f98c9bd918a9bd8e5027854c75c520309204a2e14fb40c9fd08d4ef8a6883263

Analysis

max time kernel
147s
max time network
128s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe
Size

2.4MB
MD5

ba7445dd6438c2097c1c5b2ce173c064
SHA1

24873c5c09152806caa71b6bb990ef0797e626ae
SHA256

4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768
SHA512

6cf7d18b51d2ec88d9c76470800cf9b8c1fcb30fe02041be3f3694eb7e2a708a9d96ed7b9aafd5e7fdff5b618d6b1796a80c78c74204e7272b58a7b4f7a84ace
SSDEEP

49152:zgwRBNhWLwbYdMsr37tl5oaSeaduub9vdcOMigvOQowQEJHQJPT5NuEj3uWNtiT:zgwRBNhmwbirt02q1r4PFJwJ1fjeWNk

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

pid	Process
2476	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2560	GameService.exe
2532	GameService.exe
2664	GameService.exe
2636	GameService.exe
2624	GameClient.exe
2488	587448.exe
1388	GameService.exe
1368	GameService.exe
320	GameService.exe
1032	GameService.exe
2172	GameClientC.exe
1456	846605.exe

Loads dropped DLL 10 IoCs

pid	Process
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2636	GameService.exe
2636	GameService.exe
2624	GameClient.exe
2488	587448.exe
1032	GameService.exe
1032	GameService.exe
2172	GameClientC.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GameServerClient\GameClient.exe	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe
File opened for modification	C:\Program Files (x86)\GameServerClient\GameClient.exe	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe
File created	C:\Program Files (x86)\GameServerClient\GameClientC.exe	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe
File created	C:\Program Files (x86)\GameServerClient\install.bat	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe
File opened for modification	C:\Program Files (x86)\GameServerClient\install.bat	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe
File created	C:\Program Files (x86)\GameServerClient\installc.bat	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe
File opened for modification	C:\Program Files (x86)\GameServerClient\GameService.exe	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe
File opened for modification	C:\Program Files (x86)\GameServerClient\installc.bat	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe
File opened for modification	C:\Program Files (x86)\GameServerClient\GameClientC.exe	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe
File created	C:\Program Files (x86)\GameServerClient\GameService.exe	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1640	sc.exe
2140	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2668	1992	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe	28
PID 1992 wrote to memory of 2668	1992	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe	28
PID 1992 wrote to memory of 2668	1992	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe	28
PID 1992 wrote to memory of 2668	1992	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe	28
PID 1992 wrote to memory of 2668	1992	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe	28
PID 1992 wrote to memory of 2668	1992	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe	28
PID 1992 wrote to memory of 2668	1992	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe	28
PID 2668 wrote to memory of 1640	2668	cmd.exe	30
PID 2668 wrote to memory of 1640	2668	cmd.exe	30
PID 2668 wrote to memory of 1640	2668	cmd.exe	30
PID 2668 wrote to memory of 1640	2668	cmd.exe	30
PID 2668 wrote to memory of 2560	2668	cmd.exe	31
PID 2668 wrote to memory of 2560	2668	cmd.exe	31
PID 2668 wrote to memory of 2560	2668	cmd.exe	31
PID 2668 wrote to memory of 2560	2668	cmd.exe	31
PID 2668 wrote to memory of 2532	2668	cmd.exe	32
PID 2668 wrote to memory of 2532	2668	cmd.exe	32
PID 2668 wrote to memory of 2532	2668	cmd.exe	32
PID 2668 wrote to memory of 2532	2668	cmd.exe	32
PID 2668 wrote to memory of 2664	2668	cmd.exe	33
PID 2668 wrote to memory of 2664	2668	cmd.exe	33
PID 2668 wrote to memory of 2664	2668	cmd.exe	33
PID 2668 wrote to memory of 2664	2668	cmd.exe	33
PID 2636 wrote to memory of 2624	2636	GameService.exe	36
PID 2636 wrote to memory of 2624	2636	GameService.exe	36
PID 2636 wrote to memory of 2624	2636	GameService.exe	36
PID 2636 wrote to memory of 2624	2636	GameService.exe	36
PID 2624 wrote to memory of 2488	2624	GameClient.exe	37
PID 2624 wrote to memory of 2488	2624	GameClient.exe	37
PID 2624 wrote to memory of 2488	2624	GameClient.exe	37
PID 1992 wrote to memory of 1564	1992	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe	38
PID 1992 wrote to memory of 1564	1992	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe	38
PID 1992 wrote to memory of 1564	1992	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe	38
PID 1992 wrote to memory of 1564	1992	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe	38
PID 1992 wrote to memory of 1564	1992	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe	38
PID 1992 wrote to memory of 1564	1992	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe	38
PID 1992 wrote to memory of 1564	1992	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe	38
PID 1564 wrote to memory of 2140	1564	cmd.exe	40
PID 1564 wrote to memory of 2140	1564	cmd.exe	40
PID 1564 wrote to memory of 2140	1564	cmd.exe	40
PID 1564 wrote to memory of 2140	1564	cmd.exe	40
PID 1564 wrote to memory of 1388	1564	cmd.exe	41
PID 1564 wrote to memory of 1388	1564	cmd.exe	41
PID 1564 wrote to memory of 1388	1564	cmd.exe	41
PID 1564 wrote to memory of 1388	1564	cmd.exe	41
PID 1564 wrote to memory of 1368	1564	cmd.exe	42
PID 1564 wrote to memory of 1368	1564	cmd.exe	42
PID 1564 wrote to memory of 1368	1564	cmd.exe	42
PID 1564 wrote to memory of 1368	1564	cmd.exe	42
PID 1564 wrote to memory of 320	1564	cmd.exe	43
PID 1564 wrote to memory of 320	1564	cmd.exe	43
PID 1564 wrote to memory of 320	1564	cmd.exe	43
PID 1564 wrote to memory of 320	1564	cmd.exe	43
PID 1032 wrote to memory of 2172	1032	GameService.exe	46
PID 1032 wrote to memory of 2172	1032	GameService.exe	46
PID 1032 wrote to memory of 2172	1032	GameService.exe	46
PID 1032 wrote to memory of 2172	1032	GameService.exe	46
PID 2172 wrote to memory of 1456	2172	GameClientC.exe	47
PID 2172 wrote to memory of 1456	2172	GameClientC.exe	47
PID 2172 wrote to memory of 1456	2172	GameClientC.exe	47
PID 1992 wrote to memory of 2476	1992	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe	48
PID 1992 wrote to memory of 2476	1992	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe	48
PID 1992 wrote to memory of 2476	1992	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe	48
PID 1992 wrote to memory of 2476	1992	4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe	48

C:\Users\Admin\AppData\Local\Temp\4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe
"C:\Users\Admin\AppData\Local\Temp\4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\GameServerClient\install.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\sc.exe
    Sc delete GameServerClient
    3⤵
    - Launches sc.exe
    PID:1640
- - C:\Program Files (x86)\GameServerClient\GameService.exe
    GameService remove GameServerClient confirm
    3⤵
    - Executes dropped EXE
    PID:2560
- - C:\Program Files (x86)\GameServerClient\GameService.exe
    GameService install GameServerClient "C:\Program Files (x86)\GameServerClient\GameClient.exe"
    3⤵
    - Executes dropped EXE
    PID:2532
- - C:\Program Files (x86)\GameServerClient\GameService.exe
    GameService start GameServerClient
    3⤵
    - Executes dropped EXE
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\GameServerClient\installc.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\SysWOW64\sc.exe
    Sc delete GameServerClientC
    3⤵
    - Launches sc.exe
    PID:2140
- - C:\Program Files (x86)\GameServerClient\GameService.exe
    GameService remove GameServerClientC confirm
    3⤵
    - Executes dropped EXE
    PID:1388
- - C:\Program Files (x86)\GameServerClient\GameService.exe
    GameService install GameServerClientC "C:\Program Files (x86)\GameServerClient\GameClientC.exe"
    3⤵
    - Executes dropped EXE
    PID:1368
- - C:\Program Files (x86)\GameServerClient\GameService.exe
    GameService start GameServerClientC
    3⤵
    - Executes dropped EXE
    PID:320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  - Deletes itself
  PID:2476

C:\Program Files (x86)\GameServerClient\GameService.exe
"C:\Program Files (x86)\GameServerClient\GameService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Program Files (x86)\GameServerClient\GameClient.exe
  "C:\Program Files (x86)\GameServerClient\GameClient.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\Temp\587448.exe
    "C:\Windows\Temp\587448.exe" --points 512 --out xxx.txt --keyspace 25efb6df800000000:25efb6e0000000000 13zb1hQbWVsc2S7ZTZnP2G4undNNpdh5so 16cJHB8WboGoPCmL28pEsbkJMeMixK56tR
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2488

C:\Program Files (x86)\GameServerClient\GameService.exe
"C:\Program Files (x86)\GameServerClient\GameService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Program Files (x86)\GameServerClient\GameClientC.exe
  "C:\Program Files (x86)\GameServerClient\GameClientC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\Temp\846605.exe
    "C:\Windows\Temp\846605.exe" --coin BTC -m ADDRESSES -t 0 --range 25efb6df800000000:25efb6e0000000000 -o xxx0.txt -i C:\Windows\Temp\curjob.bin
    3⤵
    - Executes dropped EXE
    PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GameServerClient\GameClient.exe

Filesize
2.5MB

MD5
0fac9d21508e154127a9fd4b90a1ca39

SHA1
cb9df00888a37443e6b4f87daf74e591b4dc373a

SHA256
6fb647a3af04d0bb02d9925cf974c21be48512ee56eb3275be575dadd1a7aec0

SHA512
fdd75a3dceb4dd9083f46ba09a51213779958e440b0f6cf61d63ed9b65964b912bd270f3cc616e795c4d8d36daf19b15ee3f99fbaa827c113ff47477a604480d

