7e2e8ffe378ecaaea154dccc1adb712df101a8cdd5cbe667ac31d8623da6d6ef

Analysis

max time kernel
142s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 20:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

02f90195cb778f025025b9fd38cb46ca.exe
Size

856KB
MD5

02f90195cb778f025025b9fd38cb46ca
SHA1

00ffcfd453fc5573fab6066b2ce9d1f9abf49ea7
SHA256

7e2e8ffe378ecaaea154dccc1adb712df101a8cdd5cbe667ac31d8623da6d6ef
SHA512

83231f109e40b90d30200a8d67f471b43aefa7611d416fb9de196bd6ba7fdd41c11bdb1ac7d6aed011ab30b683a446e4f479c250413b8237268dc8d822aa1e14
SSDEEP

24576:Nutr5OUKd7t2GbHYzdKWua1wRAUS+7b8viF:NuXgNbHYzQWRwRAUSaIK

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000018b82-20.dat	acprotect
behavioral1/memory/2244-22-0x00000000003B0000-0x00000000003B9000-memory.dmp	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2244	GamePlayLabsInstaller.exe

Loads dropped DLL 10 IoCs

pid	Process
2304	02f90195cb778f025025b9fd38cb46ca.exe
2244	GamePlayLabsInstaller.exe
2244	GamePlayLabsInstaller.exe
2244	GamePlayLabsInstaller.exe
2244	GamePlayLabsInstaller.exe
2244	GamePlayLabsInstaller.exe
2244	GamePlayLabsInstaller.exe
2244	GamePlayLabsInstaller.exe
2244	GamePlayLabsInstaller.exe
2244	GamePlayLabsInstaller.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000018b82-20.dat	upx
behavioral1/memory/2244-22-0x00000000003B0000-0x00000000003B9000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

resource	yara_rule
behavioral1/files/0x002e000000016d2d-5.dat	nsis_installer_1
behavioral1/files/0x002e000000016d2d-5.dat	nsis_installer_2
behavioral1/files/0x002e000000016d2d-8.dat	nsis_installer_1
behavioral1/files/0x002e000000016d2d-8.dat	nsis_installer_2
behavioral1/files/0x002e000000016d2d-7.dat	nsis_installer_1
behavioral1/files/0x002e000000016d2d-7.dat	nsis_installer_2
behavioral1/files/0x002e000000016d2d-9.dat	nsis_installer_1
behavioral1/files/0x002e000000016d2d-9.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2244	GamePlayLabsInstaller.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2244	2304	02f90195cb778f025025b9fd38cb46ca.exe	28
PID 2304 wrote to memory of 2244	2304	02f90195cb778f025025b9fd38cb46ca.exe	28
PID 2304 wrote to memory of 2244	2304	02f90195cb778f025025b9fd38cb46ca.exe	28
PID 2304 wrote to memory of 2244	2304	02f90195cb778f025025b9fd38cb46ca.exe	28
PID 2304 wrote to memory of 2244	2304	02f90195cb778f025025b9fd38cb46ca.exe	28
PID 2304 wrote to memory of 2244	2304	02f90195cb778f025025b9fd38cb46ca.exe	28
PID 2304 wrote to memory of 2244	2304	02f90195cb778f025025b9fd38cb46ca.exe	28

C:\Users\Admin\AppData\Local\Temp\02f90195cb778f025025b9fd38cb46ca.exe
"C:\Users\Admin\AppData\Local\Temp\02f90195cb778f025025b9fd38cb46ca.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\GamePlayLabsInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\GamePlayLabsInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\GamePlayLabsInstaller.exe

Filesize
315KB

MD5
107c88f70254a2e6c727271f6c1c9c20

SHA1
fa9a4306792059340ac98f21f0d5b88761de0f6c

SHA256
52837eb3f5ad076087eca49a7b0c670da3c90363cb01f60bdc5ab3197ffaa261

SHA512
5401651bd0bcd079f60a9e726f20a614a9ffa48b1110af05b92fa1bfe3f72829a90dc661f343a717205c5edc573282f628cc1f0af0ad1d3fcec0eaf6bc882576

