Analysis

max time kernel: 19s
max time network: 26s
platform: windows10-1703_x64
resource: win10-20240611-en
resource tags: arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
submitted: 17-06-2024 07:48
General

Target: game.exe
Size: 202KB
MD5: 344e63414eabf4e9a367a35575f3f912
SHA1: 873c62937ddf8e8e4f1f8de50fd9e5e85891f26f
SHA256: b311a4b65d33d41491e14d50598168da43f75894d30776205213a05248646e86
SHA512: c1373ecfef42a24b545d863c81af8837ac01b89870106e9312ca84adbbd78d01fbd5ed5c4a514520b88db38c217617e4e4ed70495b83b68c4e2b82d37408f0d6
SSDEEP: 6144:wLV6Bta6dtJmakIM5YSxxV2Pvj3Y+w5Ay:wLV6Btpmka2PvTc
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Service = "C:\\Program Files (x86)\\SMTP Service\\smtpsv.exe"
  process: game.exe

Checks whether UAC is enabled (1 IoC)
Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: game.exe

Drops file in Program Files directory (2 IoCs)
Processes:
  description: File created
  ioc: C:\Program Files (x86)\SMTP Service\smtpsv.exe
  process: game.exe

  description: File opened for modification
  ioc: C:\Program Files (x86)\SMTP Service\smtpsv.exe
  process: game.exe

Kills process with taskkill (1 IoC)
Processes:
  pid: 4312
  process: taskkill.exe

Runs ping.exe (1 TTP, 1 IoC)
Processes:
  pid: 3204
  process: PING.EXE

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid 4416 game.exe
  pid 4416 game.exe
  pid 4416 game.exe
  pid 4416 game.exe
  pid 4416 game.exe
  pid 4416 game.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid 4416 game.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description: Token: SeDebugPrivilege  pid 4416 game.exe
  description: Token: SeDebugPrivilege  pid 4416 game.exe
  description: Token: SeDebugPrivilege  pid 4312 taskkill.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes (description, pid, process, target process):
  PID 4416 wrote to memory of 2640   4416 game.exe -> schtasks.exe
  PID 4416 wrote to memory of 2640   4416 game.exe -> schtasks.exe
  PID 4416 wrote to memory of 2640   4416 game.exe -> schtasks.exe
  PID 4416 wrote to memory of 3544   4416 game.exe -> schtasks.exe
  PID 4416 wrote to memory of 3544   4416 game.exe -> schtasks.exe
  PID 4416 wrote to memory of 3544   4416 game.exe -> schtasks.exe
  PID 4416 wrote to memory of 2784   4416 game.exe -> cmd.exe
  PID 4416 wrote to memory of 2784   4416 game.exe -> cmd.exe
  PID 4416 wrote to memory of 2784   4416 game.exe -> cmd.exe
  PID 2784 wrote to memory of 4312   2784 cmd.exe -> taskkill.exe
  PID 2784 wrote to memory of 4312   2784 cmd.exe -> taskkill.exe
  PID 2784 wrote to memory of 4312   2784 cmd.exe -> taskkill.exe
  PID 2784 wrote to memory of 3204   2784 cmd.exe -> PING.EXE
  PID 2784 wrote to memory of 3204   2784 cmd.exe -> PING.EXE
  PID 2784 wrote to memory of 3204   2784 cmd.exe -> PING.EXE
Processes (tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\game.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\game.exe"
    PID: 4416
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks.exe" /delete /f /tn "SMTP Service"
        PID: 2640

    C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks.exe" /delete /f /tn "SMTP Service Task"
        PID: 3544

    C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd.exe" /C taskkill /f /im "game.exe" & ping -n 1 -w 3000 1.1.1.1 & type nul > "C:\Users\Admin\AppData\Local\Temp\game.exe" & del /f /q "C:\Users\Admin\AppData\Local\Temp\game.exe"
        PID: 2784
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /f /im "game.exe"
            PID: 4312
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\PING.EXE
            Command line: ping -n 1 -w 3000 1.1.1.1
            PID: 3204
            - Runs ping.exe
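The signature tables and the process tree above describe two behaviours worth correlating rather than alerting on individually: a Run key value (under WOW6432Node, so written by a 32-bit process) that points at a file the same process created moments earlier, and a cmd.exe child that kills its parent's image, waits on a single ping, zeroes the parent's file with `type nul >` and deletes it. The Python below is an added example, not part of the sandbox report or its signature engine; it runs both correlations over Sysmon-style events constructed from the PIDs, paths and command lines in this report. The event layout (ids 1, 11 and 13, field names) and the parent PID 1000 of game.exe are assumptions, since the report does not show them.

```python
"""Correlation rules for the two behaviours in the report above: a Run-key
value that points at a file the same process just dropped, and a cmd.exe
child that kills, truncates and deletes its own parent (self-deletion)."""
import re
from collections import defaultdict

# Constructed events in a Sysmon-like layout (1 = process create,
# 11 = file create, 13 = registry value set). PIDs, paths and command
# lines are copied from the report; the parent PID 1000 of game.exe is an
# assumption, since the report does not show it.
EVENTS = [
    {"id": 1, "pid": 4416, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\game.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\game.exe"'},
    {"id": 11, "pid": 4416,
     "target": r"C:\Program Files (x86)\SMTP Service\smtpsv.exe"},
    {"id": 13, "pid": 4416,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Service",
     "data": r'"C:\\Program Files (x86)\\SMTP Service\\smtpsv.exe"'},
    {"id": 1, "pid": 2640, "ppid": 4416,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": '"schtasks.exe" /delete /f /tn "SMTP Service"'},
    {"id": 1, "pid": 2784, "ppid": 4416,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"cmd.exe" /C taskkill /f /im "game.exe" & ping -n 1 -w 3000 1.1.1.1'
                r' & type nul > "C:\Users\Admin\AppData\Local\Temp\game.exe"'
                r' & del /f /q "C:\Users\Admin\AppData\Local\Temp\game.exe"'},
    {"id": 1, "pid": 4312, "ppid": 2784,
     "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": 'taskkill /f /im "game.exe"'},
    {"id": 1, "pid": 3204, "ppid": 2784,
     "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping -n 1 -w 3000 1.1.1.1"},
]

RUN_KEY_RE = re.compile(
    r"^hklm\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
TASKKILL_RE = re.compile(r'taskkill\b[^&]*?/im\s+"?([^"\s&]+)', re.I)
TRUNCATE_RE = re.compile(r'type\s+nul\s*>\s*"([^"]+)"', re.I)
DEL_RE = re.compile(r'\bdel\b[^&]*?"([^"]+)"', re.I)
PING_RE = re.compile(r'\bping\b[^&]*?-n\s+(\d+)', re.I)


def normalize_key(key):
    """Map the native \\REGISTRY\\MACHINE prefix to hklm, drop the WOW6432Node
    redirection so 32-bit and 64-bit Run keys compare equal, lower-case all."""
    k = key.lower()
    for prefix in (r"\registry\machine", "hkey_local_machine"):
        if k.startswith(prefix):
            k = "hklm" + k[len(prefix):]
    return k.replace(r"\wow6432node", "")


def normalize_path(path):
    """Strip quotes, collapse doubled backslashes from REG_SZ renderings,
    lower-case for comparison."""
    return path.strip().strip('"').replace("\\\\", "\\").lower()


def find_dropped_persistence(events):
    """Run/RunOnce values whose target is a file the same PID created."""
    created = defaultdict(set)
    for e in events:
        if e["id"] == 11:
            created[e["pid"]].add(normalize_path(e["target"]))
    hits = []
    for e in events:
        if e["id"] != 13 or not RUN_KEY_RE.match(normalize_key(e["key"])):
            continue
        target = normalize_path(e["data"])
        hits.append({"pid": e["pid"],
                     "value": e["key"].rsplit("\\", 1)[-1],
                     "target": target,
                     "self_dropped": target in created[e["pid"]]})
    return hits


def find_self_delete(events):
    """A cmd.exe child that taskkills its parent's image name and deletes its
    parent's path is the self-deletion chain seen in the process tree."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if parent is None or not e["image"].lower().endswith(r"\cmd.exe"):
            continue
        parent_path = normalize_path(parent["image"])
        parent_name = parent_path.rsplit("\\", 1)[-1]
        cmd = e["cmdline"]
        killed = [m.lower() for m in TASKKILL_RE.findall(cmd)]
        deleted = [normalize_path(m) for m in DEL_RE.findall(cmd)]
        if parent_name in killed and parent_path in deleted:
            truncated = [normalize_path(m) for m in TRUNCATE_RE.findall(cmd)]
            hits.append({"cmd_pid": e["pid"], "parent_pid": parent["pid"],
                         "path": parent_path,
                         "truncated_first": parent_path in truncated,
                         "delay_via_ping": PING_RE.search(cmd) is not None})
    return hits


if __name__ == "__main__":
    for hit in find_dropped_persistence(EVENTS) + find_self_delete(EVENTS):
        print(hit)
```

Both rules key on relationships the sandbox already records (creating PID, parent PID) rather than on the string "SMTP Service", so they still fire when the value name, the drop directory or the pinged host changes; the `self_dropped` flag is what separates this pattern from a legitimate installer that registers a Run entry for a file it shipped.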
Network
MITRE ATT&CK Enterprise v15
Downloads

memory/4416-0-0x0000000073651000-0x0000000073652000-memory.dmp  (4KB)
memory/4416-1-0x0000000073650000-0x0000000073C00000-memory.dmp  (5.7MB)
memory/4416-2-0x0000000073650000-0x0000000073C00000-memory.dmp  (5.7MB)
memory/4416-19-0x0000000073650000-0x0000000073C00000-memory.dmp  (5.7MB)