209aa42ed73d3e57c4378cd9f58dad67b8f0bf06f95316d7cfdf25c6bf9d111c

Analysis

max time kernel
143s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

556928d1923677ca8740d5179d9f30ef.exe
Size

76KB
MD5

556928d1923677ca8740d5179d9f30ef
SHA1

51ae4bb1b1da4c7f2f9ce354c2ea364f8afdf172
SHA256

209aa42ed73d3e57c4378cd9f58dad67b8f0bf06f95316d7cfdf25c6bf9d111c
SHA512

26420b04b41c647d15bf34c8e759b57a053e3fdf97c26c3c52aed5a4640d60cd2082e137e310f27459ace70c3d12d3f6b96b41a20d2789c5f36880c0f32cff61
SSDEEP

1536:LLXB65939tY6HBg4sXJp+ekp6jC+/ClJUDS8qcy4rLnVv:LLk395hYXJpS4WKC8Djy4fnV

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2836	iWinGamesSetup.exe
2672	InstGameInfoHelper.exe

Loads dropped DLL 7 IoCs

pid	Process
2508	556928d1923677ca8740d5179d9f30ef.exe
2508	556928d1923677ca8740d5179d9f30ef.exe
2508	556928d1923677ca8740d5179d9f30ef.exe
2836	iWinGamesSetup.exe
2836	iWinGamesSetup.exe
2836	iWinGamesSetup.exe
2836	iWinGamesSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000014fc0-12.dat	nsis_installer_1
behavioral1/files/0x0008000000014fc0-12.dat	nsis_installer_2
behavioral1/files/0x0008000000014fc0-15.dat	nsis_installer_1
behavioral1/files/0x0008000000014fc0-15.dat	nsis_installer_2
behavioral1/files/0x0008000000014fc0-16.dat	nsis_installer_1
behavioral1/files/0x0008000000014fc0-16.dat	nsis_installer_2

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	InstGameInfoHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	InstGameInfoHelper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	InstGameInfoHelper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	InstGameInfoHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	InstGameInfoHelper.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2836	2508	556928d1923677ca8740d5179d9f30ef.exe	30
PID 2508 wrote to memory of 2836	2508	556928d1923677ca8740d5179d9f30ef.exe	30
PID 2508 wrote to memory of 2836	2508	556928d1923677ca8740d5179d9f30ef.exe	30
PID 2508 wrote to memory of 2836	2508	556928d1923677ca8740d5179d9f30ef.exe	30
PID 2508 wrote to memory of 2836	2508	556928d1923677ca8740d5179d9f30ef.exe	30
PID 2508 wrote to memory of 2836	2508	556928d1923677ca8740d5179d9f30ef.exe	30
PID 2508 wrote to memory of 2836	2508	556928d1923677ca8740d5179d9f30ef.exe	30
PID 2836 wrote to memory of 2672	2836	iWinGamesSetup.exe	31
PID 2836 wrote to memory of 2672	2836	iWinGamesSetup.exe	31
PID 2836 wrote to memory of 2672	2836	iWinGamesSetup.exe	31
PID 2836 wrote to memory of 2672	2836	iWinGamesSetup.exe	31
PID 2836 wrote to memory of 2672	2836	iWinGamesSetup.exe	31
PID 2836 wrote to memory of 2672	2836	iWinGamesSetup.exe	31
PID 2836 wrote to memory of 2672	2836	iWinGamesSetup.exe	31

C:\Users\Admin\AppData\Local\Temp\556928d1923677ca8740d5179d9f30ef.exe
"C:\Users\Admin\AppData\Local\Temp\556928d1923677ca8740d5179d9f30ef.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Local\Temp\nsd5542.tmp\iWinGamesSetup.exe
  C:\Users\Admin\AppData\Local\Temp\nsd5542.tmp\iWinGamesSetup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\nsj8A56.tmp\InstGameInfoHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\nsj8A56.tmp\InstGameInfoHelper.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a315958392a88c9944553d34619b989e

SHA1
af9288df1513f40198a33533c019029c76dbd2bf

SHA256
0f33b51230bb41618477ac387273ded33a649971a7b29b51b0c690465aa37dd7

SHA512
1d715edc6dae7d5a4b9891a00be6bfd1e0999baa42e27138d875b9522f7d7536936a6380dd0e2bd911f3475d500457aa0b64c2729cc5ef6b832fc8b2e9dfd7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF691.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF701.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd5542.tmp\ftdownload.dat

