c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70

Analysis

max time kernel
150s
max time network
126s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
23/04/2024, 14:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe
Size

2.4MB
MD5

55f780ea4dc5a5401b80915d69a55481
SHA1

5ebdde7f87637493de0a5e7a4ffcd59839672c4e
SHA256

c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70
SHA512

680ca9d6f5aa4d53e7083858bfd4d3fc71f567993968edc83ddf262e15b2ed06f07c5a4c47e65f4874074213adf3cd978b8eaa658563694caf013fb126948697
SSDEEP

49152:zgwRtL9Hckjh40JEvPXJnxNH0IHK61VW/2t+YKpEv6o2sUX7fEgvr:zgwRB98kj3JCPF71HKAV3+YAEaZ7fEgj

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 12 IoCs

pid	Process
2996	GameService.exe
4188	GameService.exe
3304	GameService.exe
2540	GameService.exe
3416	GameServerClient.exe
2436	91361.exe
2036	GameService.exe
2688	GameService.exe
3880	GameService.exe
1280	GameService.exe
668	GameServerClientC.exe
2572	955927.exe

Loads dropped DLL 1 IoCs

pid	Process
2436	91361.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GameServerClient\GameServerClientC.exe	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe
File opened for modification	C:\Program Files (x86)\GameServerClient\GameServerClientC.exe	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe
File created	C:\Program Files (x86)\GameServerClient\installc.bat	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe
File opened for modification	C:\Program Files (x86)\GameServerClient\GameService.exe	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe
File opened for modification	C:\Program Files (x86)\GameServerClient\GameServerClient.exe	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe
File created	C:\Program Files (x86)\GameServerClient\GameService.exe	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe
File created	C:\Program Files (x86)\GameServerClient\GameServerClient.exe	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe
File opened for modification	C:\Program Files (x86)\GameServerClient\installc.bat	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe
File created	C:\Program Files (x86)\GameServerClient\installg.bat	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe
File opened for modification	C:\Program Files (x86)\GameServerClient\installg.bat	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5084	sc.exe
5116	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 900	1648	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe	80
PID 1648 wrote to memory of 900	1648	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe	80
PID 1648 wrote to memory of 900	1648	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe	80
PID 900 wrote to memory of 5084	900	cmd.exe	82
PID 900 wrote to memory of 5084	900	cmd.exe	82
PID 900 wrote to memory of 5084	900	cmd.exe	82
PID 900 wrote to memory of 2996	900	cmd.exe	83
PID 900 wrote to memory of 2996	900	cmd.exe	83
PID 900 wrote to memory of 2996	900	cmd.exe	83
PID 900 wrote to memory of 4188	900	cmd.exe	84
PID 900 wrote to memory of 4188	900	cmd.exe	84
PID 900 wrote to memory of 4188	900	cmd.exe	84
PID 900 wrote to memory of 3304	900	cmd.exe	85
PID 900 wrote to memory of 3304	900	cmd.exe	85
PID 900 wrote to memory of 3304	900	cmd.exe	85
PID 2540 wrote to memory of 3416	2540	GameService.exe	88
PID 2540 wrote to memory of 3416	2540	GameService.exe	88
PID 3416 wrote to memory of 2436	3416	GameServerClient.exe	90
PID 3416 wrote to memory of 2436	3416	GameServerClient.exe	90
PID 1648 wrote to memory of 3300	1648	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe	91
PID 1648 wrote to memory of 3300	1648	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe	91
PID 1648 wrote to memory of 3300	1648	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe	91
PID 3300 wrote to memory of 5116	3300	cmd.exe	93
PID 3300 wrote to memory of 5116	3300	cmd.exe	93
PID 3300 wrote to memory of 5116	3300	cmd.exe	93
PID 3300 wrote to memory of 2036	3300	cmd.exe	94
PID 3300 wrote to memory of 2036	3300	cmd.exe	94
PID 3300 wrote to memory of 2036	3300	cmd.exe	94
PID 3300 wrote to memory of 2688	3300	cmd.exe	95
PID 3300 wrote to memory of 2688	3300	cmd.exe	95
PID 3300 wrote to memory of 2688	3300	cmd.exe	95
PID 3300 wrote to memory of 3880	3300	cmd.exe	96
PID 3300 wrote to memory of 3880	3300	cmd.exe	96
PID 3300 wrote to memory of 3880	3300	cmd.exe	96
PID 1280 wrote to memory of 668	1280	GameService.exe	99
PID 1280 wrote to memory of 668	1280	GameService.exe	99
PID 668 wrote to memory of 2572	668	GameServerClientC.exe	100
PID 668 wrote to memory of 2572	668	GameServerClientC.exe	100
PID 1648 wrote to memory of 4876	1648	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe	101
PID 1648 wrote to memory of 4876	1648	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe	101
PID 1648 wrote to memory of 4876	1648	c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe	101

