f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e

General

Target

f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe
Size

4.2MB
MD5

231014ad4a81f57c9fe1c0af63f90209
SHA1

d855eb8a1b66dbac5b42d2825747a686852f62f9
SHA256

f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e
SHA512

22c27c5fa29bc33eb25564865f63cbf4cc3aba1311ec331a5efa99a38e2322877c8cb549237419e23e6d1255fc8998c1dd6aba8be869e3bd2ddf8c1b7cf98370
SSDEEP

98304:/c//////TIWk179+7nzZJhUxr4fHsF0NsRAGizYKsLXppy4zrGJ8JOFUSOIlfmgy:N30nnsr4fMF0N+EYRjpp9r+xFJOPB

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1100	gamedmon.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1708-54-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/1708-58-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/1708-59-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/1708-66-0x0000000000400000-0x0000000000483000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1632	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1708	f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe
1708	f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 620 set thread context of 1708	620	f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe	27

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Æô¶¯\Æô¶¯.exe	f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe
File created	C:\Program Files (x86)\Æô¶¯\Uninstall.exe	f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1708	f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe
1100	gamedmon.exe
1100	gamedmon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1708	f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 1708	620	f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe	27
PID 620 wrote to memory of 1708	620	f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe	27
PID 620 wrote to memory of 1708	620	f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe	27
PID 620 wrote to memory of 1708	620	f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe	27
PID 620 wrote to memory of 1708	620	f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe	27
PID 620 wrote to memory of 1708	620	f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe	27
PID 1708 wrote to memory of 1100	1708	f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe	28
PID 1708 wrote to memory of 1100	1708	f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe	28
PID 1708 wrote to memory of 1100	1708	f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe	28
PID 1708 wrote to memory of 1100	1708	f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe	28
PID 1708 wrote to memory of 1632	1708	f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe	29
PID 1708 wrote to memory of 1632	1708	f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe	29
PID 1708 wrote to memory of 1632	1708	f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe	29
PID 1708 wrote to memory of 1632	1708	f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe	29

C:\Users\Admin\AppData\Local\Temp\f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe
"C:\Users\Admin\AppData\Local\Temp\f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:620
- C:\Users\Admin\AppData\Local\Temp\f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe
  C:\Users\Admin\AppData\Local\Temp\f2d512849e4c1a3dffc3df480f2a7a9ba59e71ce2a6d5de4947cd35664d3932e.exe
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Users\Admin\AppData\Local\Temp\gamedmon.exe
    C:\Users\Admin\AppData\Local\Temp\gamedmon.exe -startgame
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\F2D512~1.EXE > nul
    3⤵
    - Deletes itself
    PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gamedmon.exe

Filesize
172KB

MD5
ceef802c5f0704313fa75ab44dfd2fdb

SHA1
e904aceee1b077a6d98cf80d0419c5b71ebd0a79

SHA256
21b6174a585d9388faa9561213982d08e88473e11b21a07deba2e70023e3e3c9

SHA512
029d2436d3f6bfb567b75799f48d423a09803094ff4a96c1e47b5ac2902c3d4abf552b6a666fdfe86c59f727546e93dd17361d6abe8b94c999a616cb0eb16743

Download Submit
\Program Files (x86)\Æô¶¯\Uninstall.exe

Filesize
198KB

MD5
255397a0bde4c291da77d608653d111c

SHA1
8eac18bda6daabe84d67eca026fed8f8aaaf095b

SHA256
e266d81cb01770d95932f7c6f987f9eab03bf8d73cd5aa5899888a4f3e7067c1

SHA512
8df5774b58fdd5d1f6383dfb66468313c3ca5586464094b0f0b01afc052c27bb7e4e8b5bfe0defa5f6d55eb576179f20bb87e76378aed2b506a1e032e7c94016

Download Submit
\Users\Admin\AppData\Local\Temp\gamedmon.exe

Filesize
172KB

MD5
ceef802c5f0704313fa75ab44dfd2fdb

SHA1
e904aceee1b077a6d98cf80d0419c5b71ebd0a79

SHA256
21b6174a585d9388faa9561213982d08e88473e11b21a07deba2e70023e3e3c9

SHA512
029d2436d3f6bfb567b75799f48d423a09803094ff4a96c1e47b5ac2902c3d4abf552b6a666fdfe86c59f727546e93dd17361d6abe8b94c999a616cb0eb16743

Download Submit
memory/1708-54-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1708-58-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1708-57-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/1708-59-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1708-66-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download

Analysis

Sharing