40ca65c09dbf43cc0347e37ec9e6df2445ad889521195413ba48ed2819531db4

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2023, 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GOG_Galaxy_2.0.exe
Size

960KB
MD5

144333edb0fc2aa2bba06c871583fd4d
SHA1

e281e2b271921db04084722d3cd8ced9ec7d7d81
SHA256

40ca65c09dbf43cc0347e37ec9e6df2445ad889521195413ba48ed2819531db4
SHA512

4a6856d6b84f0bf97aba93199b7838c50d1bd9abbf5b2078e232e27a4572e3f2b0e35538189cf7af27ffecef201ea894b293b888038357f3183609048dd182bf
SSDEEP

12288:T27p5j8DPeuUSFHqLV+JjY4UW61O4RAxDleFbWQCQTFgSYyAzB+Q/uLnK3:T27EDFHqLy826My+QiyGJyAV+muLK3

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	GOG_Galaxy_2.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	GalaxyInstaller.exe

Executes dropped EXE 3 IoCs

pid	Process
4336	GalaxyInstaller.exe
5016	GalaxySetup.exe
3532	GalaxySetup.tmp

Loads dropped DLL 2 IoCs

pid	Process
3532	GalaxySetup.tmp
3532	GalaxySetup.tmp

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2736-132-0x0000000000400000-0x0000000000641000-memory.dmp	upx
behavioral2/memory/2736-142-0x0000000000400000-0x0000000000641000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4336	GalaxyInstaller.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 4336	2736	GOG_Galaxy_2.0.exe	81
PID 2736 wrote to memory of 4336	2736	GOG_Galaxy_2.0.exe	81
PID 4336 wrote to memory of 5016	4336	GalaxyInstaller.exe	92
PID 4336 wrote to memory of 5016	4336	GalaxyInstaller.exe	92
PID 4336 wrote to memory of 5016	4336	GalaxyInstaller.exe	92
PID 5016 wrote to memory of 3532	5016	GalaxySetup.exe	93
PID 5016 wrote to memory of 3532	5016	GalaxySetup.exe	93
PID 5016 wrote to memory of 3532	5016	GalaxySetup.exe	93

C:\Users\Admin\AppData\Local\Temp\GOG_Galaxy_2.0.exe
"C:\Users\Admin\AppData\Local\Temp\GOG_Galaxy_2.0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_ZmWws\GalaxyInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_ZmWws\GalaxyInstaller.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_ZmWws\GalaxySetup.exe
    "C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_ZmWws\GalaxySetup.exe" /lang=en_US /campaign="eyJjYW1wYWlnbiI6eyJvcmlnaW4iOiJodHRwOi8vZ2FsYXh5Mi1zaWdudXAuZ29nLnByb2QvZW4vP2VtYmVkZGFibGU9dHJ1ZSIsIm9yaWdpbl91c2VyX2FnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEwOS4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidW5pcXVlX2lkIjoiMTY3NTM0MjM2MC0wSCtMcDBGQmtXbVh1amRwMkxSRHlnPT0ifSwibG9naW5fcGFyYW1ldGVycyI6Im9yaWdpbj1odHRwJTNBJTJGJTJGZ2FsYXh5Mi1zaWdudXAuZ29nLnByb2QlMkZlbiUyRiUzRmVtYmVkZGFibGUlM0R0cnVlJm9yaWdpbl91c2VyX2FnZW50PU1vemlsbGElMkY1LjArJTI4V2luZG93cytOVCsxMC4wJTNCK1dpbjY0JTNCK3g2NCUyOStBcHBsZVdlYktpdCUyRjUzNy4zNislMjhLSFRNTCUyQytsaWtlK0dlY2tvJTI5K0Nocm9tZSUyRjEwOS4wLjAuMCtTYWZhcmklMkY1MzcuMzYmdW5pcXVlX2lkPTE2NzUzNDIzNjAtMEglMkJMcDBGQmtXbVh1amRwMkxSRHlnJTNEJTNEIn0="
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5016
  - - C:\Users\Admin\AppData\Local\Temp\is-DC7A4.tmp\GalaxySetup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-DC7A4.tmp\GalaxySetup.tmp" /SL5="$501DA,271023674,1268224,C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_ZmWws\GalaxySetup.exe" /lang=en_US /campaign="eyJjYW1wYWlnbiI6eyJvcmlnaW4iOiJodHRwOi8vZ2FsYXh5Mi1zaWdudXAuZ29nLnByb2QvZW4vP2VtYmVkZGFibGU9dHJ1ZSIsIm9yaWdpbl91c2VyX2FnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEwOS4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidW5pcXVlX2lkIjoiMTY3NTM0MjM2MC0wSCtMcDBGQmtXbVh1amRwMkxSRHlnPT0ifSwibG9naW5fcGFyYW1ldGVycyI6Im9yaWdpbj1odHRwJTNBJTJGJTJGZ2FsYXh5Mi1zaWdudXAuZ29nLnByb2QlMkZlbiUyRiUzRmVtYmVkZGFibGUlM0R0cnVlJm9yaWdpbl91c2VyX2FnZW50PU1vemlsbGElMkY1LjArJTI4V2luZG93cytOVCsxMC4wJTNCK1dpbjY0JTNCK3g2NCUyOStBcHBsZVdlYktpdCUyRjUzNy4zNislMjhLSFRNTCUyQytsaWtlK0dlY2tvJTI5K0Nocm9tZSUyRjEwOS4wLjAuMCtTYWZhcmklMkY1MzcuMzYmdW5pcXVlX2lkPTE2NzUzNDIzNjAtMEglMkJMcDBGQmtXbVh1amRwMkxSRHlnJTNEJTNEIn0="
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_ZmWws\GalaxyInstaller.exe

