Overview

overview

10

Static

static

GamerLand.exe

windows7-x64

10

GamerLand.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    59s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    31-07-2022 05:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GamerLand.exe

  • Size

    2.0MB

  • MD5

    c5009a0d61af20e1b65995658e11ccd1

  • SHA1

    64fa8d4f68bdb72bb0c2c006b20a7c0872e6a2c5

  • SHA256

    8f13d11171f32cbb2e13500af64b3eed5f7405c0a7c92045b7aa1b9752e09fcb

  • SHA512

    b6e630ca8a4b16b5dc4de75cb8745917b6249ab7fc3c3f8494ac20685254cdf7d8f4e5db8a05a2423a0b360daa57fe1d2675208367a135b35cf804696c8788d9

Score
10/10
icexloaderloader

Malware Config

Signatures

  • Detects IceXLoader v3.0 18 IoCs
  • icexloader

    IceXLoader is a downloader used to deliver other malware families.

    loadericexloader
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GamerLand.exe
    "C:\Users\Admin\AppData\Local\Temp\GamerLand.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1332
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1828
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Adob Update\Adob Update.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1700
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Adob Update\Adob Update.exe'" /f
        3⤵
        • Creates scheduled task(s)
        PID:1756
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\GamerLand.exe" "C:\Users\Admin\AppData\Roaming\Adob Update\Adob Update.exe"
      2⤵
        PID:364
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {411B7635-A693-493F-8A5A-F81B5E791CCE} S-1-5-21-3440072777-2118400376-1759599358-1000:NKWDSIWE\Admin:Interactive:[1]
      1⤵
        PID:1380

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\file.bat
        Filesize

        237B

        MD5

        2a3a80629926e8af2f9c970639634f55

        SHA1

        cfc4917692f475460a5123eb91708938d4c6a374

        SHA256

        36993488710fb210986d284dc81d4e65012632e06834aaef8fb3363fcd9bfb04

        SHA512

        827605494cff53966048aa9d734f3ab0ea774fd84885797a7ab24a6bda23827a98a3079eb9a2cf2e7ae27d0d86407a4f990d5a2862b791b4c16059cf74233dee

        Download Submit
      • memory/364-87-0x0000000000000000-mapping.dmp
        Download
      • memory/900-54-0x0000000000C30000-0x0000000000CDA000-memory.dmp
        Filesize

        680KB

        Download
      • memory/900-55-0x00000000754C1000-0x00000000754C3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1332-89-0x0000000000000000-mapping.dmp
        Download
      • memory/1700-85-0x0000000000000000-mapping.dmp
        Download
      • memory/1736-65-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

        Download
      • memory/1736-79-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

        Download
      • memory/1736-62-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

        Download
      • memory/1736-66-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

        Download
      • memory/1736-68-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

        Download
      • memory/1736-70-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

        Download
      • memory/1736-71-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

        Download
      • memory/1736-73-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

        Download
      • memory/1736-74-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

        Download
      • memory/1736-75-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

        Download
      • memory/1736-76-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

        Download
      • memory/1736-77-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

        Download
      • memory/1736-78-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

        Download
      • memory/1736-64-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

        Download
      • memory/1736-80-0x00000000004010BA-mapping.dmp
        Download
      • memory/1736-82-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

        Download
      • memory/1736-60-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

        Download
      • memory/1736-94-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

        Download
      • memory/1736-59-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

        Download
      • memory/1736-88-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

        Download
      • memory/1736-57-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

        Download
      • memory/1736-56-0x0000000000400000-0x0000000000451000-memory.dmp
        Filesize

        324KB

        Download
      • memory/1756-86-0x0000000000000000-mapping.dmp
        Download
      • memory/1828-91-0x0000000000000000-mapping.dmp
        Download
      • memory/1828-93-0x0000000073280000-0x000000007382B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1828-95-0x0000000073280000-0x000000007382B000-memory.dmp
        Filesize

        5.7MB

        Download