Analysis
-
max time kernel
138s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
26/05/2024, 00:19
Behavioral task
behavioral1
Sample
rocket league.exe
Resource
win7-20240221-en
General
-
Target
rocket league.exe
-
Size
5.2MB
-
MD5
a66c11e16baaf08400416e305b5118c4
-
SHA1
3d49238bc8e4865871306416ed8d308745aa4fa4
-
SHA256
38992ee97c1b46dc373cdd5f32fb5de1e5bb8da4e81734d84f860dc92fd41cf2
-
SHA512
440a6a8b1de909e3e20fb768ef55596bb530413c4b4df317d8a145be8f1527c0b8788d415f705893b1b1be07a42e80f57f044aa1b1f65197a56b98afe3692de7
-
SSDEEP
98304:onD+rKIDTGpzoLLJ3TbwaVvrZE0IdeyoFQK15W8ASLmbNYJERw1jrTH31DzZGYn:onqeIm9onJ5hrZEReyiU8AdZYJERurTr
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\open.bat rocket league.exe -
Loads dropped DLL 6 IoCs
pid Process 1880 rocket league.exe 1880 rocket league.exe 1880 rocket league.exe 1880 rocket league.exe 1880 rocket league.exe 1880 rocket league.exe -
pid Process 940 powershell.exe 2956 powershell.exe 3824 powershell.exe 2892 powershell.exe 4456 powershell.exe 2756 powershell.exe 516 powershell.exe 3204 powershell.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 4456 powershell.exe 4456 powershell.exe 2756 powershell.exe 2756 powershell.exe 516 powershell.exe 516 powershell.exe 3204 powershell.exe 3204 powershell.exe 940 powershell.exe 940 powershell.exe 2956 powershell.exe 2956 powershell.exe 3824 powershell.exe 3824 powershell.exe 2892 powershell.exe 2892 powershell.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 4456 powershell.exe Token: SeDebugPrivilege 2756 powershell.exe Token: SeDebugPrivilege 516 powershell.exe Token: SeDebugPrivilege 3204 powershell.exe Token: SeDebugPrivilege 940 powershell.exe Token: SeDebugPrivilege 2956 powershell.exe Token: SeDebugPrivilege 3824 powershell.exe Token: SeDebugPrivilege 2892 powershell.exe -
Suspicious use of WriteProcessMemory 34 IoCs
description pid Process procid_target PID 2280 wrote to memory of 1880 2280 rocket league.exe 83 PID 2280 wrote to memory of 1880 2280 rocket league.exe 83 PID 1880 wrote to memory of 4456 1880 rocket league.exe 84 PID 1880 wrote to memory of 4456 1880 rocket league.exe 84 PID 1880 wrote to memory of 2756 1880 rocket league.exe 89 PID 1880 wrote to memory of 2756 1880 rocket league.exe 89 PID 2756 wrote to memory of 1844 2756 powershell.exe 90 PID 2756 wrote to memory of 1844 2756 powershell.exe 90 PID 1844 wrote to memory of 4288 1844 net.exe 91 PID 1844 wrote to memory of 4288 1844 net.exe 91 PID 1880 wrote to memory of 516 1880 rocket league.exe 92 PID 1880 wrote to memory of 516 1880 rocket league.exe 92 PID 516 wrote to memory of 3956 516 powershell.exe 95 PID 516 wrote to memory of 3956 516 powershell.exe 95 PID 1880 wrote to memory of 3204 1880 rocket league.exe 96 PID 1880 wrote to memory of 3204 1880 rocket league.exe 96 PID 3204 wrote to memory of 3952 3204 powershell.exe 97 PID 3204 wrote to memory of 3952 3204 powershell.exe 97 PID 1880 wrote to memory of 940 1880 rocket league.exe 98 PID 1880 wrote to memory of 940 1880 rocket league.exe 98 PID 940 wrote to memory of 4824 940 powershell.exe 99 PID 940 wrote to memory of 4824 940 powershell.exe 99 PID 1880 wrote to memory of 2956 1880 rocket league.exe 100 PID 1880 wrote to memory of 2956 1880 rocket league.exe 100 PID 2956 wrote to memory of 1388 2956 powershell.exe 101 PID 2956 wrote to memory of 1388 2956 powershell.exe 101 PID 1880 wrote to memory of 3824 1880 rocket league.exe 102 PID 1880 wrote to memory of 3824 1880 rocket league.exe 102 PID 3824 wrote to memory of 4872 3824 powershell.exe 104 PID 3824 wrote to memory of 4872 3824 powershell.exe 104 PID 1880 wrote to memory of 2892 1880 rocket league.exe 105 PID 1880 wrote to memory of 2892 1880 rocket league.exe 105 PID 2892 wrote to memory of 1572 2892 powershell.exe 106 PID 2892 wrote to memory of 1572 2892 powershell.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\rocket league.exe"C:\Users\Admin\AppData\Local\Temp\rocket league.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Users\Admin\AppData\Local\Temp\rocket league.exe"C:\Users\Admin\AppData\Local\Temp\rocket league.exe"2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "sc config WinDefend start= disabled"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4456
