Analysis

max time kernel: 23s
max time network: 23s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 22/02/2024, 18:51

Static task: static1
Behavioral task: behavioral1
Sample: Setup_GameBoost.exe
Resource: win11-20240221-en
General

Target: Setup_GameBoost.exe
Size: 678KB
MD5: 0f2d18a27e31200e4555a5cc6def070e
SHA1: 8ffb6b20bd5221dfbf7e9ef4e490d4be7cdf7fea
SHA256: 316ae70e71476b940ec4cfd360987ccf79eadd816f5d2dc99ccb03c45931cf1b
SHA512: 17b783aae69c7edf3ba51c3bfcb73cdee174ac2e8eceffea4c0417e73d31070e38e37f2f241472ac0e01c59679e0a06c0c69e1da2175a826587ef78a61622b47
SSDEEP: 12288:D203gxzC2fjGZpU6zbO+Yjn20HfZnEAtfumZizbcjWci2w5wrvtA:D20QhBSfUvjn20/ZnEMtZGAj2w+
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
pid    Process
4552   Setup_GameBoost.tmp
3204   GameBoost.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description               ioc      Process
File opened (read-only)   \??\T:   svchost.exe
File opened (read-only)   \??\U:   svchost.exe
File opened (read-only)   \??\H:   svchost.exe
File opened (read-only)   \??\M:   svchost.exe
File opened (read-only)   \??\N:   svchost.exe
File opened (read-only)   \??\R:   svchost.exe
File opened (read-only)   \??\Q:   svchost.exe
File opened (read-only)   \??\A:   svchost.exe
File opened (read-only)   \??\I:   svchost.exe
File opened (read-only)   \??\K:   svchost.exe
File opened (read-only)   \??\P:   svchost.exe
File opened (read-only)   \??\O:   svchost.exe
File opened (read-only)   \??\S:   svchost.exe
File opened (read-only)   \??\W:   svchost.exe
File opened (read-only)   \??\Z:   svchost.exe
File opened (read-only)   \??\B:   svchost.exe
File opened (read-only)   \??\E:   svchost.exe
File opened (read-only)   \??\J:   svchost.exe
File opened (read-only)   \??\L:   svchost.exe
File opened (read-only)   \??\G:   svchost.exe
File opened (read-only)   \??\V:   svchost.exe
File opened (read-only)   \??\X:   svchost.exe
File opened (read-only)   \??\Y:   svchost.exe
Every drive letter except C:, D: and F: was probed. All 23 hits belong to svchost.exe (PID 3428, the LanmanServer service host in the process list below), not to the sample or its children, so this signature records OS service activity during the run rather than behavior of Setup_GameBoost.exe.

Drops file in Program Files directory (4 IoCs)
description                    ioc                                                          Process
File opened for modification   C:\Program Files (x86)\Toolwiz GameBoost FREE\unins000.dat   Setup_GameBoost.tmp
File created                   C:\Program Files (x86)\Toolwiz GameBoost FREE\unins000.dat   Setup_GameBoost.tmp
File created                   C:\Program Files (x86)\Toolwiz GameBoost FREE\is-NLRD5.tmp   Setup_GameBoost.tmp
File created                   C:\Program Files (x86)\Toolwiz GameBoost FREE\is-B1RO6.tmp   Setup_GameBoost.tmp

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid    Process
3204   GameBoost.exe   (6 hits)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
All 64 entries come from PID 3204 GameBoost.exe:
Token: SeDebugPrivilege             1 hit
Token: 33                           32 hits
Token: SeIncBasePriorityPrivilege   31 hits
The entries follow a single SeDebugPrivilege request with a strict alternation of Token 33 and SeIncBasePriorityPrivilege. The numeric "33" is a privilege LUID the sandbox did not resolve to a name; on Windows, LUID 33 is SeIncreaseWorkingSetPrivilege (SE_INC_WORKING_SET_PRIVILEGE). Repeated SeIncBasePriorityPrivilege requests are what a tool that changes other processes' scheduling priority would need. SeDebugPrivilege is the entry to weigh separately: it lets the process open handles to other users' processes with full access, which is more than priority adjustment requires.

Suspicious use of FindShellTrayWindow (1 IoC)
pid    Process
4552   Setup_GameBoost.tmp

Suspicious use of SetWindowsHookEx (1 IoC)
pid    Process
3204   GameBoost.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                        pid    Process               procid_target
PID 3184 wrote to memory of 4552   3184   Setup_GameBoost.exe   80   (3 identical entries)
PID 4552 wrote to memory of 3204   4552   Setup_GameBoost.tmp   82   (3 identical entries)
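The WriteProcessMemory rows are the one place the report records which process launched which: each parent writes into its child's address space during process creation, and the sandbox logs every write, which is why each pair appears three times. The script below is an added example, not part of this report or of the sandbox's tooling; it collapses the duplicated rows into a parent/child graph, walks it into chains, and flags the pattern seen here (a chain that starts in the user's Temp directory and ends in Program Files). The six input rows and the PID-to-image map are constructed from the entries on this page.

```python
"""Rebuild the process tree from a sandbox report's WriteProcessMemory
rows and flag temp-to-Program-Files dropper chains.

Added example, not code from the report. Input rows below are constructed
from the six 'wrote to memory of' entries on this page.
"""
import re
from collections import defaultdict

# Constructed from the report's WriteProcessMemory signature (6 IoCs).
WPM_ROWS = """\
PID 3184 wrote to memory of 4552 3184 Setup_GameBoost.exe 80
PID 3184 wrote to memory of 4552 3184 Setup_GameBoost.exe 80
PID 3184 wrote to memory of 4552 3184 Setup_GameBoost.exe 80
PID 4552 wrote to memory of 3204 4552 Setup_GameBoost.tmp 82
PID 4552 wrote to memory of 3204 4552 Setup_GameBoost.tmp 82
PID 4552 wrote to memory of 3204 4552 Setup_GameBoost.tmp 82
"""

# PID -> image path, taken from the report's Processes section.
IMAGES = {
    3184: r"C:\Users\Admin\AppData\Local\Temp\Setup_GameBoost.exe",
    4552: r"C:\Users\Admin\AppData\Local\Temp\is-9G6EV.tmp\Setup_GameBoost.tmp",
    3204: r"C:\Program Files (x86)\Toolwiz GameBoost FREE\GameBoost.exe",
}

# "PID <src> wrote to memory of <dst> <src> <process name> <procid_target>"
ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<proc>\S+) (?P<target>\d+)"
)


def parse_wpm(text):
    """Return {(src_pid, dst_pid): (src_name, write_count)}, duplicates collapsed."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # ignore rows that are not WriteProcessMemory entries
        key = (int(m["src"]), int(m["dst"]))
        name, count = edges.get(key, (m["proc"], 0))
        edges[key] = (name, count + 1)
    return edges


def build_tree(edges):
    """Map each writer PID to the PIDs it wrote into (its children)."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    return children


def chains(children):
    """Yield every root-to-leaf chain of PIDs in the tree."""
    targets = {dst for kids in children.values() for dst in kids}
    roots = [pid for pid in children if pid not in targets]

    def walk(pid, path):
        path = path + [pid]
        if not children.get(pid):  # leaf: no process wrote into anything
            yield path
            return
        for kid in children[pid]:
            yield from walk(kid, path)

    for root in roots:
        yield from walk(root, [])


def is_dropper_chain(chain, images):
    """True when the chain starts under a user Temp directory and ends in Program Files."""
    first = images[chain[0]].lower()
    last = images[chain[-1]].lower()
    return "\\appdata\\local\\temp\\" in first and "\\program files" in last


def describe(chain, edges, images):
    """Render a chain as 'pid image --(n writes)--> ...' for a report or alert."""
    parts = [f"{chain[0]} {images[chain[0]]}"]
    for src, dst in zip(chain, chain[1:]):
        _, writes = edges[(src, dst)]
        parts.append(f"--({writes} writes)--> {dst} {images[dst]}")
    return " ".join(parts)


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    for chain in chains(build_tree(edges)):
        flag = "DROPPER-CHAIN" if is_dropper_chain(chain, IMAGES) else "ok"
        print(flag, describe(chain, edges, IMAGES))
```

On this report the only chain is 3184 -> 4552 -> 3204 with three writes per hop, and it is flagged because the root runs from the user's Temp directory while the leaf runs from Program Files. That is exactly what a legitimate installer looks like too, so the flag is a triage prompt, not a verdict: the useful follow-up is to check the installer's signature and the hashes of the dropped files against the vendor's.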
Processes

C:\Users\Admin\AppData\Local\Temp\Setup_GameBoost.exe  (PID 3184, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup_GameBoost.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\is-9G6EV.tmp\Setup_GameBoost.tmp  (PID 4552, depth 2, child of 3184)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-9G6EV.tmp\Setup_GameBoost.tmp" /SL5="$6024C,442874,54272,C:\Users\Admin\AppData\Local\Temp\Setup_GameBoost.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Toolwiz GameBoost FREE\GameBoost.exe  (PID 3204, depth 3, child of 4552)
      Command line: "C:\Program Files (x86)\Toolwiz GameBoost FREE\GameBoost.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

C:\Windows\System32\spoolsv.exe  (PID 4780, depth 1)
  Command line: C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe  (PID 3428, depth 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
  - Enumerates connected drives

C:\Windows\System32\svchost.exe  (PID 1784, depth 1)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

The is-XXXXX.tmp temp directory, the /SL5="$hwnd,offset,size,path" argument and the unins000.dat file written to the install directory are the standard launch pattern of an Inno Setup installer: the setup stub extracts its second stage (Setup_GameBoost.tmp) and relaunches it, which is why the first WriteProcessMemory hop and the "Executes dropped EXE" hit on PID 4552 are expected for this installer type. The three depth-1 Windows processes (spoolsv.exe and the two svchost.exe service hosts) are not children of the sample; they are background services that happened to be active during the 23-second run.
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 1.0MB
MD5: a01a5c9d8c996cd201d846788bbce1c6
SHA1: 6ad4e979cc65eea905b10209a6d9a5bab62c0f3f
SHA256: e346c2e946c71199e5f189d6ac0aeddfbe6d218e9d90fdde3dcab70f54af9c30
SHA512: 1b7f3a378a59f3931e8cc720fce3201d5084bf83e913d082d9c4b59a407d9a9d84b2c3caa8d68d83dc900e1b819fb87e082b6e564e3269a302d12bfdcdffd51c

File 2
Filesize: 694KB
MD5: f0ccfb46f867443700d31c969bdcf552
SHA1: f2474d5d7a906de3bc3381ca79bb1ea60f0d6697
SHA256: 54bb849d30567d5f10ac359f8b503732a3fcd76ad7cc72007eab843b784367bb
SHA512: 71c7de53d1db03f1149c3e82fd92842cbd284d17c981267b20290f8d54baf2b578f7830f64eb5308c82cf4aff4f1937586624c2769da74a463c8d4ebdcbe45ee