Analysis

  • max time kernel
    219s
  • max time network
    181s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/04/2023, 21:01

General

  • Target

    GOG_Galaxy_2.0.exe

  • Size

    960KB

  • MD5

    2900d9fb03f39b76fbe897f9780add5c

  • SHA1

    3a1390d2e5398d6db00aaa08b969c2e1bd7f3fb8

  • SHA256

    3a19fd486163e03d64d375cc71897e833b9f86a2f3935c8578c277eb6227a49a

  • SHA512

    ee1bb00488ec4de1d2ecb03f5c933ffae79f03a018c20517cee380320607243e72d0197fcdf6cbcd945897bcae5165e94505674838b5ba0f7e143b83f9144746

  • SSDEEP

    12288:T27p5j8DPeuUSFHqLV+JjY4UW61O4RAxDleFbWQCQTFgSYyAzB+Q/uLnK3:T27EDFHqLy826My+QiyGJyAV+muLK3

Score
8/10
upx

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
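
The "UPX packed file" signature above is the kind of check that can be reproduced offline from the PE headers alone. The following is an added example written for this page, not code from the sandbox or from GOG: it parses the section table of a PE file without third-party libraries and reports three indicators (stock UPX section names, a first section with no bytes on disk, and the "UPX!" version block that UPX leaves in the header slack). The `build_pe` helper fabricates minimal headers so the detector can be exercised without the real sample; its section layouts are constructed, not taken from the files listed in this report.

```python
import struct
from dataclasses import dataclass

# Section names emitted by stock UPX builds. A "modified UPX" (the signature's
# wording) typically renames them, so names alone are not a sufficient check.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX3", ".UPX0", ".UPX1"}


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_offset: int


def parse_pe(data: bytes) -> tuple[int, list[Section]]:
    """Return (SizeOfHeaders, section table) from a PE image, or raise ValueError."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    opt_off = pe_off + 24
    # SizeOfHeaders sits at offset 60 of the optional header for both PE32 and PE32+
    (size_of_headers,) = struct.unpack_from("<I", data, opt_off + 60)
    table = opt_off + opt_size
    sections = []
    for i in range(n_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rsize, roff = struct.unpack_from("<IIII", data, off + 8)
        sections.append(Section(name, vsize, vaddr, rsize, roff))
    return size_of_headers, sections


def upx_indicators(data: bytes) -> list[str]:
    """Return the UPX indicators found, in a fixed order; an empty list means none."""
    size_of_headers, sections = parse_pe(data)
    hits = []
    if any(s.name in UPX_SECTION_NAMES for s in sections):
        hits.append("upx-section-names")
    # Stock UPX reserves the first section as the decompression target: a large
    # VirtualSize but no bytes on disk (SizeOfRawData == 0). Survives renaming.
    if sections and sections[0].raw_size == 0 and sections[0].virtual_size > 0:
        hits.append("first-section-empty-on-disk")
    # UPX writes a small version block starting with "UPX!" into the header area,
    # after the section table and before the first section's raw data.
    if b"UPX!" in data[:size_of_headers]:
        hits.append("upx-magic-in-header")
    return hits


def build_pe(sections, upx_magic=False) -> bytes:
    """Construct a minimal PE32 header (no code) so the detector can be tested offline.

    `sections` is a list of (name, VirtualSize, VirtualAddress, SizeOfRawData,
    PointerToRawData). This is a constructed sample, not a real binary."""
    pe_off, opt_size, size_of_headers = 0x80, 0xE0, 0x400
    buf = bytearray(size_of_headers)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe_off)
    buf[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, pe_off + 4,
                     0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt_off = pe_off + 24
    struct.pack_into("<H", buf, opt_off, 0x10B)            # PE32 magic
    struct.pack_into("<I", buf, opt_off + 60, size_of_headers)
    table = opt_off + opt_size
    for i, (name, vsize, vaddr, rsize, roff) in enumerate(sections):
        off = table + i * 40
        buf[off:off + 8] = name.encode("latin-1").ljust(8, b"\0")
        struct.pack_into("<IIII", buf, off + 8, vsize, vaddr, rsize, roff)
    if upx_magic:
        pos = table + len(sections) * 40 + 8
        buf[pos:pos + 4] = b"UPX!"
    return bytes(buf)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, upx_indicators(fh.read()) or ["no UPX indicators"])
```

Run it as `python upx_check.py GOG_Galaxy_2.0.exe` against the sample to see which of the three indicators the sandbox signature is reacting to. A hit on names alone is weak (anyone can name a section UPX0); the empty-on-disk first section is the indicator that survives a renamed "modified UPX" build, and false positives for it are rare in compiler-produced binaries.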

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOG_Galaxy_2.0.exe
    "C:\Users\Admin\AppData\Local\Temp\GOG_Galaxy_2.0.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4544
    • C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\GalaxyInstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\GalaxyInstaller.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2336
      • C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\GalaxySetup.exe
        "C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\GalaxySetup.exe" /lang=en_US /campaign="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"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4616
        • C:\Users\Admin\AppData\Local\Temp\is-RKH34.tmp\GalaxySetup.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-RKH34.tmp\GalaxySetup.tmp" /SL5="$8003E,272048901,1268224,C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\GalaxySetup.exe" /lang=en_US /campaign="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"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1952
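
The process tree above is a textbook Inno Setup launch: the `is-XXXXX.tmp` directories and the `_isetup\_isdecmp.dll` in the downloads list are Inno Setup's, and `/SL5="$<hwnd>,<offset0>,<offset1>,<path>"` is the argument its setup loader passes to the extracted second stage, the last field naming the original setup executable. The script below is an added example for this page, not the sandbox's own detection code: it replays two of the report's signatures over process-creation and file-write records. "Executes dropped EXE" fires when a process image was written earlier by one of its own ancestors; the Inno check parses `/SL5=` and confirms that the claimed setup path is actually the parent's image, flagging the mismatch case where the loader was invoked by something else. The sample records are constructed from the tree on this page (the `/campaign=` argument is omitted), and the file-write attributions are an assumption: the report lists the dropped files but not which process wrote each one.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class FileWrite:
    pid: int    # writing process
    path: str   # file created or modified


# Inno Setup second stage: <setup>.exe extracts <setup>.tmp into %TEMP%\is-XXXXX.tmp
# and runs it with /SL5="$<hwnd>,<offset0>,<offset1>,<path of the original setup exe>".
INNO_LOADER = re.compile(
    r'\\is-[A-Za-z0-9]{5}\.tmp\\[^\\"]+\.tmp"?\s+/SL5="?\$([0-9A-Fa-f]+),(\d+),(\d+),([^"]+)',
    re.IGNORECASE,
)


def ancestors(by_pid: dict[int, Proc], pid: int) -> list[int]:
    """PIDs of the process's ancestors present in the tree, nearest first (cycle-safe)."""
    chain, seen = [], {pid}
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        chain.append(cur.ppid)
        cur = by_pid[cur.ppid]
    return chain


def analyse(procs: list[Proc], writes: list[FileWrite]) -> list[tuple[int, str, str]]:
    """Return (pid, finding, detail) tuples in process order."""
    by_pid = {p.pid: p for p in procs}
    written_by: dict[str, set[int]] = {}
    for w in writes:
        written_by.setdefault(w.path.lower(), set()).add(w.pid)
    findings = []
    for p in procs:
        droppers = written_by.get(p.image.lower(), set()) & set(ancestors(by_pid, p.pid))
        if droppers:
            findings.append((p.pid, "executes dropped EXE",
                             f"image written earlier by ancestor pid {min(droppers)}"))
        m = INNO_LOADER.search(p.cmdline)
        if m:
            claimed = m.group(4).strip()
            parent = by_pid.get(p.ppid)
            if parent is not None and parent.image.lower() == claimed.lower():
                findings.append((p.pid, "inno setup loader", f"second stage of {claimed}"))
            else:
                findings.append((p.pid, "inno setup loader (parent mismatch)",
                                 f"claims {claimed}, parent is "
                                 f"{parent.image if parent else p.ppid}"))
    return findings


# Constructed records mirroring the report's process tree (campaign argument omitted).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PROCS = [
    Proc(4544, 1000, rf"{TEMP}\GOG_Galaxy_2.0.exe", rf'"{TEMP}\GOG_Galaxy_2.0.exe"'),
    Proc(2336, 4544, rf"{TEMP}\GalaxyInstaller_Ytztp\GalaxyInstaller.exe",
         rf'"{TEMP}\GalaxyInstaller_Ytztp\GalaxyInstaller.exe"'),
    Proc(4616, 2336, rf"{TEMP}\GalaxyInstaller_Ytztp\GalaxySetup.exe",
         rf'"{TEMP}\GalaxyInstaller_Ytztp\GalaxySetup.exe" /lang=en_US'),
    Proc(1952, 4616, rf"{TEMP}\is-RKH34.tmp\GalaxySetup.tmp",
         rf'"{TEMP}\is-RKH34.tmp\GalaxySetup.tmp" /SL5="$8003E,272048901,1268224,'
         rf'{TEMP}\GalaxyInstaller_Ytztp\GalaxySetup.exe" /lang=en_US'),
]
# Assumed writer attribution: each stage writes the next one (not stated by the report).
WRITES = [
    FileWrite(4544, rf"{TEMP}\GalaxyInstaller_Ytztp\GalaxyInstaller.exe"),
    FileWrite(2336, rf"{TEMP}\GalaxyInstaller_Ytztp\GalaxySetup.exe"),
    FileWrite(4616, rf"{TEMP}\is-RKH34.tmp\GalaxySetup.tmp"),
]

if __name__ == "__main__":
    for pid, kind, detail in analyse(PROCS, WRITES):
        print(f"{pid:>5}  {kind:<36} {detail}")
```

On the constructed records this reproduces the report's three "Executes dropped EXE" hits (PIDs 2336, 4616, 1952) and identifies PID 1952 as a consistent Inno Setup second stage. The parent-mismatch branch is the part worth keeping in a real detection: a `*.tmp /SL5=` process whose claimed setup path is not its parent's image is not how Inno Setup launches itself.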

Network

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\GalaxyInstaller.exe

          Filesize

          566KB

          MD5

          26d02cc778b804689bda1aafa9a76fb1

          SHA1

          5452c96593478f59471730366c682da19881051d

          SHA256

          61eadf4a0bb3710671f5b6f1db10c522a2d0a07177d3b79eb844d7f69d8f8635

          SHA512

          047ecfb6df19e39579dd2a7359fec312f4dcf2293e9e4f232a22acd37a3c22707ecbf53d6ed0fe44989b8a52502fd43f525e20b85b83f29223205ade6a7aee90

        • C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\GalaxySetup.exe

          Filesize

          263.1MB

          MD5

          b60970dfb43bbee8f7dd8f785b06e513

          SHA1

          ff3f3ef0c44ffa4120b2f30023573c57dec4d71e

          SHA256

          793227a3a9a7e30a80d7d2f623ffa0d68c63c9ea2fd0f0e8fbe1d9adbbbae0d6

          SHA512

          98601a93b6df844a315c2d45429aef54640948ceafa75e3e19d46aa490aa4bac5fb07d3974840e929f256f25b86c9e751546a7ac4c11e09c36516d7f42a555af

        • C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\icon.ico

          Filesize

          480KB

          MD5

          391cf634b3ccf3971811be5ef016fe32

          SHA1

          8e3023466d02dfb8f2e1b48555b998532dc9a377

          SHA256

          de9a2072df66c11af8cc255788c4c572f7b45ba7ab19524ad2e01a23f55e9ca8

          SHA512

          c1594a33efcfac7c6e6935e76ed030855886453b6397ba53a63225efbeb513a1ccb39ea7d528cc43bb1e2b56fd0e02b306e0e65dc6896613c2b4ca6c4a165d9a

        • C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\payload.campaign

          Filesize

          585B

          MD5

          0069f49d053b0b56ef449c4cc8b861f9

          SHA1

          fdbe0f50827c022017f17be3db3afd986228e266

          SHA256

          72211501de8490d22aa4ec45710737ca980624fd31563b400b497534e3a36599

          SHA512

          7b35f3ae4505e10fc554e063d3220493d657aea511bd632465db9d344e4ddffaaef0fe13c802c892fcf7e3df1281a11d6f369de9ba5787e84292de3ecd3208fb

        • C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_Ytztp\remoteconfig.json

          Filesize

          555B

          MD5

          77f0ebc2ec5ecd47916207bf510904e2

          SHA1

          514dd58f5379932360f32dfa41d5706c0bf56076

          SHA256

          c6a6618fa0bb69a977b8e5e6985fed76575e8671015f53f6bf3c21e2707917c1

          SHA512

          0d3fedfc364961872e605dcab3865172636a4fa9b6b5e4897c11dc342cff108551589eb2f88f2653ac0e1d4306600642217ccb0b6ed0cbaa6d147d264aacadb5

        • C:\Users\Admin\AppData\Local\Temp\is-03TVJ.tmp\_isetup\_isdecmp.dll

          Filesize

          28KB

          MD5

          077cb4461a2767383b317eb0c50f5f13

          SHA1

          584e64f1d162398b7f377ce55a6b5740379c4282

          SHA256

          8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

          SHA512

          b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

        • C:\Users\Admin\AppData\Local\Temp\is-RKH34.tmp\GalaxySetup.tmp

          Filesize

          3.3MB

          MD5

          ebda4a669acd86def15d9389e3c408ff

          SHA1

          88c7f3cdccb377397fa295efd5dbf5af3c5d1bdd

          SHA256

          399092911144baf021d14ccd882ad8ab8d312e579b8e11fbac1dfb16e72c5740

          SHA512

          9a406d7fb6827bd992baf4c1c26a84187dafa89dd1afce51f97953c5f4f29319021043f860ddd1d94346265fcec8663581112af9455b0da1dd3a75da6102105a

        • memory/1952-217-0x0000000000400000-0x0000000000765000-memory.dmp

          Filesize

          3.4MB

        • memory/1952-215-0x0000000000920000-0x0000000000921000-memory.dmp

          Filesize

          4KB

        • memory/1952-206-0x0000000000400000-0x0000000000765000-memory.dmp

          Filesize

          3.4MB

        • memory/1952-204-0x0000000000400000-0x0000000000765000-memory.dmp

          Filesize

          3.4MB

        • memory/1952-200-0x0000000000920000-0x0000000000921000-memory.dmp

          Filesize

          4KB

        • memory/1952-199-0x0000000000400000-0x0000000000765000-memory.dmp

          Filesize

          3.4MB

        • memory/2336-147-0x000000001B310000-0x000000001B320000-memory.dmp

          Filesize

          64KB

        • memory/2336-159-0x000000001E7B0000-0x000000001E972000-memory.dmp

          Filesize

          1.8MB

        • memory/2336-146-0x0000000000710000-0x00000000007A0000-memory.dmp

          Filesize

          576KB

        • memory/2336-164-0x000000001B310000-0x000000001B320000-memory.dmp

          Filesize

          64KB

        • memory/2336-166-0x000000001B310000-0x000000001B320000-memory.dmp

          Filesize

          64KB

        • memory/2336-160-0x000000001EEB0000-0x000000001F3D8000-memory.dmp

          Filesize

          5.2MB

        • memory/2336-168-0x000000001B310000-0x000000001B320000-memory.dmp

          Filesize

          64KB

        • memory/4544-165-0x0000000000400000-0x0000000000641000-memory.dmp

          Filesize

          2.3MB

        • memory/4544-133-0x0000000000400000-0x0000000000641000-memory.dmp

          Filesize

          2.3MB

        • memory/4616-193-0x0000000000400000-0x0000000000543000-memory.dmp

          Filesize

          1.3MB

        • memory/4616-203-0x0000000000400000-0x0000000000543000-memory.dmp

          Filesize

          1.3MB

        • memory/4616-196-0x0000000000400000-0x0000000000543000-memory.dmp

          Filesize

          1.3MB

        • memory/4616-189-0x0000000000400000-0x0000000000543000-memory.dmp

          Filesize

          1.3MB