90c7c257e2b78c7d7a93b881c151f2336421f118eec541b81c7c3b9935365aa0

General

Target

FreeNitro10.exe
Size

35.6MB
MD5

02386706a76cd4666a1a36a67f5dbf1a
SHA1

323f504e94a9f1785cb841606a7e92dbb0480aa1
SHA256

90c7c257e2b78c7d7a93b881c151f2336421f118eec541b81c7c3b9935365aa0
SHA512

7fca57cbaa6663b3ed1fd762053dcba79ce1d7aeadfce4c5387ced715c0b791d0a26b7fe5b26df829a5e99323e183e30859e06e111db9aadc1c9ac508ce3f3ce
SSDEEP

393216:Po9Ddnnx8Zl1hAT0L+9qz8mCk+7q3D1J61bbKXiWCUta:w9Znx6n+0+9q4s3D16HFVUta

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2700	FreeNitro10.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001972f-89.dat	upx
behavioral1/files/0x000500000001972f-90.dat	upx

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Saved Games\Microsoft Games\desktop.ini	solitaire.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats	solitaire.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}\LastPlayed = "0"	solitaire.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1440	solitaire.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2700	1748	FreeNitro10.exe	28
PID 1748 wrote to memory of 2700	1748	FreeNitro10.exe	28
PID 1748 wrote to memory of 2700	1748	FreeNitro10.exe	28

C:\Users\Admin\AppData\Local\Temp\FreeNitro10.exe
"C:\Users\Admin\AppData\Local\Temp\FreeNitro10.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\FreeNitro10.exe
  "C:\Users\Admin\AppData\Local\Temp\FreeNitro10.exe"
  2⤵
  - Loads dropped DLL
  PID:2700

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1244

C:\Program Files\Microsoft Games\solitaire\solitaire.exe
"C:\Program Files\Microsoft Games\solitaire\solitaire.exe"
1⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:1440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI17482\python312.dll

Filesize
1.4MB

MD5
4d8b86e616c7cf907632b9e885e71104

SHA1
c3618ed8607eb104cced8eeec0df01ab81c45897

SHA256
41c355db64230486d517e6d99c239196da1d06dcbd1ef8c208af1e77ace40717

SHA512
af512da9af02d1ba1427f3de9dca0ba134c4728d7f785be35bcec0a547a16551c317de2515c71fb3a3abbe4091272daaac98c6beca9850368d013b11c25af55e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI17482\python312.dll

Filesize
782KB

MD5
0e5e77c0d14de00209892660a789a19c

SHA1
c152b3cc1cf41bfd9b7bd8236735fe9dd2f1de19

SHA256
b0bdf25b68a0125d468315822d5944973a398a71ab1b52af9114990897a3f64a

SHA512
bc924cc516f04a6932b29677cbc5c4234bd899b2f80a2bce18fe7234b2054b590d7883bce196c12d37935af9a2e9e2cfcd5ebcf2189f2b74c8072d5b8783adb3

Download Submit
memory/1440-211-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/1440-223-0x000007FEF56C0000-0x000007FEF57F1000-memory.dmp

Filesize
1.2MB

Download
memory/1440-183-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/1440-182-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/1440-181-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/1440-180-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/1440-191-0x0000000002180000-0x000000000218A000-memory.dmp

Filesize
40KB

Download
memory/1440-192-0x0000000002180000-0x000000000218A000-memory.dmp

Filesize
40KB

Download
memory/1440-194-0x0000000002180000-0x000000000218A000-memory.dmp

Filesize
40KB

Download
memory/1440-205-0x000007FEF56C0000-0x000007FEF57F1000-memory.dmp

Filesize
1.2MB

Download
memory/1440-209-0x0000000006BC0000-0x0000000006FC0000-memory.dmp

Filesize
4.0MB

Download
memory/1440-213-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/1440-184-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/1440-225-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/1440-210-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/1440-214-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/1440-215-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/1440-216-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/1440-217-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/1440-218-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/1440-221-0x0000000002180000-0x000000000218A000-memory.dmp

Filesize
40KB

Download
memory/1440-222-0x0000000002180000-0x000000000218A000-memory.dmp

Filesize
40KB

Download
memory/1440-220-0x0000000002180000-0x000000000218A000-memory.dmp

Filesize
40KB

Download
memory/1440-219-0x0000000002180000-0x000000000218A000-memory.dmp

Filesize
40KB

Download
memory/1440-212-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/1440-224-0x0000000006BC0000-0x0000000006FC0000-memory.dmp

Filesize
4.0MB

Download
memory/2700-91-0x000007FEF6340000-0x000007FEF6A18000-memory.dmp

Filesize
6.8MB

Download

Analysis

Sharing