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "net stop WinDefend"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" stop WinDefend4⤵
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop WinDefend5⤵PID:4288
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "reg add \"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:516 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f4⤵PID:3956
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "reg add \"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\" /v NoAutoUpdate /t REG_DWORD /d 1 /f"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /t REG_DWORD /d 1 /f4⤵PID:3952
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "reg add \"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer\" /v DisableNotificationCenter /t REG_DWORD /d 1 /f"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer /v DisableNotificationCenter /t REG_DWORD /d 1 /f4⤵PID:4824
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "reg add \"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization\" /v NoLockScreen /t REG_DWORD /d 1 /f"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization /v NoLockScreen /t REG_DWORD /d 1 /f4⤵PID:1388
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "reg add \"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\" /v DisableTaskMgr /t REG_DWORD /d 1 /f"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵PID:4872
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "reg add \"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\" /v NoControlPanel /t REG_DWORD /d 1 /f"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f4⤵PID:1572
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
944B
MD52ad33642f863ae14ee53bc6853ee330e
SHA1ca81cc7d8c33a46ebe97bc1d3db55e41a813029e
SHA25617c7b3c895766071a0d87318ec4134a9032ed113b46d3ba75889819a61a9cc19
SHA51252c59a7bde3751e07da53f3942c15cc3e19a4bf1929fbc28ae568ed96531852747b4f724e01438e159c4c98bf2d846db205c48e32f4b5984e9fddeb936eb8aa9
-
Filesize
944B
MD51542328a8546914b4e2f1aef9cb42bea
SHA17a0ac5969dfb20eb974e8a3bd8707243fa68f94f
SHA2567584152ef93be4dc497db509c723f20a1fd09d69df02d62c897eefda6bf4c737
SHA512b2b117abc97a64a71538d57c7f6c68c405d7ff5ef91dafe768832ff63378cb627af8b035b2a803627754c2219dd26755a2fa28e3a1bb9b1deb32ba13487ee286
-
Filesize
944B
MD52b09a4ee48534faf0a8f91aee9a1c92a
SHA158db278bbe8453eb341294e7f303c2f2fca5815f
SHA2560cc656020d2efb13b0140e35229d04b3f10c64f0d2bc7813ef07160a65468263
SHA5123ba905d6b0e33804bef1917ab50666a3a6ec71a47e186f095aa4db4606ea189559b9192187d00895fe1f7a50f603076f4071ad33bf37a867ba960a11102e3a2a
-
Filesize
1KB
MD588be3bc8a7f90e3953298c0fdbec4d72
SHA1f4969784ad421cc80ef45608727aacd0f6bf2e4b
SHA256533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a
SHA5124fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c
-
Filesize
64B
MD5421e2421d469a848255625b722ebff12
SHA1fe15054bd7268165f377de43706226af644e5af9
SHA25654436d18ea4ca55d4673917f78ea644b12d65f1f27cdee4b32e6987bc1deefed
SHA512f464f642f2a934e9507a64bf9d3043d4254405b15855a4d42af0d97341df9851b494cf6d164d6ac393d635040654bf4a33cc3c159b6ea8e05947d829c575e4e3
-
Filesize
944B
MD58857491a4a65a9a1d560c4705786a312
SHA14f3caf2ad5d66a2410c9cca0381d26a46e832cb4
SHA256b6e1a16a11075cb4e0bae0cebdb6ac15f5d66e0005f557703708a04cd11bd360
SHA512d9497c47898cdc4c4fc62158830dc931990e08bb4a28a5d19d4187a87a2afab8a4bd58ca346563210b476c9adb9a714bfe1057e0ebce85d1fd94731be6d02660
-
Filesize
944B
MD5a316ebd4efa11d6b6daf6af0cc1aebce
SHA1ab338dd719969c70590dbc039b90e2758c741762
