7e2e8ffe378ecaaea154dccc1adb712df101a8cdd5cbe667ac31d8623da6d6ef

Analysis

max time kernel
0s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02f90195cb778f025025b9fd38cb46ca.exe
Size

856KB
MD5

02f90195cb778f025025b9fd38cb46ca
SHA1

00ffcfd453fc5573fab6066b2ce9d1f9abf49ea7
SHA256

7e2e8ffe378ecaaea154dccc1adb712df101a8cdd5cbe667ac31d8623da6d6ef
SHA512

83231f109e40b90d30200a8d67f471b43aefa7611d416fb9de196bd6ba7fdd41c11bdb1ac7d6aed011ab30b683a446e4f479c250413b8237268dc8d822aa1e14
SSDEEP

24576:Nutr5OUKd7t2GbHYzdKWua1wRAUS+7b8viF:NuXgNbHYzQWRwRAUSaIK

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000700000002320f-24.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	02f90195cb778f025025b9fd38cb46ca.exe

Executes dropped EXE 1 IoCs

pid	Process
1628	GamePlayLabsInstaller.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002320f-24.dat	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral2/files/0x00090000000231fb-6.dat	nsis_installer_1
behavioral2/files/0x00090000000231fb-6.dat	nsis_installer_2
behavioral2/files/0x00090000000231fb-10.dat	nsis_installer_1
behavioral2/files/0x00090000000231fb-10.dat	nsis_installer_2
behavioral2/files/0x00090000000231fb-9.dat	nsis_installer_1
behavioral2/files/0x00090000000231fb-9.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 1628	4836	02f90195cb778f025025b9fd38cb46ca.exe	30
PID 4836 wrote to memory of 1628	4836	02f90195cb778f025025b9fd38cb46ca.exe	30
PID 4836 wrote to memory of 1628	4836	02f90195cb778f025025b9fd38cb46ca.exe	30

C:\Users\Admin\AppData\Local\Temp\02f90195cb778f025025b9fd38cb46ca.exe
"C:\Users\Admin\AppData\Local\Temp\02f90195cb778f025025b9fd38cb46ca.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\GamePlayLabsInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\GamePlayLabsInstaller.exe"
  2⤵
  - Executes dropped EXE
  PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\GamePlayLabsInstaller.exe

Filesize
129KB

MD5
d4e51948966f674502e8b6a37ac81198

SHA1
f918d00718662163eb934be5687a7de21b6d0eb6

SHA256
ca62aea003a46be48e0b8b623f0ecb39c8993e7e78a26131fd3bd56517e52153

SHA512
541622b26ed814a979fbc5c43b43badc29a28e366552e27ae40d05b2b7c03ae770dd2fe210bf43051129880f8c371ea270f6caa3e7d6050e35d197b0673c025a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\GamePlayLabsInstaller.exe

Filesize
74KB

MD5
69d7f6085e2c734bdbb1e45b49c4403a

SHA1
5e9877ecd6abcbd5119eab02356915bcb8482394

SHA256
f213ac83b3f38d105ddf743ee8f8e3b234103690254d99bafc9e99149b4162f4

SHA512
17baaba1de3b206f7a60ce0be6a1f2dbe4c4baca4eea9171c82ec8d6ea2d9bd57e8a2a27c71df5aa2729ac1bee10a20e049f8a8bbb0c59a8ed1fcc5090256702

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\GamePlayLabsInstaller.exe

Filesize
99KB

MD5
6ca7429663ff5a13fc4a53a029f7abf3

SHA1
934c98d69e0057b41ea0b8fe5b88d878ae6cdf54

SHA256
00fed96b8ff0227ad6311fc8540ed80f88112b32bc02922a7ec59ae3ea95567a

SHA512
080de58cf3475ccff8e244fb1f588992a4d93162ffa44d41854283d93a101a0f31faf05080ecb711cd8a1cbe5902505d180aca9297f964fcb3d110f057cf3b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.ini

