00695fca44bfff4a2f3ca7baee45420721dd284371daa66b075fa1415cfda1d3

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 23:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

GTA_Launcher.exe
Size

130.7MB
MD5

c07cf9bedcdc482cb46374abefcda862
SHA1

9d4f1515174afa0d61d656047fbc0824415db85e
SHA256

00695fca44bfff4a2f3ca7baee45420721dd284371daa66b075fa1415cfda1d3
SHA512

a5eac22592a2cc3e92d51a11d8968de85682fa2e055ea86dfb063e0e27db34cfabec81b201aca18c412661fe1bcecc7945a42d02b9804b52c1357e84c601ab58
SSDEEP

3145728:BU9X9UYPhAW4EPBf/PZtPzDDf/9VFDe0/0:el9UaAW4EJf/fzDJTDe0c

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	GTA_Launcher.exe
File opened (read-only)	\??\J:	GTA_Launcher.exe
File opened (read-only)	\??\K:	GTA_Launcher.exe
File opened (read-only)	\??\M:	GTA_Launcher.exe
File opened (read-only)	\??\X:	GTA_Launcher.exe
File opened (read-only)	\??\Y:	GTA_Launcher.exe
File opened (read-only)	\??\A:	GTA_Launcher.exe
File opened (read-only)	\??\G:	GTA_Launcher.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	GTA_Launcher.exe
File opened (read-only)	\??\W:	GTA_Launcher.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	GTA_Launcher.exe
File opened (read-only)	\??\P:	GTA_Launcher.exe
File opened (read-only)	\??\R:	GTA_Launcher.exe
File opened (read-only)	\??\Z:	GTA_Launcher.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	GTA_Launcher.exe
File opened (read-only)	\??\Q:	GTA_Launcher.exe
File opened (read-only)	\??\V:	GTA_Launcher.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	GTA_Launcher.exe
File opened (read-only)	\??\L:	GTA_Launcher.exe
File opened (read-only)	\??\S:	GTA_Launcher.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	GTA_Launcher.exe
File opened (read-only)	\??\O:	GTA_Launcher.exe
File opened (read-only)	\??\T:	GTA_Launcher.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Loads dropped DLL 4 IoCs

