Analysis
max time kernel: 45s
max time network: 16s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 16-06-2024 16:38
Behavioral task: behavioral1
Sample: Gamesense (1).exe
Resource: win7-20240508-en
Signatures: 5
Runtime: 150 seconds
General
Target: Gamesense (1).exe
Size: 18.5MB
MD5: 0adc1b44d971f3f1dea4b70bd8e47f6f
SHA1: 3955ef751f91bf0283877dc52c27dbe9a1dbd736
SHA256: 2097b50fc84922fe4e6bbc4cb80ad01b631e8f4eefdffabc80df08979141bf95
SHA512: 94fae545b96c234ba4710d4f5e7a5cc2c29f2595df2ff4e4b52e0c759680262043e46e9162f0e82c01d563f36674bdd421f42e20fc3d6fe4440dff5354895808
SSDEEP: 393216:ZSLpLFG0zW0zkV8GP870Qj3+thpvLpTWwim72/kpW8wxUm:ZSLBz1ABUj3+vpvLpTLim7KiQl
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
  description: Key opened
  ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
  process: Gamesense (1).exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  process: Gamesense (1).exe

  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  process: Gamesense (1).exe
YARA rule match: themida
Processes (resource / yara_rule):
  behavioral1/memory/1684-1-0x000000013F0A0000-0x000000014222D000-memory.dmp  themida
  behavioral1/memory/1684-4-0x000000013F0A0000-0x000000014222D000-memory.dmp  themida
  behavioral1/memory/1684-3-0x000000013F0A0000-0x000000014222D000-memory.dmp  themida
  behavioral1/memory/1684-2-0x000000013F0A0000-0x000000014222D000-memory.dmp  themida
  behavioral1/memory/1684-0-0x000000013F0A0000-0x000000014222D000-memory.dmp  themida
  behavioral1/memory/1684-5-0x000000013F0A0000-0x000000014222D000-memory.dmp  themida
  behavioral1/memory/1684-6-0x000000013F0A0000-0x000000014222D000-memory.dmp  themida
  behavioral1/memory/1684-7-0x000000013F0A0000-0x000000014222D000-memory.dmp  themida
  behavioral1/memory/1684-8-0x000000013F0A0000-0x000000014222D000-memory.dmp  themida
  behavioral1/memory/1684-9-0x000000013F0A0000-0x000000014222D000-memory.dmp  themida
  behavioral1/memory/1684-11-0x000000013F0A0000-0x000000014222D000-memory.dmp  themida
Checks whether UAC is enabled
Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: Gamesense (1).exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
  description: PID 1684 wrote to memory of 2540
  pid: 1684
  process: Gamesense (1).exe
  target process: WerFault.exe

  description: PID 1684 wrote to memory of 2540
  pid: 1684
  process: Gamesense (1).exe
  target process: WerFault.exe

  description: PID 1684 wrote to memory of 2540
  pid: 1684
  process: Gamesense (1).exe
  target process: WerFault.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Gamesense (1).exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Gamesense (1).exe"
  PID: 1684
  signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  child process:
    C:\Windows\system32\WerFault.exe
      command line: C:\Windows\system32\WerFault.exe -u -p 1684 -s 264
      PID: 2540