08b1bf5eafe88ab23a8464040ab8ccc74636df964376860866e1c7edb3ea1425

Analysis

max time kernel
122s
max time network
135s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08887594d6ebb35e86253dfa3d997ad3.exe
Size

856KB
MD5

08887594d6ebb35e86253dfa3d997ad3
SHA1

42f5234c7186f5b0d5730e0acf39a93828ea31dd
SHA256

08b1bf5eafe88ab23a8464040ab8ccc74636df964376860866e1c7edb3ea1425
SHA512

9a0298568d3fa09f80070075900b042d1519f4267b3f958835bb8db39e1ccfe933a8fa120dc23827a93bcf02f22317af4f21bd2ae8f687c74c34fcf41c8ab309
SSDEEP

24576:Yutr5OUKy7t2GbHYzdKWua1wRAUS+7b8viA:YuXrNbHYzQWRwRAUSaIb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2144	GamePlayLabsInstaller.exe

Loads dropped DLL 10 IoCs

pid	Process
1848	08887594d6ebb35e86253dfa3d997ad3.exe
2144	GamePlayLabsInstaller.exe
2144	GamePlayLabsInstaller.exe
2144	GamePlayLabsInstaller.exe
2144	GamePlayLabsInstaller.exe
2144	GamePlayLabsInstaller.exe
2144	GamePlayLabsInstaller.exe
2144	GamePlayLabsInstaller.exe
2144	GamePlayLabsInstaller.exe
2144	GamePlayLabsInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x0009000000015018-8.dat	nsis_installer_1
behavioral1/files/0x0009000000015018-8.dat	nsis_installer_2
behavioral1/files/0x0009000000015018-7.dat	nsis_installer_1
behavioral1/files/0x0009000000015018-7.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2144	GamePlayLabsInstaller.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2144	1848	08887594d6ebb35e86253dfa3d997ad3.exe	18
PID 1848 wrote to memory of 2144	1848	08887594d6ebb35e86253dfa3d997ad3.exe	18
PID 1848 wrote to memory of 2144	1848	08887594d6ebb35e86253dfa3d997ad3.exe	18
PID 1848 wrote to memory of 2144	1848	08887594d6ebb35e86253dfa3d997ad3.exe	18
PID 1848 wrote to memory of 2144	1848	08887594d6ebb35e86253dfa3d997ad3.exe	18
PID 1848 wrote to memory of 2144	1848	08887594d6ebb35e86253dfa3d997ad3.exe	18
PID 1848 wrote to memory of 2144	1848	08887594d6ebb35e86253dfa3d997ad3.exe	18

C:\Users\Admin\AppData\Local\Temp\08887594d6ebb35e86253dfa3d997ad3.exe
"C:\Users\Admin\AppData\Local\Temp\08887594d6ebb35e86253dfa3d997ad3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\GamePlayLabsInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\GamePlayLabsInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\GamePlayLabsInstaller.exe

Filesize
92KB

MD5
a5fa139ffcf70a7ac7dc60b04f1d9dce

SHA1
ca516d6f8c759cd22974657dc38923b1c7908a45

SHA256
d96d49e95bdad75dd84fa574cf903a3de0b43de120ebaa5979b37c5de0373229

SHA512
15c95f618e43f8b282790eb50fb6829552eecc4bfc79e8e829c28e0f355005c858b0dc78cce6f64c479973ca487a00f687a74fc97d735f26cb47f7814b08c27d

Download Submit
memory/2144-33-0x0000000000780000-0x0000000000789000-memory.dmp

Filesize
36KB

Download
memory/2144-55-0x0000000000B10000-0x0000000000B19000-memory.dmp

Filesize
36KB

Download
memory/2144-61-0x0000000000780000-0x0000000000789000-memory.dmp

Filesize
36KB

Download
memory/2144-62-0x0000000000B10000-0x0000000000B19000-memory.dmp

Filesize
36KB

Download