pid	Process
1816	MsiExec.exe
1816	MsiExec.exe
1816	MsiExec.exe
1816	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 7 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	GTA_Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	GTA_Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	GTA_Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	GTA_Launcher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	GTA_Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	GTA_Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	GTA_Launcher.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeSecurityPrivilege	2964	msiexec.exe
Token: SeCreateTokenPrivilege	2488	GTA_Launcher.exe
Token: SeAssignPrimaryTokenPrivilege	2488	GTA_Launcher.exe
Token: SeLockMemoryPrivilege	2488	GTA_Launcher.exe
Token: SeIncreaseQuotaPrivilege	2488	GTA_Launcher.exe
Token: SeMachineAccountPrivilege	2488	GTA_Launcher.exe
Token: SeTcbPrivilege	2488	GTA_Launcher.exe
Token: SeSecurityPrivilege	2488	GTA_Launcher.exe
Token: SeTakeOwnershipPrivilege	2488	GTA_Launcher.exe
Token: SeLoadDriverPrivilege	2488	GTA_Launcher.exe
Token: SeSystemProfilePrivilege	2488	GTA_Launcher.exe
Token: SeSystemtimePrivilege	2488	GTA_Launcher.exe
Token: SeProfSingleProcessPrivilege	2488	GTA_Launcher.exe
Token: SeIncBasePriorityPrivilege	2488	GTA_Launcher.exe
Token: SeCreatePagefilePrivilege	2488	GTA_Launcher.exe
Token: SeCreatePermanentPrivilege	2488	GTA_Launcher.exe
Token: SeBackupPrivilege	2488	GTA_Launcher.exe
Token: SeRestorePrivilege	2488	GTA_Launcher.exe
Token: SeShutdownPrivilege	2488	GTA_Launcher.exe
Token: SeDebugPrivilege	2488	GTA_Launcher.exe
Token: SeAuditPrivilege	2488	GTA_Launcher.exe
Token: SeSystemEnvironmentPrivilege	2488	GTA_Launcher.exe
Token: SeChangeNotifyPrivilege	2488	GTA_Launcher.exe
Token: SeRemoteShutdownPrivilege	2488	GTA_Launcher.exe
Token: SeUndockPrivilege	2488	GTA_Launcher.exe
Token: SeSyncAgentPrivilege	2488	GTA_Launcher.exe
Token: SeEnableDelegationPrivilege	2488	GTA_Launcher.exe
Token: SeManageVolumePrivilege	2488	GTA_Launcher.exe
Token: SeImpersonatePrivilege	2488	GTA_Launcher.exe
Token: SeCreateGlobalPrivilege	2488	GTA_Launcher.exe
Token: SeCreateTokenPrivilege	2488	GTA_Launcher.exe
Token: SeAssignPrimaryTokenPrivilege	2488	GTA_Launcher.exe
Token: SeLockMemoryPrivilege	2488	GTA_Launcher.exe
Token: SeIncreaseQuotaPrivilege	2488	GTA_Launcher.exe
Token: SeMachineAccountPrivilege	2488	GTA_Launcher.exe
Token: SeTcbPrivilege	2488	GTA_Launcher.exe
Token: SeSecurityPrivilege	2488	GTA_Launcher.exe
Token: SeTakeOwnershipPrivilege	2488	GTA_Launcher.exe
Token: SeLoadDriverPrivilege	2488	GTA_Launcher.exe
Token: SeSystemProfilePrivilege	2488	GTA_Launcher.exe
Token: SeSystemtimePrivilege	2488	GTA_Launcher.exe
Token: SeProfSingleProcessPrivilege	2488	GTA_Launcher.exe
Token: SeIncBasePriorityPrivilege	2488	GTA_Launcher.exe
Token: SeCreatePagefilePrivilege	2488	GTA_Launcher.exe
Token: SeCreatePermanentPrivilege	2488	GTA_Launcher.exe
Token: SeBackupPrivilege	2488	GTA_Launcher.exe
Token: SeRestorePrivilege	2488	GTA_Launcher.exe
Token: SeShutdownPrivilege	2488	GTA_Launcher.exe
Token: SeDebugPrivilege	2488	GTA_Launcher.exe
Token: SeAuditPrivilege	2488	GTA_Launcher.exe
Token: SeSystemEnvironmentPrivilege	2488	GTA_Launcher.exe
Token: SeChangeNotifyPrivilege	2488	GTA_Launcher.exe
Token: SeRemoteShutdownPrivilege	2488	GTA_Launcher.exe
Token: SeUndockPrivilege	2488	GTA_Launcher.exe
Token: SeSyncAgentPrivilege	2488	GTA_Launcher.exe
Token: SeEnableDelegationPrivilege	2488	GTA_Launcher.exe
Token: SeManageVolumePrivilege	2488	GTA_Launcher.exe
Token: SeImpersonatePrivilege	2488	GTA_Launcher.exe
Token: SeCreateGlobalPrivilege	2488	GTA_Launcher.exe
Token: SeCreateTokenPrivilege	2488	GTA_Launcher.exe
Token: SeAssignPrimaryTokenPrivilege	2488	GTA_Launcher.exe
Token: SeLockMemoryPrivilege	2488	GTA_Launcher.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2488	GTA_Launcher.exe
2488	GTA_Launcher.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 1816	2964	msiexec.exe	29
PID 2964 wrote to memory of 1816	2964	msiexec.exe	29
PID 2964 wrote to memory of 1816	2964	msiexec.exe	29
PID 2964 wrote to memory of 1816	2964	msiexec.exe	29
PID 2964 wrote to memory of 1816	2964	msiexec.exe	29
PID 2964 wrote to memory of 1816	2964	msiexec.exe	29
PID 2964 wrote to memory of 1816	2964	msiexec.exe	29

C:\Users\Admin\AppData\Local\Temp\GTA_Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\GTA_Launcher.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2488

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DBC9F55EC153DBD0FC33C4A524F3C0D7 C
  2⤵
  - Loads dropped DLL
  PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2488\aicustact.dll

Filesize
54KB

MD5
9f98133d59cf49d7a0fa498fa49c3268

SHA1
4794dd7ad4bc544fc2d074d8afc1b1109187311a

SHA256
6dda2f7f61cb143e18891f2085f5e4f00bf5d913a09b7ce1e51636c1eb4a9d32

SHA512
c079d7c76d2b2217db12689e3bf8831298d2f6479067012749a16fd30230070e7e2a491b36a51fcccafd51676c58ccd71dac23181f56ddf59c5ab757df27259c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2488\frame_bottom_left.bmp

Filesize
66B

MD5
1fb3755fe9676fca35b8d3c6a8e80b45

SHA1
7c60375472c2757650afbe045c1c97059ca66884

SHA256
384ebd5800becadf3bd9014686e6cc09344f75ce426e966d788eb5473b28aa21

SHA512
dee9db50320a27de65581c20d9e6cf429921ebee9d4e1190c044cc6063d217ca89f5667dc0d93faf7dcc2d931fe4e85c025c6f71c1651cbd2d12a43f915932c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2488\frame_bottom_left_inactive.bmp

Filesize
66B

MD5
821930553ef406b0c82d9420d3351c78

SHA1
8511c65f0048f8f30797a13b3d7d8264c314cbd4

SHA256
d5e9f3533cb7d727611aafaa5af22fa07efeaec0391a011ecf9803bed867de7a

SHA512
9d55bb01e40bb411321e60fbb1e60748a7243392456030d81f853448af0af75e27ef87455ad1eebf96af754e803aabd1a82f0653deda52832769f5b74171d9cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2488\frame_bottom_mid.bmp

Filesize
66B

MD5
71fa2730c42ae45c8b373053cc504731

SHA1
ef523fc56f6566fbc41c7d51d29943e6be976d5e

SHA256
205209facdebf400319dbcb1020f0545d7564b9415c47497528593e344795afd

SHA512
ea4415619720cc1d9fb1bb89a14903bfd1471b89f9c4847df4839084aae573d49b4969d3799ad30ff25b71f6e31f8d9f30701e1240d3cd6a063819c04873f21f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2488\frame_caption.bmp

Filesize
206B

MD5
8641f45594b8d413bf1da25ce59f1207

SHA1
afebb23f5a55d304d028ca9942526b3649cddb52

SHA256
0403ed31d75dcc182dd98f2b603da4c36b6325e9d159cac4371e1448244bb707

SHA512
86a5f959f8462f866466dc706d3ae627b1fb019b8a33ee7fe48e3b69f92bf33dc0f1417c0d5116552b25b488bcb5d9050a33773e6883ebe08410267d95b2353a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2488\frame_left.bmp

Filesize
66B

MD5
30384472ae83ff8a7336b987292d8349

SHA1
85d3e6cffe47f5a0a4e1a87ac9da729537783cd0

SHA256
f545ec56bc9b690a6b952471669a8316e18274d64e2ebc9e365fcf44363a125a

SHA512
7611f930a0a1089cc5004203ec128c916f0c2aedae3a6fcc2eaffa8cd004dcbf154714e401947921a06896ca77c77daec7f9bda82369aacd3bb666f8a0331963

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2488\frame_left_inactive.bmp

Filesize
66B

MD5
4b84f29fbce81aab5af97a311d0e51e2

SHA1
60723cf4b91c139661db5ecb0964deca1fc196ea

SHA256
c93be5a7c979c534274fc1a965d26c126efa5d58c14066b14937e5aba3b9eb55

SHA512
775eadccc44fddbd1e0d4231bc90d222f0a9749199e1963449ad20285ea92941a5685cdc12c0cd8c0ef0a21e10bdacaf139e5c69cd5e402cc110679323c23df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2488\frame_top_left.bmp

Filesize
154B

MD5
1966f4308086a013b8837dddf88f67ad

SHA1
1b66c1b1ad519cad2a273e2e5b2cfd77b8e3a190

SHA256
17b5cd496d98db14e7c9757e38892883c7b378407e1f136889a9921abe040741

SHA512
ec50f92b77bca5117a9a262ba1951e37d6139b838099e1546ab2716c7bafb0fc542ce7f1993a19591c832384df01b722d87bb5a6a010091fc880de6e5cfa6c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2488\frame_top_mid.bmp

Filesize
66B

MD5
4e0ac65606b6aacd85e11c470ceb4e54

SHA1
3f321e3bbde641b7733b806b9ef262243fb8af3b

SHA256
1d59fe11b3f1951c104f279c1338fc307940268971d016ebe929a9998a5038ee

SHA512
7b28bcb4e76af3b863a7c3390b6cd3316c4631434e1d1e2df8d6e0eb9987a61a4f1a24de59567394e346d45e332403a0817ed0b0b64d7a624dbe48e30db9bb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2488\sys_close_down.png

Filesize
273B

MD5
f6a5e71e9cbe8d3654a2cdf91aae98fa

SHA1
8871a1ae25cff6c5a3e6288a58fc5f4d7a92409d

SHA256
4801d63bd9bdc6279765ba785b0da9e10730764a9c3645934a46c691547c0612

SHA512
1b3146dfdef9c46123f27fa355790036f296d600bb10fbad12363c71c8e3a840863512f4a581daa18ffabb3ec5a3720a6337c4bac54be8b9b49d161b9459a1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2488\sys_close_hot.png

