c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70

Analysis

max time kernel
150s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2024, 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe
Size

2.4MB
MD5

55f780ea4dc5a5401b80915d69a55481
SHA1

5ebdde7f87637493de0a5e7a4ffcd59839672c4e
SHA256

c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70
SHA512

680ca9d6f5aa4d53e7083858bfd4d3fc71f567993968edc83ddf262e15b2ed06f07c5a4c47e65f4874074213adf3cd978b8eaa658563694caf013fb126948697
SSDEEP

49152:zgwRtL9Hckjh40JEvPXJnxNH0IHK61VW/2t+YKpEv6o2sUX7fEgvr:zgwRB98kj3JCPF71HKAV3+YAEaZ7fEgj

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe

Executes dropped EXE 12 IoCs

pid	Process
5440	GameService.exe
2108	GameService.exe
2240	GameService.exe
4040	GameService.exe
3016	GameServerClient.exe
4932	782136.exe
5252	GameService.exe
412	GameService.exe
5660	GameService.exe
5076	GameService.exe
2540	GameServerClientC.exe
5748	630194.exe

Loads dropped DLL 1 IoCs

pid	Process
4932	782136.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GameServerClient\GameServerClient.exe	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe
File created	C:\Program Files (x86)\GameServerClient\GameServerClientC.exe	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe
File created	C:\Program Files (x86)\GameServerClient\installc.bat	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe
File created	C:\Program Files (x86)\GameServerClient\installg.bat	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe
File opened for modification	C:\Program Files (x86)\GameServerClient\GameService.exe	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe
File created	C:\Program Files (x86)\GameServerClient\GameServerClient.exe	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe
File opened for modification	C:\Program Files (x86)\GameServerClient\GameServerClientC.exe	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe
File opened for modification	C:\Program Files (x86)\GameServerClient\installc.bat	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe
File opened for modification	C:\Program Files (x86)\GameServerClient\installg.bat	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe
File created	C:\Program Files (x86)\GameServerClient\GameService.exe	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5424	sc.exe
5024	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 6016 wrote to memory of 5104	6016	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe	87
PID 6016 wrote to memory of 5104	6016	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe	87
PID 6016 wrote to memory of 5104	6016	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe	87
PID 5104 wrote to memory of 5424	5104	cmd.exe	89
PID 5104 wrote to memory of 5424	5104	cmd.exe	89
PID 5104 wrote to memory of 5424	5104	cmd.exe	89
PID 5104 wrote to memory of 5440	5104	cmd.exe	90
PID 5104 wrote to memory of 5440	5104	cmd.exe	90
PID 5104 wrote to memory of 5440	5104	cmd.exe	90
PID 5104 wrote to memory of 2108	5104	cmd.exe	91
PID 5104 wrote to memory of 2108	5104	cmd.exe	91
PID 5104 wrote to memory of 2108	5104	cmd.exe	91
PID 5104 wrote to memory of 2240	5104	cmd.exe	92
PID 5104 wrote to memory of 2240	5104	cmd.exe	92
PID 5104 wrote to memory of 2240	5104	cmd.exe	92
PID 4040 wrote to memory of 3016	4040	GameService.exe	96
PID 4040 wrote to memory of 3016	4040	GameService.exe	96
PID 3016 wrote to memory of 4932	3016	GameServerClient.exe	97
PID 3016 wrote to memory of 4932	3016	GameServerClient.exe	97
PID 6016 wrote to memory of 3516	6016	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe	100
PID 6016 wrote to memory of 3516	6016	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe	100
PID 6016 wrote to memory of 3516	6016	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe	100
PID 3516 wrote to memory of 5024	3516	cmd.exe	102
PID 3516 wrote to memory of 5024	3516	cmd.exe	102
PID 3516 wrote to memory of 5024	3516	cmd.exe	102
PID 3516 wrote to memory of 5252	3516	cmd.exe	103
PID 3516 wrote to memory of 5252	3516	cmd.exe	103
PID 3516 wrote to memory of 5252	3516	cmd.exe	103
PID 3516 wrote to memory of 412	3516	cmd.exe	104
PID 3516 wrote to memory of 412	3516	cmd.exe	104
PID 3516 wrote to memory of 412	3516	cmd.exe	104
PID 3516 wrote to memory of 5660	3516	cmd.exe	105
PID 3516 wrote to memory of 5660	3516	cmd.exe	105
PID 3516 wrote to memory of 5660	3516	cmd.exe	105
PID 5076 wrote to memory of 2540	5076	GameService.exe	109
PID 5076 wrote to memory of 2540	5076	GameService.exe	109
PID 2540 wrote to memory of 5748	2540	GameServerClientC.exe	113
PID 2540 wrote to memory of 5748	2540	GameServerClientC.exe	113
PID 6016 wrote to memory of 1896	6016	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe	117
PID 6016 wrote to memory of 1896	6016	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe	117
PID 6016 wrote to memory of 1896	6016	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe	117

