a186e36a8f44aeb1279c7f9637d17b2567a2f021a3bbcf180e69e75d9a263b4c

General

Target

188c30519e083a384929197f56bc8545.exe
Size

489KB
MD5

188c30519e083a384929197f56bc8545
SHA1

70e3e5eb141247b91f4d0cc3ca692b3dbb3a4ba4
SHA256

a186e36a8f44aeb1279c7f9637d17b2567a2f021a3bbcf180e69e75d9a263b4c
SHA512

6fd02bd5e8cc026d50bc1c7f9a30772771b8e9961113dfa874e26fdc4655189b424962f0d9e83418786fc9c8bc78ac61d74dc3380ab2c3ff268690d01c84cb01
SSDEEP

12288:d5ctCHSaysP/xpfOPMQNlpUvFXEnX4vTED2RprgkR:QQyayyxU3sXWIvTo2dR

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2656	GalaxyInstaller.exe

Loads dropped DLL 4 IoCs

pid	Process
2180	188c30519e083a384929197f56bc8545.exe
2180	188c30519e083a384929197f56bc8545.exe
2180	188c30519e083a384929197f56bc8545.exe
2180	188c30519e083a384929197f56bc8545.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2180-0-0x0000000000400000-0x0000000000518000-memory.dmp	upx
behavioral1/memory/2180-27-0x0000000000400000-0x0000000000518000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	188c30519e083a384929197f56bc8545.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	188c30519e083a384929197f56bc8545.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	GalaxyInstaller.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2656	2180	188c30519e083a384929197f56bc8545.exe	29
PID 2180 wrote to memory of 2656	2180	188c30519e083a384929197f56bc8545.exe	29
PID 2180 wrote to memory of 2656	2180	188c30519e083a384929197f56bc8545.exe	29
PID 2180 wrote to memory of 2656	2180	188c30519e083a384929197f56bc8545.exe	29

C:\Users\Admin\AppData\Local\Temp\188c30519e083a384929197f56bc8545.exe
"C:\Users\Admin\AppData\Local\Temp\188c30519e083a384929197f56bc8545.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_GOFic\GalaxyInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_GOFic\GalaxyInstaller.exe" 1207658901 "Tyrian 2000"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GOG.com\Galaxy\logs\InstallerBootstrapper.log

Filesize
4KB

MD5
0002e6c546cd42706adea9df893cf26b

SHA1
3a4b1d238b4151b6ff00563681e07b88e001311f

SHA256
5575efc83db2339e6e2db77ddc0eed29569f8e2f7ccf709b553e5e484e78ef83

SHA512
c5a0a1faa8f1e1d3eade30a3f7af5ea1df40e166b8327df08e821f8e3661b0add6925126667200e5a5a3106c6b601564873aea30c182fdc60811057aa7024868

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_GOFic\GalaxyInstaller.exe

Filesize
116KB

MD5
fdb2a2d10d879e345a65a5cb0addf8d0

SHA1
4b0d45abe6a1ee08c212e517ad0aec8cf884dd6c

SHA256
1d4c1a3ece7629b7c04080f730a76295c6ae9ee0215518e7731583dc6ef94b8f

SHA512
6283565891b23355878c426de7475f54041c438ef0410ebec47dcec9999cc0db94815ab21cc868f7367ec1db5b5df44dbc71405cbedd752b7a6fd8b93c0bbcf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_GOFic\icon.ico

Filesize
98KB

MD5
506a8136e5a4c04f01faa16fdf9de832

SHA1
ce0369491b8997221f596d4e83af95ed476d6409

SHA256
f0752c0d6e7b955048d7ed98209eee14f7d29924e079f57969131a852c202d15

SHA512
404ac0b03b67dee14cadb91df0ccbf60d02415e5405db1dfca259d602e218330c564f43dd1d540149fa532b0a0f2abb10016c6420b1b1b037607d4e388cdb3df

Download Submit
C:\Users\Admin\AppData\Local\Temp\GalaxyInstaller_GOFic\remoteconfig.json

Filesize
555B

MD5
6f5b2b274c12f821f619837cca4abf0d

SHA1
8bb07d862ad75c98a1ca21b356b6c7570fd3d5c8

SHA256
0431b43af8dc5c5d60d2f5d53aaf2f2303df6244a91308269194091afcf9e35a

SHA512
53d2964fc16d34a0fce5d049eb137dc8fbc21bf821bbf7a2ee4ba902407be57ec3c405bf077d0c2d4500c6600c64dcc826f8a247439ea6ceb3d254937e83a0ee

Download Submit
\Users\Admin\AppData\Local\Temp\GalaxyInstaller_GOFic\GalaxyInstaller.exe

Filesize
120KB

MD5
d30d3a49fa8166b17dfdba3a9a153e92

SHA1
d97de62286b49e7fd25a8ef45d4808c7ebb320d4

SHA256
9e246ee6babdc3861578c36af8c652d4d4be1f3e83583472bcfdb3ea238eeec2

SHA512
466689b40679dd7c78d504bd440ad68e6656a8d4d88822f21c0deb513921ea0c578af63aeaf6c8b4f4edf989c36727575f3a69fd62f291d5bd5af3739733178b

Download Submit
\Users\Admin\AppData\Local\Temp\GalaxyInstaller_GOFic\GalaxyInstaller.exe

Filesize
89KB

MD5
9bbc0c28366ae16039a0cb4300b11222

SHA1
fc92951d22667c4bb62abe15bf5952be7d7039a7

SHA256
80f5d825a8ade668a12b33ad46d6e46212500a18f954e6a542e93b4ce7b608a2

SHA512
9a62d40ee9a1f3f23dd749cccc3a6d7c56459fc7076e6b95805a464761cb611a00816ab517f6a6e47e655b20c30950665acc740042e334b4d6b6eb70d0dc3be5

Download Submit
\Users\Admin\AppData\Local\Temp\GalaxyInstaller_GOFic\GalaxyInstaller.exe

Filesize
116KB

MD5
34ea2129eb09b37eeba7cfe0fdb5ac48

SHA1
ce63d086cabbfb5cc9db68cc1384d21515070413

SHA256
500ca88cafc7c87b760f74b80ce88353a38670d2657de10999a3dc09a3a58df3

SHA512
004b68681b1b6b8cb97a959012cf740329334f413649fc2319c539ceb96e3aa74d8ff4dae6e18042724189a2cc0901af9a6a4c6b3e1b7361f0810315ced05d74

Download Submit
memory/2180-27-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2180-0-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2656-28-0x000000001A640000-0x000000001A6C0000-memory.dmp

Filesize
512KB

Download
memory/2656-26-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2656-47-0x000000001A640000-0x000000001A6C0000-memory.dmp

Filesize
512KB

Download
memory/2656-25-0x00000000009B0000-0x00000000009D0000-memory.dmp

Filesize
128KB

Download
memory/2656-51-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2656-52-0x000000001A640000-0x000000001A6C0000-memory.dmp

Filesize
512KB

Download
memory/2656-54-0x000000001A640000-0x000000001A6C0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing