Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    02/08/2024, 17:36

General

  • Target

    savedgames/slot1/game01.savegamedata

  • Size

    350KB

  • MD5

    e0ced6a746d0cfedcfcf3675fc6a46e6

  • SHA1

    84364e1205aa34f32eeb7e4569f86f5f0b3699be

  • SHA256

    94474cb64862312f09df08c1ba1e4f78260d4083b0b85953ecd205f51b1c5e48

  • SHA512

    7efd766900daad15dc6bed28dac008d35a144549f6c0b9a886822a057b8e42e80dab612034ff3f6a267ce782303e22ee89b5ffcf56002c3fdf42d9d80f78ee5f

  • SSDEEP

    1536:0Wfjf8akDtQFT0XSWwZCyWfjf8akDtQFT0XSWwZCyWfjf8akDu:BlT0XSWjlT0XSWjB

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\savedgames\slot1\game01.savegamedata
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\savedgames\slot1\game01.savegamedata
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\savedgames\slot1\game01.savegamedata"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2524

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    10b183601c737d6f9252b08872df2ba0

    SHA1

    454c9d1b07e74a8f31cd320e605da5c3bd033306

    SHA256

    e9433060349d356bfa4b411d02423c1cf11d1ae3f22e755b38fa6de645a90c7a

    SHA512

    5d6b15bd211fd5c2bb944323d65e16ca2cb8ff98e4c79a61bc7d7183cec5aa86476038a928fa170416fe73b4b12d4d9c38f6cf8068d332cdc796a74d8013fa83