C:\Users\Admin\AppData\Local\Temp\c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe
"C:\Users\Admin\AppData\Local\Temp\c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:6016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installg.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\SysWOW64\sc.exe
    Sc delete GameServerClient
    3⤵
    - Launches sc.exe
    PID:5424
- - C:\Program Files (x86)\GameServerClient\GameService.exe
    GameService remove GameServerClient confirm
    3⤵
    - Executes dropped EXE
    PID:5440
- - C:\Program Files (x86)\GameServerClient\GameService.exe
    GameService install GameServerClient "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
    3⤵
    - Executes dropped EXE
    PID:2108
- - C:\Program Files (x86)\GameServerClient\GameService.exe
    GameService start GameServerClient
    3⤵
    - Executes dropped EXE
    PID:2240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installc.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\SysWOW64\sc.exe
    Sc delete GameServerClientC
    3⤵
    - Launches sc.exe
    PID:5024
- - C:\Program Files (x86)\GameServerClient\GameService.exe
    GameService remove GameServerClientC confirm
    3⤵
    - Executes dropped EXE
    PID:5252
- - C:\Program Files (x86)\GameServerClient\GameService.exe
    GameService install GameServerClientC "C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
    3⤵
    - Executes dropped EXE
    PID:412
- - C:\Program Files (x86)\GameServerClient\GameService.exe
    GameService start GameServerClientC
    3⤵
    - Executes dropped EXE
    PID:5660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  PID:1896

C:\Program Files (x86)\GameServerClient\GameService.exe
"C:\Program Files (x86)\GameServerClient\GameService.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Program Files (x86)\GameServerClient\GameServerClient.exe
  "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\Temp\782136.exe
    "C:\Windows\Temp\782136.exe" --list-devices
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4932

C:\Program Files (x86)\GameServerClient\GameService.exe
"C:\Program Files (x86)\GameServerClient\GameService.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Program Files (x86)\GameServerClient\GameServerClientC.exe
  "C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\Temp\630194.exe
    "C:\Windows\Temp\630194.exe" --coin BTC -m ADDRESSES -t 0 --range 380ae9a4a20000000:380ae9a4a40000000 -o xxx0.txt -i C:\Windows\Temp\curjob.bin
    3⤵
    - Executes dropped EXE
    PID:5748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GameServerClient\GameServerClient.exe

Filesize
2.5MB

MD5
bf4360d76b38ed71a8ec2391f1985a5f

SHA1
57d28dc8fd4ac052d0ae32ca22143e7b57733003

SHA256
4ebec636d15203378e15cc11967d00cbd17e040db1fca85cf3c10bbf7451adaf

SHA512
7b46bc87dc384d8227adf5b538861165fa9efa18e28f2de5c1a1bb1a3a9f6bef29b449706c4d8e637ae9805bb51c8548cb761facf82d1c273d3e3699ae727acd

Download Submit
C:\Program Files (x86)\GameServerClient\GameServerClientC.exe

Filesize
13.2MB

MD5
41b332ddc0b2faad06c4e94f689803af

SHA1
f30985161ff56a9a6af7e8c5e666494513e587ba

SHA256
49c32c99e5602a6fa8c8d0df198f0e3bb530777384d5103e90630a1b94f65ab0

SHA512
808b9c909741ebe64feb24c18b5dd9a802501adaa793670b899cdb26375baa0d35095b74cde768c462a085d76c4129abe7c8523132f5836c4e1ea2b081b755e1

