065308e696cf3e97073c9875fd54344aca6ea9dd9d9af39587319c6f71f62beb

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08/06/2023, 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ARK Survival Evolved/ArkDownloader.bat
Size

760B
MD5

1be16aa4ff86085769da648371ced408
SHA1

490222e3768e9add2e6aee07e2b2d33c0417d591
SHA256

db2b72fbe6d51e7294861fcd7a0dec9589a068989a4a50546e76c010f3acc938
SHA512

718bdc4f067de7fa4e3a2ba098bbed0f3e9a65bf76e993cd92bb0f1549017d3e975b099b54620b5fa8996639c8c1a2f70433bb6ce2c9652010c531a539a5977e

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1204	steamcmd.exe
1508	steamcmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1204	steamcmd.exe
1508	steamcmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamcmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamcmd.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1204	steamcmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 1204	1216	cmd.exe	29
PID 1216 wrote to memory of 1204	1216	cmd.exe	29
PID 1216 wrote to memory of 1204	1216	cmd.exe	29
PID 1216 wrote to memory of 1204	1216	cmd.exe	29
PID 1204 wrote to memory of 1508	1204	steamcmd.exe	31
PID 1204 wrote to memory of 1508	1204	steamcmd.exe	31
PID 1204 wrote to memory of 1508	1204	steamcmd.exe	31
PID 1204 wrote to memory of 1508	1204	steamcmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ARK Survival Evolved\ArkDownloader.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Games\cmd\steamcmd.exe
  C:\Games\cmd\steamcmd.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Games\cmd\steamcmd.exe
    "C:\Games\cmd\steamcmd.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:1508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Games\cmd\crashhandler.dll

Filesize
370KB

MD5
1d6c027a8c44b7bbe8631eb2fe59c7dd

SHA1
c03c8ba8b4ac9a58407598e3ad90412ca52eafa4

SHA256
d4488cf706c291042508eeda5b05645d948115bac599555fd10991d1d85b93d9

SHA512
608db630bb0317f77df970583baf2f6c54c100e15a919c218ba6ddeeab49ad2a0dbc6908f63e83caac7ccbd2b8b312b2f021c1db6b1ad9fa301f0f1b578a0e45

Download Submit
C:\Games\cmd\logs\bootstrap_log.txt

Filesize
8KB

MD5
a4eef591bbed51cc563a5749e6122886

SHA1
e5880935f0831ac13aebc0c32c5cac24c20f50c3

SHA256
31d580fb9abb902fb32875a180ec092024782784b54dbbdade2f587d92292c86

SHA512
02a0d1b1bc1a1266e5764b98160a75ffa591011d3b333871fb3b3e97ddc1dc88e87b4099d4ac88ae9f83a744e2949e1b4d1bf391cb25c270ceb35e9565487338

Download Submit
C:\Games\cmd\package\steam_cmd_win32.manifest

Filesize
2KB

MD5
208424ca7cc9bb811f4e315a98616e61

SHA1
23766fa2b179df2eceb60036404df2ca50a0ea7d

SHA256
d2b94e843463b27f3fd1d3ab44d5735143eeb7239c56e7d92d4a688c8874066f

SHA512
d5f5bab32496e29adc7431609610c3d499b930dcde62137621bfaf908cc9945da593d01f49b312588504e202c314ad1f94c0099e639a7ffd4986b61d6423e7ab

Download Submit
C:\Games\cmd\package\steam_cmd_win32.manifest

Filesize
2KB

MD5
208424ca7cc9bb811f4e315a98616e61

SHA1
23766fa2b179df2eceb60036404df2ca50a0ea7d

SHA256
d2b94e843463b27f3fd1d3ab44d5735143eeb7239c56e7d92d4a688c8874066f

SHA512
d5f5bab32496e29adc7431609610c3d499b930dcde62137621bfaf908cc9945da593d01f49b312588504e202c314ad1f94c0099e639a7ffd4986b61d6423e7ab

Download Submit
C:\Games\cmd\package\steamcmd_bins_win32.zip.545074623e7622958d904f7e693f35902f1d9423

Filesize
9.8MB

MD5
98e58f3c15bad2f27846cada7575d4c2

SHA1
545074623e7622958d904f7e693f35902f1d9423

SHA256
d5381625b943893b18e7b8c5e295b3d427e95279010d93d1a8f20577dc29e044

SHA512
a56aeda1e6609a77af000f968fa14afa72a65751e9b137c8117c1eecbd71325e210ce7ef077e74ad20b6a9e32415e1ef3a132cf3cb4fd3dc258e9c0153ad6996

Download Submit
C:\Games\cmd\package\steamcmd_public_all.zip.1d1ebd7e14d5f786a1c77d8857231565c51afc35

Filesize
48KB

MD5
779a4dadcbe540b363ac708affd73675

SHA1
1d1ebd7e14d5f786a1c77d8857231565c51afc35

SHA256
4b3a6efc6e99a9c856df594c806ddaa69716ad0d16aaf00e0223a38e01891b7a

SHA512
96f6b18c9985485762d715f00fcd1d90a9b54078339a8dea67473017aa90c689aedca583000584e9d47547e5e3351dd59aa730bc961637a1cba37527ec7a9df5

Download Submit
C:\Games\cmd\package\steamcmd_siteserverui_win32.zip.9102453189df7594c91b08d4a4a3f22a7bef18a3

Filesize
48.8MB

MD5
75e72f798c7dbe85b3c5eb8ff058a980

SHA1
9102453189df7594c91b08d4a4a3f22a7bef18a3

SHA256
b1f435a340bb5d97c628f34d28e426296e8dd3158d670f36af9ebc9c0bde62d8

SHA512
2529bf12e5a69f74e4c0249ef02b939b5e4ef45ad7af8a3e35633bee5d3df3bba8ba89b426305bec640be870db74612217cddc497693c66d8e8568b356a47b5d