Filesize
276B

MD5
17242d201d004bb34449aab0428d2df1

SHA1
77a332c6a6c4bfc47a2120203cfeabb8a2268a6b

SHA256
15405855866fa2b7c60afbc8ba720aae8f2ba7fb60bfa641dc9d10361e56f033

SHA512
605a97e2614c664417d53263be21c67b1504a46ee61b92b0a84ac18a7baab05eb56b72d4cf27372ae6c157928080ba16e24081e95458eb122ba18f3722c2d21f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2488\sys_close_normal.png

Filesize
225B

MD5
8ba33e929eb0c016036968b6f137c5fa

SHA1
b563d786bddd6f1c30924da25b71891696346e15

SHA256
bbcac1632131b21d40c80ff9e14156d36366d2e7bb05eed584e9d448497152d5

SHA512
ba3a70757bd0db308e689a56e2f359c4356c5a7dd9e2831f4162ea04381d4bbdbef6335d97a2c55f588c7172e1c2ebf7a3bd481d30871f05e61eea17246a958e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2488\sys_min_down.png

Filesize
205B

MD5
5e947815d865acf099fa753283e09179

SHA1
7d98046d20a73439c53044e0ebb5f0b34afaeea9

SHA256
c1d0663131fe901d890cdd9f18af8f9a553bee4848cbd978f5122e8383b5534b

SHA512
b22e31c37d84128b271c5e5a70fdce90a3bbc02059d1bd032841b3383dbeeca56ec9abe6335453abc8ded1de84e6fcafb648d76d4dcc79246339e9a5eb6d5270

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2488\sys_min_hot.png

Filesize
180B

MD5
1a883668b735248518bfc4eefd248113

SHA1
1112803a0558a1ad049d1cac6b8a9d626b582606

SHA256
bcbb601daa5a139419f3cd0f6084615574c41b837426ebff561b7846dfec038e

SHA512
d321878ed517544c815fd0236bdff6fcb6da5c5c3658338afba646f1d8f2e246c6c880d4f592ff574a18f9efdf160e5772bbf876fb207c8fd25c1f9dd9ddfd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2488\sys_min_inactive.png

Filesize
175B

MD5
a2c4802002bb61994faabda60334a695

SHA1
0a2b6b0ceb09425080c5ba4b9cbdef533cf69eba

SHA256
a3b59dbc5a39d551455ff838e71b5820560ca3484c6411b9d69df33d8113619c

SHA512
34e130edc650c3de6020f2d2b5dc1404b7aee0105eb7e315c15c5aa61398d174377e9b6a2aecc55f79f54c04812b8745c6739a201539e291538979e6b024da31

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2488\sys_min_normal.png

Filesize
238B

MD5
516172d0ebf941237cef32fcee8cdf43

SHA1
6bee117996c16c7413be876dfc15978d14813091

SHA256
56e64eaf6349ece08005e6f7299de413ed00112d53518215d90690be2b2a4f1a

SHA512
46477a58aa7e9eeae29e1c1d826bf045422709b7c8f428985c617b366012c58121d4404523a75efe77fc6d8e061a6bb209743d0a2af81545898f51c8855728ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1EC9.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI279D.tmp

Filesize
179KB

MD5
d763a0273836ea2250d6e26b8526a013

SHA1
9f32ffaeb4d1c633e53d137495825d71d2da089e

SHA256
a40f4de6e987d3d611e1424c79130e39ebdae472e9ca337619446593ce659058

SHA512
23e221885bfaef22b295686bb69816a1a72f537117f4349101be281768facf186df7b16cb130984db80e8c8cf2dfb2bd649d92b76e8732d77ef1e98f2f48e9d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2869.tmp

Filesize
65KB

MD5
81424b45630b2648b3ddcd3b3b03cdd8

SHA1
6f6a4c60ba17241ed9dc0d1e4ae3eb496fc416eb

SHA256
454fd28d1da4a4b53a10fa7b7cb64897267d82ab72f55c8c63f27033a857120b

SHA512
cedb7bd7ae3a8235eb7aa29ae77c8b08be70d97afc87e5613018f57c87dffecc699e7c8c0753f3b809355a53c97b101a64266bb07a437909442ff0e3ff455424

