Overview

overview

8

Static

static

3

cryptolaemus

windows10-2004-x64

8

cryptolaemus

windows11-21h2-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-04-2024 13:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b.exe

  • Size

    2.4MB

  • MD5

    6184676075afacb9103ae8cbf542c1ed

  • SHA1

    bc757642ad2fcfd6d1da79c0754323cdc823a937

  • SHA256

    a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b

  • SHA512

    861ac361b585a069f2274b577b30f2a13baf72a60acd4f22da41885aee92c3975445150822f1072590d7b574ff54eb3abde6a6c4f800988ab9ff4344884f41fa

  • SSDEEP

    49152:zgwRFL9Hckjh40JEvPgb/KZabJq1Bk2oavWcEZEUrW9:zgwRJ98kj3JCPZznvW9EUK9

Score
8/10
evasion

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b.exe
    "C:\Users\Admin\AppData\Local\Temp\a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:912
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installg.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4664
      • C:\Windows\SysWOW64\sc.exe
        Sc delete GameServerClient
        3⤵
        • Launches sc.exe
        PID:3080
      • C:\Program Files (x86)\GameServerClient\GameService.exe
        GameService remove GameServerClient confirm
        3⤵
        • Executes dropped EXE
        PID:3804
      • C:\Program Files (x86)\GameServerClient\GameService.exe
        GameService install GameServerClient "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
        3⤵
        • Executes dropped EXE
        PID:5044
      • C:\Program Files (x86)\GameServerClient\GameService.exe
        GameService start GameServerClient
        3⤵
        • Executes dropped EXE
        PID:3980
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installc.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4412
      • C:\Windows\SysWOW64\sc.exe
        Sc delete GameServerClientC
        3⤵
        • Launches sc.exe
        PID:764
      • C:\Program Files (x86)\GameServerClient\GameService.exe
        GameService remove GameServerClientC confirm
        3⤵
        • Executes dropped EXE
        PID:3032
      • C:\Program Files (x86)\GameServerClient\GameService.exe
        GameService install GameServerClientC "C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
        3⤵
        • Executes dropped EXE
        PID:1356
      • C:\Program Files (x86)\GameServerClient\GameService.exe
        GameService start GameServerClientC
        3⤵
        • Executes dropped EXE
        PID:2532
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      2⤵
        PID:1704
    • C:\Program Files (x86)\GameServerClient\GameService.exe
      "C:\Program Files (x86)\GameServerClient\GameService.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:5060
      • C:\Program Files (x86)\GameServerClient\GameServerClient.exe
        "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Windows\Temp\493861.exe
          "C:\Windows\Temp\493861.exe" --list-devices
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:4580
    • C:\Program Files (x86)\GameServerClient\GameService.exe
      "C:\Program Files (x86)\GameServerClient\GameService.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:920
      • C:\Program Files (x86)\GameServerClient\GameServerClientC.exe
        "C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4484
        • C:\Windows\Temp\553228.exe
          "C:\Windows\Temp\553228.exe" --coin BTC -m ADDRESSES -t 0 --range 2ed2091b500000000:2ed2091b540000000 -o xxx0.txt -i C:\Windows\Temp\curjob.bin
          3⤵
          • Executes dropped EXE
          PID:4360

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\GameServerClient\GameServerClient.exe
      Filesize

      2.5MB

      MD5

      bf4360d76b38ed71a8ec2391f1985a5f

      SHA1

      57d28dc8fd4ac052d0ae32ca22143e7b57733003

      SHA256

      4ebec636d15203378e15cc11967d00cbd17e040db1fca85cf3c10bbf7451adaf

      SHA512

      7b46bc87dc384d8227adf5b538861165fa9efa18e28f2de5c1a1bb1a3a9f6bef29b449706c4d8e637ae9805bb51c8548cb761facf82d1c273d3e3699ae727acd

      Download Submit

    • C:\Program Files (x86)\GameServerClient\GameServerClientC.exe
      Filesize

      13.2MB

      MD5

      9c3cfd2a7e37af3ed81598469fcbe08a

      SHA1

      059bb3b9bb547feedc2bf07c89c9a604aaf04f3d

      SHA256

      6991a5928be7bfbb9a18f20bf00121371b4127f8295e5673303bfe044da8f715

      SHA512

      1b48d43d665cbe8588f984a588439d16aac12fc3a9c70cfbf223350221db0e60dedb1ad3b4b83d5b2e7352c3ee402884390647da3189af8e26c307eb5c679edf

