Overview

overview

10

Static

static

RunGame.exe

windows7_x64

1

RunGame.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    143s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    21-02-2022 16:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RunGame.exe

  • Size

    544KB

  • MD5

    17f9b91cebebf7572306fd0ba41614d8

  • SHA1

    a7c82813a2883fa7ffa096c9d1593dab3295d8f1

  • SHA256

    0ffe907b5c97c43c881a2dd2d3208eb040ef2fba3a980fd6893cd8d122947e77

  • SHA512

    c19d8f7ac625ffc100b93fa721f4538a80de80e09605d0bc69d69e5493a03831b07d9bc392632ffa79a002192c2796992b127a04b012c87209aabb52bdddab8b

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
  • Drops file in Windows directory 6 IoCs
  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RunGame.exe
    "C:\Users\Admin\AppData\Local\Temp\RunGame.exe"
    1⤵
      PID:1396
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 444
        2⤵
        • Program crash
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2436
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 452
        2⤵
        • Program crash
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:4320
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1396 -ip 1396
      1⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Suspicious use of WriteProcessMemory
      PID:2000
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1396 -ip 1396
      1⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Suspicious use of WriteProcessMemory
      PID:4864
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1424

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1396-130-0x00000000022E0000-0x0000000002340000-memory.dmp
      Filesize

      384KB

      Download
    • memory/1424-131-0x000001C091530000-0x000001C091540000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1424-132-0x000001C091590000-0x000001C0915A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1424-133-0x000001C094270000-0x000001C094274000-memory.dmp
      Filesize

      16KB

      Download