f892b2378998bfd9515138fbaeabd7b00c05505b8ac9b69f137a7f92d4e7c3be2f8616e0370eeadc

    Download Submit
  • memory/1140-61-0x0000000075D41000-0x0000000075D43000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1568-64-0x0000000000000000-mapping.dmp
    Download
  • memory/1744-71-0x00000000013B0000-0x00000000013B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1744-77-0x0000000000DA0000-0x0000000000DA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1744-68-0x0000000000000000-mapping.dmp
    Download
  • memory/1744-79-0x0000000000DA5000-0x0000000000DB6000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1744-80-0x0000000000DB6000-0x0000000000DB7000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1768-73-0x0000000000000000-mapping.dmp
    Download
  • memory/1768-76-0x0000000010000000-0x000000001004D000-memory.dmp
    Filesize

    308KB

    Download