fd12e3273384c36dc406005581b988682c64f3e730fe6619044bcff6eaad1390

Analysis

max time kernel
93s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LometuGame.exe
Size

42.4MB
MD5

c1a0e18082e98a1a91ee70fe489e3827
SHA1

d4538ff7a4ea76430cd88184783d5f8802049007
SHA256

fd12e3273384c36dc406005581b988682c64f3e730fe6619044bcff6eaad1390
SHA512

637803b25ea8a1f067d0f95906913c1a5557eae7a888a861da49033397f50a8e6e597906a513da0fb1dae04f70dbf2351fdec09ee00c693a573c44eb729c6043
SSDEEP

393216:1yT3YGojrsBEnP4XrqSFM+FcrONRtgZJ93AEMQu58EISEhoIaE2FShMzTVA+BDEZ:1WeBZ6QxhUDE5VO26rsxcW3

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3896	powershell.exe
3896	powershell.exe
2128	powershell.exe
2128	powershell.exe
4336	powershell.exe
4336	powershell.exe
4336	powershell.exe
1920	powershell.exe
1920	powershell.exe
1920	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeIncreaseQuotaPrivilege	3896	powershell.exe
Token: SeSecurityPrivilege	3896	powershell.exe
Token: SeTakeOwnershipPrivilege	3896	powershell.exe
Token: SeLoadDriverPrivilege	3896	powershell.exe
Token: SeSystemProfilePrivilege	3896	powershell.exe
Token: SeSystemtimePrivilege	3896	powershell.exe
Token: SeProfSingleProcessPrivilege	3896	powershell.exe
Token: SeIncBasePriorityPrivilege	3896	powershell.exe
Token: SeCreatePagefilePrivilege	3896	powershell.exe
Token: SeBackupPrivilege	3896	powershell.exe
Token: SeRestorePrivilege	3896	powershell.exe
Token: SeShutdownPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeSystemEnvironmentPrivilege	3896	powershell.exe
Token: SeRemoteShutdownPrivilege	3896	powershell.exe
Token: SeUndockPrivilege	3896	powershell.exe
Token: SeManageVolumePrivilege	3896	powershell.exe
Token: 33	3896	powershell.exe
Token: 34	3896	powershell.exe
Token: 35	3896	powershell.exe
Token: 36	3896	powershell.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeIncreaseQuotaPrivilege	4336	powershell.exe
Token: SeSecurityPrivilege	4336	powershell.exe
Token: SeTakeOwnershipPrivilege	4336	powershell.exe
Token: SeLoadDriverPrivilege	4336	powershell.exe
Token: SeSystemProfilePrivilege	4336	powershell.exe
Token: SeSystemtimePrivilege	4336	powershell.exe
Token: SeProfSingleProcessPrivilege	4336	powershell.exe
Token: SeIncBasePriorityPrivilege	4336	powershell.exe
Token: SeCreatePagefilePrivilege	4336	powershell.exe
Token: SeBackupPrivilege	4336	powershell.exe
Token: SeRestorePrivilege	4336	powershell.exe
Token: SeShutdownPrivilege	4336	powershell.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeSystemEnvironmentPrivilege	4336	powershell.exe
Token: SeRemoteShutdownPrivilege	4336	powershell.exe
Token: SeUndockPrivilege	4336	powershell.exe
Token: SeManageVolumePrivilege	4336	powershell.exe
Token: 33	4336	powershell.exe
Token: 34	4336	powershell.exe
Token: 35	4336	powershell.exe
Token: 36	4336	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeIncreaseQuotaPrivilege	1920	powershell.exe
Token: SeSecurityPrivilege	1920	powershell.exe
Token: SeTakeOwnershipPrivilege	1920	powershell.exe
Token: SeLoadDriverPrivilege	1920	powershell.exe
Token: SeSystemProfilePrivilege	1920	powershell.exe
Token: SeSystemtimePrivilege	1920	powershell.exe
Token: SeProfSingleProcessPrivilege	1920	powershell.exe
Token: SeIncBasePriorityPrivilege	1920	powershell.exe
Token: SeCreatePagefilePrivilege	1920	powershell.exe
Token: SeBackupPrivilege	1920	powershell.exe
Token: SeRestorePrivilege	1920	powershell.exe
Token: SeShutdownPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeSystemEnvironmentPrivilege	1920	powershell.exe
Token: SeRemoteShutdownPrivilege	1920	powershell.exe
Token: SeUndockPrivilege	1920	powershell.exe
Token: SeManageVolumePrivilege	1920	powershell.exe
Token: 33	1920	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 4644	4184	LometuGame.exe	93
PID 4184 wrote to memory of 4644	4184	LometuGame.exe	93
PID 4644 wrote to memory of 400	4644	cmd.exe	95
PID 4644 wrote to memory of 400	4644	cmd.exe	95
PID 4184 wrote to memory of 2128	4184	LometuGame.exe	96
PID 4184 wrote to memory of 2128	4184	LometuGame.exe	96
PID 4184 wrote to memory of 2028	4184	LometuGame.exe	97
PID 4184 wrote to memory of 2028	4184	LometuGame.exe	97
PID 4184 wrote to memory of 3896	4184	LometuGame.exe	98
PID 4184 wrote to memory of 3896	4184	LometuGame.exe	98
PID 2128 wrote to memory of 4580	2128	powershell.exe	100
PID 2128 wrote to memory of 4580	2128	powershell.exe	100
PID 4580 wrote to memory of 3248	4580	csc.exe	102
PID 4580 wrote to memory of 3248	4580	csc.exe	102
PID 4184 wrote to memory of 4336	4184	LometuGame.exe	103
PID 4184 wrote to memory of 4336	4184	LometuGame.exe	103
PID 4184 wrote to memory of 1920	4184	LometuGame.exe	106
PID 4184 wrote to memory of 1920	4184	LometuGame.exe	106