C:\Users\Admin\AppData\Local\Temp\c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe
"C:\Users\Admin\AppData\Local\Temp\c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installg.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Windows\SysWOW64\sc.exe
    Sc delete GameServerClient
    3⤵
    - Launches sc.exe
    PID:5084
- - C:\Program Files (x86)\GameServerClient\GameService.exe
    GameService remove GameServerClient confirm
    3⤵
    - Executes dropped EXE
    PID:2996
- - C:\Program Files (x86)\GameServerClient\GameService.exe
    GameService install GameServerClient "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
    3⤵
    - Executes dropped EXE
    PID:4188
- - C:\Program Files (x86)\GameServerClient\GameService.exe
    GameService start GameServerClient
    3⤵
    - Executes dropped EXE
    PID:3304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installc.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Windows\SysWOW64\sc.exe
    Sc delete GameServerClientC
    3⤵
    - Launches sc.exe
    PID:5116
- - C:\Program Files (x86)\GameServerClient\GameService.exe
    GameService remove GameServerClientC confirm
    3⤵
    - Executes dropped EXE
    PID:2036
- - C:\Program Files (x86)\GameServerClient\GameService.exe
    GameService install GameServerClientC "C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
    3⤵
    - Executes dropped EXE
    PID:2688
- - C:\Program Files (x86)\GameServerClient\GameService.exe
    GameService start GameServerClientC
    3⤵
    - Executes dropped EXE
    PID:3880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  PID:4876

C:\Program Files (x86)\GameServerClient\GameService.exe
"C:\Program Files (x86)\GameServerClient\GameService.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Program Files (x86)\GameServerClient\GameServerClient.exe
  "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Windows\Temp\91361.exe
    "C:\Windows\Temp\91361.exe" --list-devices
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2436

C:\Program Files (x86)\GameServerClient\GameService.exe
"C:\Program Files (x86)\GameServerClient\GameService.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Program Files (x86)\GameServerClient\GameServerClientC.exe
  "C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\Temp\955927.exe
    "C:\Windows\Temp\955927.exe" --coin BTC -m ADDRESSES -t 0 --range 319e9147380000000:319e91473a0000000 -o xxx0.txt -i C:\Windows\Temp\curjob.bin
    3⤵
    - Executes dropped EXE
    PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GameServerClient\GameServerClient.exe

Filesize
2.5MB

MD5
bf4360d76b38ed71a8ec2391f1985a5f

SHA1
57d28dc8fd4ac052d0ae32ca22143e7b57733003

SHA256
4ebec636d15203378e15cc11967d00cbd17e040db1fca85cf3c10bbf7451adaf

SHA512
7b46bc87dc384d8227adf5b538861165fa9efa18e28f2de5c1a1bb1a3a9f6bef29b449706c4d8e637ae9805bb51c8548cb761facf82d1c273d3e3699ae727acd

Download Submit
C:\Program Files (x86)\GameServerClient\GameServerClientC.exe

Filesize
13.2MB

MD5
41b332ddc0b2faad06c4e94f689803af

SHA1
f30985161ff56a9a6af7e8c5e666494513e587ba

SHA256
49c32c99e5602a6fa8c8d0df198f0e3bb530777384d5103e90630a1b94f65ab0

SHA512
808b9c909741ebe64feb24c18b5dd9a802501adaa793670b899cdb26375baa0d35095b74cde768c462a085d76c4129abe7c8523132f5836c4e1ea2b081b755e1

