9f4883ec1194d02a1362127dc61fe67a629f1d585764f942d7bbf9bd29eff235

Analysis

max time kernel
1167s
max time network
1168s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

goldbet-poker.exe
Size

788KB
MD5

204128b789c33ffa063e8f1f0f378680
SHA1

b25dff8d3031c5aa2e9281e03289b9b2ccb24725
SHA256

c873ccaa7639178426193e0bb3204ef4cae0f873abccb743f2afb594619f4fe4
SHA512

13dcb3af4791dc154098239373d155bad40f2f81c6d503100997d8e45e2e4aeb7b9afcdf5a1e3bdf6b65143dfe4e7c181ef4cac1abc07a9e2735376a286102b3
SSDEEP

12288:jKA/pA97806QTLysboUg9BO1kZLcVDlrzLBA4ltVFnljAuu7kz2:bRAt80YsUUyBUk0zLnNBSuugz2

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	goldbet-poker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	goldbet-poker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 10 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
648	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4632	goldbet-poker.exe
4632	goldbet-poker.exe
4632	goldbet-poker.exe
5084	goldbet-poker.exe
5084	goldbet-poker.exe
5084	goldbet-poker.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 1680	4632	goldbet-poker.exe	88
PID 4632 wrote to memory of 1680	4632	goldbet-poker.exe	88
PID 4632 wrote to memory of 1680	4632	goldbet-poker.exe	88
PID 5084 wrote to memory of 4752	5084	goldbet-poker.exe	106
PID 5084 wrote to memory of 4752	5084	goldbet-poker.exe	106
PID 5084 wrote to memory of 4752	5084	goldbet-poker.exe	106

C:\Users\Admin\AppData\Local\Temp\goldbet-poker.exe
"C:\Users\Admin\AppData\Local\Temp\goldbet-poker.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\26500.bat" "C:\Users\Admin\AppData\Local\Temp\WebInstaller_A7A128292F704D379BB1B74357EA9013\""
  2⤵
  PID:1680

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\goldbet-poker.exe
"C:\Users\Admin\AppData\Local\Temp\goldbet-poker.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\26500.bat" "C:\Users\Admin\AppData\Local\Temp\WebInstaller_A4B1C6EFE34941C4A9C9699421668A8B\""
  2⤵
  PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\26500.bat

Filesize
178B

MD5
d4c523b02cd37cbcf272626ea3ff0aec

SHA1
32be6d6fe1ffad8da6f95b25f57bffd2373f5a83

SHA256
3bdcd8ae9274ade24d9ebd18a679bd5c0a50119e7b69dce005113ccc828d5e09

SHA512
b459fac9e52641139dc1a431c7d3bf5ca136d7f7ab90fb9cfa8b532c9391fd0629864c802fc75336e5d58a4b3f20bc979e5e5e9091ee1da1639a8c1bcfbb5b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebInstaller_A4B1C6EFE34941C4A9C9699421668A8B\WEBINS~1.LOG

Filesize
25KB

MD5
b9e084d02f6ef19816f774154185fba5

SHA1
8b78d735bd56f4ad2ad39d077516ce1b745acb71

SHA256
184c372e649847d066bceec96790279072807c1086df47c826d90d74a936e497

SHA512
287dcf95ea3029da1903edf3f134fe78286e82b3422ad2d6d1d62dfc1521e14646ffd3e62175363ffe538c258e54b3a3f16a0be86938a082015df66f5419a57e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebInstaller_A4B1C6EFE34941C4A9C9699421668A8B\WebInstaller_5084.log

Filesize
6KB

MD5
3b25f343c96f49686219ce5dd3f7a33e

SHA1
b3662113d66032d201b1f0119f17aa1a7c7ed383

SHA256
66eff4ccf91a1502be98e6e79537207befa2e6d8df032022ed262e02d6be25c1

SHA512
a4c33b3b09ab139094c8799a56023daae23a6ff4bb19230732185c61fa084f9e79d9b0c492dc101e687dec81ffd1bbe2a80ae17dd2a82e53878400fa18b4b2f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebInstaller_A7A128292F704D379BB1B74357EA9013\WEBINS~1.LOG

Filesize
22KB

MD5
3e83bfda0dece755af4c931af7191b88

SHA1
1f317e55ab3ad497a64ced04ad20b11432baca63

SHA256
bc205466a027005626ce20f29369f770bee94a41a5fe517c2b27c9bdaecbd0d1

SHA512
44321485148dbe4c3ca533cbe0bcfc7a9682ea087d68efc92cd686c893bedcc3ce11f419c4fd4641987469f34976c6def19007ca8eea1df082d0396097c6df93

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebInstaller_A7A128292F704D379BB1B74357EA9013\WebInstaller_4632.log

Filesize
6KB

MD5
a3f34d1a81c75272ebb26dc952b0842f

SHA1
4aa1255dabb70db8e3296d0cd0e669d1b9d97e7e

SHA256
c6dd8f311cd58e777ecc3ce4707f2b00cee9d0121a7d57a19dada42aafc2091d

SHA512
3b6e69aba421ddbfa0af15fa6a1be7fd4c20fadb47ac02744b0ee433ff6e27ef749ec7e27715d0df4b1653827dd6e79ab8d80e41b77709c1d348d96a0945e5ca

Download Submit