Filesize
566KB

MD5
26d02cc778b804689bda1aafa9a76fb1

SHA1
5452c96593478f59471730366c682da19881051d

SHA256
61eadf4a0bb3710671f5b6f1db10c522a2d0a07177d3b79eb844d7f69d8f8635

SHA512
047ecfb6df19e39579dd2a7359fec312f4dcf2293e9e4f232a22acd37a3c22707ecbf53d6ed0fe44989b8a52502fd43f525e20b85b83f29223205ade6a7aee90

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_ZmWws\GalaxySetup.exe

Filesize
262.1MB

MD5
e40aa157a738fad8d7dd566bef99842a

SHA1
1096ca91cc115daddd4d3db024a7c952a4f23ef1

SHA256
5caf8e14622c5c10e74b492079ba77e742ccb3e1165204298e0c270009d32690

SHA512
9512c5e7dc05cdacde1a2fb940f2a68f54c1aecfb41a589de232b5e70f73d2f071751ea2f47599c36611a4cf999ab3d6eade899560599525d62c5b424b65f3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_ZmWws\GalaxySetup.exe

Filesize
262.1MB

MD5
e40aa157a738fad8d7dd566bef99842a

SHA1
1096ca91cc115daddd4d3db024a7c952a4f23ef1

SHA256
5caf8e14622c5c10e74b492079ba77e742ccb3e1165204298e0c270009d32690

SHA512
9512c5e7dc05cdacde1a2fb940f2a68f54c1aecfb41a589de232b5e70f73d2f071751ea2f47599c36611a4cf999ab3d6eade899560599525d62c5b424b65f3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_ZmWws\icon.ico

Filesize
480KB

MD5
391cf634b3ccf3971811be5ef016fe32

SHA1
8e3023466d02dfb8f2e1b48555b998532dc9a377

SHA256
de9a2072df66c11af8cc255788c4c572f7b45ba7ab19524ad2e01a23f55e9ca8

SHA512
c1594a33efcfac7c6e6935e76ed030855886453b6397ba53a63225efbeb513a1ccb39ea7d528cc43bb1e2b56fd0e02b306e0e65dc6896613c2b4ca6c4a165d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_ZmWws\payload.campaign

Filesize
557B

MD5
774f68dfa808a1816ac53a46daede5cd

SHA1
f129f8aa2dac7dd3a987c77e547e2295c55d78c9

SHA256
8691136e52ce9445a434a333dcb6df77bfda5c286121ef119979396ecad9dc48

SHA512
cd522bb1cbf254a7ab3ebc7af6acd9ef09ba889492b80544d9c56390b7d6a07cdc93f1fd46066a85d6920de9cf85e8e5f9f7afd88e81cb918a96f73e03f54afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_ZmWws\remoteconfig.json

Filesize
549B

MD5
39c819f0a75d4d41fabda672da2a1acb

SHA1
d781d4da81c602141443d15cd5c7de6e84a81c88

SHA256
9d6be72cb6b03ec03a91be639166217cddeb86f7c464f83de7ea16f595ac558a

SHA512
3a78585e9e77054087075080112a5aa593fa474c3518128c06f96b35a1199cf8ec969aabe4da02521d3a2a093e25dfbdb58acbdfe7fe90cb95efe3c2d17f2113

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DC7A4.tmp\GalaxySetup.tmp

Filesize
3.3MB

MD5
535ab20e27eabb5d62c8a2c5541073f4

SHA1
f7cc0ee54f2880497ba052cb88034da51b5f0fb5

SHA256
50ef981294d82d98e75709af74a63616accc252a3e40373d6b85c04062118c94

SHA512
8f0d9974a6b15eb85842a21b2be3fe2470f6606e07eda74c2aa2fdf8dd947c7ba9ab3417743ac6fb5196b75841f3acf73aae618a00dd904be1e4e3e019d50a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S3VAU.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S3VAU.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
memory/2736-132-0x0000000000400000-0x0000000000641000-memory.dmp

Filesize
2.3MB

Download
memory/2736-142-0x0000000000400000-0x0000000000641000-memory.dmp

Filesize
2.3MB

Download
memory/3532-153-0x0000000003611000-0x0000000003613000-memory.dmp

Filesize
8KB

Download
memory/4336-141-0x00007FF883A20000-0x00007FF8844E1000-memory.dmp

Filesize
10.8MB

Download
memory/4336-135-0x0000000000160000-0x00000000001F0000-memory.dmp

Filesize
576KB

Download
memory/4336-143-0x00007FF883A20000-0x00007FF8844E1000-memory.dmp

Filesize
10.8MB

Download
memory/4336-140-0x000000001E920000-0x000000001EE48000-memory.dmp

Filesize
5.2MB

Download
memory/4336-139-0x000000001E220000-0x000000001E3E2000-memory.dmp

Filesize
1.8MB

Download
memory/5016-146-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/5016-154-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download