0beaf87bd85cd3155264917446b1469f2810eda047d3ed2a4a86c1d5970455cc

Analysis

max time kernel
150s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
07/09/2024, 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YemozaGameV32.exe
Size

172.3MB
MD5

cf970c41bbba09a8290f47edaf73fe90
SHA1

1e6fcc8c47ca4215ac4f200fde7da6465190da66
SHA256

346ed97119f69b3c7a295392f8ce50b68b06a0fd926d243a3170488a72f46e56
SHA512

7628384cea9d0d5717df97b27a1b8d436c4afcd4d905e3fc54e5682443bfad41d719ff08f0d16f31cef2450b9bf1164c6fec909097d56545c924579fad9d165c
SSDEEP

1572864:hbrOrBzMzME3lL+fpSICUfmmgcAeWgIdTykJN+wszjdxSrsxkyuYhPLaQvX:f1kJ+Qv

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1180	YemozaGameV32.exe
1180	YemozaGameV32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe
Token: SeShutdownPrivilege	3044	YemozaGameV32.exe
Token: SeCreatePagefilePrivilege	3044	YemozaGameV32.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 1672	3044	YemozaGameV32.exe	78
PID 3044 wrote to memory of 3320	3044	YemozaGameV32.exe	79
PID 3044 wrote to memory of 3320	3044	YemozaGameV32.exe	79
PID 3044 wrote to memory of 1180	3044	YemozaGameV32.exe	80
PID 3044 wrote to memory of 1180	3044	YemozaGameV32.exe	80

C:\Users\Admin\AppData\Local\Temp\YemozaGameV32.exe
"C:\Users\Admin\AppData\Local\Temp\YemozaGameV32.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\YemozaGameV32.exe
  "C:\Users\Admin\AppData\Local\Temp\YemozaGameV32.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\YemozaGameV32" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1836,i,12984245713850915118,8474703777013264173,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1828 /prefetch:2
  2⤵
  PID:1672
- C:\Users\Admin\AppData\Local\Temp\YemozaGameV32.exe
  "C:\Users\Admin\AppData\Local\Temp\YemozaGameV32.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\YemozaGameV32" --field-trial-handle=2024,i,12984245713850915118,8474703777013264173,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2020 /prefetch:11
  2⤵
  PID:3320
- C:\Users\Admin\AppData\Local\Temp\YemozaGameV32.exe
  "C:\Users\Admin\AppData\Local\Temp\YemozaGameV32.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\YemozaGameV32" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2468,i,12984245713850915118,8474703777013264173,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2460 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1180-5-0x000002E4E2720000-0x000002E4E2721000-memory.dmp

Filesize
4KB

Download
memory/1180-7-0x000002E4E2720000-0x000002E4E2721000-memory.dmp

Filesize
4KB

Download
memory/1180-6-0x000002E4E2720000-0x000002E4E2721000-memory.dmp

Filesize
4KB

Download
memory/1180-12-0x000002E4E2720000-0x000002E4E2721000-memory.dmp

Filesize
4KB

Download
memory/1180-13-0x000002E4E2720000-0x000002E4E2721000-memory.dmp

Filesize
4KB

Download
memory/1180-17-0x000002E4E2720000-0x000002E4E2721000-memory.dmp

Filesize
4KB

Download
memory/1180-16-0x000002E4E2720000-0x000002E4E2721000-memory.dmp

Filesize
4KB

Download
memory/1180-15-0x000002E4E2720000-0x000002E4E2721000-memory.dmp

Filesize
4KB

Download
memory/1180-14-0x000002E4E2720000-0x000002E4E2721000-memory.dmp

Filesize
4KB

Download
memory/1180-11-0x000002E4E2720000-0x000002E4E2721000-memory.dmp

Filesize
4KB

Download