fdcce575bce0c36548e779e953138d4954a0ce51143eed52d7f37c5d8905e87c

Analysis

max time kernel
152s
max time network
205s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
14/01/2024, 01:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Game.exe
Size

10.9MB
MD5

35d548bf3143dd1466c632d8e75b0a80
SHA1

4dffe3f1b34bfc82aba7d56b1ceb5eee9ff2d5e1
SHA256

fdcce575bce0c36548e779e953138d4954a0ce51143eed52d7f37c5d8905e87c
SHA512

3cfbde535c06cf07967f26b05505db78abc5ea96852aa64639e6a588aee210b2a1e507680adba12a814804363f80d2153ad95bc5e35ed9dbc5da000d078d4a5e
SSDEEP

196608:rMYlen2bCRLvh2lN7feBLsfpN74UpfoPciANuZl7/oujMN+ohYl2aShOJcdXvEup:4J0msN72FcN8UVodANQl7ouqhwWddXvj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3944	Game.exe

Loads dropped DLL 17 IoCs

pid	Process
3944	Game.exe
3944	Game.exe
3944	Game.exe
3944	Game.exe
3944	Game.exe
3944	Game.exe
3944	Game.exe
3944	Game.exe
3944	Game.exe
3944	Game.exe
3944	Game.exe
3944	Game.exe
3944	Game.exe
3944	Game.exe
3944	Game.exe
3944	Game.exe
3944	Game.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2116	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 3944	1152	Game.exe	81
PID 1152 wrote to memory of 3944	1152	Game.exe	81
PID 3944 wrote to memory of 5004	3944	Game.exe	84
PID 3944 wrote to memory of 5004	3944	Game.exe	84

C:\Users\Admin\AppData\Local\Temp\Game.exe
"C:\Users\Admin\AppData\Local\Temp\Game.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\onefile_1152_133496710231551589\Game.exe
  "C:\Users\Admin\AppData\Local\Temp\Game.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:5004

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
e0318545925262ee25623937bc30f43f

SHA1
dcd7b4f9513e205d046fcc3c42bce17f043851d4

SHA256
2233a96a9ee22402cbbc28f09a606e9856e3a5e3a9b5aa005a773481bd520b4e

SHA512
5a34b9e05e09e65775775f054f47e1f25b2246cffa6e18dc29521957512cbd415c184296664ce4ee48f3fc0be50ce4647bb6a1a5297214c8db7a6f912306b313

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

Filesize
63KB

MD5
534902be1d8a57974efd025aff4f11ef

SHA1
1179c6153dc52f72c29fe1591dc9a889c2e229e9

SHA256
30adfb86513282e59d7e27968e1ff6686e43b8559994a50c17be66d0789f82b3

SHA512
7f0cdcf8576faf30fc8104b9bc9586d85ad50b7803074a7bcaa192eed05b1e2bd988a91873554fb63f204fcad86c667e95755c5ff13c43f96dc334ef3ea37240

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

Filesize
12KB

MD5
4ac556fe5195aa827c27c3ff586927ec

SHA1
37262d166b24137dbbc48c02005c7dc8f125bb31

SHA256
cd1d9bb51cfdfefb42ad79be3479eb1664587536edf80b890b462351c519413d

SHA512
62dde3a6ea5b0d0ff58725d70641b94f2e9d76ab53da5ab1b9cafcf935d67d5d750b61816b8c23000bfd6711ab1b20c2550efb3703ce6a700f32de4e8af29948

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd

Filesize
299KB

MD5
7ce04ec90292bef7bc66434a35d07b77

SHA1
e859fd44b6ed858075f39d4298ccff06ff2b5a9e

SHA256
324302417e163fb6a4eb13bf919203d55f641564b1c5f5cf683637d4710262e2

SHA512
e75e64886cad49c3207b89839e33bff501d0f6cf49dcf57ff3e5f65f3de2ee74cee38616d7c6b52787250e51bb66fac962617813181bc83454d2fa33b2d9de9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-3.dll

Filesize
164KB

MD5
ebb57b897771fa844251210665961d1e

SHA1
a1b0c436d60a60f5da1c753c45382c1448241659

SHA256
0820cfd23384977cf428940b92619b4ea4194fcedebe3fcbb8a3d22da2dca597

SHA512
6e56d63c8dd02b5a155644c1bd214c13945d83caf08d767619bf047d52a6677c56473745b923a7326630291169a78ded07f3850388279c3f2f5fcc5b30db864d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\pythoncom311.dll

Filesize
393KB

MD5
20749d1c8cbf7878e6f4b0e7562a6d7a

SHA1
267c36082bcba970e85b1c131a5dff54a1d5b7ff

SHA256
e6bd9a97495f4905b0f16ba349d9be6050659812da0afcd4daf05c1a18edba78

SHA512
6805d5866497dbf6f101526486ed4ccb34e4417fbb9af4ab238314e487cc19b9a02b66d59262e4e2b68051c8c73c22f34b2428557e3a2a340046614bc4b862d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\pywintypes311.dll

