Analysis
max time kernel: 219s
max time network: 181s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/04/2023, 21:01
Behavioral tasks
task        | Sample             | Resource
behavioral1 | GOG_Galaxy_2.0.exe | win7-20230220-en
behavioral2 | GOG_Galaxy_2.0.exe | win10v2004-20230220-en
behavioral3 | out.exe            | win7-20230220-en
behavioral4 | out.exe            | win10v2004-20230220-en
General
Target: GOG_Galaxy_2.0.exe
Size: 960KB
MD5: 2900d9fb03f39b76fbe897f9780add5c
SHA1: 3a1390d2e5398d6db00aaa08b969c2e1bd7f3fb8
SHA256: 3a19fd486163e03d64d375cc71897e833b9f86a2f3935c8578c277eb6227a49a
SHA512: ee1bb00488ec4de1d2ecb03f5c933ffae79f03a018c20517cee380320607243e72d0197fcdf6cbcd945897bcae5165e94505674838b5ba0f7e143b83f9144746
SSDEEP: 12288:T27p5j8DPeuUSFHqLV+JjY4UW61O4RAxDleFbWQCQTFgSYyAzB+Q/uLnK3:T27EDFHqLy826My+QiyGJyAV+muLK3
Malware Config
Signatures
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                                  | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | GOG_Galaxy_2.0.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | GalaxyInstaller.exe
- Executes dropped EXE (3 IoCs)
  pid  | Process
  2336 | GalaxyInstaller.exe
  4616 | GalaxySetup.exe
  1952 | GalaxySetup.tmp
- Loads dropped DLL (2 IoCs)
  pid  | Process
  1952 | GalaxySetup.tmp
  1952 | GalaxySetup.tmp

  resource                                                                    | yara_rule
  behavioral2/memory/4544-133-0x0000000000400000-0x0000000000641000-memory.dmp | upx
  behavioral2/memory/4544-165-0x0000000000400000-0x0000000000641000-memory.dmp | upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description             | pid  | Process
  Token: SeDebugPrivilege | 2336 | GalaxyInstaller.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                      | pid  | Process             | procid_target
  PID 4544 wrote to memory of 2336 | 4544 | GOG_Galaxy_2.0.exe  | 82
  PID 4544 wrote to memory of 2336 | 4544 | GOG_Galaxy_2.0.exe  | 82
  PID 2336 wrote to memory of 4616 | 2336 | GalaxyInstaller.exe | 91
  PID 2336 wrote to memory of 4616 | 2336 | GalaxyInstaller.exe | 91
  PID 2336 wrote to memory of 4616 | 2336 | GalaxyInstaller.exe | 91
  PID 4616 wrote to memory of 1952 | 4616 | GalaxySetup.exe     | 92
  PID 4616 wrote to memory of 1952 | 4616 | GalaxySetup.exe     | 92
  PID 4616 wrote to memory of 1952 | 4616 | GalaxySetup.exe     | 92
Processes
1. C:\Users\Admin\AppData\Local\Temp\GOG_Galaxy_2.0.exe (PID 4544)
   Command line: "C:\Users\Admin\AppData\Local\Temp\GOG_Galaxy_2.0.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\GalaxyInstaller.exe (PID 2336)
      Command line: "C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\GalaxyInstaller.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\GalaxySetup.exe (PID 4616)
         Command line: "C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\GalaxySetup.exe" /lang=en_US /campaign="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"
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\is-RKH34.tmp\GalaxySetup.tmp (PID 1952)
            Command line: "C:\Users\Admin\AppData\Local\Temp\is-RKH34.tmp\GalaxySetup.tmp" /SL5="$8003E,272048901,1268224,C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\GalaxySetup.exe" /lang=en_US /campaign="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"
            - Executes dropped EXE
            - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads