2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c

General

Target

2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c.exe
Size

1.9MB
MD5

77519071dfd38573937add8794bb23b2
SHA1

dae7ff3f0d6d5e9e6849b4f43badc04b3fe53d22
SHA256

2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c
SHA512

ad864e15705ebd45a68235709c644fce5c9d3683bde075bef322014e8becb5edd7426ec798d3b66b0aebaa1d50067255e6c1100d641fc041084080307a98057b
SSDEEP

49152:Ac//////ZTS0G7mtHaLGLrjCE9SFaEzJLDfVJPEv2T7DZi:Ac//////9Em9aLGOoGaEzJLDdJNT7E

Score

8^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

tj1.exegamedmon.exe

pid process

776 tj1.exe
1792 gamedmon.exe

pid	process
776	tj1.exe
1792	gamedmon.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tj1.exe	upx
\Users\Admin\AppData\Local\Temp\tj1.exe	upx
C:\Users\Admin\AppData\Local\Temp\tj1.exe	upx
behavioral1/memory/776-66-0x0000000000B20000-0x0000000000BA3000-memory.dmp	upx
behavioral1/memory/776-72-0x0000000000B20000-0x0000000000BA3000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

cmd.exetj1.exe

pid process

564 cmd.exe
776 tj1.exe
776 tj1.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in Program Files directory 2 IoCs

Processes:

tj1.exe

description ioc process

File created C:\Program Files (x86)\Æô¶¯\Æô¶¯.exe tj1.exe
File created C:\Program Files (x86)\Æô¶¯\Uninstall.exe tj1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
564	cmd.exe
776	tj1.exe
776	tj1.exe

description	ioc	process
File created	C:\Program Files (x86)\Æô¶¯\Æô¶¯.exe	tj1.exe
File created	C:\Program Files (x86)\Æô¶¯\Uninstall.exe	tj1.exe

Modifies registry class 2 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

1748 vlc.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

tj1.exegamedmon.exe

pid process

776 tj1.exe
1792 gamedmon.exe
1792 gamedmon.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

1748 vlc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tj1.exe

description pid process

Token: SeIncBasePriorityPrivilege 776 tj1.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

vlc.exe

pid process

1748 vlc.exe
1748 vlc.exe
1748 vlc.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

vlc.exe

pid process

1748 vlc.exe
1748 vlc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

1748 vlc.exe

pid	process
1748	vlc.exe

pid	process
776	tj1.exe
1792	gamedmon.exe
1792	gamedmon.exe

pid	process
1748	vlc.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	776	tj1.exe

pid	process
1748	vlc.exe
1748	vlc.exe
1748	vlc.exe

pid	process
1748	vlc.exe
1748	vlc.exe

pid	process
1748	vlc.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c.execmd.execmd.exetj1.exerundll32.exe

description	pid	process	target process
PID 1772 wrote to memory of 1168	1772	2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c.exe	cmd.exe
PID 1772 wrote to memory of 1168	1772	2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c.exe	cmd.exe
PID 1772 wrote to memory of 1168	1772	2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c.exe	cmd.exe
PID 1772 wrote to memory of 1168	1772	2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c.exe	cmd.exe
PID 1772 wrote to memory of 564	1772	2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c.exe	cmd.exe
PID 1772 wrote to memory of 564	1772	2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c.exe	cmd.exe
PID 1772 wrote to memory of 564	1772	2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c.exe	cmd.exe
PID 1772 wrote to memory of 564	1772	2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c.exe	cmd.exe
PID 564 wrote to memory of 776	564	cmd.exe	tj1.exe
PID 564 wrote to memory of 776	564	cmd.exe	tj1.exe
PID 564 wrote to memory of 776	564	cmd.exe	tj1.exe
PID 564 wrote to memory of 776	564	cmd.exe	tj1.exe
PID 564 wrote to memory of 776	564	cmd.exe	tj1.exe
PID 564 wrote to memory of 776	564	cmd.exe	tj1.exe
PID 564 wrote to memory of 776	564	cmd.exe	tj1.exe
PID 1168 wrote to memory of 1776	1168	cmd.exe	rundll32.exe
PID 1168 wrote to memory of 1776	1168	cmd.exe	rundll32.exe
PID 1168 wrote to memory of 1776	1168	cmd.exe	rundll32.exe
PID 1168 wrote to memory of 1776	1168	cmd.exe	rundll32.exe
PID 1168 wrote to memory of 1776	1168	cmd.exe	rundll32.exe
PID 1168 wrote to memory of 1776	1168	cmd.exe	rundll32.exe
PID 1168 wrote to memory of 1776	1168	cmd.exe	rundll32.exe
PID 776 wrote to memory of 1792	776	tj1.exe	gamedmon.exe
PID 776 wrote to memory of 1792	776	tj1.exe	gamedmon.exe
PID 776 wrote to memory of 1792	776	tj1.exe	gamedmon.exe
PID 776 wrote to memory of 1792	776	tj1.exe	gamedmon.exe
PID 776 wrote to memory of 1668	776	tj1.exe	cmd.exe
PID 776 wrote to memory of 1668	776	tj1.exe	cmd.exe
PID 776 wrote to memory of 1668	776	tj1.exe	cmd.exe
PID 776 wrote to memory of 1668	776	tj1.exe	cmd.exe
PID 1776 wrote to memory of 1748	1776	rundll32.exe	vlc.exe
PID 1776 wrote to memory of 1748	1776	rundll32.exe	vlc.exe
PID 1776 wrote to memory of 1748	1776	rundll32.exe	vlc.exe
PID 1776 wrote to memory of 1748	1776	rundll32.exe	vlc.exe

