Overview
overview
7Static
static
7Gccg/Check...ed.bat
windows7-x64
7Gccg/Check...ed.bat
windows10-2004-x64
7Gccg/Insta...ds.bat
windows7-x64
7Gccg/Insta...ds.bat
windows10-2004-x64
7Gccg/Install LOTR.bat
windows7-x64
7Gccg/Install LOTR.bat
windows10-2004-x64
7Gccg/Insta...ch.bat
windows7-x64
1Gccg/Insta...ch.bat
windows10-2004-x64
1Gccg/Insta...ds.bat
windows7-x64
7Gccg/Insta...ds.bat
windows10-2004-x64
7Gccg/Insta...ch.bat
windows7-x64
1Gccg/Insta...ch.bat
windows10-2004-x64
1Gccg/Install METW.bat
windows7-x64
7Gccg/Install METW.bat
windows10-2004-x64
7Gccg/Insta...ds.bat
windows7-x64
7Gccg/Insta...ds.bat
windows10-2004-x64
7Gccg/Install MTG.bat
windows7-x64
7Gccg/Install MTG.bat
windows10-2004-x64
7Gccg/Insta...ds.bat
windows7-x64
7Gccg/Insta...ds.bat
windows10-2004-x64
7Gccg/Insta...on.bat
windows7-x64
7Gccg/Insta...on.bat
windows10-2004-x64
7Gccg/Insta...ce.bat
windows7-x64
7Gccg/Insta...ce.bat
windows10-2004-x64
7Gccg/Install.bat
windows7-x64
7Gccg/Install.bat
windows10-2004-x64
7Gccg/Metw_deu.bat
windows7-x64
1Gccg/Metw_deu.bat
windows10-2004-x64
1Gccg/Updat...ng.bat
windows7-x64
1Gccg/Updat...ng.bat
windows10-2004-x64
1Gccg/chmod.exe
windows7-x64
1Gccg/chmod.exe
windows10-2004-x64
1Analysis
-
max time kernel
121s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
07/11/2023, 13:51
Behavioral task
behavioral1
Sample
Gccg/Check Installed.bat
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral2
Sample
Gccg/Check Installed.bat
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Gccg/Install LOTR Cards.bat
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral4
Sample
Gccg/Install LOTR Cards.bat
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Gccg/Install LOTR.bat
Resource
win7-20231025-en
windows7-x64
Behavioral task
behavioral6
Sample
Gccg/Install LOTR.bat
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Gccg/Install METW Cards deutsch.bat
Resource
win7-20231025-en
windows7-x64
Behavioral task
behavioral8
Sample
Gccg/Install METW Cards deutsch.bat
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Gccg/Install METW Cards.bat
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral10
Sample
Gccg/Install METW Cards.bat
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Gccg/Install METW deutsch.bat
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral12
Sample
Gccg/Install METW deutsch.bat
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Gccg/Install METW.bat
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral14
Sample
Gccg/Install METW.bat
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Gccg/Install MTG Cards.bat
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral16
Sample
Gccg/Install MTG Cards.bat
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
Gccg/Install MTG.bat
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral18
Sample
Gccg/Install MTG.bat
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
Gccg/Install Pokemon Cards.bat
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral20
Sample
Gccg/Install Pokemon Cards.bat
Resource
win10v2004-20231025-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Gccg/Install Pokemon.bat
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral22
Sample
Gccg/Install Pokemon.bat
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
Gccg/Install Source.bat
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral24
Sample
Gccg/Install Source.bat
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
Gccg/Install.bat
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral26
Sample
Gccg/Install.bat
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
Gccg/Metw_deu.bat
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral28
Sample
Gccg/Metw_deu.bat
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
Gccg/Update Everything.bat
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral30
Sample
Gccg/Update Everything.bat
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
Gccg/chmod.exe
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral32
Sample
Gccg/chmod.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
General
-
Target
Gccg/Install Pokemon.bat
-
Size
93B
-
MD5
ff1be5e50f6f0d3e217ede89d1f8dcf3
-
SHA1
baebc13b2e7be0f18ce5162836526914cc5dd252
-
SHA256
c71674818558f0f57fbc610ae2e9c703cbe2e00a31d4e18a1713806c42cd7cc2
-
SHA512
127917837d5d7a67967044e89d818e87da65115eb0080241fc01687c00fb60ffd3f8a95b3ec8334168d116d896a920542461e298d49213487643ad4ab7aeb8ad
Malware Config
Signatures
-
resource yara_rule behavioral21/memory/2628-0-0x0000000000170000-0x000000000020C000-memory.dmp upx behavioral21/memory/2892-2-0x0000000000400000-0x000000000049C000-memory.dmp upx behavioral21/memory/2892-3-0x0000000000400000-0x000000000049C000-memory.dmp upx behavioral21/memory/2892-5-0x0000000000400000-0x000000000049C000-memory.dmp upx behavioral21/memory/2692-6-0x0000000000400000-0x000000000049C000-memory.dmp upx behavioral21/memory/2812-8-0x0000000000400000-0x000000000049C000-memory.dmp upx behavioral21/memory/2700-10-0x0000000000400000-0x000000000049C000-memory.dmp upx behavioral21/memory/2700-13-0x0000000000400000-0x000000000049C000-memory.dmp upx behavioral21/memory/2588-14-0x0000000000400000-0x000000000049C000-memory.dmp upx behavioral21/memory/2588-16-0x0000000000400000-0x000000000049C000-memory.dmp upx -
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid Process 2628 perl.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2892 wget.exe 2692 wget.exe 2812 wget.exe 2700 wget.exe 2588 wget.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 2176 wrote to memory of 2628 2176 cmd.exe 29 PID 2176 wrote to memory of 2628 2176 cmd.exe 29 PID 2176 wrote to memory of 2628 2176 cmd.exe 29 PID 2176 wrote to memory of 2628 2176 cmd.exe 29 PID 2628 wrote to memory of 2892 2628 perl.exe 30 PID 2628 wrote to memory of 2892 2628 perl.exe 30 PID 2628 wrote to memory of 2892 2628 perl.exe 30 PID 2628 wrote to memory of 2892 2628 perl.exe 30 PID 2628 wrote to memory of 2692 2628 perl.exe 31 PID 2628 wrote to memory of 2692 2628 perl.exe 31 PID 2628 wrote to memory of 2692 2628 perl.exe 31 PID 2628 wrote to memory of 2692 2628 perl.exe 31 PID 2628 wrote to memory of 2812 2628 perl.exe 32 PID 2628 wrote to memory of 2812 2628 perl.exe 32 PID 2628 wrote to memory of 2812 2628 perl.exe 32 PID 2628 wrote to memory of 2812 2628 perl.exe 32 PID 2628 wrote to memory of 2700 2628 perl.exe 33 PID 2628 wrote to memory of 2700 2628 perl.exe 33 PID 2628 wrote to memory of 2700 2628 perl.exe 33 PID 2628 wrote to memory of 2700 2628 perl.exe 33 PID 2628 wrote to memory of 2588 2628 perl.exe 36 PID 2628 wrote to memory of 2588 2628 perl.exe 36 PID 2628 wrote to memory of 2588 2628 perl.exe 36 PID 2628 wrote to memory of 2588 2628 perl.exe 36
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Gccg\Install Pokemon.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Users\Admin\AppData\Local\Temp\Gccg\perl.exeperl gccg_package install core client fonts-windows windows32 pokemon2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Users\Admin\AppData\Local\Temp\Gccg\wget.exewget -t 0 http://gccg.sourceforge.net/modules/available.xml3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2892
-
-
C:\Users\Admin\AppData\Local\Temp\Gccg\wget.exewget -t 0 http://www.derangedmonkey.com/bmin/available.xml3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2692
-
-
C:\Users\Admin\AppData\Local\Temp\Gccg\wget.exewget -t 0 http://www.reneploetz.de/gccg/available.xml3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2812
-
-
C:\Users\Admin\AppData\Local\Temp\Gccg\wget.exewget -t 0 http://lotrtcgdb.com/files/gccg/available.xml3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2700
-
-
C:\Users\Admin\AppData\Local\Temp\Gccg\wget.exewget -t 0 http://whiterose.net/~wlk/gccg/available.xml3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2588
-
-