Overview

overview

7

Static

static

1

brawl-star...23.exe

windows7-x64

7

brawl-star...23.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    136s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    01-11-2024 13:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    brawl-stars-gameloop-2-0-11646-123.exe

  • Size

    9.4MB

  • MD5

    f5e7ba37555932ecea7fbd874108d47e

  • SHA1

    009c388a6e381f502dee72c587f553a03838436c

  • SHA256

    2f6e75e0384b85cbaffbb9947cea5c1b2e4acf4952c3ab6fae919c8a965e1d43

  • SHA512

    7ac31e4e877d4e7058cb7927e63d02e07272ba81c06b23c70734ed91bde435ee77effba5e8ced2dfb2480e4115a3ab735438bdb5e330e6f2c7dddde76cf30ede

  • SSDEEP

    196608:hkb78tqlUgN7AktVweDO8emQmG5eWWi/zio/ia:q+2O84wWrX/

Score
7/10
bootkitdiscoveryevasionpersistenceprivilege_escalation

Malware Config

Signatures

  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\brawl-stars-gameloop-2-0-11646-123.exe
    "C:\Users\Admin\AppData\Local\Temp\brawl-stars-gameloop-2-0-11646-123.exe"
    1⤵
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe
      C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" C:\Users\Admin\AppData\Roaming\Tencent\Config\ /t /setintegritylevel low
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2552
    • C:\Windows\SysWOW64\Netsh.exe
      "C:\Windows\system32\Netsh.exe" advfirewall firewall delete rule name="腾讯手游助手下载器组件"
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:568
    • C:\Windows\SysWOW64\Netsh.exe
      "C:\Windows\system32\Netsh.exe" advfirewall firewall delete rule name="腾讯手游助手下载器"
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

File and Directory Permissions Modification

1
T1222

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL_core.dll
    Filesize

    543KB

    MD5

    11d65a68132e918bd80e7e0a09029730

    SHA1

    c1978c02176e1e370c66d1597e964eab908847dc

    SHA256

    36c18dedac0429375c583fcf9420cdc9ace8a38bbac9f33378b5b4d6739da511

    SHA512

    34278a85cfdad1b2086b9368368b6eada08829c3237d02d0afbfced4f32df38e95a5ca0a600fc8d8c98c33d6cc8d4ac82c3279ccdba36cb0ed4738c1c0648315

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\p2papp.dll
    Filesize

    2.9MB

    MD5

    b1b101d86c417286e60f471fc8b79bb1

    SHA1

    b602bee2a25ed63a1f9cda72c83bdadd44dcd07c

    SHA256

    91cfa1769be449dfdfbf6bcc8049ce5c9218df6deaa66a0879528526b204a51a

    SHA512

    0a1d03364e1a52c08d6992a52b31b29f54c3781c009562427c560338db5428b74b55fab41f9c48c7018ddce41ab6a7f8593fbf12a75ae472c11590a36b42682b

    Download Submit

  • \Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.dll
    Filesize

    523KB

    MD5

    34431eb1ae2d3ac86e3415d8c3e977a3

    SHA1

    b2eae82dffecdbe02ef877d5a4d28de83b84bd59

    SHA256

    8379e09c7a3a51bdb652418781ceed8067e324b656c7d5a307b9a77c899f0806

    SHA512

    32b1d12630ced494b5168037a1d0899b3576970f603b5e69bf48fd915a4dad51d877e97bc91660929719e3a1395344ec39d5cc5b761111096c4523563d3bdd5e

    Download Submit

  • \Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe
    Filesize

    167KB

    MD5

    8fb4e336f4c145eb6e379701c3ac59d1

    SHA1

    ad53b732cabd515035784f187aeaab4d8a6b67c7

    SHA256

    d7a59b5ba3f0fb3906ebaa7a67c76088995a1f37652a2ae9893977c19754d9bf

    SHA512

    c83b726e867f47c9fdabaf3151ae74c07e2b74be47f8ec41685fee744eba41c81614faaf473fcd28cabc044545eddcad5cbbaf67e90109d916e109c1b5d6a770

    Download Submit

  • \Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\dr.dll
    Filesize

    74KB

    MD5

    2814acbd607ba47bdbcdf6ac3076ee95

    SHA1

    50ab892071bed2bb2365ca1d4bf5594e71c6b13b

    SHA256

    5904a7e4d97eeac939662c3638a0e145f64ff3dd0198f895c4bf0337595c6a67

    SHA512

    34c73014ffc8d38d6dd29f4f84c8f4f9ea971bc131f665f65b277f453504d5efc2d483a792cdea610c5e0544bf3997b132dcdbe37224912c5234c15cdb89d498

    Download Submit

  • memory/2440-21-0x0000000000150000-0x0000000000161000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2440-25-0x0000000000170000-0x0000000000171000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2696-28-0x0000000002210000-0x00000000024FF000-memory.dmp

    Filesize

    2.9MB

    Download