a670dc5cb86c5aba1a4fcde0fcc45c4b5aae4304c71c48848c037cb11c50219a

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GrfCL/Make a GRF from specific files.bat
Size

603B
MD5

d8ee475ea9a85e5bff0d785b062769b7
SHA1

8ffa8e0810c5ee85c448942e7883188d90270d80
SHA256

7fae0ad938a1b59779dfe48038aea1ac6d56a3e1c8a9a54f16861192b283744c
SHA512

520e3a6c00c37744d89f1271919217fa15996c6bf0544ac89ee7332e7edaf02d97537784203257d2ac30ebfd7593518a9153ae9e92dd22b29fc5cffadd3847c1

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2968	GrfCL.exe
2968	GrfCL.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2968	GrfCL.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2968	2908	cmd.exe	29
PID 2908 wrote to memory of 2968	2908	cmd.exe	29
PID 2908 wrote to memory of 2968	2908	cmd.exe	29
PID 2908 wrote to memory of 2968	2908	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\GrfCL\Make a GRF from specific files.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\GrfCL\GrfCL.exe
  GrfCL.exe -breakOnExceptions true -new -add "data\texture" data\texture\kung_gi_02.bmp data\texture\kung_sa_01.bmp -add "data" data\ba_chess.gnd -add "data\sprite\╕≤╜║┼═" "data\sprite\╕≤╜║┼═\high_orc.spr" -save example.grf -write "Finished writing the new GRF!" -shellOpen example.grf -break
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\GrfCL\tmp\cps.dll

Filesize
72KB

MD5
aa0af6f7cc27b34497fbf44118a50a43

SHA1
7309cfe429fa4d8090b922c24b1663f8c09c38c6

SHA256
0c02edb2952ce0e983de43b7f5919bfe63df1a20be6e151f72c6640e9f2b4d4b

SHA512
a4d92d5169f5a10110f26f841dc28283404145f89d52ca28d2ca80bab5b0873e946f431c5c563eac3ca519d94678a4a604d7cf802c7dfdfbeb664b409d008dea

Download Submit
\Users\Admin\AppData\Local\Temp\GrfCL\tmp\lzma.dll

Filesize
77KB

MD5
a8bd77e9fe1480c81a7f44b3734c6071

SHA1
81a6359d90622c4b63e57d872f98e45604e85f2d

SHA256
0f0fd127278e80f74832003518688859b5e4e17820206224ea145a6f17352a4e

SHA512
e75427360fbd8ece3aa427a298aa5958eca890bd5c5fcd3db7be8c26360293ee1cb96199e70f042a35e482c30c37df7d9eca7864999508bf9a4dfdd95d77dd3a

Download Submit
memory/2968-3-0x0000000000230000-0x0000000000238000-memory.dmp

Filesize
32KB

Download
memory/2968-1-0x0000000074820000-0x0000000074F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2968-4-0x0000000000360000-0x000000000037E000-memory.dmp

Filesize
120KB

Download
memory/2968-5-0x0000000004A70000-0x0000000004BA2000-memory.dmp

Filesize
1.2MB

Download
memory/2968-6-0x0000000000850000-0x000000000087A000-memory.dmp

Filesize
168KB

Download
memory/2968-7-0x0000000000880000-0x0000000000888000-memory.dmp

Filesize
32KB

Download
memory/2968-2-0x0000000004930000-0x0000000004970000-memory.dmp

Filesize
256KB

Download
memory/2968-0-0x0000000000BB0000-0x0000000000D94000-memory.dmp

Filesize
1.9MB

Download
memory/2968-27-0x0000000000A80000-0x0000000000A94000-memory.dmp

Filesize
80KB

Download
memory/2968-29-0x0000000002470000-0x0000000002472000-memory.dmp

Filesize
8KB

Download
memory/2968-30-0x0000000074820000-0x0000000074F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2968-31-0x0000000004930000-0x0000000004970000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads