3c806eec38fc8565c942fe0a79331bf3215989d494bb3d5fa8d8057dcef58e03

Resubmissions

03-08-2023 07:22

230803-h7h8fsbh93 8

24-10-2022 20:50

221024-zmn2msaeen 10

Analysis

max time kernel
890s
max time network
897s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-10-2022 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Warcracft III Reforged/Warcraft III Reforged™ Setup.exe
Size

10.6MB
MD5

69ed233958e8c23382060102217b22d4
SHA1

5084e3104dd3da0b3614aba1e2d7c1357a9dcc14
SHA256

fcd4dd0cd7f49f879cb94cdb263af2ab149e1b817ce59b10a13db9f338f47cfa
SHA512

5e157735442f1ed596a7faeea66ee5e5cd2f1546a036962f7d349e71196810fa07ff3201113a9f90db8878272099ab05d5e2be88efa0470e982c238bf382c272
SSDEEP

196608:wuDdEGOylRlbMN34CJAk6t5/ooYzxVAruqZY/5slZSFOW6sqgCkujAnZZ:wqdxOqJQ4Xk6tivzzYNq5slcOBsbyjAf

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

Warcraft III Reforged™ Setup.exe

pid process

1476 Warcraft III Reforged™ Setup.exe
1476 Warcraft III Reforged™ Setup.exe
Drops file in Program Files directory 1 IoCs

Processes:

Warcraft III Reforged™ Setup.exe

description ioc process

File created C:\Program Files (x86)\Warcraft III Reforged™\_ci_gentee Warcraft III Reforged™ Setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Warcraft III Reforged™ Setup.exe

pid process

1476 Warcraft III Reforged™ Setup.exe
1476 Warcraft III Reforged™ Setup.exe
1476 Warcraft III Reforged™ Setup.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Warcraft III Reforged™ Setup.exe

description pid process

Token: SeDebugPrivilege 1476 Warcraft III Reforged™ Setup.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Warcraft III Reforged™ Setup.exe

pid process

1476 Warcraft III Reforged™ Setup.exe

pid	process
1476	Warcraft III Reforged™ Setup.exe
1476	Warcraft III Reforged™ Setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Warcraft III Reforged™\_ci_gentee	Warcraft III Reforged™ Setup.exe

pid	process
1476	Warcraft III Reforged™ Setup.exe
1476	Warcraft III Reforged™ Setup.exe
1476	Warcraft III Reforged™ Setup.exe

description	pid	process
Token: SeDebugPrivilege	1476	Warcraft III Reforged™ Setup.exe

pid	process
1476	Warcraft III Reforged™ Setup.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Warcraft III Reforged™ Setup.exe

description	pid	process	target process
PID 1476 wrote to memory of 1152	1476	Warcraft III Reforged™ Setup.exe	cmd.exe
PID 1476 wrote to memory of 1152	1476	Warcraft III Reforged™ Setup.exe	cmd.exe
PID 1476 wrote to memory of 1152	1476	Warcraft III Reforged™ Setup.exe	cmd.exe
PID 1476 wrote to memory of 1152	1476	Warcraft III Reforged™ Setup.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Warcracft III Reforged\Warcraft III Reforged™ Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Warcracft III Reforged\Warcraft III Reforged™ Setup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\deldll.bat" "
2⤵
PID:1152

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\deldll.bat
Filesize
200B

MD5
ea190ef9b139757a890cd48bdd44b0ee

SHA1
95c684e41bf7919408816aafab881621fface202

SHA256
9131de0fcaaf968896af9d58b6f37b4aa443455bb97c97bc142f295cee577bc4

SHA512
22802ffc1965c8e27f799ee88e3fa46debb316c27507a570b0812bc5de0d59a9c2a2105b8cc204851b3c29984ef1dfb7842131819952b185b7e4325a032fb6ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\genteert.dll
Filesize
60KB

MD5
6ce814fd1ad7ae07a9e462c26b3a0f69

SHA1
15f440c2a8498a4efe2d9ba0c6268fab4fb8e0a7

SHA256
54c0da1735bb1cb02b60c321de938488345f8d1d26bf389c8cb2acad5d01b831

SHA512
e5cff6bcb063635e5193209b94a9b2f5465f1c82394f23f50bd30bf0a2b117b209f5fca5aa10a7912a94ad88711dcd490aa528a7202f09490acd96cd640a3556

Download Submit
\Users\Admin\AppData\Local\Temp\gentee81\guig.dll
Filesize
20KB

MD5
d3f8c0334c19198a109e44d074dac5fd

SHA1
167716989a62b25e9fcf8e20d78e390a52e12077

SHA256
005c251c21d6a5ba1c3281e7b9f3b4f684d007e0c3486b34a545bb370d8420aa

SHA512
9c890e0af5b20ce9db4284e726ec0b05b2a9f18b909fb8e595edf3348a8f0d07d5238d85446a09e72e4faa2e2875beb52742d312e5163f48df4072b982801b51

Download Submit
\Users\Admin\AppData\Local\Temp\genteert.dll
Filesize
60KB

MD5
6ce814fd1ad7ae07a9e462c26b3a0f69

SHA1
15f440c2a8498a4efe2d9ba0c6268fab4fb8e0a7

SHA256
54c0da1735bb1cb02b60c321de938488345f8d1d26bf389c8cb2acad5d01b831

SHA512
e5cff6bcb063635e5193209b94a9b2f5465f1c82394f23f50bd30bf0a2b117b209f5fca5aa10a7912a94ad88711dcd490aa528a7202f09490acd96cd640a3556

Download Submit
memory/1152-58-0x0000000000000000-mapping.dmp

Download
memory/1476-55-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download
memory/1476-57-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download