2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c

General

Target

2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c.exe
Size

1.9MB
MD5

77519071dfd38573937add8794bb23b2
SHA1

dae7ff3f0d6d5e9e6849b4f43badc04b3fe53d22
SHA256

2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c
SHA512

ad864e15705ebd45a68235709c644fce5c9d3683bde075bef322014e8becb5edd7426ec798d3b66b0aebaa1d50067255e6c1100d641fc041084080307a98057b
SSDEEP

49152:Ac//////ZTS0G7mtHaLGLrjCE9SFaEzJLDfVJPEv2T7DZi:Ac//////9Em9aLGOoGaEzJLDdJNT7E

Score

8^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

tj1.exegamedmon.exe

pid process

4900 tj1.exe
3844 gamedmon.exe

pid	process
4900	tj1.exe
3844	gamedmon.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tj1.exe	upx
C:\Users\Admin\AppData\Local\Temp\tj1.exe	upx
behavioral2/memory/4900-140-0x00000000003B0000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4900-146-0x00000000003B0000-0x0000000000433000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

tj1.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation tj1.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in Program Files directory 2 IoCs

Processes:

tj1.exe

description ioc process

File created C:\Program Files (x86)\Æô¶¯\Æô¶¯.exe tj1.exe
File created C:\Program Files (x86)\Æô¶¯\Uninstall.exe tj1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tj1.exe

description	ioc	process
File created	C:\Program Files (x86)\Æô¶¯\Æô¶¯.exe	tj1.exe
File created	C:\Program Files (x86)\Æô¶¯\Uninstall.exe	tj1.exe

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

tj1.exegamedmon.exe

pid process

4900 tj1.exe
4900 tj1.exe
3844 gamedmon.exe
3844 gamedmon.exe
3844 gamedmon.exe
3844 gamedmon.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tj1.exe

description pid process

Token: SeIncBasePriorityPrivilege 4900 tj1.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

3136 OpenWith.exe

pid	process
4900	tj1.exe
4900	tj1.exe
3844	gamedmon.exe
3844	gamedmon.exe
3844	gamedmon.exe
3844	gamedmon.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4900	tj1.exe

pid	process
3136	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c.execmd.exetj1.exe

description	pid	process	target process
PID 1508 wrote to memory of 1920	1508	2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c.exe	cmd.exe
PID 1508 wrote to memory of 1920	1508	2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c.exe	cmd.exe
PID 1508 wrote to memory of 1920	1508	2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c.exe	cmd.exe
PID 1508 wrote to memory of 1588	1508	2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c.exe	cmd.exe
PID 1508 wrote to memory of 1588	1508	2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c.exe	cmd.exe
PID 1508 wrote to memory of 1588	1508	2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c.exe	cmd.exe
PID 1588 wrote to memory of 4900	1588	cmd.exe	tj1.exe
PID 1588 wrote to memory of 4900	1588	cmd.exe	tj1.exe
PID 1588 wrote to memory of 4900	1588	cmd.exe	tj1.exe
PID 4900 wrote to memory of 3844	4900	tj1.exe	gamedmon.exe
PID 4900 wrote to memory of 3844	4900	tj1.exe	gamedmon.exe
PID 4900 wrote to memory of 3844	4900	tj1.exe	gamedmon.exe
PID 4900 wrote to memory of 2008	4900	tj1.exe	cmd.exe
PID 4900 wrote to memory of 2008	4900	tj1.exe	cmd.exe
PID 4900 wrote to memory of 2008	4900	tj1.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c.exe
"C:\Users\Admin\AppData\Local\Temp\2183d48ef601d41b3b0a52952035695786d17ca742c14cc4d5ae4dd9e6b9468c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\xwzmxy3.rar"
2⤵
- Modifies registry class
PID:1920

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\tj1.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Local\Temp\tj1.exe
C:\Users\Admin\AppData\Local\Temp\tj1.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4900

C:\Users\Admin\AppData\Local\Temp\gamedmon.exe
C:\Users\Admin\AppData\Local\Temp\gamedmon.exe -startgame
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\tj1.exe > nul
4⤵
PID:2008

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gamedmon.exe

Filesize
172KB

MD5
ceef802c5f0704313fa75ab44dfd2fdb

SHA1
e904aceee1b077a6d98cf80d0419c5b71ebd0a79

SHA256
21b6174a585d9388faa9561213982d08e88473e11b21a07deba2e70023e3e3c9

SHA512
029d2436d3f6bfb567b75799f48d423a09803094ff4a96c1e47b5ac2902c3d4abf552b6a666fdfe86c59f727546e93dd17361d6abe8b94c999a616cb0eb16743

Download Submit
C:\Users\Admin\AppData\Local\Temp\gamedmon.exe

Filesize
172KB

MD5
ceef802c5f0704313fa75ab44dfd2fdb

SHA1
e904aceee1b077a6d98cf80d0419c5b71ebd0a79

SHA256
21b6174a585d9388faa9561213982d08e88473e11b21a07deba2e70023e3e3c9

SHA512
029d2436d3f6bfb567b75799f48d423a09803094ff4a96c1e47b5ac2902c3d4abf552b6a666fdfe86c59f727546e93dd17361d6abe8b94c999a616cb0eb16743

Download Submit
C:\Users\Admin\AppData\Local\Temp\tj1.exe

Filesize
189KB

MD5
9381e74be11b04acfa7cac3ca62a359b

SHA1
7e1203c1b50022dcfe3ad4746ad210fe0c4a8915

SHA256
e94f229e151bd11070c564966cf04d692699071cf8b82d041fafaf0c4d7e1a2a

SHA512
be555c3389d20207af3edd01a67fe588dd7984879acf65adc3166a2ab09a1094e40c3c003a25de06e681e8b48197f734c4b7b8e54297f0d2a883ebfeef91dea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tj1.exe

Filesize
189KB

MD5
9381e74be11b04acfa7cac3ca62a359b

SHA1
7e1203c1b50022dcfe3ad4746ad210fe0c4a8915

SHA256
e94f229e151bd11070c564966cf04d692699071cf8b82d041fafaf0c4d7e1a2a

SHA512
be555c3389d20207af3edd01a67fe588dd7984879acf65adc3166a2ab09a1094e40c3c003a25de06e681e8b48197f734c4b7b8e54297f0d2a883ebfeef91dea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwzmxy3.rar

Filesize
1.6MB

MD5
23831a66183e42a5db58c712a095ba86

SHA1
2ababa57d5b323ae94eb057a6a12d0dea4c3ca1c

SHA256
e80bddda36f460eadcbed856b639165a2b55aa9faf1ba8803a9d465e3b50040c

SHA512
487bda1e5304f8da6b8add3869125fe7412db09a17a891128d2818e77c8503c0bed5c84b455ab1791f7e6f75acd4591b3a7539e8b27479537c3b72cf764bf9e1

Download Submit
memory/1588-136-0x0000000000000000-mapping.dmp

Download
memory/1920-135-0x0000000000000000-mapping.dmp

Download
memory/2008-145-0x0000000000000000-mapping.dmp

Download
memory/3844-142-0x0000000000000000-mapping.dmp

Download
memory/4900-137-0x0000000000000000-mapping.dmp

Download
memory/4900-140-0x00000000003B0000-0x0000000000433000-memory.dmp

Filesize
524KB

Download
memory/4900-146-0x00000000003B0000-0x0000000000433000-memory.dmp

Filesize
524KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads