0e8c3d3ae016a8766cafc836ba890cfeda8ec0e1d4257665b5a500b675d23926

Analysis

max time kernel
70s
max time network
138s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
09/01/2023, 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GOG_Galaxy_2.0 (1).exe
Size

960KB
MD5

e461e9c635415ab2b8ac94090d281aec
SHA1

6b205492de457c2b997e44fd9eea43468c29c897
SHA256

0e8c3d3ae016a8766cafc836ba890cfeda8ec0e1d4257665b5a500b675d23926
SHA512

d0756b0706c2f10f3e640d01c65676bb8dabc43925f61e1f5081993efda76279192305ef5c85a5956af9c333efeb37e9a77eb3ba8b2b5bb64a2fd1cd8cdd58fb
SSDEEP

12288:T27p5j8DPeuUSFHqLV+JjY4UW61O4RAxDleFbWQCQTFgSYyAzB+Q/uLnK3:T27EDFHqLy826My+QiyGJyAV+muLK3

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1400	GalaxyInstaller.exe
1872	GalaxySetup.exe
832	GalaxySetup.tmp

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1108-55-0x0000000000400000-0x0000000000641000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
1108	GOG_Galaxy_2.0 (1).exe
1108	GOG_Galaxy_2.0 (1).exe
1108	GOG_Galaxy_2.0 (1).exe
1108	GOG_Galaxy_2.0 (1).exe
1872	GalaxySetup.exe
832	GalaxySetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	GOG_Galaxy_2.0 (1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	GOG_Galaxy_2.0 (1).exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1400	GalaxyInstaller.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 1400	1108	GOG_Galaxy_2.0 (1).exe	30
PID 1108 wrote to memory of 1400	1108	GOG_Galaxy_2.0 (1).exe	30
PID 1108 wrote to memory of 1400	1108	GOG_Galaxy_2.0 (1).exe	30
PID 1108 wrote to memory of 1400	1108	GOG_Galaxy_2.0 (1).exe	30
PID 1400 wrote to memory of 1872	1400	GalaxyInstaller.exe	31
PID 1400 wrote to memory of 1872	1400	GalaxyInstaller.exe	31
PID 1400 wrote to memory of 1872	1400	GalaxyInstaller.exe	31
PID 1400 wrote to memory of 1872	1400	GalaxyInstaller.exe	31
PID 1400 wrote to memory of 1872	1400	GalaxyInstaller.exe	31
PID 1400 wrote to memory of 1872	1400	GalaxyInstaller.exe	31
PID 1400 wrote to memory of 1872	1400	GalaxyInstaller.exe	31
PID 1872 wrote to memory of 832	1872	GalaxySetup.exe	32
PID 1872 wrote to memory of 832	1872	GalaxySetup.exe	32
PID 1872 wrote to memory of 832	1872	GalaxySetup.exe	32
PID 1872 wrote to memory of 832	1872	GalaxySetup.exe	32
PID 1872 wrote to memory of 832	1872	GalaxySetup.exe	32
PID 1872 wrote to memory of 832	1872	GalaxySetup.exe	32
PID 1872 wrote to memory of 832	1872	GalaxySetup.exe	32

C:\Users\Admin\AppData\Local\Temp\GOG_Galaxy_2.0 (1).exe
"C:\Users\Admin\AppData\Local\Temp\GOG_Galaxy_2.0 (1).exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_pgtGo\GalaxyInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_pgtGo\GalaxyInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_pgtGo\GalaxySetup.exe
    "C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_pgtGo\GalaxySetup.exe" /lang=en_US /campaign="eyJjYW1wYWlnbiI6eyJvcmlnaW4iOiJodHRwOi8vZ2FsYXh5Mi1zaWdudXAuZ29nLnByb2QvZW4vP2VtYmVkZGFibGU9dHJ1ZSIsIm9yaWdpbl91c2VyX2FnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEwOC4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidW5pcXVlX2lkIjoiMTY3MzE4NjY4OS1oU0lmOUtRTzVDY05CQjVOMGtZNGxnPT0ifSwibG9naW5fcGFyYW1ldGVycyI6Im9yaWdpbj1odHRwJTNBJTJGJTJGZ2FsYXh5Mi1zaWdudXAuZ29nLnByb2QlMkZlbiUyRiUzRmVtYmVkZGFibGUlM0R0cnVlJm9yaWdpbl91c2VyX2FnZW50PU1vemlsbGElMkY1LjArJTI4V2luZG93cytOVCsxMC4wJTNCK1dpbjY0JTNCK3g2NCUyOStBcHBsZVdlYktpdCUyRjUzNy4zNislMjhLSFRNTCUyQytsaWtlK0dlY2tvJTI5K0Nocm9tZSUyRjEwOC4wLjAuMCtTYWZhcmklMkY1MzcuMzYmdW5pcXVlX2lkPTE2NzMxODY2ODktaFNJZjlLUU81Q2NOQkI1TjBrWTRsZyUzRCUzRCJ9"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Users\Admin\AppData\Local\Temp\is-52J4U.tmp\GalaxySetup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-52J4U.tmp\GalaxySetup.tmp" /SL5="$1016C,270291346,1268224,C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_pgtGo\GalaxySetup.exe" /lang=en_US /campaign="eyJjYW1wYWlnbiI6eyJvcmlnaW4iOiJodHRwOi8vZ2FsYXh5Mi1zaWdudXAuZ29nLnByb2QvZW4vP2VtYmVkZGFibGU9dHJ1ZSIsIm9yaWdpbl91c2VyX2FnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEwOC4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidW5pcXVlX2lkIjoiMTY3MzE4NjY4OS1oU0lmOUtRTzVDY05CQjVOMGtZNGxnPT0ifSwibG9naW5fcGFyYW1ldGVycyI6Im9yaWdpbj1odHRwJTNBJTJGJTJGZ2FsYXh5Mi1zaWdudXAuZ29nLnByb2QlMkZlbiUyRiUzRmVtYmVkZGFibGUlM0R0cnVlJm9yaWdpbl91c2VyX2FnZW50PU1vemlsbGElMkY1LjArJTI4V2luZG93cytOVCsxMC4wJTNCK1dpbjY0JTNCK3g2NCUyOStBcHBsZVdlYktpdCUyRjUzNy4zNislMjhLSFRNTCUyQytsaWtlK0dlY2tvJTI5K0Nocm9tZSUyRjEwOC4wLjAuMCtTYWZhcmklMkY1MzcuMzYmdW5pcXVlX2lkPTE2NzMxODY2ODktaFNJZjlLUU81Q2NOQkI1TjBrWTRsZyUzRCUzRCJ9"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_pgtGo\GalaxyInstaller.exe

Filesize
566KB

MD5
26d02cc778b804689bda1aafa9a76fb1

SHA1
5452c96593478f59471730366c682da19881051d

SHA256
61eadf4a0bb3710671f5b6f1db10c522a2d0a07177d3b79eb844d7f69d8f8635

SHA512
047ecfb6df19e39579dd2a7359fec312f4dcf2293e9e4f232a22acd37a3c22707ecbf53d6ed0fe44989b8a52502fd43f525e20b85b83f29223205ade6a7aee90

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_pgtGo\GalaxySetup.exe

Filesize
261.4MB

MD5
508cca84b90a3b88323483865c2afa12

SHA1
1bda0bc7222121d1b03619eb3f016ba4bb14e2c4

SHA256
c69dd42407fed0761cf2110f8dc89d65279c5fac0d5642c8ddac889a0136d5f5

SHA512
57f20fa666a70b736aa306ede0092b46351704b668733d57de2f7d7dae33c9588d51e5e1549930e854c8e276748be227092b557c3416d61cd935579f4659d439

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_pgtGo\GalaxySetup.exe

Filesize
261.4MB

MD5
508cca84b90a3b88323483865c2afa12

SHA1
1bda0bc7222121d1b03619eb3f016ba4bb14e2c4

SHA256
c69dd42407fed0761cf2110f8dc89d65279c5fac0d5642c8ddac889a0136d5f5

SHA512
57f20fa666a70b736aa306ede0092b46351704b668733d57de2f7d7dae33c9588d51e5e1549930e854c8e276748be227092b557c3416d61cd935579f4659d439

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_pgtGo\icon.ico

Filesize
480KB

MD5
391cf634b3ccf3971811be5ef016fe32

SHA1
8e3023466d02dfb8f2e1b48555b998532dc9a377

SHA256
de9a2072df66c11af8cc255788c4c572f7b45ba7ab19524ad2e01a23f55e9ca8

SHA512
c1594a33efcfac7c6e6935e76ed030855886453b6397ba53a63225efbeb513a1ccb39ea7d528cc43bb1e2b56fd0e02b306e0e65dc6896613c2b4ca6c4a165d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_pgtGo\payload.campaign

Filesize
555B

MD5
10e136ee600663cbc863123e5771e739

SHA1
38e20c6e0f37870399ed14b40c41ae555529c97b

SHA256
7a8e1b3978c78de67693412560e111d93b5ea12aa7df0033022503b3261ffa23

SHA512
f37b1b8af7f34705d2a98e74bd8d0698a01049fcd2fe565071aff748586c0a0c807ca1e8a7063fcd842492ced1564c49c304a770c7bf7b2d9b0421617516db15

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_pgtGo\remoteconfig.json

Filesize
555B

MD5
fe8d4b837d6efbd0167a2d1efb315ec3

SHA1
39ef184cc8d4a528c970c7598a6b0593c64554c8

SHA256
65fcc2b5f1ae99d443b48c2934d1b941600db6203c8a32c1ab8f1a816234e1b1

SHA512
58ec3be9fcb74501dc2fcea4ae8adfbb128b2c9933e6c4be2cb3d8775541b0668ea6a50bab387076b95454cdafc78be574f4d5aadc336643547155f8c9d6de51

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-52J4U.tmp\GalaxySetup.tmp

Filesize
3.3MB

MD5
81653044fa1d638147a3d67661ec9c56

SHA1
95741798121e0362a28cc57f2f31b54a2c76de11

SHA256
ffc85f53ba01af179c15dccc77240f0d4e0d01bbc69be1ead2cd0eec3d1f4bb6

SHA512
0f90ebd6d45d148ed9cbfaa477d33e85730ae6662a29eb388c3273983d7375c5fa9a3569b28f7fe7d835053cc48f7094019afc4bd78eff10de6ffe66f18d638d

Download Submit
\Users\Admin\AppData\Local\Temp\GalaxyInstaller_pgtGo\GalaxyInstaller.exe

Filesize
566KB

MD5
26d02cc778b804689bda1aafa9a76fb1

SHA1
5452c96593478f59471730366c682da19881051d

SHA256
61eadf4a0bb3710671f5b6f1db10c522a2d0a07177d3b79eb844d7f69d8f8635

SHA512
047ecfb6df19e39579dd2a7359fec312f4dcf2293e9e4f232a22acd37a3c22707ecbf53d6ed0fe44989b8a52502fd43f525e20b85b83f29223205ade6a7aee90

Download Submit
\Users\Admin\AppData\Local\Temp\GalaxyInstaller_pgtGo\GalaxyInstaller.exe

Filesize
566KB

MD5
26d02cc778b804689bda1aafa9a76fb1

SHA1
5452c96593478f59471730366c682da19881051d

SHA256
61eadf4a0bb3710671f5b6f1db10c522a2d0a07177d3b79eb844d7f69d8f8635

SHA512
047ecfb6df19e39579dd2a7359fec312f4dcf2293e9e4f232a22acd37a3c22707ecbf53d6ed0fe44989b8a52502fd43f525e20b85b83f29223205ade6a7aee90

Download Submit
\Users\Admin\AppData\Local\Temp\GalaxyInstaller_pgtGo\GalaxyInstaller.exe

Filesize
566KB

MD5
26d02cc778b804689bda1aafa9a76fb1

SHA1
5452c96593478f59471730366c682da19881051d

SHA256
61eadf4a0bb3710671f5b6f1db10c522a2d0a07177d3b79eb844d7f69d8f8635

SHA512
047ecfb6df19e39579dd2a7359fec312f4dcf2293e9e4f232a22acd37a3c22707ecbf53d6ed0fe44989b8a52502fd43f525e20b85b83f29223205ade6a7aee90

Download Submit
\Users\Admin\AppData\Local\Temp\GalaxyInstaller_pgtGo\GalaxyInstaller.exe

Filesize
566KB

MD5
26d02cc778b804689bda1aafa9a76fb1

SHA1
5452c96593478f59471730366c682da19881051d

SHA256
61eadf4a0bb3710671f5b6f1db10c522a2d0a07177d3b79eb844d7f69d8f8635

SHA512
047ecfb6df19e39579dd2a7359fec312f4dcf2293e9e4f232a22acd37a3c22707ecbf53d6ed0fe44989b8a52502fd43f525e20b85b83f29223205ade6a7aee90

Download Submit
\Users\Admin\AppData\Local\Temp\is-52J4U.tmp\GalaxySetup.tmp

Filesize
3.3MB

MD5
81653044fa1d638147a3d67661ec9c56

SHA1
95741798121e0362a28cc57f2f31b54a2c76de11

SHA256
ffc85f53ba01af179c15dccc77240f0d4e0d01bbc69be1ead2cd0eec3d1f4bb6

SHA512
0f90ebd6d45d148ed9cbfaa477d33e85730ae6662a29eb388c3273983d7375c5fa9a3569b28f7fe7d835053cc48f7094019afc4bd78eff10de6ffe66f18d638d

Download Submit
\Users\Admin\AppData\Local\Temp\is-TJNHT.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
memory/1108-55-0x0000000000400000-0x0000000000641000-memory.dmp

Filesize
2.3MB

Download
memory/1108-54-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download
memory/1400-68-0x000000001B276000-0x000000001B295000-memory.dmp

Filesize
124KB

Download
memory/1400-67-0x000000001B276000-0x000000001B295000-memory.dmp

Filesize
124KB

Download
memory/1400-63-0x000007FEFC1B1000-0x000007FEFC1B3000-memory.dmp

Filesize
8KB

Download
memory/1400-62-0x0000000000EC0000-0x0000000000F50000-memory.dmp

Filesize
576KB

Download
memory/1872-72-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/1872-75-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/1872-80-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download