Overview

overview

7

Static

static

3

33994da609...43.exe

windows7-x64

7

33994da609...43.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    13/08/2024, 23:15

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    33994da6090887deef1a718a2dff12077706d9ffd04c8e6e0e9588f56ebfd243.exe

  • Size

    7.3MB

  • MD5

    b8d6211e17f5046af5f3d357b87d0e2c

  • SHA1

    6841e69f029822fc98a0a95259661aa0afa8a8e2

  • SHA256

    33994da6090887deef1a718a2dff12077706d9ffd04c8e6e0e9588f56ebfd243

  • SHA512

    1e40cb851ffa8a6cd892eb3518fb9dec352f4f7906ab3c2c59970039e66d4bab52fbcf6c1efed0cdf3c4eea02e3d7d2f17c85695f7cd3eab9b089bae573ea6dd

  • SSDEEP

    196608:K2kSKEko1nisbpW2/JuoLl5oSwf669WxvWU1ZMNZuc:ESKETnrdW2xuoLl5oSIrcIUzY

Score
7/10
bootkitdiscoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 53 IoCs
  • Checks for any installed AV software in registry 1 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Drops file in Program Files directory 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33994da6090887deef1a718a2dff12077706d9ffd04c8e6e0e9588f56ebfd243.exe
    "C:\Users\Admin\AppData\Local\Temp\33994da6090887deef1a718a2dff12077706d9ffd04c8e6e0e9588f56ebfd243.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Program Files (x86)\GameAssistant\GameAssistant.exe
      "C:\Program Files (x86)\GameAssistant\GameAssistant.exe" --tray --setup --from=setup --param=" --startup-id=879"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Program Files (x86)\GameAssistant\Wallpaper.exe
        "C:\Program Files (x86)\GameAssistant\Wallpaper.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks for any installed AV software in registry
        • Writes to the Master Boot Record (MBR)
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\Program Files (x86)\GameAssistant\LocalServer.exe
          "C:\Program Files (x86)\GameAssistant\LocalServer.exe" --local-path=C:\Users\Admin\AppData\Roaming\360GameAssistant\Wallpaper\Screensaver --outer-path=/resources --port=8081
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2396
  • C:\Program Files (x86)\GameAssistant\GameAssistant.exe
    "C:\Program Files (x86)\GameAssistant\GameAssistant.exe" --from=--from=tray --startup-id=879
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2240

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\GameAssistant\360Base.dll
          Filesize

          965KB

          MD5

          4f241e5de9091f6d78469bf1dc141cbd

          SHA1

          dec02d084f94049a4087a0f23db063ecaf98269a

          SHA256

          b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

          SHA512

          2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

          Download Submit

        • C:\Program Files (x86)\GameAssistant\360Util.dll
          Filesize

          664KB

          MD5

          d1b5dfc13bc47b666d0bffa3520d4c29

          SHA1

          a6dc1e9bcddda234acb2bfd80c76a6b2131983bc

          SHA256

          8733f13c9161db106b1b547fe8e8e29ae006e9311ec4ca510783720d5331923e

          SHA512

          abdf5b9072a741202cfce4d2f05bc9c9f634ade38c5e4657a7c379496c43d3795c7ad299e0fe55562d0c4069722531edcb14fe6cae55068f416f81ca8325077a

          Download Submit

        • C:\Program Files (x86)\GameAssistant\360netbase.dll
          Filesize

          1.4MB

          MD5

          14c6b4bbd31f6fd13530bc941cc71d1a

          SHA1

          ce4e38ac82a54f64d318507ddc28f9ffbb378f0f

          SHA256

          401d8529a84f1d80a439be8cd4e869202162458e5afb5e5bac97c4859bfe8eb5

          SHA512

          c16d525f1d3fc098b4d6c8b8a872a9013ef2f945f27af73ed7826f61a2b80d756ae5348105432909eccc71f03834cd1301f87fa5a0107e0c7137f5c8e3a3cc95

          Download Submit

        • C:\Program Files (x86)\GameAssistant\CrashReport.dll
          Filesize

          171KB

          MD5

          a1015b3bd68bdcf4627decca879685ee

          SHA1

          e8a18669a4ec1d1ce8d16f321beb7c492db272b1

          SHA256

          e5126f27a767c2ec225e06bb0352945557127c47d1c2ecce3c7e4ae952d411f7

          SHA512

          a701f37a890c92331780e0414739881a11841e7effd4107a62f427cb10b6682e36aa0c20a4e1b4907b03779d2d800f2934c743f68d8e212ef2a2bb8c713253e5

          Download Submit

        • C:\Program Files (x86)\GameAssistant\KitTip.dll
          Filesize

          899KB

          MD5

          2412599c3516eed54c2d283859d4ca41

          SHA1

          39f2a32652451efedf005ec3d49525c5a1546965

          SHA256

          a3d84f02f58f7afb7dedea22feef432b5758987e461e621b4c2cb1ba07f5dbfb

          SHA512

          729dbad16bc751a34b39762603d867331f8890876384ce04d0654ffd749c4cbc03a7150079da676216370ff73992a08001f121133ec8465191553753a9c9d782

          Download Submit

        • C:\Program Files (x86)\GameAssistant\LocalServer.exe
          Filesize

          411KB

          MD5

          2b2ebbdb95ccb946a4996d7ed4b63382

          SHA1

          70b23942b6dcd78b59a9a3b6eeac5ef1711e824e

          SHA256

          7d917cd4eb6838ce6781a12d1f7c1902f93a12bd1e6b8f304bd34880f849b62e

          SHA512

          42da489392939fd717c70ace1614c89bee75237b1ada0791d129aa9a0bf5e070b6a8138a31cfc98b34fa5711dfeb6568bf30c1ff8363bd859784e3f71662d6ee

          Download Submit

        • C:\Program Files (x86)\GameAssistant\Wallpaper.exe
          Filesize

          1.6MB

          MD5

          6c9a03cfeac3333e0f23e022ae5f10e8

          SHA1

          5f543b4da8d3a28603781a94c4c1fbee58e654a6

          SHA256

          46b1eb517a9d772f377f972e76db6f2caedaa576aa8022ac7cddfd87d656d389

          SHA512

          075696d7bbc59c9c5ad6d0d1dc70e9608fddd35b3644246e9c0f8d18ab4841d08ca197cf66cf2508691cbd84ff5f3f79dadfb8d123bddad0df385521fc9ed468

          Download Submit

        • C:\Program Files (x86)\GameAssistant\cacert.dat
          Filesize

          240KB

          MD5

          fddaa2c6ed188018bb28f38066b56d79

          SHA1

          38a2d83f5ce482299f6ca38dbac184112a612b62

          SHA256

          04f4445461ff76c45a932deef2aba90a9f6c192fb81431b026d3fd01c6d2bcbc

          SHA512

          19853eb627387db0365497cf7699888574d154e15ae893be8fe906253c1b193b639c5e6aadc7f4c57b16df606a40bbdcc1fd3b1e8bb1b3ffe2b2559ca27b84d1

          Download Submit

        • \Program Files (x86)\GameAssistant\GameAssistant.exe
          Filesize

          2.0MB

          MD5

          b21504f1734e75fdfbd6a34cea7e553f

          SHA1

          0915b9d3688c32a4e916d4768f788d93b7058004

          SHA256

          1e93646172f6b857d18485658d2a09151272335a6c6288cffbe9847a220622b2

          SHA512

          c5fdf20d9f2c95714fd5c14da62da9ec279a6dd521f98ab5c44563f87e49b2f3c63878aef3af68d8eea796115f78cb0c7e07209894176e294e133c21acbc13da

          Download Submit

        • \Program Files (x86)\GameAssistant\Uninst.exe
          Filesize

          1.3MB

          MD5

          a72bccd8eddc5eef53a9b73235042716

          SHA1

          cac8264e3483ec2dc40a9d45b566a7beccf7ccbd

          SHA256

          ffc150ad2569ed092a5848f59776110b7b21831a27103bbf81ce81717914316d

          SHA512

          3f75cb2e4477f4000edd151fc343f202a077dd6950b8995a2ca99d14f1fa3abd9f1db206db49805f00da7067fa721138ef392742d590ec17277f75114987ce4a

          Download Submit

        • memory/3028-47-0x0000000000350000-0x0000000000351000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3028-48-0x00000000003C0000-0x00000000003C2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3028-93-0x0000000000350000-0x0000000000351000-memory.dmp

          Filesize

          4KB

          Download