Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
-
submitted
22-11-2023 14:00
General
-
Target
mal.exe
-
Size
749KB
-
MD5
c56344077a831944c8af79be448c687c
-
SHA1
bbebd8e987007a6f69b00cef76db759276fde555
-
SHA256
e52ab8300f63f4267db1d512b6900999debede4c275cfec023a7ff2270d61dac
-
SHA512
bbb383d777e9d8775108d62094f244c30818cb4c9826809c5fbbf99892108b67a1ec12068ae3e92ce8ca81da0a51758d384f1f5f3f6e95d810d1512a9d78cebb
-
SSDEEP
6144:sZY2J9yM8RQtfzMmqyjRY2J9yM8RQtvzfTqyjM97:S9yMiY7Rpn9yMiYrLpe7
Malware Config
Signatures
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 2 IoCs
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\mal.exe"C:\Users\Admin\AppData\Local\Temp\mal.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\GameLauncherUpgrader.exe"C:\Users\Admin\AppData\Local\Temp\GameLauncherUpgrader.exe" yimingjingren2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\GameLauncher.exe"C:\Users\Admin\AppData\Local\Temp\GameLauncher.exe" yimingjingren3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\handle64.exe"C:\Users\Admin\AppData\Local\Temp\handle64.exe" "C:\Users\Admin\AppData\Local\Temp\content" /accepteula4⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\xdelta3.0.11.exe"C:\Users\Admin\AppData\Local\Temp\xdelta3.0.11.exe" -f -v -d -B 2147483648 -s .\content\_package\client\c1078262835_0.pkg.temp .\patch\974f75257c85ee522e33425109b3b0f0to5050c4a04bd6290d99350dfe603c481b.patch11 .\content\_package\client\c1078262835_0.pkg.temp.temp4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\xdelta3.0.11.exe"C:\Users\Admin\AppData\Local\Temp\xdelta3.0.11.exe" -f -v -d -B 2147483648 -s .\content\_package\client\c1078262835_0.pkg.temp.temp .\patch\5050c4a04bd6290d99350dfe603c481bto3a4303e20a41c61900ccb13b0e5666ed.patch11 .\content\_package\client\c1078262835_0.pkg.temp.temp24⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\xdelta3.0.11.exe"C:\Users\Admin\AppData\Local\Temp\xdelta3.0.11.exe" -f -v -d -B 2147483648 -s .\content\_package\client\c2188128971_0.pkg.temp .\patch\f5c2a41244e0d1b12334ab048e4a362ato3192f50174c0776395a609ffffda89a4.patch11 .\content\_package\client\c2188128971_0.pkg.temp.temp4⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\GameLauncher.exeFilesize
10.5MB
MD5cc11d5077423e1d75329caf14b54f111
SHA12ca5d2bd31d428e2e1480c2e5ee659debfe73935
SHA256366118314ded7b6366e073efb9195fbe080f76566bee4029f62deea842553b1a
SHA51238e9af869b24bec0d17dd45d7a6709f0f16719d609f193217aeb6b3bacdd8d5c0e27b9694ef402c4715a47a432d84bf2055d425c0725e166ef395f0f55367200
-
C:\Users\Admin\AppData\Local\Temp\GameLauncher.exeFilesize
10.5MB
MD5cc11d5077423e1d75329caf14b54f111
SHA12ca5d2bd31d428e2e1480c2e5ee659debfe73935
SHA256366118314ded7b6366e073efb9195fbe080f76566bee4029f62deea842553b1a
SHA51238e9af869b24bec0d17dd45d7a6709f0f16719d609f193217aeb6b3bacdd8d5c0e27b9694ef402c4715a47a432d84bf2055d425c0725e166ef395f0f55367200