C:\Users\Admin\AppData\Local\Temp\LometuGame.exe
"C:\Users\Admin\AppData\Local\Temp\LometuGame.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -c "Add-Type -Name Window -Namespace Console -MemberDefinition ' [DllImport(\"Kernel32.dll\")] public static extern IntPtr GetConsoleWindow(); [DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr hWnd, Int32 nCmdShow); ' $consolePtr = [Console.Window]::GetConsoleWindow() #0 hide [Console.Window]::ShowWindow($consolePtr, 0) "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bjv1koz3\bjv1koz3.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C5A.tmp" "c:\Users\Admin\AppData\Local\Temp\bjv1koz3\CSCAABDAF5E39F544CC83CCB87F338E5713.TMP"
      4⤵
      PID:3248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""undefined\VBoxManage.exe" list vms --long"
  2⤵
  PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2f87410b0d834a14ceff69e18946d066

SHA1
f2ec80550202d493db61806693439a57b76634f3

SHA256
5422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65

SHA512
a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
fb18c3a48ea159dc0318d3326cd75713

SHA1
4314d7f3d704a64adaf427a374b6c2f76a0ab168

SHA256
8d254412597f9e63fd4f1211d6786e0b00e274d0e26fc14f31baeadb8a55c04f

SHA512
d0bb743e7ba663095bdf6f2a0ae695eff770ce5b9d9947dd62be5e034042f6d79aeb5796477fe625aaf9cf348b6a847c3ecc85ef9b456db9bb20671b4035c970

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2C5A.tmp

Filesize
1KB

MD5
fb30b28e135241d95c1d3e97bd0cac61

SHA1
3e3278b6458b92d7cb6534b508da5f8cfb819e91

SHA256
25562cdfb7ec9a534cbe3eaa899f839fda68bc308476fd6dfb8ab17f5c628998

SHA512
164db8ebdd7d3e0abcb16948af36a5f632fe615c315bc5e544988d77cc6fe97e9eb52c7a1c04a2faf294116f29d2253c3ca53570c1329dee1f689a215ac6a4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ye4342bb.s35.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bjv1koz3\bjv1koz3.dll

Filesize
3KB

MD5
68188f16a4d6a67931acd9ba6cebf828

SHA1
29038eb056de1acf93e66c3144270d7a42153b67

SHA256
9eb4b4891b4e3e0eb694fb9d6fa87d3a70350caa76d560beaa9784b5735da7c0

SHA512
649d6b96d02dd7720828357d7f61d482ea358293c04986be139087324c1360dc6522e05f261dc105c5bc58a422cbcc43df1ba68fc27bb0bbb22dc468e82ef98f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bjv1koz3\CSCAABDAF5E39F544CC83CCB87F338E5713.TMP

Filesize
652B

MD5
06fd5cc7eb387e89e2538260a0a16bc8

SHA1
a04a73b3768584bbae29dfeffd37e7529707fde9

SHA256
c9f04c801a9bf4d95f73bb7f79aac7f14b618fc51193ee1e06b491c881414e87

SHA512
73b94ded090dbbc9ba51a6d05742618652497f2f7211313407bf1510c17b5dd323ac91180d3b70015c65d9aa520bb02098759781aa26906700af6acddad2797b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bjv1koz3\bjv1koz3.0.cs

