Analysis Overview
SHA256
316ae70e71476b940ec4cfd360987ccf79eadd816f5d2dc99ccb03c45931cf1b
Threat Level: Shows suspicious behavior
The file Setup_GameBoost.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Checks installed software on the system
Enumerates connected drives
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-22 18:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-22 18:51
Reported
2024-02-22 18:52
Platform
win11-20240221-en
Max time kernel
23s
Max time network
23s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9G6EV.tmp\Setup_GameBoost.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\Toolwiz GameBoost FREE\GameBoost.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\T: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Toolwiz GameBoost FREE\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-9G6EV.tmp\Setup_GameBoost.tmp | N/A |
| File created | C:\Program Files (x86)\Toolwiz GameBoost FREE\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-9G6EV.tmp\Setup_GameBoost.tmp | N/A |
| File created | C:\Program Files (x86)\Toolwiz GameBoost FREE\is-NLRD5.tmp | C:\Users\Admin\AppData\Local\Temp\is-9G6EV.tmp\Setup_GameBoost.tmp | N/A |
| File created | C:\Program Files (x86)\Toolwiz GameBoost FREE\is-B1RO6.tmp | C:\Users\Admin\AppData\Local\Temp\is-9G6EV.tmp\Setup_GameBoost.tmp | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Toolwiz GameBoost FREE\GameBoost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Toolwiz GameBoost FREE\GameBoost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Toolwiz GameBoost FREE\GameBoost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Toolwiz GameBoost FREE\GameBoost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Toolwiz GameBoost FREE\GameBoost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Toolwiz GameBoost FREE\GameBoost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9G6EV.tmp\Setup_GameBoost.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Toolwiz GameBoost FREE\GameBoost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup_GameBoost.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_GameBoost.exe"
C:\Users\Admin\AppData\Local\Temp\is-9G6EV.tmp\Setup_GameBoost.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9G6EV.tmp\Setup_GameBoost.tmp" /SL5="$6024C,442874,54272,C:\Users\Admin\AppData\Local\Temp\Setup_GameBoost.exe"
C:\Program Files (x86)\Toolwiz GameBoost FREE\GameBoost.exe
"C:\Program Files (x86)\Toolwiz GameBoost FREE\GameBoost.exe"
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
memory/3184-0-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3184-2-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-9G6EV.tmp\Setup_GameBoost.tmp
| Hash | Value |
| --- | --- |
| MD5 | f0ccfb46f867443700d31c969bdcf552 |
| SHA1 | f2474d5d7a906de3bc3381ca79bb1ea60f0d6697 |
| SHA256 | 54bb849d30567d5f10ac359f8b503732a3fcd76ad7cc72007eab843b784367bb |
| SHA512 | 71c7de53d1db03f1149c3e82fd92842cbd284d17c981267b20290f8d54baf2b578f7830f64eb5308c82cf4aff4f1937586624c2769da74a463c8d4ebdcbe45ee |
memory/4552-9-0x00000000006D0000-0x00000000006D1000-memory.dmp
C:\Program Files (x86)\Toolwiz GameBoost FREE\GameBoost.exe
| Hash | Value |
| --- | --- |
| MD5 | a01a5c9d8c996cd201d846788bbce1c6 |
| SHA1 | 6ad4e979cc65eea905b10209a6d9a5bab62c0f3f |
| SHA256 | e346c2e946c71199e5f189d6ac0aeddfbe6d218e9d90fdde3dcab70f54af9c30 |
| SHA512 | 1b7f3a378a59f3931e8cc720fce3201d5084bf83e913d082d9c4b59a407d9a9d84b2c3caa8d68d83dc900e1b819fb87e082b6e564e3269a302d12bfdcdffd51c |
memory/4552-30-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/3184-32-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3204-31-0x00000000024F0000-0x00000000024F1000-memory.dmp
memory/3204-33-0x0000000000400000-0x000000000055A000-memory.dmp
memory/3204-34-0x0000000000400000-0x000000000055A000-memory.dmp