Analysis

  • max time kernel: 141s
  • max time network: 127s
  • platform: windows10-2004_x64
  • resource: win10v2004-20230220-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 28-03-2023 07:33

General

  • Target: 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
  • Size: 3.2MB
  • MD5: 3f2d772ee9e420732d5abdabd357a499
  • SHA1: f2627c87d88cb903c0bd8024880252d4b6cef46d
  • SHA256: 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be
  • SHA512: 93d52ab002b0a4a52fe86a9e4ba0e0c2bb53495a32e43b4c3cdcf25146a581f7a8dd60d7e2df2e1d645e70bdaf7d55136aa645d10d09c6bc50a5a03ada201ddc
  • SSDEEP: 49152:z2gPu/65UFT4zAygZRZ8ruPAqxT51VUBM:m/PpxOuTZVUBM

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up the country code configured in the registry, likely a geofence check.
  • Executes dropped EXE (2 IoCs)
  • UPX packed file (16 IoCs)
    Detects executables packed with UPX or with a modified build of the open-source UPX packer.
  • Checks whether UAC is enabled (1 TTP, 2 IoCs)
  • Drops file in System32 directory (3 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). The signature's generic description calls this likely ransomware behaviour; in this run, however, the dropped-file list contains no encrypted files or ransom note, so treat it as drive enumeration rather than confirmed encryption.
  • Suspicious behavior: EnumeratesProcesses (10 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (8 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)
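The "UPX packed file" signature above is the one that matters most for triage: until the sample is unpacked, static hashes and strings of the 3.2MB file say little. The following Python is an added example, not part of the sandbox report or its signature set; it parses the PE section table with the standard library only and applies three heuristics of the kind such a signature uses (UPX0/UPX1 section names, the empty-first-section layout that survives when a modified UPX renames its sections, and the "UPX!" marker). The exact rules of the report's signature are not published here, so these checks are an approximation, and `build_test_pe` is a constructed fixture that produces a header-only skeleton, not a runnable binary.

```python
"""Heuristic UPX detector built on a minimal PE section-header parser.

Added example (standard library only, no pefile). The three checks mirror
what a sandbox "UPX packed file" signature typically looks at; the exact
rules used by the report's signature are not published, so treat these
as an approximation."""
import struct
import sys

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def parse_sections(data: bytes):
    """Return [(name, virtual_size, raw_size), ...] from the PE section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER (20 bytes): NumberOfSections at +2,
    # SizeOfOptionalHeader at +16; the section table follows the optional header.
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    if table + num_sections * 40 > len(data):
        raise ValueError("section table truncated")
    sections = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, rsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, rsize))
    return sections


def upx_indicators(data: bytes):
    """Return the list of UPX indicators found (empty list means none)."""
    sections = parse_sections(data)
    hits = []
    if {s[0] for s in sections} & UPX_SECTION_NAMES:
        hits.append("upx_section_names")
    # Modified UPX builds often rename sections but keep the layout: the first
    # section has no raw data yet a large virtual size (the unpack destination)
    # and the next section carries the compressed body.
    if (len(sections) >= 2 and sections[0][2] == 0 and sections[0][1] > 0
            and sections[1][2] > 0):
        hits.append("empty_first_section_layout")
    # Stock UPX leaves a "UPX!" marker in its packed-data header.
    if b"UPX!" in data:
        hits.append("upx_magic")
    return hits


def build_test_pe(section_specs, trailer=b""):
    """Constructed fixture: a minimal, non-runnable PE skeleton for testing.

    SizeOfOptionalHeader is 0, which a loader would reject but which is
    enough to exercise the section-table parser offline."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, 0, 0x102)
    table = b""
    for name, vsize, rsize in section_specs:
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, 0x1000, rsize, 0, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + table + trailer


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        print(upx_indicators(f.read()) or "no UPX indicators")
```

Run it against the submitted sample and against the 1.5MB copy that was re-dropped at the same path; the section-name check is cheap to evade, so a hit on the layout heuristic alone is still worth a manual look, while a clean result does not rule out a different packer.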

Processes

  • C:\Users\Admin\AppData\Local\Temp\42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe (PID 4740, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe"
    Signatures: Checks computer location settings; Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\gametcp.exe (PID 672, depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gametcp.exe" 42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
      Signatures: Checks computer location settings; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      • C:\Users\Admin\appdata\local\temp\42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe (PID 4244, depth 3)
        Command line: "C:\Users\Admin\appdata\local\temp\42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe"
        Signatures: Executes dropped EXE; Checks whether UAC is enabled; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx

  Note on the chain: the dropped gametcp.exe receives the sample's file name as its only argument, and the depth-3 process runs from the same path as the submitted sample (the path differs only in case). The Downloads list records a 1.5MB file with a different hash at that path (SHA256 c682dc66cf266e926bf8fe99e96510a0ab4615767180aaae3d358d8de50859e1), identical to the \??\c:\users\admin\appdata\local\temp\update artifact, which is consistent with the sandbox tagging the third process as a dropped executable rather than a re-run of the 3.2MB original.

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic      Technique                      ID      Hits
  Discovery   Query Registry                 T1012   1
  Discovery   System Information Discovery   T1082   3

Downloads

  • C:\Users\Admin\AppData\Local\Temp\42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be.exe
    Filesize

    1.5MB

    MD5

    14768590b995f933919d86c4c68d04fa

    SHA1

    593201c82a9c512c6a2290cd247e2d768c240999

    SHA256

    c682dc66cf266e926bf8fe99e96510a0ab4615767180aaae3d358d8de50859e1

    SHA512

    4bcd77befd3acdb285ed0f61462564dc48501f69a89ac72d5d992d0e1f32c0d5ccb76d4706ed373864f94d3271d2c33dc7f342d3d720c7d399e27e3a44c4bd0b

  • C:\Users\Admin\AppData\Local\Temp\gamecap.ini
    Filesize

    539B

    MD5

    04c3f898e3e9c27b5e55e9db11f7e1fe

    SHA1

    a051468932b45d1bbd2ade21a18151210e4b3aad

    SHA256

    ade741c631aa677c8da12c635cbf218664bd4610059972d4f022c8b8dad93b66

    SHA512

    23c1fbcc20696a7b4d1d9576c4d5a00fb6fa4b982a201c9537bf32b961e71fc2c4063eb12b616dffbe1e0b1b248c911fc1302ef473f7014edd92d1108c741ba8

  • C:\Users\Admin\AppData\Local\Temp\gamecap.ini
    Filesize

    670B

    MD5

    c4f905491c1ba5f0c179a997433f3d30

    SHA1

    49f24d5418efc9937dd7bd7bfb1627accffce594

    SHA256

    91863126f4c02c9e3ca71c39137ba65438defe93012bb9fb677ab8100829f1d6

    SHA512

    09bbcadd2d2dea6e312444e53f5f08a640d813476c921c09fa827da068ce32f76838b899eee8c08bc87fff3a386c2f31058990c1015c8e523f4d73ebd4cea666

  • C:\Users\Admin\AppData\Local\Temp\gametcp.dll
    Filesize

    106KB

    MD5

    4ce646681eb745dabd8061948bc988e5

    SHA1

    240495e42ad8ca40fef00d0544a81e8925a01c77

    SHA256

    108258ad36bba562fee46341a11e7a1b09db43ba7291c6f5d44a0ad31826a041

    SHA512

    9104cb123c6357f828c16795cc4114403d2b4dc9f9fc9d807f31b139201472c8777346cdd27e75a9e970650ffa12ef43849cff4bc81dd1c65649d88dfa9be739

  • C:\Users\Admin\AppData\Local\Temp\gametcp.exe
    Filesize

    108KB

    MD5

    f37a19932537349f282de537f99ee55d

    SHA1

    cb2d6fb4a074c2cc77b3a14d47cae44aa26c266e

    SHA256

    215390a2f20e1136c9204922d17f6bc63e3451f77eda9b28f3fedf6aaf763429

    SHA512

    42742f7b454dbb2c3e0649975f35b60f14876b67fec2b2acca3f2fa243ac0c46ec46a1870674d52456a7b505cdc5c1b6c992e808b91c81c04f0eacf3a9aff81f

  • C:\Users\Admin\AppData\Local\Temp\gametcp.ini
    Filesize

    1KB

    MD5

    1ecbc7793cf3fef46724885301feafe0

    SHA1

    621eea1267a1b37b8f6ab8411e71eb9f47fd0179

    SHA256

    b5c9f6fe27c361fd38695bcd0e0a71d5de05cb2dd387127df4838111acbea69a

    SHA512

    3bfab3ae75062303d003710ad405569f073c71530e3a044b48a828b30852523fd146c713a851d84f31e72c447478a0406f326b62610dd3873aaf01a61d2890a0

  • C:\Users\Admin\AppData\Local\Temp\gameudp.dll
    Filesize

    124KB

    MD5

    2b0f87d2145773c2ca8642e5034c7e4a

    SHA1

    0bc043c95aada9d02444b43f90d9845ae84a805d

    SHA256

    42fbbda16e6084e0c151f802548fc5603a9d247bbbc9336c7b677123a8f93b24

    SHA512

    8a88b374a4a05663e2e22f5360ce6706aa596f0f43ad4d32140f3e5dccad0c433e60c115f747ed15284dc46163d87b97b2f96485267adc6e8c2b5b16c0a40910

  • C:\Users\Admin\AppData\Local\Temp\versiontest.dll
    Filesize

    625KB

    MD5

    eccf28d7e5ccec24119b88edd160f8f4

    SHA1

    98509587a3d37a20b56b50fd57f823a1691a034c

    SHA256

    820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6

    SHA512

    c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670

  • C:\Users\Admin\appdata\local\temp\gamecap.ini
    Filesize

    680B

    MD5

    83507c3e98047c8ed6e2dfee60efa902

    SHA1

    69e4095e752e64e0bbd63c75315034b78caee46e

    SHA256

    b989706d34e25ad8955f5cac698abe0591ec2774160bccb3b37d40c0636b4922

    SHA512

    b283698e8211610c32652009d70dfb9115977ce9159cb6c83d1c68474bca82686e159a8935b4649a28fc6018b34c7799dfc28abd52767985e8a825093d458678

  • C:\Users\Admin\appdata\local\temp\gamener.jpg
    Filesize

    14KB

    MD5

    8797970732ae180a6846c5d3cd6e5048

    SHA1

    59e015117844a27686990835074d35bcee2a1fbb

    SHA256

    3cd9d764768dd87e774fd317c3fa024515b16e876883c031affe0f06bab594ce

    SHA512

    1e3b4bf0c80d67395624c6b3beb247601a3e27c5674fac0c04af8e7946db45a7f8c5979ee025c2456b0000f8078258ef9e5d8c38b7611f685cbaf40d7ac72138

  • C:\Users\Admin\appdata\local\temp\gametcp.ini
    Filesize

    1KB

    MD5

    1ecbc7793cf3fef46724885301feafe0

    SHA1

    621eea1267a1b37b8f6ab8411e71eb9f47fd0179

    SHA256

    b5c9f6fe27c361fd38695bcd0e0a71d5de05cb2dd387127df4838111acbea69a

    SHA512

    3bfab3ae75062303d003710ad405569f073c71530e3a044b48a828b30852523fd146c713a851d84f31e72c447478a0406f326b62610dd3873aaf01a61d2890a0

  • \??\c:\users\admin\appdata\local\temp\update
    Filesize

    1.5MB

    MD5

    14768590b995f933919d86c4c68d04fa

    SHA1

    593201c82a9c512c6a2290cd247e2d768c240999

    SHA256

    c682dc66cf266e926bf8fe99e96510a0ab4615767180aaae3d358d8de50859e1

    SHA512

    4bcd77befd3acdb285ed0f61462564dc48501f69a89ac72d5d992d0e1f32c0d5ccb76d4706ed373864f94d3271d2c33dc7f342d3d720c7d399e27e3a44c4bd0b

  • Memory dumps (consolidated; the report lists one entry per dump event, named memory/<pid>-<event>-<range>-memory.dmp)

    • memory/4244-<event>-0x0000000000400000-0x000000000073D000-memory.dmp
      Filesize 3.2MB; events 306, 347, 349, 350, 351, 352, 353, 354, 355, 356, 357, 358, 359, 360

    • memory/4244-<event>-0x00000000009F0000-0x00000000009F1000-memory.dmp
      Filesize 4KB; events 307, 348

    • memory/4740-133-0x0000000000D20000-0x0000000000D21000-memory.dmp
      Filesize 4KB

    • memory/4740-296-0x0000000000400000-0x0000000000732000-memory.dmp
      Filesize 3.2MB
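The Downloads list above is the part of this report most useful for hunting, so here is a small sweep that turns it into something runnable. It is an added example and not part of the sandbox output: the SHA256 values and file names are copied from the list, while the directory walk, the matching logic and the `demo_sweep` fixture (a temporary directory with constructed files, including one constructed hash IoC) are mine. SSDEEP matching is left out because it needs a third-party library. Hash matches are strong evidence; name matches are weak, especially "update", and are only a prompt to look closer.

```python
"""Hash- and name-based sweep for the artifacts listed in this report.

Added example, not part of the sandbox output. SHA256 values and file names
come from the report's Downloads list; the sweep itself and the demo fixture
are constructed for illustration."""
import hashlib
import os
import tempfile

# SHA256 -> label, copied from the report. The gamecap.ini / gametcp.ini /
# gamener.jpg data files are matched by name below instead of by hash.
REPORT_SHA256 = {
    "42a824ecdfdace498cc08dbf101092f79bdf8d8049fbe129d972ba236706e9be":
        "submitted sample (3.2MB, UPX packed)",
    "c682dc66cf266e926bf8fe99e96510a0ab4615767180aaae3d358d8de50859e1":
        "1.5MB copy re-dropped over the sample path, also written as %TEMP%\\update",
    "215390a2f20e1136c9204922d17f6bc63e3451f77eda9b28f3fedf6aaf763429": "gametcp.exe",
    "108258ad36bba562fee46341a11e7a1b09db43ba7291c6f5d44a0ad31826a041": "gametcp.dll",
    "42fbbda16e6084e0c151f802548fc5603a9d247bbbc9336c7b677123a8f93b24": "gameudp.dll",
    "820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6": "versiontest.dll",
}
# File names the sample dropped into %TEMP% during the run (weak indicators).
DROPPED_NAMES = {"gametcp.exe", "gametcp.dll", "gameudp.dll", "versiontest.dll",
                 "gamecap.ini", "gametcp.ini", "gamener.jpg", "update"}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def classify(path, sha256_iocs=REPORT_SHA256, name_iocs=DROPPED_NAMES):
    """Return {"path", "sha256", "reasons"}; an empty reasons list means no match."""
    reasons = []
    digest = sha256_file(path)
    if digest in sha256_iocs:
        reasons.append(f"sha256 match: {sha256_iocs[digest]}")
    if os.path.basename(path).lower() in name_iocs:
        reasons.append("filename matches dropped artifact")
    return {"path": path, "sha256": digest, "reasons": reasons}


def sweep(root, **ioc_sets):
    """Walk root and return the classify() records that matched at least one IoC."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                record = classify(full, **ioc_sets)
            except OSError:  # unreadable or vanished file: skip, keep sweeping
                continue
            if record["reasons"]:
                findings.append(record)
    return findings


def demo_sweep():
    """Constructed fixture: one name hit, one hash hit (on a constructed IoC), one benign file.

    Returns {basename: reasons} for the files that matched."""
    payload = b"constructed sample content, not real malware\n"
    iocs = dict(REPORT_SHA256)
    iocs[hashlib.sha256(payload).hexdigest()] = "constructed test IoC"
    with tempfile.TemporaryDirectory(prefix="ioc_sweep_") as root:
        with open(os.path.join(root, "gametcp.exe"), "wb") as f:
            f.write(b"MZ placeholder, not the real dropper")
        with open(os.path.join(root, "report.bin"), "wb") as f:
            f.write(payload)
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"nothing to see here")
        return {os.path.basename(r["path"]): r["reasons"]
                for r in sweep(root, sha256_iocs=iocs)}


if __name__ == "__main__":
    for name, reasons in demo_sweep().items():
        print(name, "->", "; ".join(reasons))
```

For a real host, call `sweep` on the user's `%LOCALAPPDATA%\Temp` (the only drop location this run shows) and treat any SHA256 hit as confirmation that this exact artifact set was present; the "Drops file in System32 directory" signature fired without a corresponding entry in the Downloads list, so a System32 hit cannot be checked by hash from this report alone.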