Filesize
512B

MD5
cc4bc3cff4ce1269b2b2f51b6732dfc1

SHA1
11daa7e8eeaa3890411ba56a06ccc8387b574bf3

SHA256
c2cb7b7f26e7ef6b5e7de080a03bed16f976df3f00cb3b9460af01fe2bfd44a3

SHA512
4732e36b8d7120484c72ffb42904fde9f898274ada64e43db731b9af2c510546a5924998651b423a8520a115916a22229a816c9d309a237057246a8d4a959549

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd5542.tmp\iWinGamesSetup.exe

Filesize
762KB

MD5
063bf54ada4febe24db9c45684d4ffee

SHA1
ccb05fa81f9de477812bec8f63d70557c5f2462a

SHA256
41be4771d2222464eb6af6f660530b08569d3814e7e98b6c6f2b16da892bce9d

SHA512
1fe2550b284a34ff35c0c9bbe6a5aab64b4e22366ab1118e34d5a2f76ab45989c5a9eafecd819043874408d349a24ba139563b712fdfff71b2a2672dad62a131

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd5542.tmp\iWinGamesSetup.exe

Filesize
11.8MB

MD5
b9acf92fdb4756d2ee1ce50e6e355845

SHA1
63fde4a8f6a3edd5be0c4cca15921b5cedb6d5e8

SHA256
4dc869e78f4ccfc7c6328404a012759be24a5ae6958e0420bd5c4aedd973d600

SHA512
a57e5036771bc1f5f885d44fb64330a2d1095de41b92981cfa9b8fa9c42c1378efb7adaeff8f57768e68dcbc7200d981621065f0031dc8dfb8894edc814814f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj8A56.tmp\gametitle.txt

Filesize
59B

MD5
a6683dac356c9bdbc7cb5bf28dce3aee

SHA1
82815faf462cca294ee9a88482c8fe821cd98d85

SHA256
4cdae3c9d5e6daf0434ba7ee02c6611c9fa3d095e5b655380d344e793de1150a

SHA512
db33927430c85319ca4f1723db1cc5f9c879b8c3aad43c605b866fdf68b6c3003bc40430898b2d66bea9d00d3b6d9550ec5b8bbaf8e7bb301db5baf485348be7

Download Submit
\Users\Admin\AppData\Local\Temp\nsd5542.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
\Users\Admin\AppData\Local\Temp\nsd5542.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd5542.tmp\iWinGamesSetup.exe

Filesize
704KB

MD5
7e7515f9a14094eb0c531aea1640e12d

SHA1
0af9a5cade80ee0dec249cbc4764a3f7ed2519fe

SHA256
e1b517a72d286810627a8672f518f1158d579719cfce5e1e4a001568956afebe

SHA512
4f81be741bcb506aea7f1f5f767b3d10e2663abc74ff91a85a777133dc064324687b05410c810b4bd7846df177fb0bb82fdc43dc8ef70a16cfcf059c6dcc3719

Download Submit
\Users\Admin\AppData\Local\Temp\nsj8A56.tmp\BgImage.dll

Filesize
7KB

MD5
0e6d71e08eb5f3fe111c2fc10cf3f669

SHA1
e50d07fa89a8a36e39196ef91ee10e6ce7e96289

SHA256
df4ae53731440c2a7fbabac6ded7684fadc03c050c3190a6ec38b1eaf88b76b9

SHA512
20325b41ea54f8aeae09a127e15400d462e99a86365d8b82d4b2d2cc13db6d7ecbb9e5db23091d8b68a92b3bb8cf87fabf9decd3f77089e32af2cdbfd705b77c

Download Submit
\Users\Admin\AppData\Local\Temp\nsj8A56.tmp\InstGameInfoHelper.exe

Filesize
99KB

MD5
3d3d2bf9c42dbdf97247775c00f22190

SHA1
7a046170aaeb5e1a29d8c8cd7c32225f49237aa1

SHA256
59f09ba2c79a209008e76d0478bb691a9fdb2180d84318d9fc73b10401aa853a

SHA512
6e66c4ff467e286cd5dc1d4ccd412fec32cfd01514db6c339fd275eaab5f3b549e223e9330bc61ff19048df70b81b66dfcc78ac351aa2c5ff45cf8d197140466

Download Submit
\Users\Admin\AppData\Local\Temp\nsj8A56.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit