Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 18-04-2024 16:53
Behavioral tasks
- behavioral1: sample gamesense.exe, resource win7-20231129-en
- behavioral2: sample gamesense.exe, resource win10v2004-20240412-en
- behavioral3: sample gamesense.exe, resource win11-20240412-en
General
- Target: gamesense.exe
- Size: 93KB
- MD5: 63901be7c78d601cf4683b0bf7076674
- SHA1: a1e8a41ad2d1a3103bb74e59152b5b4cac4a745c
- SHA256: 90f099c2038ea56847b5b41f68cd96c43463af2976106fe094c4befd62a644ab
- SHA512: eefa4a121d67fae8d62ef147c5f05b979fd84f0d248ea8a521a9a6fbabdd18654f62406cc5cd39ae45f94ec5ef7cc98fdfaa405c955a98357c457cfebfa8f200
- SSDEEP: 1536:9IQO3oH4zrEDR6P4z4jEwzGi1dDHDrgS:9IeH4vEDMAzJi1dnk
Malware Config
Signatures
Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes (pid, process):
- 2376 netsh.exe
Drops startup file (6 IoCs)
Processes (description, ioc, process):
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f198e2e527a1b5c423cf558af5689dfJava.exe (gamesense.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe (gamesense.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe (gamesense.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java.exe (gamesense.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java.exe (gamesense.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f198e2e527a1b5c423cf558af5689dfJava.exe (gamesense.exe)
Drops autorun.inf file (1 TTP, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes (description, ioc, process):
- File opened for modification: C:\autorun.inf (gamesense.exe)
- File created: F:\autorun.inf (gamesense.exe)
- File opened for modification: F:\autorun.inf (gamesense.exe)
- File created: C:\autorun.inf (gamesense.exe)
Drops file in System32 directory (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Windows\SysWOW64\Explower.exe (gamesense.exe)
- File opened for modification: C:\Windows\SysWOW64\Explower.exe (gamesense.exe)
Drops file in Program Files directory (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Program Files (x86)\Explower.exe (gamesense.exe)
- File opened for modification: C:\Program Files (x86)\Explower.exe (gamesense.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
- 2240 gamesense.exe (the same entry is recorded 64 times)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid, process):
- 2240 gamesense.exe
Suspicious use of AdjustPrivilegeToken (37 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 2240 gamesense.exe (once)
- Token: 33, 2240 gamesense.exe and Token: SeIncBasePriorityPrivilege, 2240 gamesense.exe, alternating for the remaining 36 entries
Suspicious use of WriteProcessMemory (4 IoCs)
Processes (description, pid, process, target process):
- PID 2240 wrote to memory of 2376: gamesense.exe -> netsh.exe (the same entry is recorded 4 times)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\gamesense.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\gamesense.exe"
  - Drops startup file
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\gamesense.exe" "gamesense.exe" ENABLE
    - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Umbrella.flv.exe
  Filesize: 93KB
  MD5: 63901be7c78d601cf4683b0bf7076674
  SHA1: a1e8a41ad2d1a3103bb74e59152b5b4cac4a745c
  SHA256: 90f099c2038ea56847b5b41f68cd96c43463af2976106fe094c4befd62a644ab
  SHA512: eefa4a121d67fae8d62ef147c5f05b979fd84f0d248ea8a521a9a6fbabdd18654f62406cc5cd39ae45f94ec5ef7cc98fdfaa405c955a98357c457cfebfa8f200
  (size and all four hashes are identical to the submitted sample gamesense.exe)
- memory/2240-0-0x00000000741D0000-0x000000007477B000-memory.dmp
  Filesize: 5.7MB
- memory/2240-1-0x0000000000520000-0x0000000000560000-memory.dmp
  Filesize: 256KB
- memory/2240-2-0x00000000741D0000-0x000000007477B000-memory.dmp
  Filesize: 5.7MB
- memory/2240-35-0x0000000000520000-0x0000000000560000-memory.dmp
  Filesize: 256KB
- memory/2240-34-0x00000000741D0000-0x000000007477B000-memory.dmp
  Filesize: 5.7MB