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\GamePlayLabsInstaller.exe

Filesize
521KB

MD5
e82a5f1daa79e4933b9f814bb651812d

SHA1
8d1d4105418992aa777b64ca27e7ce676f1e22d7

SHA256
ec3912bab199e71d331f0f3e6c7aebd6ab76b7555565784bb1e2431b848c7993

SHA512
7ee9ecc7aa785ed04ee5f880a89ea0e4964956a275f4426835dcaed4266448b8a0dd8223044b3e39c8679a9fad37eee914a686a4a2525932fd1493fad0cebd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\GamePlayLabsInstaller.exe

Filesize
85KB

MD5
2607b05960bd133e5851a2d7403d0533

SHA1
a0a2391bf74e08fb60d8574fcda107308ef08828

SHA256
f5b72a352de695474ccc72ed778cd7487a56781741470700b4ad686fab8aa284

SHA512
f931f15a98e7519dfef9cb5032dfa910260f56d97540885a1cd72c5d45b00c73666555351d07b0102f88ffdf792e1e6b171ba3d78eb921ba406b1c3b68803ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.ini

Filesize
131B

MD5
27c1a34e66fcfaaf29dbd0999d22ef87

SHA1
9dc6780451ce78a8554a14d0b4bd21274e7b30d3

SHA256
f89ccb2c07a0ba12a6041ae060ef31c5a9e76360b976e18c11db95904c1c583a

SHA512
8c0f5403553fa36326f4af10f72e686b296a7a416add8b3eee2bdbdbb1a044ab0adb169952af40a17cdacc68359c7d6bef7b9722b1d061f49d0f5c33d7d2c648

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7ABD.tmp\timeDLL.dll

Filesize
7KB

MD5
64f470b5bfe4a1b1cc7bd55fdb51aad9

SHA1
f153d314525edb9642e66028cbe4cd06352500b7

SHA256
c22b362c42ea42233c6ce646d6df74ff11dea11743e9be2cd1e9fbbd488af926

SHA512
70d4cc8e67375f55e51a2b42b7b03fe41e97dcfe3014febc730caa56131d2ff4cc2d882dc793820bfb740d37ab9392e5e9b3a0960ea60353bd2b1d74f9a8e827

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\GamePlayLabsInstaller.exe

Filesize
697KB

MD5
d980d35bf5ee27d822e247e5d038e7fa

SHA1
7a9d915423aa0d43d04d3ebaffb1adb2a893fd80

SHA256
07e04ec4d6a0c87e75c9936e9442f9e6361c139938aa42984f6722abb46eb96e

SHA512
d29fd775ecf6b973e6527daf74e331ede8f70cf54166b066d2926897c17d445923769ac058354450ab2e2008cb94e719ff549d8fe4cdf03c71820769155ea1b5

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7ABD.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7ABD.tmp\UAC.dll

Filesize
13KB

MD5
29858669d7da388d1e62b4fd5337af12

SHA1
756b94898429a9025a04ae227f060952f1149a5f

SHA256
c24c005daa7f5578c4372b38d1be6be5e27ef3ba2cdb9b67fee15cac406eba62

SHA512
6f4d538f2fe0681f357bab73f633943c539ddc1451efa1d1bb76d70bb47aa68a05849e36ae405cc4664598a8194227fa7053de6dbce7d6c52a20301293b3c85f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7ABD.tmp\inetc.dll

Filesize
24KB

MD5
1efbbf5a54eb145a1a422046fd8dfb2c

SHA1
ec4efd0a95bb72fd4cf47423647e33e5a3fddf26

SHA256
983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341

SHA512
7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7ABD.tmp\md5dll.dll

Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7ABD.tmp\nsisXML.dll

Filesize
12KB

MD5
aaf5a62051c11db6aa1a651bb9c295dd

SHA1
75413fd14a67a468578c9d8fbd1c0a810c5044d0

SHA256
55ec0f7d4c14b8b36e18203dad5604d066979e18017207f1165f17691845b161

SHA512
f35a6c4e133d5dd396cc326f7f7365483de0477629e290a91b2200253cf7bb39e0d8ab700eda66d88c7b5568cfac069d4a7b277400ad776d64611a3723362466

Download Submit
memory/2244-22-0x00000000003B0000-0x00000000003B9000-memory.dmp

Filesize
36KB

Download
memory/2244-55-0x0000000000830000-0x0000000000839000-memory.dmp

Filesize
36KB

Download
memory/2244-61-0x00000000003B0000-0x00000000003B9000-memory.dmp

Filesize
36KB

Download
memory/2244-62-0x0000000000830000-0x0000000000839000-memory.dmp

Filesize
36KB

Download