Analysis
- max time kernel: 940s
- max time network: 945s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-10-2022 20:50
Static task: static1
Behavioral task: behavioral1 - Sample: -warcraft-tft-keygen-F82Z5I7.exe - Resource: win7-20220812-en
Behavioral task: behavioral2 - Sample: -warcraft-tft-keygen-F82Z5I7.exe - Resource: win10v2004-20220901-en
Behavioral task: behavioral3 - Sample: .............exe - Resource: win7-20220812-en
Behavioral task: behavioral4 - Sample: .............exe - Resource: win10v2004-20220812-en
Behavioral task: behavioral5 - Sample: Warcracft III Reforged/StarCraft-Setup.exe - Resource: win7-20220901-en
Behavioral task: behavioral6 - Sample: Warcracft III Reforged/StarCraft-Setup.exe - Resource: win10v2004-20220812-en
Behavioral task: behavioral7 - Sample: Warcracft III Reforged/Warcraft III Reforged™ Setup.exe - Resource: win7-20220812-en
Behavioral task: behavioral8 - Sample: Warcracft III Reforged/Warcraft III Reforged™ Setup.exe - Resource: win10v2004-20220901-en
General
- Target: Warcracft III Reforged/Warcraft III Reforged™ Setup.exe
- Size: 10.6MB
- MD5: 69ed233958e8c23382060102217b22d4
- SHA1: 5084e3104dd3da0b3614aba1e2d7c1357a9dcc14
- SHA256: fcd4dd0cd7f49f879cb94cdb263af2ab149e1b817ce59b10a13db9f338f47cfa
- SHA512: 5e157735442f1ed596a7faeea66ee5e5cd2f1546a036962f7d349e71196810fa07ff3201113a9f90db8878272099ab05d5e2be88efa0470e982c238bf382c272
- SSDEEP: 196608:wuDdEGOylRlbMN34CJAk6t5/ooYzxVAruqZY/5slZSFOW6sqgCkujAnZZ:wqdxOqJQ4Xk6tivzzYNq5slcOBsbyjAf
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | Warcraft III Reforged™ Setup.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid | process):
    3664 | Warcraft III Reforged™ Setup.exe (3 entries)
- Drops file in Program Files directory (1 IoCs)
  Processes (description | ioc | process):
    File created | C:\Program Files (x86)\Warcraft III Reforged™\_ci_gentee | Warcraft III Reforged™ Setup.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid | process):
    3664 | Warcraft III Reforged™ Setup.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 3664 | Warcraft III Reforged™ Setup.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes (pid | process):
    3664 | Warcraft III Reforged™ Setup.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
    PID 3664 wrote to memory of 4652 | 3664 | Warcraft III Reforged™ Setup.exe | cmd.exe (3 entries)
    PID 4652 wrote to memory of 4720 | 4652 | cmd.exe | PING.EXE (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Warcracft III Reforged\Warcraft III Reforged™ Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Warcracft III Reforged\Warcraft III Reforged™ Setup.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deldll.bat" "
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 2 -w 1000 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\deldll.bat
  Filesize: 200B
  MD5: ea190ef9b139757a890cd48bdd44b0ee
  SHA1: 95c684e41bf7919408816aafab881621fface202
  SHA256: 9131de0fcaaf968896af9d58b6f37b4aa443455bb97c97bc142f295cee577bc4
  SHA512: 22802ffc1965c8e27f799ee88e3fa46debb316c27507a570b0812bc5de0d59a9c2a2105b8cc204851b3c29984ef1dfb7842131819952b185b7e4325a032fb6ad
- C:\Users\Admin\AppData\Local\Temp\gentee82\guig.dll (listed twice in the report)
  Filesize: 20KB
  MD5: d3f8c0334c19198a109e44d074dac5fd
  SHA1: 167716989a62b25e9fcf8e20d78e390a52e12077
  SHA256: 005c251c21d6a5ba1c3281e7b9f3b4f684d007e0c3486b34a545bb370d8420aa
  SHA512: 9c890e0af5b20ce9db4284e726ec0b05b2a9f18b909fb8e595edf3348a8f0d07d5238d85446a09e72e4faa2e2875beb52742d312e5163f48df4072b982801b51
- C:\Users\Admin\AppData\Local\Temp\genteert.dll (listed twice in the report)
  Filesize: 60KB
  MD5: 6ce814fd1ad7ae07a9e462c26b3a0f69
  SHA1: 15f440c2a8498a4efe2d9ba0c6268fab4fb8e0a7
  SHA256: 54c0da1735bb1cb02b60c321de938488345f8d1d26bf389c8cb2acad5d01b831
  SHA512: e5cff6bcb063635e5193209b94a9b2f5465f1c82394f23f50bd30bf0a2b117b209f5fca5aa10a7912a94ad88711dcd490aa528a7202f09490acd96cd640a3556
- memory/4652-135-0x0000000000000000-mapping.dmp
- memory/4720-138-0x0000000000000000-mapping.dmp