Download Submit
C:\Program Files (x86)\GameServerClient\install.bat

Filesize
231B

MD5
b9ecefec035b92492661437972d20a33

SHA1
6d694ed7107919baa1da347784b2fb2378f25193

SHA256
5c4b3d2bbfc982378155656046dccd2fac16a5f8d2bbf23f5dbc6a6dc8ebfde8

SHA512
cf22b003bc370e01c7ce64338bb86dc42a4db4d8357924ba85abd07e2293936ca879d64e35a2b4f3679f281ad112867564ca50054f865525ec7f0cb9c274da99

Download Submit
C:\Program Files (x86)\GameServerClient\installc.bat

Filesize
238B

MD5
8b1a66e9898c6054903c6fb23d6c197c

SHA1
06a2131ac4cd1dcdd7999322e728445e732b265d

SHA256
6e36cda60845bbe139f6fa3eaaa71047bb117b74ac47d698bbc526ebf512d025

SHA512
0abb0c4214508da7826f604ba164becbd5ea9567595494273c51e4573f3bbe9c51c40e0e5fe0f06d6628743ca55da4ea8b2b9b4348d372c57f0bcbd13449168a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
300B

MD5
8d8c12c40612f3e58d8f8e6bb45f5c9a

SHA1
9bab3a51743c885643d3b7f50bbe8c3d4c16c62f

SHA256
980b080577f773982b6e79e6311f38c06f18a98c2f0cfa5dd73fee254015dc62

SHA512
d6af36a765b1d499be091a61550ed24247be308242f4dd9eb0a9756990aea20cc2d78096798679411cf9a301016d3429b1387889b84114cc0c19300e266c9b5d

Download Submit
C:\Windows\Temp\587448.exe

Filesize
2.0MB

MD5
5c9e996ee95437c15b8d312932e72529

SHA1
eb174c76a8759f4b85765fa24d751846f4a2d2ef

SHA256
0eecdbfabaaef36f497e944a6ceb468d01824f3ae6457b4ae4b3ac8e95eebb55

SHA512
935102aad64da7eeb3e4b172488b3a0395298d480f885ecedc5d8325f0a9eabeea8ba1ece512753ac170a03016c80ba4990786ab608b4de0b11e6343fbf2192b

Download Submit
C:\Windows\Temp\846605.exe

Filesize
13.1MB

MD5
bfe6b13011bbba05c28109cf6730f8a1

SHA1
28da37544341c3587c11c1f1f294505516434d40

SHA256
93fc509fc9fad8d0191ceb7fe43ae7be1ed176862eacf0f905120257b15ecbdd

SHA512
d717859dd8b04832588e9ada5f83a8e2953c6214364a189b1b731212a5d4cdd1ac441646339efc9484b38a49d518d70f09624028e0a12921d7f2778fd9982660

Download Submit
C:\Windows\Temp\curjob.bin

Filesize
40B

MD5
d935c86a105ddd7787d03e0fd61bb148

SHA1
c8a3be929bda73cc9c3d5cd658e47387368aae96

SHA256
c1a09eb7a3222a4098149c7bd12616316abb751cb84ee87f98a71c16137e3982

SHA512
b719a868f3616e2a635f4de3b71510a83bf3648420ebbc643ab544e39fd2f492e30a142f1f9180715c53646ebf16db1ec51db523638a0a3646c7e52a6e64607b

Download Submit
\Program Files (x86)\GameServerClient\GameClientC.exe

Filesize
13.2MB

MD5
fc63d47dd6b9847ab82f4dd05ed7cb99

SHA1
cac41f14caaabef4d89d3311e2314a09f602e256

SHA256
864f529a4618eec7e5eff997c66dd5001c75beed21b587bcc492e944fb059a49

SHA512
190102bdc8f5794f9fc20ee3402dc1e03e4f8af9c7992a55766e1bfe3a77c8910efc96c63ce2c5c1f0f9429c233cd62420479ca8a53b788e637bee14f9bcc72d

Download Submit
\Program Files (x86)\GameServerClient\GameService.exe

Filesize
288KB

MD5
d9ec6f3a3b2ac7cd5eef07bd86e3efbc

SHA1
e1908caab6f938404af85a7df0f80f877a4d9ee6

SHA256
472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c

SHA512
1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

Download Submit
\Windows\Temp\cudart64_101.dll

Filesize
398KB

MD5
1d7955354884a9058e89bb8ea34415c9

SHA1
62c046984afd51877ecadad1eca209fda74c8cb1

SHA256
111f216aef35f45086888c3f0a30bb9ab48e2b333daeddafd3a76be037a22a6e

SHA512
7eb8739841c476cda3cf4c8220998bc8c435c04a89c4bbef27b8f3b904762dede224552b4204d35935562aa73f258c4e0ddb69d065f732cb06cc357796cdd1b2

Download Submit