SHA256f7308f111e3910da5c34c4d06d78d692f44419f848f5bf886fd466d5a96ad014
SHA51267a9b94b704222a1bbe02fa8780c6b9bd364c8581b693ca28c6a444fde160df216304426bacf6b01909b80540cf0add79669b7a88ca260a6fbc93c4742f36c5a
-
Filesize
99KB
MD58697c106593e93c11adc34faa483c4a0
SHA1cd080c51a97aa288ce6394d6c029c06ccb783790
SHA256ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833
SHA512724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987
-
Filesize
83KB
MD56c7565c1efffe44cb0616f5b34faa628
SHA188dd24807da6b6918945201c74467ca75e155b99
SHA256fe63361f6c439c6aa26fd795af3fd805ff5b60b3b14f9b8c60c50a8f3449060a
SHA512822445c52bb71c884461230bb163ec5dee0ad2c46d42d01cf012447f2c158865653f86a933b52afdf583043b3bf8ba7011cc782f14197220d0325e409aa16e22
-
Filesize
122KB
MD529da9b022c16da461392795951ce32d9
SHA10e514a8f88395b50e797d481cbbed2b4ae490c19
SHA2563b4012343ef7a266db0b077bbb239833779192840d1e2c43dfcbc48ffd4c5372
SHA5125c7d83823f1922734625cf69a481928a5c47b6a3bceb7f24c9197175665b2e06bd1cfd745c55d1c5fe1572f2d8da2a1dcc1c1f5de0903477bb927aca22ecb26a
-
Filesize
264KB
MD5ce4df4dfe65ab8dc7ae6fcdebae46112
SHA1cdbbfda68030394ac90f6d6249d6dd57c81bc747
SHA256ffbe84f0a1eab363ca9cf73efb7518f2abd52c0893c7cc63266613c930855e96
SHA512fc8e39942e46e4494356d4a45257b657495cbfa20e9d67850627e188f70b149e22603ae4801b4ba7b9a04d201b3787899d2aee21565237d18e0afce9bae33ee9
-
Filesize
63KB
MD5f377a418addeeb02f223f45f6f168fe6
SHA15d8d42dec5d08111e020614600bbf45091c06c0b
SHA2569551431425e9680660c6baf7b67a262040fd2efceb241e4c9430560c3c1fafac
SHA5126f60bfac34ed55ff5d6ae10c6ec5511906c983e0650e5d47dac7b8a97a2e0739266cae009449cced8dff59037e2dbfc92065fbbdfde2636d13679e1629650280
-
Filesize
157KB
MD5b5355dd319fb3c122bb7bf4598ad7570
SHA1d7688576eceadc584388a179eed3155716c26ef5
SHA256b9bc7f1d8aa8498cb8b5dc75bb0dbb6e721b48953a3f295870938b27267fb5f5
SHA5120e228aa84b37b4ba587f6d498cef85aa1ffec470a5c683101a23d13955a8110e1c0c614d3e74fb0aa2a181b852bceeec0461546d0de8bcbd3c58cf9dc0fb26f5
-
Filesize
77KB
MD5f5dd9c5922a362321978c197d3713046
SHA14fbc2d3e15f8bb21ecc1bf492f451475204426cd
SHA2564494992665305fc9401ed327398ee40064fe26342fe44df11d89d2ac1cc6f626
SHA512ce818113bb87c6e38fa85156548c6f207aaab01db311a6d8c63c6d900d607d7beff73e64d717f08388ece4b88bf8b95b71911109082cf4b0c0a9b0663b9a8e99
-
Filesize
822KB
MD5d3a47ef5b669b3ab59aa27a54b015d24
SHA1d646309640b93ce05d268a00104d8a6ee6ee4463
SHA256b89ba73c7ce7a7800237401b351b047996f3c975f9e6ed401864f5481acf644f
SHA51209095fc7042a77f0c35f6a79d2c180b2660b613a82697a29662e39db80b3ed442c0433f915d17a271aba2f4f5c39615af2bac274de7095dd907413414d630dcc
-
Filesize
3.2MB
MD5cc4cbf715966cdcad95a1e6c95592b3d
SHA1d5873fea9c084bcc753d1c93b2d0716257bea7c3
SHA256594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1
SHA5123b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477
-
Filesize
32KB
MD5eef7981412be8ea459064d3090f4b3aa
SHA1c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016
-
Filesize
4.3MB
MD511c051f93c922d6b6b4829772f27a5be
SHA142fbdf3403a4bc3d46d348ca37a9f835e073d440
SHA2560eabf135bb9492e561bbbc5602a933623c9e461aceaf6eb1ceced635e363cd5c
SHA5121cdec23486cffcb91098a8b2c3f1262d6703946acf52aa2fe701964fb228d1411d9b6683bd54527860e10affc0e3d3de92a6ecf2c6c8465e9c8b9a7304e2a4a6
-
Filesize
26KB
MD57a442bbcc4b7aa02c762321f39487ba9
SHA10fcb5bbdd0c3d3c5943e557cc2a5b43e20655b83
SHA2561dd7bba480e65802657c31e6d20b1346d11bca2192575b45eb9760a4feb468ad
SHA5123433c46c7603ae0a73aa9a863b2aecd810f8c0cc6c2cd96c71ef6bde64c275e0fceb4ea138e46a5c9bf72f66dcdea3e9551cf2103188a1e98a92d8140879b34c
-
Filesize
1.1MB
MD58320c54418d77eba5d4553a5d6ec27f9
SHA1e5123cf166229aebb076b469459856a56fb16d7f
SHA2567e719ba47919b668acc62008079c586133966ed8b39fec18e312a773cb89edae
SHA512b9e6cdcb37d26ff9c573381bda30fa4cf1730361025cd502b67288c55744962bdd0a99790cedd4a48feef3139e3903265ab112ec545cb1154eaa2a91201f6b34
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82