05451b195a176fa75fb7a8de600068e1f08b2a0b5cef42eef8439ec28ed26a59

Resubmissions

27/04/2024, 19:36

240427-ybnfasfc9t 7

27/04/2024, 19:12

240427-xwpy7afb2v 7

27/04/2024, 18:20

240427-wy4ppaed6x 7

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27/04/2024, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LomebuGame.exe
Size

152.7MB
MD5

88719f2009bf17f5be9713212f520ab4
SHA1

0b843803935d15ff0179cbc83a66768eed88f381
SHA256

cde6587e39b95f9debf34ce7c2af0932c8711597fc81609f4d300e63b2fe39dd
SHA512

c1fa450234e5571d4c6cfa4a19e7ef5859bcf2300a25462e9eb16198618b9dfdcdb1f15fce309571de58c38c1107c26ad47a65d03eaf1e72ec538b0410784b0b
SSDEEP

1572864:gLBZB52nvuZ7wVuMbgR7Sp6kYdEctmhoLsPagBsgkx52HYhwj+vfIBUdoJnP9Dj0:gypCmJctBjj2+Jv

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3712	LomebuGame.exe
3712	LomebuGame.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3824	powershell.exe
3068	powershell.exe
3068	powershell.exe
684	LomebuGame.exe
684	LomebuGame.exe
3936	powershell.exe
3824	powershell.exe
3936	powershell.exe
1156	LomebuGame.exe
1156	LomebuGame.exe
1156	LomebuGame.exe
1156	LomebuGame.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	3936	powershell.exe
Token: SeShutdownPrivilege	3712	LomebuGame.exe
Token: SeCreatePagefilePrivilege	3712	LomebuGame.exe
Token: SeIncreaseQuotaPrivilege	3068	powershell.exe
Token: SeSecurityPrivilege	3068	powershell.exe
Token: SeTakeOwnershipPrivilege	3068	powershell.exe
Token: SeLoadDriverPrivilege	3068	powershell.exe
Token: SeSystemProfilePrivilege	3068	powershell.exe
Token: SeSystemtimePrivilege	3068	powershell.exe
Token: SeProfSingleProcessPrivilege	3068	powershell.exe
Token: SeIncBasePriorityPrivilege	3068	powershell.exe
Token: SeCreatePagefilePrivilege	3068	powershell.exe
Token: SeBackupPrivilege	3068	powershell.exe
Token: SeRestorePrivilege	3068	powershell.exe
Token: SeShutdownPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeSystemEnvironmentPrivilege	3068	powershell.exe
Token: SeRemoteShutdownPrivilege	3068	powershell.exe
Token: SeUndockPrivilege	3068	powershell.exe
Token: SeManageVolumePrivilege	3068	powershell.exe
Token: 33	3068	powershell.exe
Token: 34	3068	powershell.exe
Token: 35	3068	powershell.exe
Token: 36	3068	powershell.exe
Token: SeIncreaseQuotaPrivilege	3936	powershell.exe
Token: SeSecurityPrivilege	3936	powershell.exe
Token: SeTakeOwnershipPrivilege	3936	powershell.exe
Token: SeLoadDriverPrivilege	3936	powershell.exe
Token: SeSystemProfilePrivilege	3936	powershell.exe
Token: SeSystemtimePrivilege	3936	powershell.exe
Token: SeProfSingleProcessPrivilege	3936	powershell.exe
Token: SeIncBasePriorityPrivilege	3936	powershell.exe
Token: SeCreatePagefilePrivilege	3936	powershell.exe
Token: SeBackupPrivilege	3936	powershell.exe
Token: SeRestorePrivilege	3936	powershell.exe
Token: SeShutdownPrivilege	3936	powershell.exe
Token: SeDebugPrivilege	3936	powershell.exe
Token: SeSystemEnvironmentPrivilege	3936	powershell.exe
Token: SeRemoteShutdownPrivilege	3936	powershell.exe
Token: SeUndockPrivilege	3936	powershell.exe
Token: SeManageVolumePrivilege	3936	powershell.exe
Token: 33	3936	powershell.exe
Token: 34	3936	powershell.exe
Token: 35	3936	powershell.exe
Token: 36	3936	powershell.exe
Token: SeShutdownPrivilege	3712	LomebuGame.exe
Token: SeCreatePagefilePrivilege	3712	LomebuGame.exe
Token: SeShutdownPrivilege	3712	LomebuGame.exe