Filesize
312B

MD5
ecbf151f81ff98f7dff196304a40239e

SHA1
ccf6b97b6f8276656b042d64f0595963fe9ec79c

SHA256
295ca195631c485c876e7c468ddcbb3fe7cd219d3e5005a2441be2de54e62ac8

SHA512
4526a59055a18af6c0c13fb9f55a9a9bc15aa1407b697849e19b6cc32c88ee7206b3efff806bd154d36bce144ae1d9c407c6ea0f5077c54fbe92cd172c203720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bjv1koz3\bjv1koz3.cmdline

Filesize
369B

MD5
41def0dc07573ecc38d0ef9a890d8e55

SHA1
3790aacd3f2feb4bdaf5dbcb6e30b2f276d1a49e

SHA256
0566618a60c46476ad9303d41dad74d4b5405deaefcb2c66008147b779e66285

SHA512
90bbb72810c4446aa229ade3e2f442488578c0e72e05aae8a348907a73082cb85d47df2a982fa50260c89d9cecaaeb65a0f100936ddb922b06d5a61b26974032

Download Submit
memory/1920-92-0x0000020FAB2E0000-0x0000020FAB2F0000-memory.dmp

Filesize
64KB

Download
memory/1920-88-0x00007FFFC6480000-0x00007FFFC6F41000-memory.dmp

Filesize
10.8MB

Download
memory/1920-89-0x0000020FAB2E0000-0x0000020FAB2F0000-memory.dmp

Filesize
64KB

Download
memory/1920-90-0x0000020FAB2E0000-0x0000020FAB2F0000-memory.dmp

Filesize
64KB

Download
memory/1920-96-0x00007FFFC6480000-0x00007FFFC6F41000-memory.dmp

Filesize
10.8MB

Download
memory/2128-31-0x00000252454B0000-0x00000252454C0000-memory.dmp

Filesize
64KB

Download
memory/2128-30-0x00000252454B0000-0x00000252454C0000-memory.dmp

Filesize
64KB

Download
memory/2128-28-0x00000252454B0000-0x00000252454C0000-memory.dmp

Filesize
64KB

Download
memory/2128-50-0x00007FFFC6480000-0x00007FFFC6F41000-memory.dmp

Filesize
10.8MB

Download
memory/2128-26-0x00007FFFC6480000-0x00007FFFC6F41000-memory.dmp

Filesize
10.8MB

Download
memory/2128-45-0x000002522D1B0000-0x000002522D1B8000-memory.dmp

Filesize
32KB

Download
memory/3896-58-0x00007FFFC6480000-0x00007FFFC6F41000-memory.dmp

Filesize
10.8MB

Download
memory/3896-27-0x000002444C070000-0x000002444C080000-memory.dmp

Filesize
64KB

Download
memory/3896-24-0x00007FFFC6480000-0x00007FFFC6F41000-memory.dmp

Filesize
10.8MB

Download
memory/3896-54-0x000002444E3E0000-0x000002444E404000-memory.dmp

Filesize
144KB

Download
memory/3896-25-0x000002444C070000-0x000002444C080000-memory.dmp

Filesize
64KB

Download
memory/3896-10-0x000002444E1F0000-0x000002444E212000-memory.dmp

Filesize
136KB

Download
memory/3896-53-0x000002444E3E0000-0x000002444E40A000-memory.dmp

Filesize
168KB

Download
memory/3896-36-0x000002444E810000-0x000002444E886000-memory.dmp

Filesize
472KB

Download
memory/3896-29-0x000002444E390000-0x000002444E3D4000-memory.dmp

Filesize
272KB

Download
memory/4336-61-0x00000275646A0000-0x00000275646B0000-memory.dmp

Filesize
64KB

Download
memory/4336-77-0x00007FFFC6480000-0x00007FFFC6F41000-memory.dmp

Filesize
10.8MB

Download
memory/4336-73-0x00000275646A0000-0x00000275646B0000-memory.dmp

Filesize
64KB

Download
memory/4336-62-0x00000275646A0000-0x00000275646B0000-memory.dmp

Filesize
64KB

Download
memory/4336-60-0x00007FFFC6480000-0x00007FFFC6F41000-memory.dmp

Filesize
10.8MB

Download