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI28E7.tmp

Filesize
82KB

MD5
8905d830bce9e540124b2085232f64ac

SHA1
78acd37b93b0c3ab879ad45903655a6cc0c99176

SHA256
9fb50294fb0923c3339489a4288809567ab1c276fb91c9a1441dde31119f5570

SHA512
5f6d81add62348c2beaa90befbaa7496d3df85466c93cf92f322669ac2252e9c7c58bc2eb0d087a18c4c05330b1c6f903e578221f9a09722fd69b54d305b0e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI29F1.tmp

Filesize
88KB

MD5
6972dcfcf6298b046aa13001c655a674

SHA1
0091aacea74684f3864d2ea678294c81a7296596

SHA256
8b5978f11e6cbdc32424d3da61fd63fd29a8dbaa6be28966be48ccc69815d8f6

SHA512
0f078565fdf3ff5627f751a9f911d05d8ef45ee531dfa918e51bc46fc26f785bd7f7089de887a9e10fc0d3365c0da9d24d09692a2cbdd694b84ea96216ca501c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1ECC.tmp

Filesize
92KB

MD5
71e4ce8b3a1b89f335a6936bbdafce4c

SHA1
6e0d450eb5f316a9924b3e58445b26bfb727001e

SHA256
a5edfae1527d0c8d9fe5e7a2c5c21b671e61f9981f3bcf9e8cc9f9bb9f3b44c5

SHA512
b80af88699330e1ff01e409daabdedeef350fe7d192724dfa8622afa71e132076144175f6e097f8136f1bba44c7cb30cfdd0414dbe4e0a4712b3bad7b70aeff7

Download Submit
C:\Users\Admin\AppData\Roaming\GTA DAY\Launcher GTA V 1.0.0\install\GTA DAY.msi

Filesize
132KB

MD5
62b0663b4b3d03a1fd7b4cbc20cc5d23

SHA1
8d714ade0c3c66fe1da95ef4b1c00571827d9577

SHA256
c4c5647be3b2cb00e63bb17512330a99b3f59a60f8b2efd5c3393b263a7a8e6e

SHA512
79bec8993b98bb3bfd19188f8d95a7b88824e6a56bf3cb52fed4e9fdb911c9a0b8a2ecea140bd773f394ecd1b06283673376baa8baecf14ff5183c4446c0c6ad

Download Submit
\Users\Admin\AppData\Local\Temp\MSI279D.tmp

Filesize
90KB

MD5
9b8fb52404d36abebbb0fb5f65ba4562

SHA1
97c7d2c792430740500c0c895dae2c5036411b08

SHA256
c5f7a078728fd75c3b9499ba4b12e0c82d4e4189e4a3700a4823cef67ecfec66

SHA512
aac9ee0cd743648c8b2fa2ac859c77b27e63ea8ab3a33b23b1e07a7fb3281701f025a2fec2ce7ab2e0350fe644446e6618cc78f2e57fc4d0132d318ec893567e

Download Submit
\Users\Admin\AppData\Local\Temp\MSI2869.tmp

Filesize
70KB

MD5
79ecdd14d512040d97458b0c25ca7136

SHA1
8249dffcdaabb2a0bc424fbe4dd4581240ff7737

SHA256
ea2d69dda2eab8a9342c01cc01b3e005ada3a4ee5e4bfb673cf825b32c4c4d48

SHA512
b76620d02a16b6f0a4ade356272da0dafbe54bac40e786dd378991644a45d17617703298a9f38ac53739fe6d17fa849a7a98236dcf0ad4b96e62b39e6646e86f

Download Submit
\Users\Admin\AppData\Local\Temp\MSI28E7.tmp

Filesize
93KB

MD5
6af33113c732a0a413b076d607b91ef7

SHA1
a0024f76140b5ae6f03aa7af0d6fad33e9c260e1

SHA256
5f0252345fbd6c1d05ba987b75886f9b095f76e472aed1b0baf055f5ed00d163

SHA512
22c7f6e7e0731f0afe7544d948a61cf3ba72dbc5f12e15ba890c11c517f8b8e364575dce9184d13e2563997543ccc038a6bae5864b24e12767bf8bb1e6263b78

Download Submit
\Users\Admin\AppData\Local\Temp\MSI29F1.tmp

Filesize
55KB

MD5
260dcea61942a59434c6a850cbe734ee

SHA1
83c6c51ca1db8a37e71871847e73258e542c7b87

SHA256
ebca4bd8e44d2c8ebdae335835fc8d875fa9ac8b4cb2099af8313c7da7853a6c

SHA512
c2bf13343d1046af4360cfbe557a7644001f7e9ac6463bbdc256c06dfd7005a72484bd837725c849649409aade32f9a7a6165cc56182a25edb5268e8c63403d8

Download Submit