05451b195a176fa75fb7a8de600068e1f08b2a0b5cef42eef8439ec28ed26a59

Resubmissions

27/04/2024, 19:36

240427-ybnfasfc9t 7

27/04/2024, 19:12

240427-xwpy7afb2v 7

27/04/2024, 18:20

240427-wy4ppaed6x 7

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27/04/2024, 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LomebuGame.exe
Size

152.7MB
MD5

88719f2009bf17f5be9713212f520ab4
SHA1

0b843803935d15ff0179cbc83a66768eed88f381
SHA256

cde6587e39b95f9debf34ce7c2af0932c8711597fc81609f4d300e63b2fe39dd
SHA512

c1fa450234e5571d4c6cfa4a19e7ef5859bcf2300a25462e9eb16198618b9dfdcdb1f15fce309571de58c38c1107c26ad47a65d03eaf1e72ec538b0410784b0b
SSDEEP

1572864:gLBZB52nvuZ7wVuMbgR7Sp6kYdEctmhoLsPagBsgkx52HYhwj+vfIBUdoJnP9Dj0:gypCmJctBjj2+Jv

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4628	LomebuGame.exe
4628	LomebuGame.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1692	powershell.exe
3992	powershell.exe
1344	powershell.exe
1692	powershell.exe
3992	powershell.exe
1344	powershell.exe
2700	LomebuGame.exe
2700	LomebuGame.exe
3724	LomebuGame.exe
3724	LomebuGame.exe
3724	LomebuGame.exe
3724	LomebuGame.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeShutdownPrivilege	4628	LomebuGame.exe
Token: SeCreatePagefilePrivilege	4628	LomebuGame.exe
Token: SeIncreaseQuotaPrivilege	3992	powershell.exe
Token: SeSecurityPrivilege	3992	powershell.exe
Token: SeTakeOwnershipPrivilege	3992	powershell.exe
Token: SeLoadDriverPrivilege	3992	powershell.exe
Token: SeSystemProfilePrivilege	3992	powershell.exe
Token: SeSystemtimePrivilege	3992	powershell.exe
Token: SeProfSingleProcessPrivilege	3992	powershell.exe
Token: SeIncBasePriorityPrivilege	3992	powershell.exe
Token: SeCreatePagefilePrivilege	3992	powershell.exe
Token: SeBackupPrivilege	3992	powershell.exe
Token: SeRestorePrivilege	3992	powershell.exe
Token: SeShutdownPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeSystemEnvironmentPrivilege	3992	powershell.exe
Token: SeRemoteShutdownPrivilege	3992	powershell.exe
Token: SeUndockPrivilege	3992	powershell.exe
Token: SeManageVolumePrivilege	3992	powershell.exe
Token: 33	3992	powershell.exe
Token: 34	3992	powershell.exe
Token: 35	3992	powershell.exe
Token: 36	3992	powershell.exe
Token: SeIncreaseQuotaPrivilege	1344	powershell.exe
Token: SeSecurityPrivilege	1344	powershell.exe
Token: SeTakeOwnershipPrivilege	1344	powershell.exe
Token: SeLoadDriverPrivilege	1344	powershell.exe
Token: SeSystemProfilePrivilege	1344	powershell.exe
Token: SeSystemtimePrivilege	1344	powershell.exe
Token: SeProfSingleProcessPrivilege	1344	powershell.exe
Token: SeIncBasePriorityPrivilege	1344	powershell.exe
Token: SeCreatePagefilePrivilege	1344	powershell.exe
Token: SeBackupPrivilege	1344	powershell.exe
Token: SeRestorePrivilege	1344	powershell.exe
Token: SeShutdownPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeSystemEnvironmentPrivilege	1344	powershell.exe
Token: SeRemoteShutdownPrivilege	1344	powershell.exe
Token: SeUndockPrivilege	1344	powershell.exe
Token: SeManageVolumePrivilege	1344	powershell.exe
Token: 33	1344	powershell.exe
Token: 34	1344	powershell.exe
Token: 35	1344	powershell.exe
Token: 36	1344	powershell.exe
Token: SeShutdownPrivilege	4628	LomebuGame.exe
Token: SeCreatePagefilePrivilege	4628	LomebuGame.exe
Token: SeShutdownPrivilege	4628	LomebuGame.exe
