6cda0aaa436a192056034ae9ca4170a9b3f17e05ee71ca565602ce273a048019

General

Target

543977461af93562e57b045cfa9d8ccc.exe
Size

572KB
MD5

543977461af93562e57b045cfa9d8ccc
SHA1

f9e25fc962ad6e098a3edf64822c637f26ed023c
SHA256

6cda0aaa436a192056034ae9ca4170a9b3f17e05ee71ca565602ce273a048019
SHA512

919ce07bf61b0998cd79f296e81b2a80202d625eb9162408cfd8c7f6c4fc514c3b150f2fef98466ae37ac846d42dcd4b04c6b0a578a00c3fbf285a1f60380122
SSDEEP

12288:jutrzh9xOXktnCeUs/cVGB8JZlIFnjr/wbrIhXuH2GNrSqsa1sLta/wx78Kc:jutr5OUelKjkrvNGqsaswCi

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000a000000017550-20.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2228	GamePlayLabsInstaller.exe

Loads dropped DLL 8 IoCs

pid	Process
3048	543977461af93562e57b045cfa9d8ccc.exe
2228	GamePlayLabsInstaller.exe
2228	GamePlayLabsInstaller.exe
2228	GamePlayLabsInstaller.exe
2228	GamePlayLabsInstaller.exe
2228	GamePlayLabsInstaller.exe
2228	GamePlayLabsInstaller.exe
2228	GamePlayLabsInstaller.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000017550-20.dat	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000016d46-5.dat	nsis_installer_1
behavioral1/files/0x0008000000016d46-5.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2228	GamePlayLabsInstaller.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2228	3048	543977461af93562e57b045cfa9d8ccc.exe	28
PID 3048 wrote to memory of 2228	3048	543977461af93562e57b045cfa9d8ccc.exe	28
PID 3048 wrote to memory of 2228	3048	543977461af93562e57b045cfa9d8ccc.exe	28
PID 3048 wrote to memory of 2228	3048	543977461af93562e57b045cfa9d8ccc.exe	28
PID 3048 wrote to memory of 2228	3048	543977461af93562e57b045cfa9d8ccc.exe	28
PID 3048 wrote to memory of 2228	3048	543977461af93562e57b045cfa9d8ccc.exe	28
PID 3048 wrote to memory of 2228	3048	543977461af93562e57b045cfa9d8ccc.exe	28

C:\Users\Admin\AppData\Local\Temp\543977461af93562e57b045cfa9d8ccc.exe
"C:\Users\Admin\AppData\Local\Temp\543977461af93562e57b045cfa9d8ccc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\GamePlayLabsInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\GamePlayLabsInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.ini

Filesize
132B

MD5
a5ca00a652c09846fb45b865cb943fd2

SHA1
66feb809f4eee709f323f717f73514925c5e12d4

SHA256
64a0527b705ced169484ffe25fcd8ea3abfd0adfb6519f58e0a86869b80c9136

SHA512
c168fd731ccc5c4a708012445f8cdda7e1e14ad7bfbe4e94945aaacf95d9b470a7f9b487b4d667f88e497cc5b2a078b6965e0767638ee103b989c75d5eec6ed0

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\GamePlayLabsInstaller.exe

Filesize
379KB

MD5
d97bd6b003434c8ff7ac1e0eb9931f22

SHA1
44d548a7139e340d82dba85e261c41de8f935819

SHA256
6f4b194fd8925f006d35f1e80410cde02ebeeed122a3263cfbf1f0f5d73be697

SHA512
7135d115dc874955148c94b5731ac17aba546fdf2d7ee885b13b26a8974a14851ed0d3a061d04b61ee2e2abe5321e9ff3978d6d53e71316e20e692ed67106acc

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8F75.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8F75.tmp\UAC.dll

Filesize
13KB

MD5
29858669d7da388d1e62b4fd5337af12

SHA1
756b94898429a9025a04ae227f060952f1149a5f

SHA256
c24c005daa7f5578c4372b38d1be6be5e27ef3ba2cdb9b67fee15cac406eba62

SHA512
6f4d538f2fe0681f357bab73f633943c539ddc1451efa1d1bb76d70bb47aa68a05849e36ae405cc4664598a8194227fa7053de6dbce7d6c52a20301293b3c85f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8F75.tmp\inetc.dll

Filesize
24KB

MD5
1efbbf5a54eb145a1a422046fd8dfb2c

SHA1
ec4efd0a95bb72fd4cf47423647e33e5a3fddf26

SHA256
983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341

SHA512
7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8F75.tmp\md5dll.dll

Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8F75.tmp\nsisXML.dll

Filesize
12KB

MD5
aaf5a62051c11db6aa1a651bb9c295dd

SHA1
75413fd14a67a468578c9d8fbd1c0a810c5044d0

SHA256
55ec0f7d4c14b8b36e18203dad5604d066979e18017207f1165f17691845b161

SHA512
f35a6c4e133d5dd396cc326f7f7365483de0477629e290a91b2200253cf7bb39e0d8ab700eda66d88c7b5568cfac069d4a7b277400ad776d64611a3723362466

Download Submit
memory/2228-25-0x0000000001E80000-0x0000000001E89000-memory.dmp

Filesize
36KB

Download
memory/2228-48-0x00000000037F0000-0x00000000037F9000-memory.dmp

Filesize
36KB

Download
memory/2228-50-0x0000000001E80000-0x0000000001E89000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing