d3adeaf1732c6e95f833ec3533065ee6954c44c3195a8387a02156090b7b8160

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Self-Activator_Gamekeys_biz/vpn_pl.exe
Size

31KB
MD5

4d654caf87aef53b1f70da9ea7390daa
SHA1

4f2b05837ec2ce31508a036ff91ccd73c92bf40b
SHA256

ade6cd3f8f8b38b7925f6787b0a7494441d783e7fbcc40ecc78b3ee1ab2e4229
SHA512

b366a1c9e73101494417a3d1233429f800a4942bb94b23bcb76c13647a2cc042f0149a030ff0887e8c50335b018bd208cc4778bff891f86f63f48127abc7ca19
SSDEEP

768:Kodef6PAs68pfZP04YsubvbtbKxHVCZRSLiDSFDh/aSk1vmm4:KodeiPfJxYfK86GmDh/aQm

Score

3^/10

discovery

Malware Config

Signatures

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2604	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2604	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 1744	3012	vpn_pl.exe	31
PID 3012 wrote to memory of 1744	3012	vpn_pl.exe	31
PID 3012 wrote to memory of 1744	3012	vpn_pl.exe	31
PID 1744 wrote to memory of 2568	1744	cmd.exe	32
PID 1744 wrote to memory of 2568	1744	cmd.exe	32
PID 1744 wrote to memory of 2568	1744	cmd.exe	32
PID 1744 wrote to memory of 2604	1744	cmd.exe	33
PID 1744 wrote to memory of 2604	1744	cmd.exe	33
PID 1744 wrote to memory of 2604	1744	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\Self-Activator_Gamekeys_biz\vpn_pl.exe
"C:\Users\Admin\AppData\Local\Temp\Self-Activator_Gamekeys_biz\vpn_pl.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\1FA1.tmp\vpn_pl.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\system32\rasdial.exe
    rasdial vpn-pl.overplay.co nothingname gamekeysbiz /phonebook:..\Self-Activator_Gamekeys_biz\rasphone.pbk
    3⤵
    PID:2568
- - C:\Windows\system32\PING.EXE
    ping -n 600 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1FA1.tmp\vpn_pl.bat

Filesize
388B

MD5
2f8cc3cc6ff3b44c30663d1d9e4634b3

SHA1
c149a5ae4df78434f270ac1194b6e16b8c048358

SHA256
92155a9602d76629c3bd6d54049a28a82aa50aeb784a372e56bc9fc6a9742112

SHA512
5bb63c643b039956cac582361d8d110cbafc24a79222c96b440463cb97b75f7413252178b12d0e48b76aebc593ae989f9c99a3d184e6d7fec9f7f66f0392d783

Download Submit
memory/3012-0-0x0000000140000000-0x0000000140017000-memory.dmp

Filesize
92KB

Download
memory/3012-9-0x0000000140000000-0x0000000140017000-memory.dmp

Filesize
92KB

Download