Filesize
131KB

MD5
90b786dc6795d8ad0870e290349b5b52

SHA1
592c54e67cf5d2d884339e7a8d7a21e003e6482f

SHA256
89f2a5c6be1e70b3d895318fdd618506b8c0e9a63b6a1a4055dff4abdc89f18a

SHA512
c6e1dbf25d260c723a26c88ec027d40d47f5e28fc9eb2dbc72a88813a1d05c7f75616b31836b68b87df45c65eef6f3eaed2a9f9767f9e2f12c45f672c2116e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

Filesize
29KB

MD5
0b55f18218f4c8f30105db9f179afb2c

SHA1
f1914831cf0a1af678970824f1c4438cc05f5587

SHA256
e7fe45baef9cee192c65fcfce1790ccb6f3f9b81e86df82c08f838e86275af02

SHA512
428ee25e99f882af5ad0dedf1ccdbeb1b4022ac286af23b209947a910bf02ae18a761f3152990c84397649702d8208fed269aa3e3a3c65770e21ee1eec064cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\win32api.pyd

Filesize
130KB

MD5
1d6762b494dc9e60ca95f7238ae1fb14

SHA1
aa0397d96a0ed41b2f03352049dafe040d59ad5d

SHA256
fae5323e2119a8f678055f4244177b5806c7b6b171b1945168f685631b913664

SHA512
0b561f651161a34c37ff8d115f154c52202f573d049681f8cdd7bba2e966bb8203780c19ba824b4a693ef12ef1eeef6aeeef96eb369e4b6129f1deb6b26aaa00

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1152_133496710231551589\Game.exe

Filesize
3.6MB

MD5
742a98b8374e91a1762eb92e55c22358

SHA1
6a0d952f1cf1a02aabce96fe6766e5887e7b7ba9

SHA256
a144edf512d0a21a4555a6ebe20230e1fcf32e2dd296b7740a6009bc2eacc360

SHA512
e54df98df96862d7b02d68e857dc13f32fa51d73a949612697559e37ff8aa64e72426ad933f1957d81829143c55cc48d2dad65871b5d0f5d3e7dd3296d77dd4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1152_133496710231551589\Game.exe

Filesize
2.2MB

MD5
534ad5e73202976150f075448d46d63f

SHA1
3b2271d1f4f881728c1bbc9cd50dff57af241fc0

SHA256
352a6bd6b0d3bff9d9168b4fedeb64af443a03b5fe29a34c62f61a196ab19635

SHA512
82de2ce1201f218c36645119671d09c35b90294e0b56fe841f0add1c0c87a1a1e3c427b620844029a167e844200fab209a9af97d16579981e59c77bb25933835

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1152_133496710231551589\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1152_133496710231551589\_bz2.pyd

Filesize
82KB

MD5
afaa11704fda2ed686389080b6ffcb11

SHA1
9a9c83546c2e3b3ccf823e944d5fd07d22318a1b

SHA256
ab34b804da5b8e814b2178754d095a4e8aead77eefd3668da188769392cdb5f4

SHA512
de23bb50f1d416cf4716a5d25fe12f4b66e6226bb39e964d0de0fef1724d35b48c681809589c731d3061a97c62b4dc7b9b7dfe2978f196f2d82ccce286be8a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1152_133496710231551589\_cffi_backend.pyd

Filesize
177KB

MD5
210def84bb2c35115a2b2ac25e3ffd8f

SHA1
0376b275c81c25d4df2be4789c875b31f106bd09

SHA256
59767b0918859beddf28a7d66a50431411ffd940c32b3e8347e6d938b60facdf

SHA512
cd5551eb7afd4645860c7edd7b0abd375ee6e1da934be21a6099879c8ee3812d57f2398cad28fbb6f75bba77471d9b32c96c7c1e9d3b4d26c7fc838745746c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1152_133496710231551589\_lzma.pyd

Filesize
56KB

MD5
f966a014f6720af1c79ade16f709b540

SHA1
0822e9a9bf1dbbaa15b866b9fd10dea319b43393

SHA256
2d33dc4a16419c267cf6573570a83e0061f40ce61ba6b31185f447922c2fb322

SHA512
2b35f6e7926c2809b9a0049fd4ec5301df7b2f8f59dd66a3e338d9330cea189a2663d855cba8bfc2a152157b6725b994613b716c70aeed7e8a0c90e7f5b51a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1152_133496710231551589\_socket.pyd

