b385ce3e5717c49e2f61516c9f9e68449e111a557979a1f1ac28798d5fba9dc5

Resubmissions

03-10-2022 12:20

221003-phxswafbe5 8

03-10-2022 11:32

221003-nnhqgadhgk 8

Analysis

max time kernel
123s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pitch Black/Game.exe
Size

154KB
MD5

0be6d562ad1226912a929c9f5494e660
SHA1

17028bf0dbdba42a904543cad1ec9da1278aca3b
SHA256

c0f23f8c188c04cced5d8295b773e6bbc6c78afe9050cf0ef13176e26e783a96
SHA512

35d497c5782a0a7cf20d20bdf10cc5840004752dff16d6d05d559596875e498b8819ed5477188abbdea0a17c9c4b38b4bf7596732dc4a4d293f986abb4696a7e
SSDEEP

3072:5WK+I+/wslzo5PaLpe5rWhKri38yR8K+:5WK+xZAaqKMi3W

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Game.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Game.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Game.exe

Modifies registry class 3 IoCs

Processes:

Game.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Game.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Game.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Game.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Game.exe

pid process

1080 Game.exe

pid	process
1080	Game.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	936	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	936	AUDIODG.EXE
Token: 33	936	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	936	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Game.exe

pid process

1080 Game.exe

pid	process
1080	Game.exe

C:\Users\Admin\AppData\Local\Temp\Pitch Black\Game.exe
"C:\Users\Admin\AppData\Local\Temp\Pitch Black\Game.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1080

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x448
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:936

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1080-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/1080-55-0x0000000010000000-0x0000000010324000-memory.dmp

Filesize
3.1MB

Download
memory/1080-56-0x0000000002050000-0x0000000002054000-memory.dmp

Filesize
16KB

Download
memory/1080-57-0x0000000010000000-0x0000000010324000-memory.dmp

Filesize
3.1MB

Download