-
C:\Users\Admin\AppData\Local\Temp\GameLauncher.exeFilesize
10.5MB
MD5cc11d5077423e1d75329caf14b54f111
SHA12ca5d2bd31d428e2e1480c2e5ee659debfe73935
SHA256366118314ded7b6366e073efb9195fbe080f76566bee4029f62deea842553b1a
SHA51238e9af869b24bec0d17dd45d7a6709f0f16719d609f193217aeb6b3bacdd8d5c0e27b9694ef402c4715a47a432d84bf2055d425c0725e166ef395f0f55367200
-
C:\Users\Admin\AppData\Local\Temp\GameLauncherUpgrader.exeFilesize
89KB
MD554095ffb02093dc9c684554e12637181
SHA1336c56d38b90a5dddcf479a2e15118a2ccf5734c
SHA256b468ce780c976c2f2bc01c3dfb5c69efbef93285a54c2a5bc7b7b2ddcdf85db1
SHA5126290460359f8f9ccd709d7d886cb32930656ba77499e8c79a58ac5ae7cc610e6dee0eb59e1ec34a791f5e8d1f08f92bdd8f2c3190d2eed4638b002d571d7ecc8
-
C:\Users\Admin\AppData\Local\Temp\GameLauncherUpgrader.exeFilesize
89KB
MD554095ffb02093dc9c684554e12637181
SHA1336c56d38b90a5dddcf479a2e15118a2ccf5734c
SHA256b468ce780c976c2f2bc01c3dfb5c69efbef93285a54c2a5bc7b7b2ddcdf85db1
SHA5126290460359f8f9ccd709d7d886cb32930656ba77499e8c79a58ac5ae7cc610e6dee0eb59e1ec34a791f5e8d1f08f92bdd8f2c3190d2eed4638b002d571d7ecc8
-
C:\Users\Admin\AppData\Local\Temp\GameLauncherUpgrader.exeFilesize
89KB
MD554095ffb02093dc9c684554e12637181
SHA1336c56d38b90a5dddcf479a2e15118a2ccf5734c
SHA256b468ce780c976c2f2bc01c3dfb5c69efbef93285a54c2a5bc7b7b2ddcdf85db1
SHA5126290460359f8f9ccd709d7d886cb32930656ba77499e8c79a58ac5ae7cc610e6dee0eb59e1ec34a791f5e8d1f08f92bdd8f2c3190d2eed4638b002d571d7ecc8
-
C:\Users\Admin\AppData\Local\Temp\XLSDKAgent.dllFilesize
84KB
MD529ce882202da90e6f136562d80926573
SHA1dd053768c22bee14964d0f657d72c13dffddc882
SHA256c831be0e7d3d910001891e0088cc2b598f2c56a31536b4547e1dbdf29d9eac7e
SHA51284d66d36772a87da834d037a157b7ec5e579e90fdb7a7e187a1b79c1acca38bbf3bc2dab3a9e4d03a441e7593b1d503b72f712045680ded1b9714e8e62d768c5
-
C:\Users\Admin\AppData\Local\Temp\content\_package\client\c1078262835_0.pkg.tempFilesize
36.4MB
MD5974f75257c85ee522e33425109b3b0f0
SHA1e8bb365a675d88230cd541e2d2d8c72de7f3f558
SHA25611024cc14cafff99d55c07417856b36bb4ec7e1e15e562126eab565d68abf05d
SHA512512039b035880dcee7f28f1a6c0add488ce401a5b57f521aaaec62ae9f9a60e5fb2c57eb3ef7aa3176b9c4ce9dbb189590dad9de1dee1574b8f141a23d95776f
-
C:\Users\Admin\AppData\Local\Temp\content\_package\client\c1078262835_0.pkg.temp.tempFilesize
36.4MB
MD55050c4a04bd6290d99350dfe603c481b
SHA108f1f70bedcf8837152cf106b1c31f1c3b01130e
SHA25654527e098f701b381220bd1b899531550ff80252c6d6ed0b6ae28f53e059fb12
SHA5122622ae9382608b65d7a8b77a9895be0467374dcd65a1fd8b164649bbbf54b0bc664883cc52c3f88eb42d580f2cb32d6bbf70f75ffcad456b4ea6ca817104c0bc
-
C:\Users\Admin\AppData\Local\Temp\content\_package\client\c1078262835_0.pkg.temp.temp2Filesize
36.5MB
MD53a4303e20a41c61900ccb13b0e5666ed
SHA14dfbb53e595b5dac2eb88fb1c5fc328f5639c51a
SHA2567268c1ee8aafd51e5ead6202f1df52d8dff202a41324d080856602d070d50e3b
SHA5128475691c187b21615790a4dc75e416e87e0ad27c3fb0935c503b98fe0b6703e87f9c6d55a365fe2d3d5f5961de0f795e4f8a8236b4c714621c68dfc0985c4f68
-
C:\Users\Admin\AppData\Local\Temp\content\_package\client\c1078262835_0.pkg.temp.temp2Filesize
36.5MB
MD53a4303e20a41c61900ccb13b0e5666ed
SHA14dfbb53e595b5dac2eb88fb1c5fc328f5639c51a
SHA2567268c1ee8aafd51e5ead6202f1df52d8dff202a41324d080856602d070d50e3b
SHA5128475691c187b21615790a4dc75e416e87e0ad27c3fb0935c503b98fe0b6703e87f9c6d55a365fe2d3d5f5961de0f795e4f8a8236b4c714621c68dfc0985c4f68
-
C:\Users\Admin\AppData\Local\Temp\content\_package\client\c2188128971_0.pkg.tempFilesize
60.1MB
MD5f5c2a41244e0d1b12334ab048e4a362a
SHA14b31e8c77c29029b69ccc213d8f96940b6d56e16
SHA256ae4e4607e6de0bf430c6f05fa1e287b1fe0acccab09a47d0a5cc13c0165d3801
SHA51259ee2ea550ced8e841d185571066f42c70451531154bfceb6e187f631e2cdcea1ca91d9c9b52ceb6520046cdb080f861cfe0896c553efb279d5d0e3028b3b813
-
C:\Users\Admin\AppData\Local\Temp\content\_package\client\c2188128971_0.pkg.temp.tempFilesize
60.1MB
MD53192f50174c0776395a609ffffda89a4
SHA18dcdf2236c1d36d24ad14cabb9aa57fa28abd74a
SHA256308c769d1ac34e89fc63b4570e5b9d79cb7df9c03ca5d2927a13d7732c4db505
SHA5128a00c72b01dbc5901f346448699b9f237838306ee43b8132d772607b38748a3950c8f50c35ceaa40a6e55b8dd95a7ccc20a7a7d79a4f25d8d011edb27cc205a4
-
C:\Users\Admin\AppData\Local\Temp\dllXYVodSDK.dllFilesize
2.3MB
MD57fd674ef58a1fb9fa3cbbd9388e35c04
SHA1ebbcc994532402f5875749caa83347a70dae606f
SHA256d9889aca7b2adabb1ced48b865b311bb93e1f3a2fbae38508dc2469513240dc6
SHA5120c6f95aaba155367767290c223008b0d1866912cedecd4041fd07deb357b6fca81d8a8bcf238adc7d4da99209a9c566cf2f60be86a95536a4308241931c62808
-
C:\Users\Admin\AppData\Local\Temp\game_launcher_log.otherFilesize
17KB
MD5a7570130edd11b0b85e014bdf71f5921
SHA11f09a8a3befe325aaf4c158ce2f92f9e9782139d
SHA256b5a4c9e02cc50f7ab9684039170dd57bae20d27427101e4bad6760ffae419381
SHA51219120da68e621a15b6f405b29c8e0908f46f64b9c27043aa56fb56f3b20c7462be0a0365c30450ec327d9aae1531cba1527fa934077d640f1feafcc85fbbec1e
-
C:\Users\Admin\AppData\Local\Temp\handle64.exeFilesize
591KB
MD5490abbb59c47d7cd17880b7ded85828a
SHA134d093c70f18d1ac7d27bb207bf64501afff5c0d
SHA25660896bb064332ebdb70f28f5c58e4b62d5ca454f89c23174115ab8768ebd54f4
SHA512048e5ebb82d418f97462e0598b80b9d1fe06e9f8dc758252bf1158b8b0921b1cf17bc81c8e06278b88fce8f88e60b1fd61ed8d986635bb2d3404b98c74e47ac7
-
C:\Users\Admin\AppData\Local\Temp\handle64.exeFilesize
591KB
MD5490abbb59c47d7cd17880b7ded85828a
SHA134d093c70f18d1ac7d27bb207bf64501afff5c0d
SHA25660896bb064332ebdb70f28f5c58e4b62d5ca454f89c23174115ab8768ebd54f4
SHA512048e5ebb82d418f97462e0598b80b9d1fe06e9f8dc758252bf1158b8b0921b1cf17bc81c8e06278b88fce8f88e60b1fd61ed8d986635bb2d3404b98c74e47ac7
-