Filesize
131B

MD5
27c1a34e66fcfaaf29dbd0999d22ef87

SHA1
9dc6780451ce78a8554a14d0b4bd21274e7b30d3

SHA256
f89ccb2c07a0ba12a6041ae060ef31c5a9e76360b976e18c11db95904c1c583a

SHA512
8c0f5403553fa36326f4af10f72e686b296a7a416add8b3eee2bdbdbb1a044ab0adb169952af40a17cdacc68359c7d6bef7b9722b1d061f49d0f5c33d7d2c648

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj5093.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj5093.tmp\UAC.dll

Filesize
13KB

MD5
29858669d7da388d1e62b4fd5337af12

SHA1
756b94898429a9025a04ae227f060952f1149a5f

SHA256
c24c005daa7f5578c4372b38d1be6be5e27ef3ba2cdb9b67fee15cac406eba62

SHA512
6f4d538f2fe0681f357bab73f633943c539ddc1451efa1d1bb76d70bb47aa68a05849e36ae405cc4664598a8194227fa7053de6dbce7d6c52a20301293b3c85f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj5093.tmp\inetc.dll

Filesize
2KB

MD5
4884add19a29f7e89cf0105c5c696d71

SHA1
93638283f5ecc158369a8f3b916af88e3a6e8975

SHA256
ca6a92781162d3e28fba16481f74ffd86158ef78022685f37c6170dba6f1e289

SHA512
c76819f6f6d37d76fd22f145a8ccd598156b590d1251ea90677b35edfbaf308a9898fd52be4f6ad854b910604d6c39e71004eeeff7868bab02bac7327530f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj5093.tmp\inetc.dll

Filesize
24KB

MD5
1efbbf5a54eb145a1a422046fd8dfb2c

SHA1
ec4efd0a95bb72fd4cf47423647e33e5a3fddf26

SHA256
983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341

SHA512
7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj5093.tmp\inetc.dll

Filesize
16KB

MD5
98e77abdeca1ef92d61590e0b29bb5dd

SHA1
467012027adbe65a491f77554ca2bae7f6207232

SHA256
4026cde0d3cd80c4d23f7cbea17e677c902a33d331617b7896c4063a969d4768

SHA512
f165584801ef0ea58a13cbe991cd1f8fb2067158e62b7854a79b74fe02b11dabca25d3006a02e14ce0d9e272e20b98b3381c350367ac946034096778fe8f42bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj5093.tmp\md5dll.dll

Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj5093.tmp\nsisXML.dll

Filesize
12KB

MD5
aaf5a62051c11db6aa1a651bb9c295dd

SHA1
75413fd14a67a468578c9d8fbd1c0a810c5044d0

SHA256
55ec0f7d4c14b8b36e18203dad5604d066979e18017207f1165f17691845b161

SHA512
f35a6c4e133d5dd396cc326f7f7365483de0477629e290a91b2200253cf7bb39e0d8ab700eda66d88c7b5568cfac069d4a7b277400ad776d64611a3723362466

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj5093.tmp\timeDLL.dll

Filesize
7KB

MD5
64f470b5bfe4a1b1cc7bd55fdb51aad9

SHA1
f153d314525edb9642e66028cbe4cd06352500b7

SHA256
c22b362c42ea42233c6ce646d6df74ff11dea11743e9be2cd1e9fbbd488af926

SHA512
70d4cc8e67375f55e51a2b42b7b03fe41e97dcfe3014febc730caa56131d2ff4cc2d882dc793820bfb740d37ab9392e5e9b3a0960ea60353bd2b1d74f9a8e827

Download Submit
memory/1628-27-0x0000000003280000-0x0000000003289000-memory.dmp

Filesize
36KB

Download
memory/1628-73-0x0000000003C70000-0x0000000003C79000-memory.dmp

Filesize
36KB

Download
memory/1628-72-0x0000000003C70000-0x0000000003C79000-memory.dmp

Filesize
36KB

Download
memory/1628-76-0x0000000003280000-0x0000000003289000-memory.dmp

Filesize
36KB

Download
memory/1628-75-0x0000000003280000-0x0000000003289000-memory.dmp

Filesize
36KB

Download