Filesize
77KB

MD5
11b7936a5bd929cc76ac3f4f137b5236

SHA1
09cb712fa43dc008eb5185481a5080997aff82ab

SHA256
8956b11c07d08d289425e7240b8fa37841a27c435617dbbd02bfe3f9405f422b

SHA512
7b050df283a0ad4295a5be47b99d7361f49a3cfd20691e201c5da5349a9eb8f5710ab3a26a66d194567539660ed227411485f4edf2269567a55a6b8ccfd71096

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1152_133496710231551589\_win32sysloader.pyd

Filesize
14KB

MD5
6b3d025362f13d2e112d7fec4b58bf0c

SHA1
4a26921fcd1e9ee19c2d8bf67fb8acf9c48ae359

SHA256
48d2d1f61383dcaf65f5f4f08cae96f4a915eb89c3ea23d0ef9ae7b0a8173399

SHA512
3023901edff779dbd1ff37ba9fb950ecd6d9ac8117ea7a0585a004da453b98ae5eab8c2b15c85dcd6e0e9c24ef6734d4ae322b9e5c5e6c9553148b01a14be808

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1152_133496710231551589\cryptography\hazmat\bindings\_rust.pyd

Filesize
306KB

MD5
d38501c0a5e368f1432a67f23852bd52

SHA1
6827f377e786321af2454e3435eed85ed9add58d

SHA256
384c8cfe0fd3a9fb7827ba2ef9a733b9491b3d6e903766dfb8446fa5c4526daf

SHA512
364c1807c70b284b2e4ebe0948e88d77ee5d742c96951666915b23288be7b4f820904acbdaa9f51fb2588a31d2df5a6737a442d57117e5d5b67397ca7d4e1b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1152_133496710231551589\libcrypto-3.dll

Filesize
168KB

MD5
a929f267948c6ae1d62708fc4bc54c04

SHA1
f7a9109f7d9e5f84a6d012d41389a249ca7e8807

SHA256
29dc491cd9f8b0de53f8d49b74835a886560b587c407b635b159344fc460cd83

SHA512
a624049bdb982c895b82ce5e1c2c16e280e476861af4d54a428d7773f22bd4cf5e3d1cfb46ff6366eaead924082d5b30764aa7c6498109e74e1ffd4bbc88b1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1152_133496710231551589\python3.DLL

Filesize
65KB

MD5
ff319d24153238249adea18d8a3e54a7

SHA1
0474faa64826a48821b7a82ad256525aa9c5315e

SHA256
a462a21b5f0c05f0f7ec030c4fde032a13b34a8576d661a8e66f9ad23767e991

SHA512
0e63fe4d5568cd2c54304183a29c7469f769816f517cd2d5b197049aa966c310cc13a7790560ef2edc36b9b6d99ff586698886f906e19645faeb89b0e65adfdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1152_133496710231551589\python311.dll

Filesize
3.5MB

MD5
1f85de4dafd30e46c4072d5825767ada

SHA1
c72c86542a67c2b4da89fe81cfb5997b0bfb0cee

SHA256
1353300e70c559a7f33bf595c55b787f80450d30cdddc0478bb1c652734d21e1

SHA512
793efa4a1ada2468232291c9bd9fc3419fc3788dda2aca744fb97ad0c78fef9a42d3b362c3c611f41fad5f7253b63786af8906f89e8c815e335021d54ca3482d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1152_133496710231551589\python311.dll

Filesize
2.5MB

MD5
0bbba6a307905ba8a98601e6a23faf0b

SHA1
ea880a6a827318b68bf88d9b03e871437fd8ce30

SHA256
6d324750d418e1af6ba799cdb5616a6878ddbe9257be1a92690bdf457d890cd0

SHA512
8eb642be20c210c9bb8a9ace6bfb8dafa0133dc293cf97c3e1bdd87989b1acb866861467c972413d9c1fd2ae0a54871188799e0ede875e0daf4b7bd7f5f438ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1152_133496710231551589\pythoncom311.dll

Filesize
400KB

MD5
cd70d1a5e242b954dbda4c20634eaff2

SHA1
cfff520f52d76536354fa2f406d0a6e0680d4140

SHA256
dfe6905c544ef451d79c3e670aae111b55a548ce561aaf5160e415a948096c3c

SHA512
9bc6ae88b9be5663804854de3fd6c45a44afb9c10ec408788354753466a719f9c6b74806f20686b378814ecf30e119d0d3bb8036f4a17d577f39ca738c377b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1152_133496710231551589\select.pyd

Filesize
24KB

MD5
e1683fc1e9b14c47e16b5bfa97abba3f

SHA1
685fa74c62e8f68ff78aa7f23d6b78cd9cdbcbe2

SHA256
b3d88af7a14663374202cddcb47b687035208a38e2011fd1686774140e1b4ecf

SHA512
21988d203aee6ee7671cdde7a7d2ad410644a6ab0553bdf70f66cfe081dc9678d20e73a1f1394cc09b7e3dc603839abe35d70f04798e2751f1f32f180b219a66

Download Submit