Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-1703_x64
resource: win10-20231129-en
resource tags: arch:x64, arch:x86, image:win10-20231129-en, locale:en-us, os:windows10-1703-x64, system
submitted: 11-12-2023 04:21

Static task: static1
Behavioral task: behavioral1
Sample: c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.exe
Resource: win10-20231129-en
General

Target: c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.exe
Size: 6.9MB
MD5: 3febf5a2e794480d8b66141e9e505aca
SHA1: a512e3134cb1b71442dde4e3fff3351011e613af
SHA256: c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050
SHA512: c12e5ea6087563c43e8cf4c17b6d5abbfc2d743c6a6238810fa1ab39e676635f3d634978282b503f149d314c15101a2dc4892b154fd322410902ad5fe22b803c
SSDEEP: 196608:5Snj/mmV+GsH+bNueuJRAZVAOk5Vvz+tqE9AmEkzj:5SjumV+jHUodIjk5VzfE9Awzj
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
pid  | Process
1512 | c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.tmp
660  | crtgame.exe
1584 | crtgame.exe
Loads dropped DLL (3 IoCs)
pid  | Process
1512 | c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.tmp
1512 | c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.tmp
1512 | c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.tmp
Unexpected DNS network traffic destination (1 IoC)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
description    | ioc
Destination IP | 141.98.234.31
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
Drops file in Program Files directory (63 IoCs)
Runs net.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid  | Process
1512 | c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.tmp
Suspicious use of WriteProcessMemory (18 IoCs)
description                      | pid  | Process                                                              | procid_target
PID 4048 wrote to memory of 1512 | 4048 | c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.exe | 15
PID 4048 wrote to memory of 1512 | 4048 | c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.exe | 15
PID 4048 wrote to memory of 1512 | 4048 | c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.exe | 15
PID 1512 wrote to memory of 1192 | 1512 | c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.tmp | 39
PID 1512 wrote to memory of 1192 | 1512 | c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.tmp | 39
PID 1512 wrote to memory of 1192 | 1512 | c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.tmp | 39
PID 1512 wrote to memory of 660  | 1512 | c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.tmp | 33
PID 1512 wrote to memory of 660  | 1512 | c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.tmp | 33
PID 1512 wrote to memory of 660  | 1512 | c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.tmp | 33
PID 1512 wrote to memory of 812  | 1512 | c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.tmp | 37
PID 1512 wrote to memory of 812  | 1512 | c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.tmp | 37
PID 1512 wrote to memory of 812  | 1512 | c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.tmp | 37
PID 1512 wrote to memory of 1584 | 1512 | c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.tmp | 36
PID 1512 wrote to memory of 1584 | 1512 | c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.tmp | 36
PID 1512 wrote to memory of 1584 | 1512 | c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.tmp | 36
PID 812 wrote to memory of 4600  | 812  | net.exe                                                              | 35
PID 812 wrote to memory of 4600  | 812  | net.exe                                                              | 35
PID 812 wrote to memory of 4600  | 812  | net.exe                                                              | 35
Processes

[1] C:\Users\Admin\AppData\Local\Temp\c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.exe"
    PID: 4048
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\is-1E86B.tmp\c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-1E86B.tmp\c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.tmp" /SL5="$901C8,6998999,54272,C:\Users\Admin\AppData\Local\Temp\c5ed75f4bf46b741e1d58458e75cc4c6de36ee4aea4503b2dcd1fd846657c050.exe"
        PID: 1512
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Program Files directory
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files (x86)\CRTGame\crtgame.exe
            Command line: "C:\Program Files (x86)\CRTGame\crtgame.exe" -i
            PID: 660
            - Executes dropped EXE

        [3] C:\Program Files (x86)\CRTGame\crtgame.exe
            Command line: "C:\Program Files (x86)\CRTGame\crtgame.exe" -s
            PID: 1584
            - Executes dropped EXE

        [3] C:\Windows\SysWOW64\net.exe
            Command line: "C:\Windows\system32\net.exe" helpmsg 10
            PID: 812
            - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\system32\schtasks.exe" /Query
            PID: 1192

[1] C:\Windows\SysWOW64\net1.exe
    Command line: C:\Windows\system32\net1 helpmsg 10
    PID: 4600
Network
MITRE ATT&CK Enterprise v15
Downloads