Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    255s
  • max time network
    299s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    06/05/2024, 23:14

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8.exe

  • Size

    4.2MB

  • MD5

    0f52e5e68fe33694d488bfe7a1a71529

  • SHA1

    11d7005bd72cb3fd46f24917bf3fc5f3203f361f

  • SHA256

    efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8

  • SHA512

    238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400

  • SSDEEP

    98304:zgwR5qybOM3rY1buPd0+01mQ5YBGUYDU4a6FXg+d70MYVSuEQQpnlJYtDf+8:zgDyaM3qbA0+07YBeDa6a++b5Evn4tF

Score
10/10
xmrigevasionexecutionminer

Malware Config

Signatures

  • XMRig Miner payload 2 IoCs
    miner
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 38 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8.exe
    "C:\Users\Admin\AppData\Local\Temp\efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1396
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4320
      • C:\Windows\SysWOW64\sc.exe
        Sc stop GameServerClient
        3⤵
        • Launches sc.exe
        PID:4332
      • C:\Program Files (x86)\GameSyncLink\GameService.exe
        GameService remove GameServerClient confirm
        3⤵
        • Executes dropped EXE
        PID:520
      • C:\Windows\SysWOW64\sc.exe
        Sc delete GameSyncLink
        3⤵
        • Launches sc.exe
        PID:784
      • C:\Program Files (x86)\GameSyncLink\GameService.exe
        GameService remove GameSyncLink confirm
        3⤵
        • Executes dropped EXE
        PID:3740
      • C:\Program Files (x86)\GameSyncLink\GameService.exe
        GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        3⤵
        • Executes dropped EXE
        PID:2488
      • C:\Program Files (x86)\GameSyncLink\GameService.exe
        GameService start GameSyncLink
        3⤵
        • Executes dropped EXE
        PID:5108
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4752
      • C:\Windows\SysWOW64\sc.exe
        Sc stop GameServerClientC
        3⤵
        • Launches sc.exe
        PID:4432
      • C:\Program Files (x86)\GameSyncLink\GameService.exe
        GameService remove GameServerClientC confirm
        3⤵
        • Executes dropped EXE
        PID:4024
      • C:\Windows\SysWOW64\sc.exe
        Sc delete PiercingNetLink
        3⤵
        • Launches sc.exe
        PID:1824
      • C:\Program Files (x86)\GameSyncLink\GameService.exe
        GameService remove PiercingNetLink confirm
        3⤵
        • Executes dropped EXE
        PID:68
      • C:\Program Files (x86)\GameSyncLink\GameService.exe
        GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        3⤵
        • Executes dropped EXE
        PID:3584
      • C:\Program Files (x86)\GameSyncLink\GameService.exe
        GameService start PiercingNetLink
        3⤵
        • Executes dropped EXE
        PID:3464
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:624
      • C:\Windows\SysWOW64\sc.exe
        Sc delete GameSyncLinks
        3⤵
        • Launches sc.exe
        PID:4344
      • C:\Program Files (x86)\GameSyncLink\GameService.exe
        GameService remove GameSyncLinks confirm
        3⤵
        • Executes dropped EXE
        PID:3720
      • C:\Program Files (x86)\GameSyncLink\GameService.exe
        GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        3⤵
        • Executes dropped EXE
        PID:1892
      • C:\Program Files (x86)\GameSyncLink\GameService.exe
        GameService start GameSyncLinks
        3⤵
        • Executes dropped EXE
        PID:1536
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      2⤵
        PID:1940
    • C:\Program Files (x86)\GameSyncLink\GameService.exe
      "C:\Program Files (x86)\GameSyncLink\GameService.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
        "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        2⤵
        • Executes dropped EXE
        PID:4596
      • C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
        "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        2⤵
        • Executes dropped EXE
        PID:4400
      • C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
        "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        2⤵
        • Executes dropped EXE
        PID:2748
      • C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
        "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        2⤵
        • Executes dropped EXE
        PID:2512
      • C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
        "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        2⤵
        • Executes dropped EXE
        PID:4468
      • C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
        "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        2⤵
        • Executes dropped EXE
        PID:2488
      • C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
        "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        2⤵
        • Executes dropped EXE
        PID:1772
      • C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
        "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        2⤵
        • Executes dropped EXE
        PID:2820
    • C:\Program Files (x86)\GameSyncLink\GameService.exe
      "C:\Program Files (x86)\GameSyncLink\GameService.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:708
      • C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
        "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        2⤵
        • Executes dropped EXE
        PID:4764
      • C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
        "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        2⤵
        • Executes dropped EXE
        PID:1440
      • C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
        "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        2⤵
        • Executes dropped EXE
        PID:2320
      • C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
        "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        2⤵
        • Executes dropped EXE
        PID:3888
      • C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
        "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        2⤵
        • Executes dropped EXE
        PID:4176
      • C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
        "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        2⤵
        • Executes dropped EXE
        PID:1464
      • C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
        "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        2⤵
        • Executes dropped EXE
        PID:1188
      • C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
        "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        2⤵
        • Executes dropped EXE
        PID:3056
    • C:\Program Files (x86)\GameSyncLink\GameService.exe
      "C:\Program Files (x86)\GameSyncLink\GameService.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:820
      • C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
        "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        2⤵
        • Executes dropped EXE
        PID:2408
      • C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
        "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        2⤵
        • Executes dropped EXE
        PID:1844
      • C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
        "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        2⤵
        • Executes dropped EXE
        PID:2384
      • C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
        "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        2⤵
        • Executes dropped EXE
        PID:4424
      • C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
        "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        2⤵
        • Executes dropped EXE
        PID:3080
      • C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
        "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        2⤵
        • Executes dropped EXE
        PID:5108
      • C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
        "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        2⤵
        • Executes dropped EXE
        PID:4304
      • C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
        "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        2⤵
        • Executes dropped EXE
        PID:4452