Download Submit
C:\Program Files (x86)\GameServerClient\GameService.exe

Filesize
288KB

MD5
d9ec6f3a3b2ac7cd5eef07bd86e3efbc

SHA1
e1908caab6f938404af85a7df0f80f877a4d9ee6

SHA256
472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c

SHA512
1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

Download Submit
C:\Program Files (x86)\GameServerClient\installc.bat

Filesize
244B

MD5
a3d3d85bc0b7945908dd1a5eaf6e6266

SHA1
8979e79895226f2d05f8af1e10b99e8496348131

SHA256
3aad1c9feb23c9383ee7e5c8cb966afd262142b2e0124b8e9cda010ea53f24c6

SHA512
9184b09bdc10fb3ec981624f286ab4228917f8b1f5cbec7ee875d468c38461395d970d860e3ff99cb184e8839ed6c3ca85a9eaffdd24f15c74b311623c48f618

Download Submit
C:\Program Files (x86)\GameServerClient\installg.bat

Filesize
238B

MD5
b6b57c523f3733580d973f0f79d5c609

SHA1
2cc30cfd66817274c84f71d46f60d9e578b7bf95

SHA256
d8d718641bdf39cca1a5db7bb52d3c66d400a97bef3cafdd81cd7e711a51c570

SHA512
d39440163592bc3b1cb7830f236a97d5819c10775e453637d5a04a981e9a336480c6b4701afdceba0d52dfe09413b7abe2ad58ff55b5057a26229f3ccdc3a7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
300B

MD5
f4642873a793f4d4976f9f8d5202661f

SHA1
8a9197c6b042f9132cbe1a0170e3f7314dc289e4

SHA256
6bba718313322bf326c9dfe517562061ac108eadde857f3e0861fd742cef2cbd

SHA512
e6067dee7e8a52b9ca05bf0655891dda222b0fefd68198f02c56b691f65c238198cabb96122967d9fee4c0933c68531530e3c3666edda99fa3a2f5b307455261

Download Submit
C:\Windows\Temp\91361.exe

Filesize
2.0MB

MD5
5c9e996ee95437c15b8d312932e72529

SHA1
eb174c76a8759f4b85765fa24d751846f4a2d2ef

SHA256
0eecdbfabaaef36f497e944a6ceb468d01824f3ae6457b4ae4b3ac8e95eebb55

SHA512
935102aad64da7eeb3e4b172488b3a0395298d480f885ecedc5d8325f0a9eabeea8ba1ece512753ac170a03016c80ba4990786ab608b4de0b11e6343fbf2192b

Download Submit
C:\Windows\Temp\955927.exe

Filesize
13.1MB

MD5
bfe6b13011bbba05c28109cf6730f8a1

SHA1
28da37544341c3587c11c1f1f294505516434d40

SHA256
93fc509fc9fad8d0191ceb7fe43ae7be1ed176862eacf0f905120257b15ecbdd

SHA512
d717859dd8b04832588e9ada5f83a8e2953c6214364a189b1b731212a5d4cdd1ac441646339efc9484b38a49d518d70f09624028e0a12921d7f2778fd9982660

Download Submit
C:\Windows\Temp\cudart64_101.dll

Filesize
398KB

MD5
1d7955354884a9058e89bb8ea34415c9

SHA1
62c046984afd51877ecadad1eca209fda74c8cb1

SHA256
111f216aef35f45086888c3f0a30bb9ab48e2b333daeddafd3a76be037a22a6e

SHA512
7eb8739841c476cda3cf4c8220998bc8c435c04a89c4bbef27b8f3b904762dede224552b4204d35935562aa73f258c4e0ddb69d065f732cb06cc357796cdd1b2

Download Submit
C:\Windows\Temp\curjob.bin

Filesize
40B

MD5
35b9e9e6454dedaf2a8214d6ab2733c3

SHA1
6e257cc8dcebe0a21ca72d95c5701d862ed7b3a9

SHA256
620bf426190c1e3a0ba6aa5b895d4a66d79d4f52159c297132bb7abc2afbf4ee

SHA512
720ddf7a45b8e01cf682f6d91d747e42006c7eb6c4a879d347e95367502eddffeb32b1331513f7b3fec2b4430f38b56d5cf1e88d77c6269ceb12d6c584e2bae0

Download Submit