C:\Users\Admin\AppData\Local\Temp\patch\5050c4a04bd6290d99350dfe603c481bto3a4303e20a41c61900ccb13b0e5666ed.patch11Filesize
94KB
MD5fa4256c69f6e84bbb0905ccf9c7ffebe
SHA1580d7c3c9b08ad44db4d04d10100e1c7507c15e9
SHA256c5eca19de1d2ff0dc0799abaef4e53e888385d1f8578d2bd048a67b6301b1ba7
SHA5124eed842ff5b7dbdc5630ee851d5b6ff4aa74152dd05c146aed1d334d01e6f29bc7cbebdd162e7633ceeb900084eb582f5895166f49fcd04e653848949114f0bb
-
C:\Users\Admin\AppData\Local\Temp\patch\974f75257c85ee522e33425109b3b0f0to5050c4a04bd6290d99350dfe603c481b.patch11Filesize
376B
MD5e8be4c28db6a2f3fc6d484c32ab52901
SHA14c3abaa82da0f26e80ccbc75e60cb8dd1cae5df7
SHA256714e774ccbe300b1b87eefffa4b343748ade08b344a406fe9a3f7ef7529b21d0
SHA5122883c7846d160982d048cc21ebdbde923756139ad243d825ed0382cc58b7529721107a4fd1194cc99513df940e131243f5e43faf7e603c84add5f5e540df7818
-
C:\Users\Admin\AppData\Local\Temp\patch\f5c2a41244e0d1b12334ab048e4a362ato3192f50174c0776395a609ffffda89a4.patch11Filesize
78KB
MD5db8d1e01ef6f3400e53bf94b6035c77e
SHA11195741ec366b36d00f94dc4a285e2920ec72795
SHA2568567b5f34905d236ec5b0e010e8df3463e27448485a2baea4e97ea0c956084a1
SHA512252904dcf0cad670c08c914fe236ad40f817e14ba52803aafc0aa7f638307fa59183f6b246505ff88bd31b20570ebe01c0c07f426e83b7daed32486b7da727a4
-
C:\Users\Admin\AppData\Local\Temp\xdelta3.0.11.exeFilesize
602KB
MD57ac21750e2032e5aeb681ac88460bdce
SHA18b2998807124137ba24b6df41dd6f1137a8b9e6e
SHA256d81f59b2fe5e8589c0ee9782e231c805084f4d23dfade413903a4cad63b4e342
SHA512bf377d88375495cdf31e5c90c1d89a337a66c7e64cfcd588c7e412af0411e3b784d143fee6a25229df1188dfd5cbe8bec43702b5076f4020f2ef83dca7480d35
-
C:\Users\Admin\AppData\Local\Temp\xdelta3.0.11.exeFilesize
602KB
MD57ac21750e2032e5aeb681ac88460bdce
SHA18b2998807124137ba24b6df41dd6f1137a8b9e6e
SHA256d81f59b2fe5e8589c0ee9782e231c805084f4d23dfade413903a4cad63b4e342
SHA512bf377d88375495cdf31e5c90c1d89a337a66c7e64cfcd588c7e412af0411e3b784d143fee6a25229df1188dfd5cbe8bec43702b5076f4020f2ef83dca7480d35
-
C:\Users\Admin\AppData\Local\Temp\xdelta3.0.11.exeFilesize
602KB
MD57ac21750e2032e5aeb681ac88460bdce
SHA18b2998807124137ba24b6df41dd6f1137a8b9e6e
SHA256d81f59b2fe5e8589c0ee9782e231c805084f4d23dfade413903a4cad63b4e342
SHA512bf377d88375495cdf31e5c90c1d89a337a66c7e64cfcd588c7e412af0411e3b784d143fee6a25229df1188dfd5cbe8bec43702b5076f4020f2ef83dca7480d35
-
C:\Users\Admin\AppData\Local\Temp\xdelta3.0.11.exeFilesize
602KB
MD57ac21750e2032e5aeb681ac88460bdce
SHA18b2998807124137ba24b6df41dd6f1137a8b9e6e
SHA256d81f59b2fe5e8589c0ee9782e231c805084f4d23dfade413903a4cad63b4e342
SHA512bf377d88375495cdf31e5c90c1d89a337a66c7e64cfcd588c7e412af0411e3b784d143fee6a25229df1188dfd5cbe8bec43702b5076f4020f2ef83dca7480d35
-
memory/1476-22-0x000000001FE80000-0x000000001FEB8000-memory.dmpFilesize
224KB
-
memory/1476-18-0x00007FFAD20E0000-0x00007FFAD2BA1000-memory.dmpFilesize
10.8MB
-
memory/1476-16-0x00000000006A0000-0x00000000006B8000-memory.dmpFilesize
