bc1c4bed8f051dd56d33f8570d68828c14eabec5e91a04cf64b6e8c4aaf23552

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GameEdit.exe
Size

1.2MB
MD5

3e9d6cb0886b2c44223ce1cec8562081
SHA1

88dd6838066ddf420133338ad7a32c9ed7b3e5a7
SHA256

f8c414ac40d806ef4865a91a2add5e11e8dd987410859c0ba29cfa3d18541f79
SHA512

83acf8030f0ee36be3c62c1ea73f8860416b30c44d9fdcb9a8c3e92b8ae3a45d900b6c8a94bf98c1c5c001febfaf72f76b549a9d0f7e9bec19b53da849247af6
SSDEEP

24576:MpnirfNlG0sAJijLlFFwkRxvO2AgJuJ/s52psa3kY2+mO8B:Ciru0s97FzxzAj/q2p13O+mOC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2880	is-9IJFM.tmp

Loads dropped DLL 3 IoCs

pid	Process
2816	GameEdit.exe
2880	is-9IJFM.tmp
2880	is-9IJFM.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2880	is-9IJFM.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2880	2816	GameEdit.exe	14
PID 2816 wrote to memory of 2880	2816	GameEdit.exe	14
PID 2816 wrote to memory of 2880	2816	GameEdit.exe	14
PID 2816 wrote to memory of 2880	2816	GameEdit.exe	14
PID 2816 wrote to memory of 2880	2816	GameEdit.exe	14
PID 2816 wrote to memory of 2880	2816	GameEdit.exe	14
PID 2816 wrote to memory of 2880	2816	GameEdit.exe	14

C:\Users\Admin\AppData\Local\Temp\GameEdit.exe
"C:\Users\Admin\AppData\Local\Temp\GameEdit.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\is-2K1BT.tmp\is-9IJFM.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-2K1BT.tmp\is-9IJFM.tmp" /SL4 $5014C "C:\Users\Admin\AppData\Local\Temp\GameEdit.exe" 1028398 52224
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-2K1BT.tmp\is-9IJFM.tmp

Filesize
1KB

MD5
fcbefddc642e6022d93e5a8a448f19b0

SHA1
2044ff29bacec783e979fcb79bbc2fc11bcd7947

SHA256
e0a53996488e1c065d9da9bd9d72290ec5bf2b11386578aeed33ebe13e6bd918

SHA512
b6fe834f63852d9566ef7617bb5a75385532e2fe8459ce675fdc7dc941547422e1b181baa1e73c898115469a2c380b8f01a57b00e4d3c37eb85ec68971f4421b

Download Submit
\Users\Admin\AppData\Local\Temp\is-1SDJN.tmp\_isetup\_shfoldr.dll

Filesize
20KB

MD5
2d16f5b530f50f08f1a9745aa4e4d242

SHA1
1ab5029cc4fa4ec9b8dd511df830600f846afa76

SHA256
9459ef37ee24cef6ee86df1924d51ce363afcc88dcd1fe5ed24369623e2ec35a

SHA512
39c0e34da50cbf7f5870dd2f0dd36856d5e7d6f24557f87f36c42aa4976d200ed8a148b3829e10b455cad309212e22dd3749ad9197481e89e3a6459e34a421e6

Download Submit
\Users\Admin\AppData\Local\Temp\is-1SDJN.tmp\_isetup\_shfoldr.dll

Filesize
1KB

MD5
796b91d3cf6a5bf4deb18041d54cc295

SHA1
2f2a86347e4d2e24bb818df22a7bc10eb0a7421e

SHA256
048262ce1f16ba87740f3ad9be498264a97438521071d0c93432f654d33f0646

SHA512
8f7eca10ea3fe1548243c1d7fd8924b0ef9fdafcb55dceb5b2f34efec33777d7d7d903084b65adc0f205a454acb411e6fec39eb8403ad45c12f72951653a4fc7

Download Submit
\Users\Admin\AppData\Local\Temp\is-2K1BT.tmp\is-9IJFM.tmp

Filesize
13KB

MD5
e330a0e80bfa86434f67d2c4984c2549

SHA1
0a01e150dfeaf5496d6c39edffd965f0d5c10b48

SHA256
143458e22cf20f91a88166a80efc4d82839e4fa4476eb1880e20aa1bc11d8062

SHA512
e63f8aacedf59282d5caad1b5cb9589aeeaa6a1714f91a42280722f55b37471bd34685bb908e69749c335dd83976676585ea4436d1afdc71e1276fddca56c5ba

Download Submit
memory/2816-2-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2816-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2816-15-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2880-16-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download