Overview

overview

10

Static

static

GamerLand.exe

windows7-x64

10

GamerLand.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-07-2022 05:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GamerLand.exe

  • Size

    2.0MB

  • MD5

    c5009a0d61af20e1b65995658e11ccd1

  • SHA1

    64fa8d4f68bdb72bb0c2c006b20a7c0872e6a2c5

  • SHA256

    8f13d11171f32cbb2e13500af64b3eed5f7405c0a7c92045b7aa1b9752e09fcb

  • SHA512

    b6e630ca8a4b16b5dc4de75cb8745917b6249ab7fc3c3f8494ac20685254cdf7d8f4e5db8a05a2423a0b360daa57fe1d2675208367a135b35cf804696c8788d9

Score
10/10
icexloaderloader

Malware Config

Signatures

  • Detects IceXLoader v3.0 4 IoCs
  • icexloader

    IceXLoader is a downloader used to deliver other malware families.

    loadericexloader
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GamerLand.exe
    "C:\Users\Admin\AppData\Local\Temp\GamerLand.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4400
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4776
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:396
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4672
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionExtension "C:\Users\Admin\AppData\Roaming\inN\.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2208
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5020
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Adob Update\Adob Update.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1000
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Adob Update\Adob Update.exe'" /f
        3⤵
        • Creates scheduled task(s)
        PID:444
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\GamerLand.exe" "C:\Users\Admin\AppData\Roaming\Adob Update\Adob Update.exe"
      2⤵
        PID:2316

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      57e0e91710c2e04ba3f3e2fde0449062

      SHA1

      fcd3ada38fce79406eb211085b5f00fa80d254fc

      SHA256

      e7d3c444d6f075814421425c364da2e98909496a5d251a2483beb879a4d36dc8

      SHA512

      b89f0a89e5da1ed8b2c2c3256803ca67b0ae8a651310b792acb7fd6e5854cc1723d19bdbc9591bef8378dcd5e43ae2b0f236b8e79189ed4069aac2cdc62a44a3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      e976b9226eb0da72d1c5c547a6e4f894

      SHA1

      71971e6afaf5e06e629b0497feb45c1a6cb0bc2d

      SHA256

      7fc8eaa3b31f6a4d40c695c4ce5ed168d20079a98c23a37247fb8f2bb62af46b

      SHA512

      3379e91cb9bdd9f0ac98c349913aee956b17e691e16f2af1c0b709a66d30641f5e3f213961470ae155340bc59f05bced7d369d18fcfe24000596fd0f4f94e77f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\file.bat
      Filesize

      237B

      MD5

      2a3a80629926e8af2f9c970639634f55

      SHA1

      cfc4917692f475460a5123eb91708938d4c6a374

      SHA256

      36993488710fb210986d284dc81d4e65012632e06834aaef8fb3363fcd9bfb04

      SHA512

      827605494cff53966048aa9d734f3ab0ea774fd84885797a7ab24a6bda23827a98a3079eb9a2cf2e7ae27d0d86407a4f990d5a2862b791b4c16059cf74233dee

      Download Submit

    • memory/396-138-0x0000000000000000-mapping.dmp

      Download

    • memory/444-148-0x0000000000000000-mapping.dmp

      Download

    • memory/1000-147-0x0000000000000000-mapping.dmp

      Download

    • memory/2208-164-0x00000000706B0000-0x00000000706FC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2208-161-0x0000000000000000-mapping.dmp

      Download

    • memory/2316-149-0x0000000000000000-mapping.dmp

      Download

    • memory/4400-134-0x0000000006230000-0x00000000062C2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4400-130-0x00000000004E0000-0x000000000058A000-memory.dmp

      Filesize

      680KB

      Download

    • memory/4400-131-0x0000000005BE0000-0x0000000006184000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4672-140-0x0000000000000000-mapping.dmp

      Download

    • memory/4672-155-0x0000000007A60000-0x0000000007A6A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4672-146-0x0000000006700000-0x000000000671E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4672-144-0x0000000006050000-0x00000000060B6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4672-143-0x0000000005740000-0x0000000005762000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4672-142-0x00000000058B0000-0x0000000005ED8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4672-150-0x00000000078B0000-0x00000000078E2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4672-151-0x00000000700A0000-0x00000000700EC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4672-152-0x0000000006CB0000-0x0000000006CCE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4672-153-0x0000000008040000-0x00000000086BA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4672-154-0x0000000007A00000-0x0000000007A1A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4672-145-0x00000000060C0000-0x0000000006126000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4672-156-0x0000000007C90000-0x0000000007D26000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4672-157-0x0000000007C30000-0x0000000007C3E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4672-141-0x0000000005140000-0x0000000005176000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4672-159-0x0000000007D50000-0x0000000007D6A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4672-160-0x0000000007C80000-0x0000000007C88000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4776-158-0x0000000000400000-0x0000000000451000-memory.dmp

      Filesize

      324KB

      Download

    • memory/4776-137-0x0000000000400000-0x0000000000451000-memory.dmp

      Filesize

      324KB

      Download

    • memory/4776-136-0x0000000000400000-0x0000000000451000-memory.dmp

      Filesize

      324KB

      Download

    • memory/4776-133-0x0000000000400000-0x0000000000451000-memory.dmp

      Filesize

      324KB

      Download

    • memory/4776-132-0x0000000000000000-mapping.dmp

      Download

    • memory/5020-165-0x0000000000000000-mapping.dmp

      Download

    • memory/5020-167-0x0000000070690000-0x00000000706DC000-memory.dmp

      Filesize

      304KB

      Download