Overview

overview

10

Static

static

10

gamesense.exe

windows7-x64

8

gamesense.exe

windows10-2004-x64

8

gamesense.exe

windows11-21h2-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    18-04-2024 16:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gamesense.exe

  • Size

    93KB

  • MD5

    63901be7c78d601cf4683b0bf7076674

  • SHA1

    a1e8a41ad2d1a3103bb74e59152b5b4cac4a745c

  • SHA256

    90f099c2038ea56847b5b41f68cd96c43463af2976106fe094c4befd62a644ab

  • SHA512

    eefa4a121d67fae8d62ef147c5f05b979fd84f0d248ea8a521a9a6fbabdd18654f62406cc5cd39ae45f94ec5ef7cc98fdfaa405c955a98357c457cfebfa8f200

  • SSDEEP

    1536:9IQO3oH4zrEDR6P4z4jEwzGi1dDHDrgS:9IeH4vEDMAzJi1dnk

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Drops startup file 6 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\gamesense.exe
    "C:\Users\Admin\AppData\Local\Temp\gamesense.exe"
    1⤵
    • Drops startup file
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\gamesense.exe" "gamesense.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      PID:2376

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Umbrella.flv.exe
    Filesize

    93KB

    MD5

    63901be7c78d601cf4683b0bf7076674

    SHA1

    a1e8a41ad2d1a3103bb74e59152b5b4cac4a745c

    SHA256

    90f099c2038ea56847b5b41f68cd96c43463af2976106fe094c4befd62a644ab

    SHA512

    eefa4a121d67fae8d62ef147c5f05b979fd84f0d248ea8a521a9a6fbabdd18654f62406cc5cd39ae45f94ec5ef7cc98fdfaa405c955a98357c457cfebfa8f200

    Download Submit
  • memory/2240-0-0x00000000741D0000-0x000000007477B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2240-1-0x0000000000520000-0x0000000000560000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2240-2-0x00000000741D0000-0x000000007477B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2240-35-0x0000000000520000-0x0000000000560000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2240-34-0x00000000741D0000-0x000000007477B000-memory.dmp
    Filesize

    5.7MB

    Download