      Download Submit

    • C:\Program Files (x86)\GameServerClient\GameService.exe
      Filesize

      288KB

      MD5

      d9ec6f3a3b2ac7cd5eef07bd86e3efbc

      SHA1

      e1908caab6f938404af85a7df0f80f877a4d9ee6

      SHA256

      472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c

      SHA512

      1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

      Download Submit

    • C:\Program Files (x86)\GameServerClient\installc.bat
      Filesize

      244B

      MD5

      a3d3d85bc0b7945908dd1a5eaf6e6266

      SHA1

      8979e79895226f2d05f8af1e10b99e8496348131

      SHA256

      3aad1c9feb23c9383ee7e5c8cb966afd262142b2e0124b8e9cda010ea53f24c6

      SHA512

      9184b09bdc10fb3ec981624f286ab4228917f8b1f5cbec7ee875d468c38461395d970d860e3ff99cb184e8839ed6c3ca85a9eaffdd24f15c74b311623c48f618

      Download Submit

    • C:\Program Files (x86)\GameServerClient\installg.bat
      Filesize

      238B

      MD5

      b6b57c523f3733580d973f0f79d5c609

      SHA1

      2cc30cfd66817274c84f71d46f60d9e578b7bf95

      SHA256

      d8d718641bdf39cca1a5db7bb52d3c66d400a97bef3cafdd81cd7e711a51c570

      SHA512

      d39440163592bc3b1cb7830f236a97d5819c10775e453637d5a04a981e9a336480c6b4701afdceba0d52dfe09413b7abe2ad58ff55b5057a26229f3ccdc3a7c7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
      Filesize

      300B

      MD5

      3ef297828343fa3c1e4a4e6132aeb68a

      SHA1

      14d09eff8b55d8ec17ab22b024f52ed37982fd46

      SHA256

      6cfe4d80575660bc122964282904bd90c6911d5b1084221b2bef25f72407e7ec

      SHA512

      e26a50ed4f98d24f3de1bb03adc7d4eca484689e5f22bc60affca452d9d094ba67e3f0b606942f1e33020c838a97cd66517252f2caff8915f8c33177765ecabf

      Download Submit

    • C:\Windows\Temp\493861.exe
      Filesize

      2.0MB

      MD5

      5c9e996ee95437c15b8d312932e72529

      SHA1

      eb174c76a8759f4b85765fa24d751846f4a2d2ef

      SHA256

      0eecdbfabaaef36f497e944a6ceb468d01824f3ae6457b4ae4b3ac8e95eebb55

      SHA512

      935102aad64da7eeb3e4b172488b3a0395298d480f885ecedc5d8325f0a9eabeea8ba1ece512753ac170a03016c80ba4990786ab608b4de0b11e6343fbf2192b

      Download Submit

    • C:\Windows\Temp\553228.exe
      Filesize

      13.1MB

      MD5

      bfe6b13011bbba05c28109cf6730f8a1

      SHA1

      28da37544341c3587c11c1f1f294505516434d40

      SHA256

      93fc509fc9fad8d0191ceb7fe43ae7be1ed176862eacf0f905120257b15ecbdd

      SHA512

      d717859dd8b04832588e9ada5f83a8e2953c6214364a189b1b731212a5d4cdd1ac441646339efc9484b38a49d518d70f09624028e0a12921d7f2778fd9982660

      Download Submit

    • C:\Windows\Temp\cudart64_101.dll
      Filesize

      398KB

      MD5

      1d7955354884a9058e89bb8ea34415c9

      SHA1

      62c046984afd51877ecadad1eca209fda74c8cb1

      SHA256

      111f216aef35f45086888c3f0a30bb9ab48e2b333daeddafd3a76be037a22a6e

      SHA512

      7eb8739841c476cda3cf4c8220998bc8c435c04a89c4bbef27b8f3b904762dede224552b4204d35935562aa73f258c4e0ddb69d065f732cb06cc357796cdd1b2

      Download Submit

    • C:\Windows\Temp\curjob.bin
      Filesize

      40B

      MD5

      514bb5d629f92acdc6dd805e31d59162

      SHA1

      870d57d0b691549fa2f15c27bb7a2456ac005f03

      SHA256

      c5058bd1e5c6b84c95518a0c0b37ca6cc3e5946f644572ba05b79178cbb8196d

      SHA512

      72177af5fd6064f70fe9058f90dde8a2a987b83687624df92e7a662dbc1dca514a2317fa2c44b4526c4c9c89a0835c65a0f987c888881658bd4db1d7ef7ca293

      Download Submit