3c806eec38fc8565c942fe0a79331bf3215989d494bb3d5fa8d8057dcef58e03

Resubmissions

03-08-2023 07:22

230803-h7h8fsbh93 8

24-10-2022 20:50

221024-zmn2msaeen 10

Analysis

max time kernel
940s
max time network
945s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
24-10-2022 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Warcracft III Reforged/Warcraft III Reforged™ Setup.exe
Size

10.6MB
MD5

69ed233958e8c23382060102217b22d4
SHA1

5084e3104dd3da0b3614aba1e2d7c1357a9dcc14
SHA256

fcd4dd0cd7f49f879cb94cdb263af2ab149e1b817ce59b10a13db9f338f47cfa
SHA512

5e157735442f1ed596a7faeea66ee5e5cd2f1546a036962f7d349e71196810fa07ff3201113a9f90db8878272099ab05d5e2be88efa0470e982c238bf382c272
SSDEEP

196608:wuDdEGOylRlbMN34CJAk6t5/ooYzxVAruqZY/5slZSFOW6sqgCkujAnZZ:wqdxOqJQ4Xk6tivzzYNq5slcOBsbyjAf

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Warcraft III Reforged™ Setup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Warcraft III Reforged™ Setup.exe

Loads dropped DLL 3 IoCs

Processes:

Warcraft III Reforged™ Setup.exe

pid process

3664 Warcraft III Reforged™ Setup.exe
3664 Warcraft III Reforged™ Setup.exe
3664 Warcraft III Reforged™ Setup.exe
Drops file in Program Files directory 1 IoCs

Processes:

Warcraft III Reforged™ Setup.exe

description ioc process

File created C:\Program Files (x86)\Warcraft III Reforged™\_ci_gentee Warcraft III Reforged™ Setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4720 PING.EXE

description	ioc	process
File created	C:\Program Files (x86)\Warcraft III Reforged™\_ci_gentee	Warcraft III Reforged™ Setup.exe

pid	process
4720	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Warcraft III Reforged™ Setup.exe

pid	process
3664	Warcraft III Reforged™ Setup.exe
3664	Warcraft III Reforged™ Setup.exe
3664	Warcraft III Reforged™ Setup.exe
3664	Warcraft III Reforged™ Setup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Warcraft III Reforged™ Setup.exe

description pid process

Token: SeDebugPrivilege 3664 Warcraft III Reforged™ Setup.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Warcraft III Reforged™ Setup.exe

pid process

3664 Warcraft III Reforged™ Setup.exe

description	pid	process
Token: SeDebugPrivilege	3664	Warcraft III Reforged™ Setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Warcraft III Reforged™ Setup.execmd.exe

description	pid	process	target process
PID 3664 wrote to memory of 4652	3664	Warcraft III Reforged™ Setup.exe	cmd.exe
PID 3664 wrote to memory of 4652	3664	Warcraft III Reforged™ Setup.exe	cmd.exe
PID 3664 wrote to memory of 4652	3664	Warcraft III Reforged™ Setup.exe	cmd.exe
PID 4652 wrote to memory of 4720	4652	cmd.exe	PING.EXE
PID 4652 wrote to memory of 4720	4652	cmd.exe	PING.EXE
PID 4652 wrote to memory of 4720	4652	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\Warcracft III Reforged\Warcraft III Reforged™ Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Warcracft III Reforged\Warcraft III Reforged™ Setup.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deldll.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\SysWOW64\PING.EXE
ping -n 2 -w 1000 127.0.0.1
3⤵
- Runs ping.exe
PID:4720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\deldll.bat
Filesize
200B

MD5
ea190ef9b139757a890cd48bdd44b0ee

SHA1
95c684e41bf7919408816aafab881621fface202

SHA256
9131de0fcaaf968896af9d58b6f37b4aa443455bb97c97bc142f295cee577bc4

SHA512
22802ffc1965c8e27f799ee88e3fa46debb316c27507a570b0812bc5de0d59a9c2a2105b8cc204851b3c29984ef1dfb7842131819952b185b7e4325a032fb6ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\gentee82\guig.dll
Filesize
20KB

MD5
d3f8c0334c19198a109e44d074dac5fd

SHA1
167716989a62b25e9fcf8e20d78e390a52e12077

SHA256
005c251c21d6a5ba1c3281e7b9f3b4f684d007e0c3486b34a545bb370d8420aa

SHA512
9c890e0af5b20ce9db4284e726ec0b05b2a9f18b909fb8e595edf3348a8f0d07d5238d85446a09e72e4faa2e2875beb52742d312e5163f48df4072b982801b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\gentee82\guig.dll
Filesize
20KB

MD5
d3f8c0334c19198a109e44d074dac5fd

SHA1
167716989a62b25e9fcf8e20d78e390a52e12077

SHA256
005c251c21d6a5ba1c3281e7b9f3b4f684d007e0c3486b34a545bb370d8420aa

SHA512
9c890e0af5b20ce9db4284e726ec0b05b2a9f18b909fb8e595edf3348a8f0d07d5238d85446a09e72e4faa2e2875beb52742d312e5163f48df4072b982801b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\genteert.dll
Filesize
60KB

MD5
6ce814fd1ad7ae07a9e462c26b3a0f69

SHA1
15f440c2a8498a4efe2d9ba0c6268fab4fb8e0a7

SHA256
54c0da1735bb1cb02b60c321de938488345f8d1d26bf389c8cb2acad5d01b831

SHA512
e5cff6bcb063635e5193209b94a9b2f5465f1c82394f23f50bd30bf0a2b117b209f5fca5aa10a7912a94ad88711dcd490aa528a7202f09490acd96cd640a3556

Download Submit
C:\Users\Admin\AppData\Local\Temp\genteert.dll
Filesize
60KB

MD5
6ce814fd1ad7ae07a9e462c26b3a0f69

SHA1
15f440c2a8498a4efe2d9ba0c6268fab4fb8e0a7

SHA256
54c0da1735bb1cb02b60c321de938488345f8d1d26bf389c8cb2acad5d01b831

SHA512
e5cff6bcb063635e5193209b94a9b2f5465f1c82394f23f50bd30bf0a2b117b209f5fca5aa10a7912a94ad88711dcd490aa528a7202f09490acd96cd640a3556

Download Submit
memory/4652-135-0x0000000000000000-mapping.dmp

Download
memory/4720-138-0x0000000000000000-mapping.dmp

Download