Download Submit
C:\Games\cmd\package\steamcmd_steamerrorreporter_win32.zip.62efa74ce7d778a83e13e54de2e6440870a7c5ae

Filesize
180KB

MD5
c589f10d3b8ff0a58a1976d5042bff06

SHA1
62efa74ce7d778a83e13e54de2e6440870a7c5ae

SHA256
3bc8169071380ae393b2dd7a7ede0d1e72a354d1ee1afb0784140fdb1597c552

SHA512
bf2c508abe2138e19ae6c069a203a2804e88dcab9774f2cff4bf9e3f65a02366ba45eb9e97e107a106e44fbcd8660baededdc4ec3ad470d8faa895f734fb8e43

Download Submit
C:\Games\cmd\package\steamcmd_steamservice_win32.zip.34ec36b8b58db0887f042365f28fd2ef6833a8fc

Filesize
2.9MB

MD5
e1fff58a3e81d0bd5b975ae25af75595

SHA1
34ec36b8b58db0887f042365f28fd2ef6833a8fc

SHA256
4eedde8b53a11580349fb307c15b53be17be44e98935e226af01edfac7dc4a8e

SHA512
5cf12e0a58bac653375d293729c64eb74aab30d0adbb3cd048bdb26d8ad682a1615f39cc70a0d75c2d7036150732a4944ba9535d2640a3e2dbb7dd09e1ce1450

Download Submit
C:\Games\cmd\package\steamcmd_win32.zip.564e732e1b81d9f66891c357e7783b55681c0486

Filesize
2.0MB

MD5
dbfa848a7e52d05ce9a234dc49c11197

SHA1
564e732e1b81d9f66891c357e7783b55681c0486

SHA256
a5a2d31a1ff12a9d607448563b025adaf236f8e33da5cada6e4c0e2b39a9271d

SHA512
13d61fcdeaf62878e97ef02c3174db665db2bffa1ce940d9df459da96402fdd411c57aa9337fd67e84571457ae8a02bb5207c36fb806be0fd6e9a757f0a11bf4

Download Submit
C:\Games\cmd\steamcmd.exe

Filesize
4.0MB

MD5
f2da0d45690f89ee8e6533c3a67fe885

SHA1
a6b5ca9317b2e4732d94d942002b4c30c64ed749

SHA256
2d4ca71ae6b55e773c19cab9ecf8bbf27f3e6711a2db632d0ce628089299a12e

SHA512
3ac023337fb06460b111f3a339d5eb7d7f27346f4d2025ccd81c245eec8ab3ca05801098ea3a2bafcd1066c865057d743d37898b4f7c5d84d4a469dfdb262314

Download Submit
C:\Games\cmd\steamcmd.exe

Filesize
1.6MB

MD5
2629c77b1149eee9203e045e289e68ef

SHA1
e45974be43d33419ac8e5208e0b2b787cd592fc4

SHA256
fc103a323d70caaac475ae1cfcacfd8eec4c6b1e130005c4793f2013b4b019f8

SHA512
397c238f43c6208feea21fb929e6f6429b3ed035414dc779982350998030dda834431864026e22f2b6a2c99b8b2bcd6d5d2970dd8d71c39698f03d6043c6778d

Download Submit
C:\Games\cmd\steamcmd.exe

Filesize
1.6MB

MD5
2629c77b1149eee9203e045e289e68ef

SHA1
e45974be43d33419ac8e5208e0b2b787cd592fc4

SHA256
fc103a323d70caaac475ae1cfcacfd8eec4c6b1e130005c4793f2013b4b019f8

SHA512
397c238f43c6208feea21fb929e6f6429b3ed035414dc779982350998030dda834431864026e22f2b6a2c99b8b2bcd6d5d2970dd8d71c39698f03d6043c6778d

Download Submit
C:\Games\cmd\steamcmd.exe

Filesize
1.6MB

MD5
2629c77b1149eee9203e045e289e68ef

SHA1
e45974be43d33419ac8e5208e0b2b787cd592fc4

SHA256
fc103a323d70caaac475ae1cfcacfd8eec4c6b1e130005c4793f2013b4b019f8

SHA512
397c238f43c6208feea21fb929e6f6429b3ed035414dc779982350998030dda834431864026e22f2b6a2c99b8b2bcd6d5d2970dd8d71c39698f03d6043c6778d

Download Submit
\Games\cmd\crashhandler.dll

Filesize
370KB

MD5
1d6c027a8c44b7bbe8631eb2fe59c7dd

SHA1
c03c8ba8b4ac9a58407598e3ad90412ca52eafa4

SHA256
d4488cf706c291042508eeda5b05645d948115bac599555fd10991d1d85b93d9

SHA512
608db630bb0317f77df970583baf2f6c54c100e15a919c218ba6ddeeab49ad2a0dbc6908f63e83caac7ccbd2b8b312b2f021c1db6b1ad9fa301f0f1b578a0e45

Download Submit
\Games\cmd\steamcmd.exe

Filesize
4.0MB

MD5
f2da0d45690f89ee8e6533c3a67fe885

SHA1
a6b5ca9317b2e4732d94d942002b4c30c64ed749

SHA256
2d4ca71ae6b55e773c19cab9ecf8bbf27f3e6711a2db632d0ce628089299a12e

SHA512
3ac023337fb06460b111f3a339d5eb7d7f27346f4d2025ccd81c245eec8ab3ca05801098ea3a2bafcd1066c865057d743d37898b4f7c5d84d4a469dfdb262314

Download Submit
memory/1204-59-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download