d5a224fbaae6973995669dfa116f87205d1bf6aa41800a7d9de5294a681609f5

Analysis

max time kernel
138s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RJ332432 - Zombie Party/Game.exe
Size

1.5MB
MD5

9ebc7dd20fa66f5deabfd8873a4ed8c6
SHA1

cf1b1da0e5215738a8e972077be5804cb326b8ed
SHA256

487bd28f3d0b43ed9827ba519d6d113c4f31059bd62b4492da586c7bc82a9474
SHA512

5d0a052edec070ee573bc43ed9eb7eb92c0460efe60a5abc31d1200e092937b91eafce5492cd945d46645f9029f0f80a37907fe6292639d37f15f58dae377271
SSDEEP

24576:5XVhPcthsRP/d3qI4N+Nl49LPSncvK51CvO8ofTWIZAmOLB:R5RP/d6IxNIKnL5mO8ofTrZAmm

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	Game.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1750093773-264148664-1320403265-1000\{00912ADC-337F-444E-B6D2-F57B96873A37}	Game.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Game.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Game.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Game.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4804	Game.exe
4804	Game.exe
2796	Game.exe
2796	Game.exe
4684	Game.exe
4684	Game.exe
2796	Game.exe
2796	Game.exe
1572	Game.exe
1572	Game.exe
2004	Game.exe
2004	Game.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	916	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	916	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2796	Game.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 3684	2796	Game.exe	88
PID 2796 wrote to memory of 3684	2796	Game.exe	88
PID 2796 wrote to memory of 3684	2796	Game.exe	88
PID 2796 wrote to memory of 4804	2796	Game.exe	89
PID 2796 wrote to memory of 4804	2796	Game.exe	89
PID 2796 wrote to memory of 4804	2796	Game.exe	89
PID 2796 wrote to memory of 4684	2796	Game.exe	90
PID 2796 wrote to memory of 4684	2796	Game.exe	90
PID 2796 wrote to memory of 4684	2796	Game.exe	90
PID 2796 wrote to memory of 1572	2796	Game.exe	99
PID 2796 wrote to memory of 1572	2796	Game.exe	99
PID 2796 wrote to memory of 1572	2796	Game.exe	99
PID 2796 wrote to memory of 2004	2796	Game.exe	100
PID 2796 wrote to memory of 2004	2796	Game.exe	100
PID 2796 wrote to memory of 2004	2796	Game.exe	100

C:\Users\Admin\AppData\Local\Temp\RJ332432 - Zombie Party\Game.exe
"C:\Users\Admin\AppData\Local\Temp\RJ332432 - Zombie Party\Game.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Local\Temp\RJ332432 - Zombie Party\Game.exe
  "C:\Users\Admin\AppData\Local\Temp\RJ332432 - Zombie Party\Game.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\nwjs\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\nwjs\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\nwjs\User Data" --annotation=plat=Win32 --annotation=prod= --annotation=ver= --initial-client-data=0x2d4,0x2d8,0x2dc,0x2d0,0x2e0,0x7570d0e0,0x7570d0f0,0x7570d0fc
  2⤵
  PID:3684
- C:\Users\Admin\AppData\Local\Temp\RJ332432 - Zombie Party\Game.exe
  "C:\Users\Admin\AppData\Local\Temp\RJ332432 - Zombie Party\Game.exe" --type=gpu-process --field-trial-handle=1656,10087065245544324503,6259521941534583569,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\RJ332432 - Zombie Party" --gpu-preferences=KAAAAAAAAAAABwCAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor=Microsoft --gpu-driver-version=10.0.19041.868 --gpu-driver-date=6-21-2006 --user-data-dir="C:\Users\Admin\AppData\Local\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\RJ332432 - Zombie Party" --service-request-channel-token=F4E5FA5B2A47C23A441B93915B631B9C --mojo-platform-channel-handle=1668 /prefetch:2
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4804
- C:\Users\Admin\AppData\Local\Temp\RJ332432 - Zombie Party\Game.exe
  "C:\Users\Admin\AppData\Local\Temp\RJ332432 - Zombie Party\Game.exe" --type=renderer --js-flags=--expose-gc --no-sandbox --no-zygote --field-trial-handle=1656,10087065245544324503,6259521941534583569,131072 --service-pipe-token=729B703801CB3CA41DF0FD41FEE032F3 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\RJ332432 - Zombie Party" --nwjs --extension-process --disable-client-side-phishing-detection --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --blink-settings=disallowFetchForDocWrittenScriptsInMainFrame=false,disallowFetchForDocWrittenScriptsInMainFrameOnSlowConnections=true,cssExternalScannerNoPreload=false,cssExternalScannerPreload=true --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-checker-imaging --enable-compositor-image-animations --service-request-channel-token=729B703801CB3CA41DF0FD41FEE032F3 --renderer-client-id=3 --mojo-platform-channel-handle=2464 /prefetch:1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4684
- C:\Users\Admin\AppData\Local\Temp\RJ332432 - Zombie Party\Game.exe
  "C:\Users\Admin\AppData\Local\Temp\RJ332432 - Zombie Party\Game.exe" --type=utility --field-trial-handle=1656,10087065245544324503,6259521941534583569,131072 --lang=en-US --no-sandbox --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\RJ332432 - Zombie Party" --service-request-channel-token=406EE78245AABEA13304985D0875BE57 --mojo-platform-channel-handle=3516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1572
- C:\Users\Admin\AppData\Local\Temp\RJ332432 - Zombie Party\Game.exe
  "C:\Users\Admin\AppData\Local\Temp\RJ332432 - Zombie Party\Game.exe" --type=utility --field-trial-handle=1656,10087065245544324503,6259521941534583569,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\RJ332432 - Zombie Party" --service-request-channel-token=B6D65B2ECD10B99E8C973D97BB22849A --mojo-platform-channel-handle=4008 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2004

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x3d8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\User Data\1c76fc12-a8e2-4ce5-b41c-3e3f2d3c3b11.tmp

Filesize
1KB

MD5
ccd6c2dfd11cc66629aa9c45b6d6a4da

SHA1
9eae3d20e5dd5d662b301644accb38731964e066

SHA256
5d83844752cc7426229cefd2337fed3411e1e58694976f7591a0aecdbfc7b263

SHA512
c71b6a1dd28f56b3d71b1891d8f1e0499face9a44f7344ca90800601eb380487031f4c84751f9118091acc370bfe11b293c235315e26a5b52e4aec12634fb834

Download Submit
C:\Users\Admin\AppData\Local\User Data\86a9b690-161d-453c-8d06-fb283564bdb5.tmp

Filesize
1KB

MD5
068a76c45d2c4a874ca3404341fa20c5

SHA1
ef5dc3da9987ef94f08accb7f830cb826897f400

SHA256
f736a0b1494fee897f6f8df43bf7834860e5c4779c65d470a5f1136af66980de

SHA512
dfcb606d789a3af816a566ae506f1261b892b1f39f42834a55274e77753a2200af666dd921da6a6f5f344ac103096383e7e9ddc02819a70108e72a199a7d972f

Download Submit
C:\Users\Admin\AppData\Local\User Data\Default\7466b192-2cd3-41d7-8c0a-1cae8d6b808b.tmp

Filesize
1KB

MD5
5c4366c4a6231fa7503f886d76948eb9

SHA1
ea5510e74bf4baafc7c4eddcf0338b2d0125d105

SHA256
cad56e4a9a66154d26105873cf4ab4dec262a5dcc1f2402bfe9e4284ab0f43f1

SHA512
2da2cab43747b05f74179ab934c7d9faff82012fa4f33f050c3d07a2c692bce97820e021fb1d820db10db5510e1cba2349e684b418d066be1484a427e6713641

Download Submit
C:\Users\Admin\AppData\Local\User Data\Default\Download Service\EntryDB\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\User Data\Default\Preferences~RFe58a488.TMP

Filesize
1KB

MD5
af923e2fa34e1570724edf05fb72aae5

SHA1
07517a947b6261c4c990ae638ca941d1625af4e1

SHA256
a26d462f0560fc103b9262478def40c8e230f569e7b00ff47e8eec5d77ac51b3

SHA512
b1231cdf9e1dea0d60a7c5dc3bb0abee6ce090ae9383e46df3cd95f55639d9a3c64b2dba530ca71b0c0111caed9551d34e652e15a63b9304347ac977a1f3c0a5

Download Submit
C:\Users\Admin\AppData\Local\User Data\Default\Thumbnails\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\User Data\Default\data_reduction_proxy_leveldb\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\User Data\Local State~RFe58437c.TMP

Filesize
1KB

MD5
068084af8d99b1ce21f71a49101ecf30

SHA1
197c2e299c9cd901f29e02ae6bfa0695be4397e0

SHA256
25d0af7e877c03976b72c3ca3e6b0ff5eac817ac917ff4281ec781cc5da60baa

SHA512
3c3a4842baaa61d7f08ac865ae51804c21d4523a0f0cede42a409c384f08ea6e65b84c81480f363b4a372a5620b3f4c05f914f818719176bbe038507d4ae3be3

Download Submit
C:\Users\Admin\AppData\Local\User Data\b75d5a2f-c6b4-4d22-ab5a-b44e83b23836.tmp

Filesize
3KB

MD5
465768242c1b40d47cca705c4603a028

SHA1
a8634058675f666de903a87435a209f841d2dd54

SHA256
c602acc992b13325cd52197815a553f60ee4042ef2d6e0bb4d9f12bb3037d2ec

SHA512
e3509f237205f82f1fa31ac76049e107911fa167b5c2e212e4426b213490c65ad7d30e60fb64afdaecb8c58d766108957592738dbf222fdb6dd1749a21e7357f

Download Submit
C:\Users\Admin\AppData\Local\nwjs\User Data\Crashpad\settings.dat

Filesize
40B

MD5
b823b71cb66e69c6d7480c716f89bf60

SHA1
53cd4857f63359f53e8943571f1a9fd298225d42

SHA256
c421b5532c966b8f4d306673f0517b1612cb1fc6d859c38b29f16a09b770e2ec

SHA512
6abb92aac8ec3bf74605570fd8404362cd0c9a1111ff84cd06093b90e1c54fcd61830cd386a84497354eb73c58dfb0d643189ef59074305fc710fc61a6051242

Download Submit