77c395d14d27d9d8114892a7474b2e7ca02fc17464f05f5cb7262a858d324d93

General

Target

77c395d14d27d9d8114892a7474b2e7ca02fc17464f05f5cb7262a858d324d93.exe
Size

632KB
MD5

4b28174cf77108db61be02cd6d30f572
SHA1

677fa407724848e1311a8f87f7550463ffa2c07b
SHA256

77c395d14d27d9d8114892a7474b2e7ca02fc17464f05f5cb7262a858d324d93
SHA512

9e687e5c587eb4c64d31c124308afba76e7cf6c72245e0cc63beccdef0842874d60c9303bce91b857809d4aaa35774557e88731d2778592f06920cebf5d88ffd
SSDEEP

12288:mEORSX3X2VKcIgqqIZyOni1iv6Q3z0SPGjQ/1pfPnbTr+NwTYgkVY:lMSXaKypIZzni1zMzpOU/b7+F

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

StarCraft 2 v2.0.6 Trainer.exe

pid process

1720 StarCraft 2 v2.0.6 Trainer.exe

pid	process
1720	StarCraft 2 v2.0.6 Trainer.exe

Loads dropped DLL 5 IoCs

Processes:

77c395d14d27d9d8114892a7474b2e7ca02fc17464f05f5cb7262a858d324d93.exeStarCraft 2 v2.0.6 Trainer.exe

pid	process
1552	77c395d14d27d9d8114892a7474b2e7ca02fc17464f05f5cb7262a858d324d93.exe
1552	77c395d14d27d9d8114892a7474b2e7ca02fc17464f05f5cb7262a858d324d93.exe
1552	77c395d14d27d9d8114892a7474b2e7ca02fc17464f05f5cb7262a858d324d93.exe
1720	StarCraft 2 v2.0.6 Trainer.exe
1720	StarCraft 2 v2.0.6 Trainer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

77c395d14d27d9d8114892a7474b2e7ca02fc17464f05f5cb7262a858d324d93.exe

description	pid	process	target process
PID 1552 wrote to memory of 1720	1552	77c395d14d27d9d8114892a7474b2e7ca02fc17464f05f5cb7262a858d324d93.exe	StarCraft 2 v2.0.6 Trainer.exe
PID 1552 wrote to memory of 1720	1552	77c395d14d27d9d8114892a7474b2e7ca02fc17464f05f5cb7262a858d324d93.exe	StarCraft 2 v2.0.6 Trainer.exe
PID 1552 wrote to memory of 1720	1552	77c395d14d27d9d8114892a7474b2e7ca02fc17464f05f5cb7262a858d324d93.exe	StarCraft 2 v2.0.6 Trainer.exe
PID 1552 wrote to memory of 1720	1552	77c395d14d27d9d8114892a7474b2e7ca02fc17464f05f5cb7262a858d324d93.exe	StarCraft 2 v2.0.6 Trainer.exe
PID 1552 wrote to memory of 1720	1552	77c395d14d27d9d8114892a7474b2e7ca02fc17464f05f5cb7262a858d324d93.exe	StarCraft 2 v2.0.6 Trainer.exe
PID 1552 wrote to memory of 1720	1552	77c395d14d27d9d8114892a7474b2e7ca02fc17464f05f5cb7262a858d324d93.exe	StarCraft 2 v2.0.6 Trainer.exe
PID 1552 wrote to memory of 1720	1552	77c395d14d27d9d8114892a7474b2e7ca02fc17464f05f5cb7262a858d324d93.exe	StarCraft 2 v2.0.6 Trainer.exe

C:\Users\Admin\AppData\Local\Temp\77c395d14d27d9d8114892a7474b2e7ca02fc17464f05f5cb7262a858d324d93.exe
"C:\Users\Admin\AppData\Local\Temp\77c395d14d27d9d8114892a7474b2e7ca02fc17464f05f5cb7262a858d324d93.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\StarCraft 2 v2.0.6 Trainer.exe
  "C:\Users\Admin\AppData\Local\Temp\StarCraft 2 v2.0.6 Trainer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\StarCraft 2 v2.0.6 Trainer.exe

