Analysis Overview
SHA256
cffa4eb314b127eb8818700e7b431cb723d9ef334c26f3013057ef4742723ac5
Threat Level: Likely malicious
The file Grand_Theft_Auto_VI.zip was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-25 10:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral10
Detonation Overview
Submitted
2024-08-25 10:09
Reported
2024-08-25 10:28
Platform
win11-20240802-en
Max time kernel
438s
Max time network
459s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates connected drives
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2440 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2440 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe
"C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -Command "(Get-CimInstance -ClassName Win32_VideoController).Caption;"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
memory/2440-0-0x00007FFE03153000-0x00007FFE03155000-memory.dmp
memory/2440-1-0x0000000000240000-0x000000000029E000-memory.dmp
memory/2440-2-0x000000001B200000-0x000000001B31C000-memory.dmp
memory/2440-3-0x00007FFE03150000-0x00007FFE03C12000-memory.dmp
memory/2440-4-0x0000000000BF0000-0x0000000000BFA000-memory.dmp
memory/2440-5-0x000000001AF90000-0x000000001AFA2000-memory.dmp
memory/2440-6-0x00007FFE03150000-0x00007FFE03C12000-memory.dmp
memory/2440-7-0x000000001BF50000-0x000000001BF82000-memory.dmp
memory/2440-8-0x000000001BF10000-0x000000001BF20000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xur0fdg4.tgu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1952-28-0x00007FFE03150000-0x00007FFE03C12000-memory.dmp
memory/1952-27-0x000002548E4A0000-0x000002548E4C2000-memory.dmp
memory/1952-29-0x00000254A6850000-0x00000254A687A000-memory.dmp
memory/1952-30-0x00000254A6850000-0x00000254A6874000-memory.dmp
memory/1952-31-0x00007FFE03150000-0x00007FFE03C12000-memory.dmp
memory/1952-32-0x00007FFE03150000-0x00007FFE03C12000-memory.dmp
memory/1952-35-0x00007FFE03150000-0x00007FFE03C12000-memory.dmp
memory/2440-36-0x0000000020890000-0x00000000208C8000-memory.dmp
memory/2440-37-0x000000001DF60000-0x000000001DF6E000-memory.dmp
memory/2440-39-0x0000000020C60000-0x0000000020C68000-memory.dmp
memory/2440-38-0x000000001DFA0000-0x000000001DFA8000-memory.dmp
memory/2440-40-0x00007FFE03150000-0x00007FFE03C12000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-08-25 10:09
Reported
2024-08-25 10:28
Platform
win11-20240802-en
Max time kernel
447s
Max time network
489s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wdmode.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\wdmode.exe
"C:\Users\Admin\AppData\Local\Temp\wdmode.exe"
Network
| Country | Destination | Domain | Proto |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 52.111.227.13:443 | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-25 10:09
Reported
2024-08-25 10:24
Platform
win11-20240802-en
Max time kernel
413s
Max time network
415s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Hardcodet.Wpf.TaskbarNotification.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-25 10:09
Reported
2024-08-25 10:24
Platform
win11-20240802-en
Max time kernel
430s
Max time network
432s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Languages\Tatauro.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 200.64.52.20.in-addr.arpa | udp |
Files
memory/664-0-0x00007FFEE7F43000-0x00007FFEE7F45000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uvomhixv.sz2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/664-9-0x0000027C5BBF0000-0x0000027C5BC12000-memory.dmp
memory/664-10-0x00007FFEE7F40000-0x00007FFEE8A02000-memory.dmp
memory/664-11-0x00007FFEE7F40000-0x00007FFEE8A02000-memory.dmp
memory/664-12-0x00007FFEE7F40000-0x00007FFEE8A02000-memory.dmp
memory/664-15-0x00007FFEE7F40000-0x00007FFEE8A02000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-25 10:09
Reported
2024-08-25 10:25
Platform
win11-20240802-en
Max time kernel
447s
Max time network
448s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MahApps.Metro.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-25 10:09
Reported
2024-08-25 10:25
Platform
win11-20240802-en
Max time kernel
435s
Max time network
437s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.WindowsAPICodePack.Shell.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-08-25 10:09
Reported
2024-08-25 10:27
Platform
win11-20240802-en
Max time kernel
439s
Max time network
441s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.WindowsAPICodePack.dll,#1
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-08-25 10:09
Reported
2024-08-25 10:28
Platform
win11-20240802-en
Max time kernel
437s
Max time network
439s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\System.Windows.Interactivity.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-25 10:09
Reported
2024-08-25 10:22
Platform
win11-20240802-en
Max time kernel
439s
Max time network
442s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ControlzEx.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-25 10:09
Reported
2024-08-25 10:24
Platform
win11-20240802-en
Max time kernel
430s
Max time network
432s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Languages\Hunsabi.ps1
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
Files
memory/2776-0-0x00007FFB7D873000-0x00007FFB7D875000-memory.dmp
memory/2776-1-0x000002116F5D0000-0x000002116F5F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fugw21hz.jih.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2776-10-0x00007FFB7D870000-0x00007FFB7E332000-memory.dmp
memory/2776-11-0x00007FFB7D870000-0x00007FFB7E332000-memory.dmp
memory/2776-12-0x00007FFB7D870000-0x00007FFB7E332000-memory.dmp
memory/2776-15-0x00007FFB7D870000-0x00007FFB7E332000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-08-25 10:09
Reported
2024-08-25 10:28
Platform
win11-20240802-en
Max time kernel
433s
Max time network
435s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\YLLibs.dll,#1
Network
| Country | Destination | Domain | Proto |
| IE | 52.111.236.22:443 | tcp |