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\GameSyncLink\GameService.exe
            Filesize

            288KB

            MD5

            d9ec6f3a3b2ac7cd5eef07bd86e3efbc

            SHA1

            e1908caab6f938404af85a7df0f80f877a4d9ee6

            SHA256

            472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c

            SHA512

            1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

            Download Submit

          • C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
            Filesize

            2.5MB

            MD5

            e6943a08bb91fc3086394c7314be367d

            SHA1

            451d2e171f906fa6c43f8b901cd41b0283d1fa40

            SHA256

            aafdcfe5386452f4924cfcc23f2cf7eccf3f868947ad7291a77b2eca2af0c873

            SHA512

            505d3c76988882602f06398e747c4e496ecad9df1b7959069b87c8111c4d9118484f4d6baef5f671466a184c8caec362d635da210fa0987ccb746cbeea218d2a

            Download Submit

          • C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
            Filesize

            6.2MB

            MD5

            1bacbebf6b237c75dbe5610d2d9e1812

            SHA1

            3ca5768a9cf04a2c8e157d91d4a1b118668f5cf1

            SHA256

            c3747b167c70fd52b16fb93a4f815e7a4ee27cf67d2c7d55ea9d1edc7969c67d

            SHA512

            f6438eced6915890d5d15d853c3ad6856de949b7354dcea97b1cf40d0c8aed767c8e45730e64ab0368f3606da5e95fd1d4db9cc21e613d517f37ddebbd0fa1fe

            Download Submit

          • C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
            Filesize

            13.2MB

            MD5

            72b396a9053dff4d804e07ee1597d5e3

            SHA1

            5ec4fefa66771613433c17c11545c6161e1552d5

            SHA256

            d0b206f0f47a9f8593b6434dc27dadde8480a902e878882fa8c73fc7fe01b11d

            SHA512

            ad96c9ca2feae7af7fcf01a843d5aa6cbdde0520d68dedff44554a17639c6c66b2301d73daf272708cb76c22eae2d5c89db23af45105c4f0e35f4787f98e192b

            Download Submit

          • C:\Program Files (x86)\GameSyncLink\installc.bat
            Filesize

            301B

            MD5

            998ab24316795f67c26aca0f1b38c8ce

            SHA1

            a2a6dc94e08c086fe27f8c08cb8178e7a64f200d

            SHA256

            a468b43795f1083fb37b12787c5ff29f8117c26ac35af470084e00c48280442e

            SHA512

            7c9c2ade898a8defb6510ddd15730bec859d4474071eb6b8e8738ea6089764f81924ad2a6ebf0479d4fed7d61890edaa38f4bfbf70a4e6b30d33aa5bfc5b5c75

            Download Submit

          • C:\Program Files (x86)\GameSyncLink\installg.bat
            Filesize

            284B

            MD5

            5dee3cbf941c5dbe36b54690b2a3c240

            SHA1

            82b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1

            SHA256

            98370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb

            SHA512

            9ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556

            Download Submit

          • C:\Program Files (x86)\GameSyncLink\installm.bat
            Filesize

            218B

            MD5

            94b87b86dc338b8f0c4e5869496a8a35

            SHA1

            2584e6496d048068f61ac72f5c08b54ad08627c3

            SHA256

            2928d8e9a41f39d3802cfd2900d8edeb107666baa942d9c0ffbfd0234b5e5bfc

            SHA512

            b67eb73fe51d4dba990789f1e0123e902dac6d26569851c3d51ca0a575221ce317f973999d962669016017d8f81a01f11bd977609e66bb1b244334bce2db5d5d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
            Filesize

            300B

            MD5

            27c3da6bbb6a2d9b3fb65200b887b676

            SHA1

            9007f2c087e0298e8db8f92852460faf57487291

            SHA256

            6ae521d60efedac4a78c3590f2c8a8a387c5e924d716650c3e2ecaf2c3b1d724

            SHA512

            c62ed33a6adacb281b63b17364b0a64534912eddf43d6f40dedeefbba88f702fc163d90dc888c82ef1ec29b34e3358574367ea0eb8b37fac61220a5773485656

            Download Submit