96KB
-
memory/1476-19-0x000000001C340000-0x000000001C350000-memory.dmpFilesize
64KB
-
memory/1476-23-0x000000001FE50000-0x000000001FE5E000-memory.dmpFilesize
56KB
-
memory/1476-21-0x000000001C340000-0x000000001C350000-memory.dmpFilesize
64KB
-
memory/1476-20-0x000000001C340000-0x000000001C350000-memory.dmpFilesize
64KB
-
memory/1476-41-0x00007FFAD20E0000-0x00007FFAD2BA1000-memory.dmpFilesize
10.8MB
-
memory/1612-147-0x0000000000400000-0x0000000000497000-memory.dmpFilesize
604KB
-
memory/2444-58-0x0000000001860000-0x0000000001870000-memory.dmpFilesize
64KB
-
memory/2444-57-0x0000000001860000-0x0000000001870000-memory.dmpFilesize
64KB
-
memory/2444-71-0x0000000001860000-0x0000000001870000-memory.dmpFilesize
64KB
-
memory/2444-72-0x0000000001860000-0x0000000001870000-memory.dmpFilesize
64KB
-
memory/2444-74-0x00007FFAD20E0000-0x00007FFAD2BA1000-memory.dmpFilesize
10.8MB
-
memory/2444-75-0x0000000001860000-0x0000000001870000-memory.dmpFilesize
64KB
-
memory/2444-76-0x0000000001860000-0x0000000001870000-memory.dmpFilesize
64KB
-
memory/2444-77-0x0000000001860000-0x0000000001870000-memory.dmpFilesize
64KB
-
memory/2444-78-0x0000000001860000-0x0000000001870000-memory.dmpFilesize
64KB
-
memory/2444-79-0x0000000001860000-0x0000000001870000-memory.dmpFilesize
64KB
-
memory/2444-80-0x0000000001860000-0x0000000001870000-memory.dmpFilesize
64KB
-
memory/2444-81-0x0000000001860000-0x0000000001870000-memory.dmpFilesize
64KB
-
memory/2444-67-0x000000001D310000-0x000000001D318000-memory.dmpFilesize
32KB
-
memory/2444-66-0x000000001D320000-0x000000001D328000-memory.dmpFilesize
32KB
-
memory/2444-40-0x00000000005F0000-0x000000000107C000-memory.dmpFilesize
10.5MB
-
memory/2444-68-0x0000000001860000-0x0000000001870000-memory.dmpFilesize
64KB
-
memory/2444-42-0x0000000001860000-0x0000000001870000-memory.dmpFilesize
64KB
-
memory/2444-39-0x00007FFAD20E0000-0x00007FFAD2BA1000-memory.dmpFilesize
10.8MB
-
memory/2444-56-0x0000000001860000-0x0000000001870000-memory.dmpFilesize
64KB
-
memory/2444-55-0x000000001E430000-0x000000001E46C000-memory.dmpFilesize
240KB
-
memory/2444-54-0x000000001D090000-0x000000001D0A2000-memory.dmpFilesize
72KB
-
memory/2444-51-0x0000000003120000-0x0000000003144000-memory.dmpFilesize
144KB
-
memory/2444-52-0x0000000003190000-0x0000000003198000-memory.dmpFilesize
32KB
-
memory/3372-17-0x00007FFAD20E0000-0x00007FFAD2BA1000-memory.dmpFilesize
10.8MB
-
memory/3372-2-0x000000001B000000-0x000000001B010000-memory.dmpFilesize
64KB
-
memory/3372-0-0x00000000002C0000-0x0000000000380000-memory.dmpFilesize
768KB
-
memory/3372-1-0x00007FFAD20E0000-0x00007FFAD2BA1000-memory.dmpFilesize
10.8MB
-
memory/4220-167-0x0000000000400000-0x0000000000497000-memory.dmpFilesize
604KB
-
memory/4736-137-0x0000000000400000-0x0000000000497000-memory.dmpFilesize
604KB