Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows11-21h2_x64
- resource: win11-20240412-en
- resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 25-04-2024 13:18
Static task: static1
Behavioral task: behavioral1
- Sample: a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b.exe
- Resource: win10v2004-20240412-en
Behavioral task: behavioral2
- Sample: a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b.exe
- Resource: win11-20240412-en
General
- Target: a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b.exe
- Size: 2.4MB
- MD5: 6184676075afacb9103ae8cbf542c1ed
- SHA1: bc757642ad2fcfd6d1da79c0754323cdc823a937
- SHA256: a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b
- SHA512: 861ac361b585a069f2274b577b30f2a13baf72a60acd4f22da41885aee92c3975445150822f1072590d7b574ff54eb3abde6a6c4f800988ab9ff4344884f41fa
- SSDEEP: 49152:zgwRFL9Hckjh40JEvPgb/KZabJq1Bk2oavWcEZEUrW9:zgwRJ98kj3JCPZznvW9EUK9
Malware Config
Signatures
- Stops running service(s) (3 TTPs)
- Executes dropped EXE (12 IoCs)
  Processes:
  | PID  | Process               |
  |------|-----------------------|
  | 1816 | GameService.exe       |
  | 5376 | GameService.exe       |
  | 2160 | GameService.exe       |
  | 4868 | GameService.exe       |
  | 1192 | GameServerClient.exe  |
  | 3088 | 139852.exe            |
  | 3244 | GameService.exe       |
  | 1196 | GameService.exe       |
  | 2864 | GameService.exe       |
  | 2912 | GameService.exe       |
  | 3344 | GameServerClientC.exe |
  | 920  | 474515.exe            |
- Loads dropped DLL (1 IoC)
  Processes:
  | PID  | Process    |
  |------|------------|
  | 3088 | 139852.exe |
- Drops file in Program Files directory (10 IoCs)
  Processes (all by a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b.exe):
  | Description                  | IoC                                                           |
  |------------------------------|---------------------------------------------------------------|
  | File created                 | C:\Program Files (x86)\GameServerClient\GameService.exe       |
  | File created                 | C:\Program Files (x86)\GameServerClient\GameServerClient.exe  |
  | File created                 | C:\Program Files (x86)\GameServerClient\GameServerClientC.exe |
  | File opened for modification | C:\Program Files (x86)\GameServerClient\GameServerClientC.exe |
  | File created                 | C:\Program Files (x86)\GameServerClient\installc.bat          |
  | File created                 | C:\Program Files (x86)\GameServerClient\installg.bat          |
  | File opened for modification | C:\Program Files (x86)\GameServerClient\GameService.exe       |
  | File opened for modification | C:\Program Files (x86)\GameServerClient\GameServerClient.exe  |
  | File opened for modification | C:\Program Files (x86)\GameServerClient\installc.bat          |
  | File opened for modification | C:\Program Files (x86)\GameServerClient\installg.bat          |
- Launches sc.exe (2 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
  | PID  | Process |
  |------|---------|
  | 2344 | sc.exe  |
  | 5872 | sc.exe  |
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (41 IoCs)
  Processes (each row is one parent/target pair; "Events" is the number of write events recorded for it):
  | Source PID | Source process                                                       | Target PID | Target process        | Events |
  |------------|----------------------------------------------------------------------|------------|-----------------------|--------|
  | 4720       | a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b.exe | 5860       | cmd.exe               | 3      |
  | 5860       | cmd.exe                                                              | 2344       | sc.exe                | 3      |
  | 5860       | cmd.exe                                                              | 1816       | GameService.exe       | 3      |
  | 5860       | cmd.exe                                                              | 5376       | GameService.exe       | 3      |
  | 5860       | cmd.exe                                                              | 2160       | GameService.exe       | 3      |
  | 4868       | GameService.exe                                                      | 1192       | GameServerClient.exe  | 2      |
  | 1192       | GameServerClient.exe                                                 | 3088       | 139852.exe            | 2      |
  | 4720       | a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b.exe | 4848       | cmd.exe               | 3      |
  | 4848       | cmd.exe                                                              | 5872       | sc.exe                | 3      |
  | 4848       | cmd.exe                                                              | 3244       | GameService.exe       | 3      |
  | 4848       | cmd.exe                                                              | 1196       | GameService.exe       | 3      |
  | 4848       | cmd.exe                                                              | 2864       | GameService.exe       | 3      |
  | 2912       | GameService.exe                                                      | 3344       | GameServerClientC.exe | 2      |
  | 3344       | GameServerClientC.exe                                                | 920        | 474515.exe            | 2      |
  | 4720       | a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b.exe | 760        | cmd.exe               | 3      |
Processes (indentation shows the parent/child tree)
- C:\Users\Admin\AppData\Local\Temp\a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b.exe"
  Signatures: Drops file in Program Files directory; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installg.bat" "
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe
      Command line: Sc delete GameServerClient
      Signatures: Launches sc.exe
    - C:\Program Files (x86)\GameServerClient\GameService.exe
      Command line: GameService remove GameServerClient confirm
      Signatures: Executes dropped EXE
    - C:\Program Files (x86)\GameServerClient\GameService.exe
      Command line: GameService install GameServerClient "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
      Signatures: Executes dropped EXE
    - C:\Program Files (x86)\GameServerClient\GameService.exe
      Command line: GameService start GameServerClient
      Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installc.bat" "
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe
      Command line: Sc delete GameServerClientC
      Signatures: Launches sc.exe
    - C:\Program Files (x86)\GameServerClient\GameService.exe
      Command line: GameService remove GameServerClientC confirm
      Signatures: Executes dropped EXE
    - C:\Program Files (x86)\GameServerClient\GameService.exe
      Command line: GameService install GameServerClientC "C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
      Signatures: Executes dropped EXE
    - C:\Program Files (x86)\GameServerClient\GameService.exe
      Command line: GameService start GameServerClientC
      Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
- C:\Program Files (x86)\GameServerClient\GameService.exe
  Command line: "C:\Program Files (x86)\GameServerClient\GameService.exe"
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\GameServerClient\GameServerClient.exe
    Command line: "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\Temp\139852.exe
      Command line: "C:\Windows\Temp\139852.exe" --list-devices
      Signatures: Executes dropped EXE; Loads dropped DLL
- C:\Program Files (x86)\GameServerClient\GameService.exe
  Command line: "C:\Program Files (x86)\GameServerClient\GameService.exe"
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\GameServerClient\GameServerClientC.exe
    Command line: "C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\Temp\474515.exe
      Command line: "C:\Windows\Temp\474515.exe" --coin BTC -m ADDRESSES -t 0 --range 2ed2091b500000000:2ed2091b540000000 -o xxx0.txt -i C:\Windows\Temp\curjob.bin
      Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads (dropped files, with size)
- C:\Program Files (x86)\GameServerClient\GameServerClient.exe (2.5MB)
- C:\Program Files (x86)\GameServerClient\GameServerClientC.exe (13.2MB)
- C:\Program Files (x86)\GameServerClient\GameService.exe (288KB)
- C:\Program Files (x86)\GameServerClient\installc.bat (244B)
- C:\Program Files (x86)\GameServerClient\installg.bat (238B)
- C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd (300B)
- C:\Windows\Temp\139852.exe (2.0MB)
- C:\Windows\Temp\474515.exe (13.1MB)
- C:\Windows\Temp\cudart64_101.dll (398KB)
- C:\Windows\Temp\curjob.bin (40B)