Filesize
1.4MB

MD5
915b64b81722ffc2472d16bf8df82b37

SHA1
6ccc85672937ac231daf86e796c2ca04d4feeb9b

SHA256
ff543982c8d16322eaa6f320c2179c95fdb02ecd3143a51da2b53e1f4f368b2c

SHA512
de137fe4690cf9ca9d513b4965921302e1bf03d6e45882860daecf4bed793b4c5eded684ac627f788fc8daed29f77ae9642ce4841656c8168654618733b2a7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\StarCraft 2 v2.0.6 Trainer.exe

Filesize
1.4MB

MD5
915b64b81722ffc2472d16bf8df82b37

SHA1
6ccc85672937ac231daf86e796c2ca04d4feeb9b

SHA256
ff543982c8d16322eaa6f320c2179c95fdb02ecd3143a51da2b53e1f4f368b2c

SHA512
de137fe4690cf9ca9d513b4965921302e1bf03d6e45882860daecf4bed793b4c5eded684ac627f788fc8daed29f77ae9642ce4841656c8168654618733b2a7aa

Download Submit
\Users\Admin\AppData\Local\Temp\StarCraft 2 v2.0.6 Trainer.exe

Filesize
1.4MB

MD5
915b64b81722ffc2472d16bf8df82b37

SHA1
6ccc85672937ac231daf86e796c2ca04d4feeb9b

SHA256
ff543982c8d16322eaa6f320c2179c95fdb02ecd3143a51da2b53e1f4f368b2c

SHA512
de137fe4690cf9ca9d513b4965921302e1bf03d6e45882860daecf4bed793b4c5eded684ac627f788fc8daed29f77ae9642ce4841656c8168654618733b2a7aa

Download Submit
\Users\Admin\AppData\Local\Temp\StarCraft 2 v2.0.6 Trainer.exe

Filesize
1.4MB

MD5
915b64b81722ffc2472d16bf8df82b37

SHA1
6ccc85672937ac231daf86e796c2ca04d4feeb9b

SHA256
ff543982c8d16322eaa6f320c2179c95fdb02ecd3143a51da2b53e1f4f368b2c

SHA512
de137fe4690cf9ca9d513b4965921302e1bf03d6e45882860daecf4bed793b4c5eded684ac627f788fc8daed29f77ae9642ce4841656c8168654618733b2a7aa

Download Submit
\Users\Admin\AppData\Local\Temp\StarCraft 2 v2.0.6 Trainer.exe

Filesize
1.4MB

MD5
915b64b81722ffc2472d16bf8df82b37

SHA1
6ccc85672937ac231daf86e796c2ca04d4feeb9b

SHA256
ff543982c8d16322eaa6f320c2179c95fdb02ecd3143a51da2b53e1f4f368b2c

SHA512
de137fe4690cf9ca9d513b4965921302e1bf03d6e45882860daecf4bed793b4c5eded684ac627f788fc8daed29f77ae9642ce4841656c8168654618733b2a7aa

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4656.tmp\AdvSplash.dll

Filesize
6KB

MD5
a1bba35c752b36f575350cb7ddf238e4

SHA1
9603b691ae71d4fbc7a14dbb837bd97cecac8aab

SHA256
0667863d71a3021ab844069b6dd0485f874bf638af478ab11c6fb8b7d6c834b6

SHA512
eb5d3498dd994bec42a437cf91343665d3c35bfe3f6277a7393af6a0b8348772c3166d9be48955edddf6ef79fa508ec8d4f96d7d5df37ecdc52c90042e0a2967

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4656.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
memory/1552-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1720-58-0x0000000000000000-mapping.dmp

Download
memory/1720-64-0x00000000010A0000-0x000000000120A000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing