43463ae3d8e085f1202ca2b623ec3aa9e0e4c1f1128985abc5e8b27bb647945e

Analysis

max time kernel
141s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-08-2024 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gamebbx.exe
Size

4.4MB
MD5

fa13ce2cbeb6c168384ede609e2a8b47
SHA1

c0ae1ea8514ed078b3843865fac31e25004d3cea
SHA256

d8b8485a9cd927008d6e75214ae9acb07d234af577ae2c699ea14a52dee8f776
SHA512

1958ae3aee4aad3bfbcc149439bb2cccf109ea603ba5031d8e3675921fb1ee2eba0d6a389489d351b551bffbb8b93f86a3ebb82fce334af37ddf2f11faa43030
SSDEEP

98304:r2w51VjP9fIRqW/5ehKiugj51tkZiRcIIIkkoVZM:rV5Db9wFIo0tkZi/o3M

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3416	gamebbx.tmp

Loads dropped DLL 3 IoCs

pid	Process
3416	gamebbx.tmp
3416	gamebbx.tmp
3416	gamebbx.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gamebbx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gamebbx.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3416	gamebbx.tmp
3416	gamebbx.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 3416	3932	gamebbx.exe	84
PID 3932 wrote to memory of 3416	3932	gamebbx.exe	84
PID 3932 wrote to memory of 3416	3932	gamebbx.exe	84

C:\Users\Admin\AppData\Local\Temp\gamebbx.exe
"C:\Users\Admin\AppData\Local\Temp\gamebbx.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Users\Admin\AppData\Local\Temp\is-IMHBE.tmp\gamebbx.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-IMHBE.tmp\gamebbx.tmp" /SL5="$5023C,4283141,221696,C:\Users\Admin\AppData\Local\Temp\gamebbx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-IMHBE.tmp\gamebbx.tmp

Filesize
872KB

MD5
8466d1f908959b327432f78e121a40d0

SHA1
502a9c5ccb06f6c5cec3de931da359d0bb9db832

SHA256
07b08630de7c0d0b2d4acffc872b41e4a76ba100b23b007c39e9c1c8c895caef

SHA512
72c2ec3a13c84fe7508fa49ae26374a1b1cb1e7e8a9d8c9b736a5415ed9860451414004bcc58f660b010db6d0c04d50f59d4a7bfb378508cf8878d5789dca5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SPPM0.tmp\UpdateIcon.dll

Filesize
32KB

MD5
9da5e5c13c7cdb9d40a6d48dc144f103

SHA1
9ca63e96a74cd6e15650381713a9f21f74b2bfd0

SHA256
06bc5482590c17db6d3a8a2ed284d507ed93e239690e508a44a8af6c461cd218

SHA512
914b31962ebeea3957a1e600365197744420ee73ae36b5b9aec9a32ba24310d133f1cb377dc53b04017815a3010b0f0875e250641d40e063369627ac1c67d7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SPPM0.tmp\psvince.dll

Filesize
36KB

MD5
a4e5c512b047a6d9dc38549161cac4de

SHA1
49d3e74f9604a6c61cda04ccc6d3cda87e280dfb

SHA256
c7f1e7e866834d9024f97c2b145c09d106e447e8abd65a10a1732116d178e44e

SHA512
2edb8a492b8369d56dda735a652c9e08539a5c4709a794efaff91adcae192a636d0545725af16cf8c31b275b34c2f19e4b019b57fb9050b99de65a4c08e3eee1

Download Submit
memory/3416-12-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3416-17-0x0000000003AA0000-0x0000000003AAE000-memory.dmp

Filesize
56KB

Download
memory/3416-26-0x0000000003AA0000-0x0000000003AAE000-memory.dmp

Filesize
56KB

Download
memory/3416-25-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3416-32-0x0000000003AA0000-0x0000000003AAE000-memory.dmp

Filesize
56KB

Download
memory/3416-65-0x0000000003AA0000-0x0000000003AAE000-memory.dmp

Filesize
56KB

Download
memory/3932-1-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3932-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3932-24-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download