Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
25-04-2024 13:18
General
-
Target
a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b.exe
-
Size
2.4MB
-
MD5
6184676075afacb9103ae8cbf542c1ed
-
SHA1
bc757642ad2fcfd6d1da79c0754323cdc823a937
-
SHA256
a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b
-
SHA512
861ac361b585a069f2274b577b30f2a13baf72a60acd4f22da41885aee92c3975445150822f1072590d7b574ff54eb3abde6a6c4f800988ab9ff4344884f41fa
-
SSDEEP
49152:zgwRFL9Hckjh40JEvPgb/KZabJq1Bk2oavWcEZEUrW9:zgwRJ98kj3JCPZznvW9EUK9
Malware Config
Signatures
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops file in Program Files directory 10 IoCs
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b.exe"C:\Users\Admin\AppData\Local\Temp\a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installg.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exeSc delete GameServerClient3⤵
- Launches sc.exe
-
C:\Program Files (x86)\GameServerClient\GameService.exeGameService remove GameServerClient confirm3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameServerClient\GameService.exeGameService install GameServerClient "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameServerClient\GameService.exeGameService start GameServerClient3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installc.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exeSc delete GameServerClientC3⤵
- Launches sc.exe
-
C:\Program Files (x86)\GameServerClient\GameService.exeGameService remove GameServerClientC confirm3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameServerClient\GameService.exeGameService install GameServerClientC "C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameServerClient\GameService.exeGameService start GameServerClientC3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "2⤵
-
C:\Program Files (x86)\GameServerClient\GameService.exe"C:\Program Files (x86)\GameServerClient\GameService.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\GameServerClient\GameServerClient.exe"C:\Program Files (x86)\GameServerClient\GameServerClient.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\493861.exe"C:\Windows\Temp\493861.exe" --list-devices3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\GameServerClient\GameService.exe"C:\Program Files (x86)\GameServerClient\GameService.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\553228.exe"C:\Windows\Temp\553228.exe" --coin BTC -m ADDRESSES -t 0 --range 2ed2091b500000000:2ed2091b540000000 -o xxx0.txt -i C:\Windows\Temp\curjob.bin3⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\GameServerClient\GameServerClient.exeFilesize
2.5MB
MD5bf4360d76b38ed71a8ec2391f1985a5f
SHA157d28dc8fd4ac052d0ae32ca22143e7b57733003
SHA2564ebec636d15203378e15cc11967d00cbd17e040db1fca85cf3c10bbf7451adaf
SHA5127b46bc87dc384d8227adf5b538861165fa9efa18e28f2de5c1a1bb1a3a9f6bef29b449706c4d8e637ae9805bb51c8548cb761facf82d1c273d3e3699ae727acd
-
C:\Program Files (x86)\GameServerClient\GameServerClientC.exeFilesize
13.2MB
MD59c3cfd2a7e37af3ed81598469fcbe08a
SHA1059bb3b9bb547feedc2bf07c89c9a604aaf04f3d
SHA2566991a5928be7bfbb9a18f20bf00121371b4127f8295e5673303bfe044da8f715
SHA5121b48d43d665cbe8588f984a588439d16aac12fc3a9c70cfbf223350221db0e60dedb1ad3b4b83d5b2e7352c3ee402884390647da3189af8e26c307eb5c679edf
-
C:\Program Files (x86)\GameServerClient\GameService.exeFilesize
288KB
MD5d9ec6f3a3b2ac7cd5eef07bd86e3efbc
SHA1e1908caab6f938404af85a7df0f80f877a4d9ee6
SHA256472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c
SHA5121b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4
-
C:\Program Files (x86)\GameServerClient\installc.batFilesize
244B
MD5a3d3d85bc0b7945908dd1a5eaf6e6266
SHA18979e79895226f2d05f8af1e10b99e8496348131
SHA2563aad1c9feb23c9383ee7e5c8cb966afd262142b2e0124b8e9cda010ea53f24c6
SHA5129184b09bdc10fb3ec981624f286ab4228917f8b1f5cbec7ee875d468c38461395d970d860e3ff99cb184e8839ed6c3ca85a9eaffdd24f15c74b311623c48f618
-
C:\Program Files (x86)\GameServerClient\installg.batFilesize
238B
MD5b6b57c523f3733580d973f0f79d5c609
SHA12cc30cfd66817274c84f71d46f60d9e578b7bf95
SHA256d8d718641bdf39cca1a5db7bb52d3c66d400a97bef3cafdd81cd7e711a51c570
SHA512d39440163592bc3b1cb7830f236a97d5819c10775e453637d5a04a981e9a336480c6b4701afdceba0d52dfe09413b7abe2ad58ff55b5057a26229f3ccdc3a7c7
-
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmdFilesize
300B
MD53ef297828343fa3c1e4a4e6132aeb68a
SHA114d09eff8b55d8ec17ab22b024f52ed37982fd46
SHA2566cfe4d80575660bc122964282904bd90c6911d5b1084221b2bef25f72407e7ec
SHA512e26a50ed4f98d24f3de1bb03adc7d4eca484689e5f22bc60affca452d9d094ba67e3f0b606942f1e33020c838a97cd66517252f2caff8915f8c33177765ecabf
-
C:\Windows\Temp\493861.exeFilesize
2.0MB
MD55c9e996ee95437c15b8d312932e72529
SHA1eb174c76a8759f4b85765fa24d751846f4a2d2ef
SHA2560eecdbfabaaef36f497e944a6ceb468d01824f3ae6457b4ae4b3ac8e95eebb55
SHA512935102aad64da7eeb3e4b172488b3a0395298d480f885ecedc5d8325f0a9eabeea8ba1ece512753ac170a03016c80ba4990786ab608b4de0b11e6343fbf2192b
-
C:\Windows\Temp\553228.exeFilesize
13.1MB
MD5bfe6b13011bbba05c28109cf6730f8a1
SHA128da37544341c3587c11c1f1f294505516434d40
SHA25693fc509fc9fad8d0191ceb7fe43ae7be1ed176862eacf0f905120257b15ecbdd
SHA512d717859dd8b04832588e9ada5f83a8e2953c6214364a189b1b731212a5d4cdd1ac441646339efc9484b38a49d518d70f09624028e0a12921d7f2778fd9982660
-
C:\Windows\Temp\cudart64_101.dllFilesize
398KB
MD51d7955354884a9058e89bb8ea34415c9
SHA162c046984afd51877ecadad1eca209fda74c8cb1
SHA256111f216aef35f45086888c3f0a30bb9ab48e2b333daeddafd3a76be037a22a6e
SHA5127eb8739841c476cda3cf4c8220998bc8c435c04a89c4bbef27b8f3b904762dede224552b4204d35935562aa73f258c4e0ddb69d065f732cb06cc357796cdd1b2
-
C:\Windows\Temp\curjob.binFilesize
40B
MD5514bb5d629f92acdc6dd805e31d59162
SHA1870d57d0b691549fa2f15c27bb7a2456ac005f03
SHA256c5058bd1e5c6b84c95518a0c0b37ca6cc3e5946f644572ba05b79178cbb8196d
SHA51272177af5fd6064f70fe9058f90dde8a2a987b83687624df92e7a662dbc1dca514a2317fa2c44b4526c4c9c89a0835c65a0f987c888881658bd4db1d7ef7ca293