Download Submit
C:\Program Files (x86)\GameServerClient\GameService.exe

Filesize
288KB

MD5
d9ec6f3a3b2ac7cd5eef07bd86e3efbc

SHA1
e1908caab6f938404af85a7df0f80f877a4d9ee6

SHA256
472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c

SHA512
1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

Download Submit
C:\Program Files (x86)\GameServerClient\installc.bat

Filesize
244B

MD5
a3d3d85bc0b7945908dd1a5eaf6e6266

SHA1
8979e79895226f2d05f8af1e10b99e8496348131

SHA256
3aad1c9feb23c9383ee7e5c8cb966afd262142b2e0124b8e9cda010ea53f24c6

SHA512
9184b09bdc10fb3ec981624f286ab4228917f8b1f5cbec7ee875d468c38461395d970d860e3ff99cb184e8839ed6c3ca85a9eaffdd24f15c74b311623c48f618

Download Submit
C:\Program Files (x86)\GameServerClient\installg.bat

Filesize
238B

MD5
b6b57c523f3733580d973f0f79d5c609

SHA1
2cc30cfd66817274c84f71d46f60d9e578b7bf95

SHA256
d8d718641bdf39cca1a5db7bb52d3c66d400a97bef3cafdd81cd7e711a51c570

SHA512
d39440163592bc3b1cb7830f236a97d5819c10775e453637d5a04a981e9a336480c6b4701afdceba0d52dfe09413b7abe2ad58ff55b5057a26229f3ccdc3a7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
300B

MD5
f4642873a793f4d4976f9f8d5202661f

SHA1
8a9197c6b042f9132cbe1a0170e3f7314dc289e4

SHA256
6bba718313322bf326c9dfe517562061ac108eadde857f3e0861fd742cef2cbd

SHA512
e6067dee7e8a52b9ca05bf0655891dda222b0fefd68198f02c56b691f65c238198cabb96122967d9fee4c0933c68531530e3c3666edda99fa3a2f5b307455261

Download Submit
C:\Windows\Temp\630194.exe

Filesize
13.1MB

MD5
bfe6b13011bbba05c28109cf6730f8a1

SHA1
28da37544341c3587c11c1f1f294505516434d40

SHA256
93fc509fc9fad8d0191ceb7fe43ae7be1ed176862eacf0f905120257b15ecbdd

SHA512
d717859dd8b04832588e9ada5f83a8e2953c6214364a189b1b731212a5d4cdd1ac441646339efc9484b38a49d518d70f09624028e0a12921d7f2778fd9982660

Download Submit
C:\Windows\Temp\782136.exe

Filesize
2.0MB

MD5
5c9e996ee95437c15b8d312932e72529

SHA1
eb174c76a8759f4b85765fa24d751846f4a2d2ef

SHA256
0eecdbfabaaef36f497e944a6ceb468d01824f3ae6457b4ae4b3ac8e95eebb55

SHA512
935102aad64da7eeb3e4b172488b3a0395298d480f885ecedc5d8325f0a9eabeea8ba1ece512753ac170a03016c80ba4990786ab608b4de0b11e6343fbf2192b

Download Submit
C:\Windows\Temp\cudart64_101.dll

Filesize
398KB

MD5
1d7955354884a9058e89bb8ea34415c9

SHA1
62c046984afd51877ecadad1eca209fda74c8cb1

SHA256
111f216aef35f45086888c3f0a30bb9ab48e2b333daeddafd3a76be037a22a6e

SHA512
7eb8739841c476cda3cf4c8220998bc8c435c04a89c4bbef27b8f3b904762dede224552b4204d35935562aa73f258c4e0ddb69d065f732cb06cc357796cdd1b2

Download Submit
C:\Windows\Temp\curjob.bin

Filesize
40B

MD5
8a5690540565cf5dcf1a1e4d11799f00

SHA1
5a7227a232ca3ebe7a542ee79aeb090077109e08

SHA256
6ffb7accf49ed880c8d7263a5550507988771a3b34682d214c714ce059ea7ca7

SHA512
53af8d6406aca268413f38483c6d4d3d4a9b13ddb1c1b7404a9c937672c0b47d6269e6269bc3caeb31edb21e0338187352278bfd0d346776ba05e35a1118025c

Download Submit