Token: SeCreatePagefilePrivilege	4628	LomebuGame.exe
Token: SeShutdownPrivilege	4628	LomebuGame.exe
Token: SeCreatePagefilePrivilege	4628	LomebuGame.exe
Token: SeShutdownPrivilege	4628	LomebuGame.exe
Token: SeCreatePagefilePrivilege	4628	LomebuGame.exe
Token: SeShutdownPrivilege	4628	LomebuGame.exe
Token: SeCreatePagefilePrivilege	4628	LomebuGame.exe
Token: SeShutdownPrivilege	4628	LomebuGame.exe
Token: SeCreatePagefilePrivilege	4628	LomebuGame.exe
Token: SeShutdownPrivilege	4628	LomebuGame.exe
Token: SeCreatePagefilePrivilege	4628	LomebuGame.exe
Token: SeShutdownPrivilege	4628	LomebuGame.exe
Token: SeCreatePagefilePrivilege	4628	LomebuGame.exe
Token: SeShutdownPrivilege	4628	LomebuGame.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 3204	4628	LomebuGame.exe	86
PID 4628 wrote to memory of 3204	4628	LomebuGame.exe	86
PID 3204 wrote to memory of 4624	3204	cmd.exe	88
PID 3204 wrote to memory of 4624	3204	cmd.exe	88
PID 4628 wrote to memory of 4924	4628	LomebuGame.exe	89
PID 4628 wrote to memory of 4924	4628	LomebuGame.exe	89
PID 4628 wrote to memory of 1344	4628	LomebuGame.exe	91
PID 4628 wrote to memory of 1344	4628	LomebuGame.exe	91
PID 4628 wrote to memory of 3992	4628	LomebuGame.exe	92
PID 4628 wrote to memory of 3992	4628	LomebuGame.exe	92
PID 4628 wrote to memory of 1692	4628	LomebuGame.exe	93
PID 4628 wrote to memory of 1692	4628	LomebuGame.exe	93
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 1228	4628	LomebuGame.exe	97
PID 4628 wrote to memory of 2700	4628	LomebuGame.exe	98
PID 4628 wrote to memory of 2700	4628	LomebuGame.exe	98
PID 4628 wrote to memory of 3740	4628	LomebuGame.exe	100
PID 4628 wrote to memory of 3740	4628	LomebuGame.exe	100
PID 3740 wrote to memory of 2476	3740	cmd.exe	102
PID 3740 wrote to memory of 2476	3740	cmd.exe	102
PID 4628 wrote to memory of 3724	4628	LomebuGame.exe	111
PID 4628 wrote to memory of 3724	4628	LomebuGame.exe	111

C:\Users\Admin\AppData\Local\Temp\LomebuGame.exe
"C:\Users\Admin\AppData\Local\Temp\LomebuGame.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:4624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
  2⤵
  PID:4924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Users\Admin\AppData\Local\Temp\LomebuGame.exe
  "C:\Users\Admin\AppData\Local\Temp\LomebuGame.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\LomebuGame" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1856 --field-trial-handle=1860,i,18271975307492710049,4216440686319860870,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:1228
- C:\Users\Admin\AppData\Local\Temp\LomebuGame.exe
  "C:\Users\Admin\AppData\Local\Temp\LomebuGame.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\LomebuGame" --mojo-platform-channel-handle=2092 --field-trial-handle=1860,i,18271975307492710049,4216440686319860870,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Windows\system32\findstr.exe
    findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
    3⤵
    PID:2476
- C:\Users\Admin\AppData\Local\Temp\LomebuGame.exe
  "C:\Users\Admin\AppData\Local\Temp\LomebuGame.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\LomebuGame" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2652 --field-trial-handle=1860,i,18271975307492710049,4216440686319860870,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
50c591ec2a1e49297738ea9f28e3ad23

SHA1
137e36b4c7c40900138a6bcf8cf5a3cce4d142af

SHA256
7648d785bda8cef95176c70711418cf3f18e065f7710f2ef467884b4887d8447

SHA512
33b5fa32501855c2617a822a4e1a2c9b71f2cf27e1b896cf6e5a28473cfd5e6d126840ca1aa1f59ef32b0d0a82a2a95c94a9cc8b845367b61e65ec70d456deec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2f87410b0d834a14ceff69e18946d066

SHA1
f2ec80550202d493db61806693439a57b76634f3

SHA256
5422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65

SHA512
a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\04cb7732-efad-4818-b873-f50483ab2124.tmp.node

Filesize
131KB

MD5
4bcefe873798966491bc7cf2ee25d7bf

SHA1
b3240ef4971cb2e2bdcdd06791fe528267035ee4

SHA256
e96f77361e9c2443a70e7dd9ab62f4b6c9967f80115565f1c284342a78192df4

SHA512
0e1cdb77848f56e75f2c932fbf3e28bc99e59c9f06b89be8848b95746291b6e539a6e0252345cf3172bd11893dd1806b58ce14cab6336ea533b0f4dba6d3ea06

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hv3mbp11.s3s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\da11cfc4-aba1-465e-96d9-8c138ebace5a.tmp.node

Filesize
1.8MB

MD5
84319927155ec1c7e297a00d8bf8ed11

SHA1
8fc08f22de1d85a499941d5a8ffdb86485439c23

SHA256
fbbce4b12e31bd69e21bedcaef8ee9467b97117a335bd99cfa89cbdafdfd83ba

SHA512
caf12012769e565653c2f216b77e34303d9943056e3895ce38baa869a1a72e0bb6872d8b40cde0b41dc673c40740355e52abdeaeb3da416ab8b94c1e534a5165

Download Submit
memory/1692-16-0x0000015D72F60000-0x0000015D72F82000-memory.dmp

Filesize
136KB

Download
memory/1692-40-0x0000015D73A70000-0x0000015D73AB4000-memory.dmp

Filesize
272KB

Download
memory/1692-41-0x0000015D73E90000-0x0000015D73F06000-memory.dmp

Filesize
472KB

Download
memory/3724-66-0x00000194F82B0000-0x00000194F82B1000-memory.dmp

Filesize
4KB

Download
memory/3724-76-0x00000194F82B0000-0x00000194F82B1000-memory.dmp

Filesize
4KB

Download
memory/3724-75-0x00000194F82B0000-0x00000194F82B1000-memory.dmp

Filesize
4KB

Download
memory/3724-74-0x00000194F82B0000-0x00000194F82B1000-memory.dmp

Filesize
4KB

Download
memory/3724-73-0x00000194F82B0000-0x00000194F82B1000-memory.dmp

Filesize
4KB

Download
memory/3724-72-0x00000194F82B0000-0x00000194F82B1000-memory.dmp

Filesize
4KB

Download
memory/3724-71-0x00000194F82B0000-0x00000194F82B1000-memory.dmp

Filesize
4KB

Download
memory/3724-70-0x00000194F82B0000-0x00000194F82B1000-memory.dmp

Filesize
4KB

Download
memory/3724-65-0x00000194F82B0000-0x00000194F82B1000-memory.dmp

Filesize
4KB

Download
memory/3724-64-0x00000194F82B0000-0x00000194F82B1000-memory.dmp

Filesize
4KB

Download
memory/3992-45-0x000002219C150000-0x000002219C174000-memory.dmp

Filesize
144KB

Download
memory/3992-44-0x000002219C150000-0x000002219C17A000-memory.dmp

Filesize
168KB

Download