Token: SeCreatePagefilePrivilege	3712	LomebuGame.exe
Token: SeShutdownPrivilege	3712	LomebuGame.exe
Token: SeCreatePagefilePrivilege	3712	LomebuGame.exe
Token: SeShutdownPrivilege	3712	LomebuGame.exe
Token: SeCreatePagefilePrivilege	3712	LomebuGame.exe
Token: SeShutdownPrivilege	3712	LomebuGame.exe
Token: SeCreatePagefilePrivilege	3712	LomebuGame.exe
Token: SeShutdownPrivilege	3712	LomebuGame.exe
Token: SeCreatePagefilePrivilege	3712	LomebuGame.exe
Token: SeShutdownPrivilege	3712	LomebuGame.exe
Token: SeCreatePagefilePrivilege	3712	LomebuGame.exe
Token: SeShutdownPrivilege	3712	LomebuGame.exe
Token: SeCreatePagefilePrivilege	3712	LomebuGame.exe
Token: SeShutdownPrivilege	3712	LomebuGame.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 4448	3712	LomebuGame.exe	84
PID 3712 wrote to memory of 4448	3712	LomebuGame.exe	84
PID 4448 wrote to memory of 1428	4448	cmd.exe	86
PID 4448 wrote to memory of 1428	4448	cmd.exe	86
PID 3712 wrote to memory of 2084	3712	LomebuGame.exe	87
PID 3712 wrote to memory of 2084	3712	LomebuGame.exe	87
PID 3712 wrote to memory of 3936	3712	LomebuGame.exe	89
PID 3712 wrote to memory of 3936	3712	LomebuGame.exe	89
PID 3712 wrote to memory of 3068	3712	LomebuGame.exe	90
PID 3712 wrote to memory of 3068	3712	LomebuGame.exe	90
PID 3712 wrote to memory of 3824	3712	LomebuGame.exe	91
PID 3712 wrote to memory of 3824	3712	LomebuGame.exe	91
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 1516	3712	LomebuGame.exe	95
PID 3712 wrote to memory of 684	3712	LomebuGame.exe	96
PID 3712 wrote to memory of 684	3712	LomebuGame.exe	96
PID 3712 wrote to memory of 264	3712	LomebuGame.exe	98
PID 3712 wrote to memory of 264	3712	LomebuGame.exe	98
PID 264 wrote to memory of 3500	264	cmd.exe	100
PID 264 wrote to memory of 3500	264	cmd.exe	100
PID 3712 wrote to memory of 1156	3712	LomebuGame.exe	109
PID 3712 wrote to memory of 1156	3712	LomebuGame.exe	109

C:\Users\Admin\AppData\Local\Temp\LomebuGame.exe
"C:\Users\Admin\AppData\Local\Temp\LomebuGame.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:1428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
  2⤵
  PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3824
- C:\Users\Admin\AppData\Local\Temp\LomebuGame.exe
  "C:\Users\Admin\AppData\Local\Temp\LomebuGame.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\LomebuGame" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1864 --field-trial-handle=1872,i,7840333458757522833,12925890125900579830,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:1516
- C:\Users\Admin\AppData\Local\Temp\LomebuGame.exe
  "C:\Users\Admin\AppData\Local\Temp\LomebuGame.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\LomebuGame" --mojo-platform-channel-handle=2092 --field-trial-handle=1872,i,7840333458757522833,12925890125900579830,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:264
- - C:\Windows\system32\findstr.exe
    findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
    3⤵
    PID:3500
- C:\Users\Admin\AppData\Local\Temp\LomebuGame.exe
  "C:\Users\Admin\AppData\Local\Temp\LomebuGame.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\LomebuGame" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2676 --field-trial-handle=1872,i,7840333458757522833,12925890125900579830,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1156

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
50c591ec2a1e49297738ea9f28e3ad23

SHA1
137e36b4c7c40900138a6bcf8cf5a3cce4d142af

SHA256
7648d785bda8cef95176c70711418cf3f18e065f7710f2ef467884b4887d8447

SHA512
33b5fa32501855c2617a822a4e1a2c9b71f2cf27e1b896cf6e5a28473cfd5e6d126840ca1aa1f59ef32b0d0a82a2a95c94a9cc8b845367b61e65ec70d456deec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2f87410b0d834a14ceff69e18946d066

SHA1
f2ec80550202d493db61806693439a57b76634f3

SHA256
5422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65

SHA512
a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\820d5172-fd31-459c-9885-aa31e8d95cec.tmp.node

Filesize
1.8MB

MD5
84319927155ec1c7e297a00d8bf8ed11

SHA1
8fc08f22de1d85a499941d5a8ffdb86485439c23

SHA256
fbbce4b12e31bd69e21bedcaef8ee9467b97117a335bd99cfa89cbdafdfd83ba

SHA512
caf12012769e565653c2f216b77e34303d9943056e3895ce38baa869a1a72e0bb6872d8b40cde0b41dc673c40740355e52abdeaeb3da416ab8b94c1e534a5165

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2k5wtsle.yny.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd107764-1976-4f80-a970-bd134b407e36.tmp.node

Filesize
131KB

MD5
4bcefe873798966491bc7cf2ee25d7bf

SHA1
b3240ef4971cb2e2bdcdd06791fe528267035ee4

SHA256
e96f77361e9c2443a70e7dd9ab62f4b6c9967f80115565f1c284342a78192df4

SHA512
0e1cdb77848f56e75f2c932fbf3e28bc99e59c9f06b89be8848b95746291b6e539a6e0252345cf3172bd11893dd1806b58ce14cab6336ea533b0f4dba6d3ea06

Download Submit
memory/1156-75-0x000001D2B4930000-0x000001D2B4931000-memory.dmp

Filesize
4KB

Download
memory/1156-74-0x000001D2B4930000-0x000001D2B4931000-memory.dmp

Filesize
4KB

Download
memory/1156-70-0x000001D2B4930000-0x000001D2B4931000-memory.dmp

Filesize
4KB

Download
memory/1156-71-0x000001D2B4930000-0x000001D2B4931000-memory.dmp

Filesize
4KB

Download
memory/1156-72-0x000001D2B4930000-0x000001D2B4931000-memory.dmp

Filesize
4KB

Download
memory/1156-64-0x000001D2B4930000-0x000001D2B4931000-memory.dmp

Filesize
4KB

Download
memory/1156-65-0x000001D2B4930000-0x000001D2B4931000-memory.dmp

Filesize
4KB

Download
memory/1156-66-0x000001D2B4930000-0x000001D2B4931000-memory.dmp

Filesize
4KB

Download
memory/1156-76-0x000001D2B4930000-0x000001D2B4931000-memory.dmp

Filesize
4KB

Download
memory/1156-73-0x000001D2B4930000-0x000001D2B4931000-memory.dmp

Filesize
4KB

Download
memory/3068-46-0x0000026B52350000-0x0000026B52374000-memory.dmp

Filesize
144KB

Download
memory/3068-41-0x0000026B523D0000-0x0000026B52446000-memory.dmp

Filesize
472KB

Download
memory/3068-45-0x0000026B52350000-0x0000026B5237A000-memory.dmp

Filesize
168KB

Download
memory/3824-21-0x00000255F0BF0000-0x00000255F0C12000-memory.dmp

Filesize
136KB

Download
memory/3824-40-0x00000255F0C70000-0x00000255F0CB4000-memory.dmp

Filesize
272KB

Download