Analysis
- max time kernel: 141s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-03-2023 07:33
- Static task: static1
- Behavioral task: behavioral1
- Sample: 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
- Resource: win7-20230220-en
General
- Target: 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
- Size: 3.2MB
- MD5: 3f2d772ee9e420732d5abdabd357a499
- SHA1: f2627c87d88cb903c0bd8024880252d4b6cef46d
- SHA256: 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be
- SHA512: 93d52ab002b0a4a52fe86a9e4ba0e0c2bb53495a32e43b4c3cdcf25146a581f7a8dd60d7e2df2e1d645e70bdaf7d55136aa645d10d09c6bc50a5a03ada201ddc
- SSDEEP: 49152:z2gPu/65UFT4zAygZRZ8ruPAqxT51VUBM:m/PpxOuTZVUBM
Malware Config
Signatures
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe, gametcp.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | gametcp.exe
- Executes dropped EXE (2 IoCs)
  Processes: gametcp.exe, 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  pid | process
  672 | gametcp.exe
  4244 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
- Yara matches (rule: upx)
  resource | yara_rule
  \??\c:\users\admin\appdata\local\temp\update | upx
  C:\Users\Admin\AppData\Local\Temp\42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe | upx
  behavioral2/memory/4244-306-0x0000000000400000-0x000000000073D000-memory.dmp | upx
  behavioral2/memory/4244-347-0x0000000000400000-0x000000000073D000-memory.dmp | upx
  behavioral2/memory/4244-349-0x0000000000400000-0x000000000073D000-memory.dmp | upx
  behavioral2/memory/4244-350-0x0000000000400000-0x000000000073D000-memory.dmp | upx
  behavioral2/memory/4244-351-0x0000000000400000-0x000000000073D000-memory.dmp | upx
  behavioral2/memory/4244-352-0x0000000000400000-0x000000000073D000-memory.dmp | upx
  behavioral2/memory/4244-353-0x0000000000400000-0x000000000073D000-memory.dmp | upx
  behavioral2/memory/4244-354-0x0000000000400000-0x000000000073D000-memory.dmp | upx
  behavioral2/memory/4244-355-0x0000000000400000-0x000000000073D000-memory.dmp | upx
  behavioral2/memory/4244-356-0x0000000000400000-0x000000000073D000-memory.dmp | upx
  behavioral2/memory/4244-357-0x0000000000400000-0x000000000073D000-memory.dmp | upx
  behavioral2/memory/4244-358-0x0000000000400000-0x000000000073D000-memory.dmp | upx
  behavioral2/memory/4244-359-0x0000000000400000-0x000000000073D000-memory.dmp | upx
  behavioral2/memory/4244-360-0x0000000000400000-0x000000000073D000-memory.dmp | upx
- Checks whether UAC is enabled
  Processes: 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
- Drops file in System32 directory (3 IoCs)
  Processes: 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\gamelsp.dll | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  File created | C:\Windows\system32\gamelsp.dll | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  File opened for modification | C:\Windows\SysWOW64\gamelsp.dll | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe, gametcp.exe
  pid | process
  4740 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  4740 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  4740 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  4740 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  672 | gametcp.exe
  672 | gametcp.exe
  4244 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  4244 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  4244 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  4244 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  description | pid | process
  Token: SeDebugPrivilege | 4740 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  Token: SeDebugPrivilege | 4244 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  pid | process
  4740 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  4740 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  4244 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  pid | process
  4740 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  4740 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  4244 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes: 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  pid | process
  4740 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  4740 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  4740 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  4740 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  4244 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  4244 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  4244 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  4244 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe, gametcp.exe
  description | pid | process | target process
  PID 4740 wrote to memory of 672 | 4740 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe | gametcp.exe
  PID 4740 wrote to memory of 672 | 4740 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe | gametcp.exe
  PID 4740 wrote to memory of 672 | 4740 | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe | gametcp.exe
  PID 672 wrote to memory of 4244 | 672 | gametcp.exe | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  PID 672 wrote to memory of 4244 | 672 | gametcp.exe | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  PID 672 wrote to memory of 4244 | 672 | gametcp.exe | 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe"
   - Checks computer location settings
   - Checks whether UAC is enabled
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\gametcp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\gametcp.exe" 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\appdata\local\temp\42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
         Command line: "C:\Users\Admin\appdata\local\temp\42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe"
         - Executes dropped EXE
         - Checks whether UAC is enabled
         - Drops file in System32 directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage
         - Suspicious use of SetWindowsHookEx
Downloads