56cae288ee86c68d1bed935233f73d6cbfaf241bc8278b1b967128d29e1f0f9c

Analysis

max time kernel
140s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2024, 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PlayGame.exe
Size

506KB
MD5

76353f66cb6cb640a162c88f717f9201
SHA1

64da2b5e5b1386ede25627479702c3b617624633
SHA256

3ef48a70f5bc9ac34fbacc0add53f11c1f627e90da8a7d75a41ee7117ce32121
SHA512

25e8a53c93167ed7fd0e97670af40a682aa3f5bb77b0f8d11718b95c6b80156395da7f9bbb332b76938aa631524a469f1cb41e1c1bf60b370f54306c2fe06b95
SSDEEP

12288:MrnkzL6RcJq3U+LKyB/AGBZrTBSn7q8G8luor8S+mGv:MoQcJj8KwBSn+Iw3SpU

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PlayGame.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2536	PlayGame.exe
2536	PlayGame.exe
2536	PlayGame.exe

C:\Users\Admin\AppData\Local\Temp\PlayGame.exe
"C:\Users\Admin\AppData\Local\Temp\PlayGame.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FQRZN8O7\load[1]

Filesize
68KB

MD5
4cd4b704684bd716725a7100fac7f672

SHA1
50f49f765bb1fa096fac2554dee5294d7ae707dd

SHA256
7530c8d6745b2af45b321140bcfbea973786976906a1f5285bbebba9b924aeb8

SHA512
3d694f98773139d2a4394a71047c9941bfe1b8b4f7a06d9d854dccadef8c8dab59e3e00d48d80cba1919044e9d6a9a3053ceb139bc30da48b11dc906c527bd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rungame.ini

Filesize
402B

MD5
d8429c865eadb87f5da80092b8533992

SHA1
b3d56702a1326695bdf18aef8d7c1c9f52702c95

SHA256
15ce58ae19e629cc2897e2680ab84ed2eddd68f12f728599432d78d1965031f4

SHA512
f1944d8baf8cedc9210e9ffab47f0fd9a36f9c1cf23800d359b97826bb04b4318c5b45122103e1fab568fd11727d29b342091ff8ffede7812bfe9a4616ba2979

Download Submit
memory/2536-0-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/2536-1-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/2536-11-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/2536-13-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/2536-20-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/2536-21-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download