7e7a07eb82913a55b139630604f80586c414be285ed0e588e72f50815ab07ea4

General

Target

loader_2.exe
Size

15.8MB
MD5

f9ad8a7c92d0921a26e24f29930d6a5a
SHA1

3b9435006ebb4e19cea30409386e0a5cdabf77c2
SHA256

7e7a07eb82913a55b139630604f80586c414be285ed0e588e72f50815ab07ea4
SHA512

3e7accb79af061a1895049f069877c6d30a2da7be5700bbf44b0ed2259fa689dbdf25c9a5c498414b10409fc744caebde3d5f5bd011227ebc38148486feff6fe
SSDEEP

393216:YVEe/6F7EkUN3GBYzInRdGlSohPvdHbEuHL23HYQKCI:X261YWqwG4SXd7E4iIdCI

Score

10^/10

ransomware

Malware Config

Signatures

Deletes NTFS Change Journal 2 TTPs 1 IoCs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
ransomware

Inhibit System Recovery
T1490

Data Destruction
T1485

Processes:

fsutil.exe

pid process

4328 fsutil.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

loader_2.exeGamePanel.exe

pid process

2940 loader_2.exe
3144 GamePanel.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

loader_2.exe

description pid process target process

PID 2940 set thread context of 3144 2940 loader_2.exe GamePanel.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

4016 sc.exe
2668 sc.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3888 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2412 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

loader_2.exeGamePanel.exe

pid process

2940 loader_2.exe
2940 loader_2.exe
3144 GamePanel.exe
3144 GamePanel.exe

pid	process
4328	fsutil.exe

pid	process
2940	loader_2.exe
3144	GamePanel.exe

description	pid	process	target process
PID 2940 set thread context of 3144	2940	loader_2.exe	GamePanel.exe

pid	process
4016	sc.exe
2668	sc.exe

pid	process
3888	taskkill.exe

pid	process
2412	PING.EXE

pid	process
2940	loader_2.exe
2940	loader_2.exe
3144	GamePanel.exe
3144	GamePanel.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

GamePanel.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3144	GamePanel.exe
Token: SeTakeOwnershipPrivilege	3144	GamePanel.exe
Token: SeLoadDriverPrivilege	3144	GamePanel.exe
Token: SeShutdownPrivilege	3144	GamePanel.exe
Token: SeDebugPrivilege	3888	taskkill.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

loader_2.execmd.exeGamePanel.exe

description	pid	process	target process
PID 2940 wrote to memory of 3144	2940	loader_2.exe	GamePanel.exe
PID 2940 wrote to memory of 3144	2940	loader_2.exe	GamePanel.exe
PID 2940 wrote to memory of 3144	2940	loader_2.exe	GamePanel.exe
PID 2940 wrote to memory of 3144	2940	loader_2.exe	GamePanel.exe
PID 2940 wrote to memory of 3144	2940	loader_2.exe	GamePanel.exe
PID 2940 wrote to memory of 3144	2940	loader_2.exe	GamePanel.exe
PID 2940 wrote to memory of 3144	2940	loader_2.exe	GamePanel.exe
PID 2940 wrote to memory of 3144	2940	loader_2.exe	GamePanel.exe
PID 2940 wrote to memory of 3144	2940	loader_2.exe	GamePanel.exe
PID 2940 wrote to memory of 3144	2940	loader_2.exe	GamePanel.exe
PID 2940 wrote to memory of 3144	2940	loader_2.exe	GamePanel.exe
PID 2940 wrote to memory of 3144	2940	loader_2.exe	GamePanel.exe
PID 2940 wrote to memory of 2896	2940	loader_2.exe	cmd.exe
PID 2940 wrote to memory of 2896	2940	loader_2.exe	cmd.exe
PID 2896 wrote to memory of 2412	2896	cmd.exe	PING.EXE
PID 2896 wrote to memory of 2412	2896	cmd.exe	PING.EXE
PID 2896 wrote to memory of 4328	2896	cmd.exe	fsutil.exe
PID 2896 wrote to memory of 4328	2896	cmd.exe	fsutil.exe
PID 3144 wrote to memory of 2988	3144	GamePanel.exe	SystemSettingsAdminFlows.exe
PID 3144 wrote to memory of 2988	3144	GamePanel.exe	SystemSettingsAdminFlows.exe
PID 3144 wrote to memory of 4016	3144	GamePanel.exe	sc.exe
PID 3144 wrote to memory of 4016	3144	GamePanel.exe	sc.exe
PID 3144 wrote to memory of 2668	3144	GamePanel.exe	sc.exe
PID 3144 wrote to memory of 2668	3144	GamePanel.exe	sc.exe
PID 3144 wrote to memory of 3888	3144	GamePanel.exe	taskkill.exe
PID 3144 wrote to memory of 3888	3144	GamePanel.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\loader_2.exe
"C:\Users\Admin\AppData\Local\Temp\loader_2.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\SYSTEM32\GamePanel.exe
GamePanel.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\SYSTEM32\SystemSettingsAdminFlows.exe
SystemSettingsAdminFlows.exe SetInternetTime 1
3⤵
PID:2988

C:\Windows\SYSTEM32\sc.exe
sc start ProfSvc
3⤵
- Launches sc.exe
PID:4016

C:\Windows\SYSTEM32\sc.exe
sc config ProfSvc start=auto
3⤵
- Launches sc.exe
PID:2668

C:\Windows\SYSTEM32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\loader_2.exe" & fsutil usn deletejournal /D C:
2⤵
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:2412

C:\Windows\system32\fsutil.exe
fsutil usn deletejournal /D C:
3⤵
- Deletes NTFS Change Journal
PID:4328

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Data Destruction

1

T1485

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2940-0-0x00007FFFD9030000-0x00007FFFD9032000-memory.dmp

Filesize
8KB

Download
memory/2940-1-0x0000000140000000-0x00000001438F1000-memory.dmp

Filesize
56.9MB

Download
memory/2940-10-0x0000000140000000-0x00000001438F1000-memory.dmp

Filesize
56.9MB

Download
memory/3144-5-0x0000000140000000-0x00000001438F1000-memory.dmp

Filesize
56.9MB

Download
memory/3144-6-0x0000000140000000-0x00000001438F1000-memory.dmp

Filesize
56.9MB

Download
memory/3144-12-0x0000000140000000-0x00000001438F1000-memory.dmp

Filesize
56.9MB

Download
memory/3144-18-0x0000000140000000-0x00000001438F1000-memory.dmp

Filesize
56.9MB

Download
memory/3144-17-0x0000000140000000-0x00000001438F1000-memory.dmp

Filesize
56.9MB

Download
memory/3144-19-0x0000000140000000-0x00000001438F1000-memory.dmp

Filesize
56.9MB

Download

Analysis

Sharing