C:\Users\Admin\AppData\Local\Temp\2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c.exe
"C:\Users\Admin\AppData\Local\Temp\2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\xwzmxy3.rar"
2⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\xwzmxy3.rar
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1776

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\xwzmxy3.rar"
4⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\tj1.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:564

C:\Users\Admin\AppData\Local\Temp\tj1.exe
C:\Users\Admin\AppData\Local\Temp\tj1.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Local\Temp\gamedmon.exe
C:\Users\Admin\AppData\Local\Temp\gamedmon.exe -startgame
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\tj1.exe > nul
4⤵
PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gamedmon.exe

Filesize
172KB

MD5
ceef802c5f0704313fa75ab44dfd2fdb

SHA1
e904aceee1b077a6d98cf80d0419c5b71ebd0a79

SHA256
21b6174a585d9388faa9561213982d08e88473e11b21a07deba2e70023e3e3c9

SHA512
029d2436d3f6bfb567b75799f48d423a09803094ff4a96c1e47b5ac2902c3d4abf552b6a666fdfe86c59f727546e93dd17361d6abe8b94c999a616cb0eb16743

Download Submit
C:\Users\Admin\AppData\Local\Temp\tj1.exe

Filesize
189KB

MD5
9381e74be11b04acfa7cac3ca62a359b

SHA1
7e1203c1b50022dcfe3ad4746ad210fe0c4a8915

SHA256
e94f229e151bd11070c564966cf04d692699071cf8b82d041fafaf0c4d7e1a2a

SHA512
be555c3389d20207af3edd01a67fe588dd7984879acf65adc3166a2ab09a1094e40c3c003a25de06e681e8b48197f734c4b7b8e54297f0d2a883ebfeef91dea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tj1.exe

Filesize
189KB

MD5
9381e74be11b04acfa7cac3ca62a359b

SHA1
7e1203c1b50022dcfe3ad4746ad210fe0c4a8915

SHA256
e94f229e151bd11070c564966cf04d692699071cf8b82d041fafaf0c4d7e1a2a

SHA512
be555c3389d20207af3edd01a67fe588dd7984879acf65adc3166a2ab09a1094e40c3c003a25de06e681e8b48197f734c4b7b8e54297f0d2a883ebfeef91dea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwzmxy3.rar

Filesize
1.6MB

MD5
23831a66183e42a5db58c712a095ba86

SHA1
2ababa57d5b323ae94eb057a6a12d0dea4c3ca1c

SHA256
e80bddda36f460eadcbed856b639165a2b55aa9faf1ba8803a9d465e3b50040c

SHA512
487bda1e5304f8da6b8add3869125fe7412db09a17a891128d2818e77c8503c0bed5c84b455ab1791f7e6f75acd4591b3a7539e8b27479537c3b72cf764bf9e1

Download Submit
\Program Files (x86)\Æô¶¯\Uninstall.exe

Filesize
198KB

MD5
255397a0bde4c291da77d608653d111c

SHA1
8eac18bda6daabe84d67eca026fed8f8aaaf095b

SHA256
e266d81cb01770d95932f7c6f987f9eab03bf8d73cd5aa5899888a4f3e7067c1

SHA512
8df5774b58fdd5d1f6383dfb66468313c3ca5586464094b0f0b01afc052c27bb7e4e8b5bfe0defa5f6d55eb576179f20bb87e76378aed2b506a1e032e7c94016

Download Submit
\Users\Admin\AppData\Local\Temp\gamedmon.exe

Filesize
172KB

MD5
ceef802c5f0704313fa75ab44dfd2fdb

SHA1
e904aceee1b077a6d98cf80d0419c5b71ebd0a79

SHA256
21b6174a585d9388faa9561213982d08e88473e11b21a07deba2e70023e3e3c9

SHA512
029d2436d3f6bfb567b75799f48d423a09803094ff4a96c1e47b5ac2902c3d4abf552b6a666fdfe86c59f727546e93dd17361d6abe8b94c999a616cb0eb16743

Download Submit
\Users\Admin\AppData\Local\Temp\tj1.exe

Filesize
189KB

MD5
9381e74be11b04acfa7cac3ca62a359b

SHA1
7e1203c1b50022dcfe3ad4746ad210fe0c4a8915

SHA256
e94f229e151bd11070c564966cf04d692699071cf8b82d041fafaf0c4d7e1a2a

SHA512
be555c3389d20207af3edd01a67fe588dd7984879acf65adc3166a2ab09a1094e40c3c003a25de06e681e8b48197f734c4b7b8e54297f0d2a883ebfeef91dea3

Download Submit
memory/564-65-0x0000000001F10000-0x0000000001F93000-memory.dmp

Filesize
524KB

Download
memory/564-55-0x0000000000000000-mapping.dmp

Download
memory/776-59-0x0000000000000000-mapping.dmp

Download
memory/776-66-0x0000000000B20000-0x0000000000BA3000-memory.dmp

Filesize
524KB

Download
memory/776-72-0x0000000000B20000-0x0000000000BA3000-memory.dmp

Filesize
524KB

Download
memory/1168-54-0x0000000000000000-mapping.dmp

Download
memory/1168-56-0x0000000075651000-0x0000000075653000-memory.dmp

Filesize
8KB

Download
memory/1668-71-0x0000000000000000-mapping.dmp

Download
memory/1748-74-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp

Filesize
8KB

Download
memory/1748-73-0x0000000000000000-mapping.dmp

Download
memory/1776-63-0x0000000000000000-mapping.dmp

Download
memory/1792-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads