Analysis
max time kernel: 25s
max time network: 18s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 22:06
Static task: static1
Behavioral task: behavioral1
Sample: Gaming Chair.exe
Resource: win7-20240903-en
General
Target: Gaming Chair.exe
Size: 2.1MB
MD5: 6b1ae040f09a43a4f0eee6fd964e2a47
SHA1: 5d5ae0e6d89612fa55286f12f3a09443408ac1df
SHA256: d1163ec121ee6bdd11496c227b5f09a69cd2172aca93d111fac1be0cf73be0f2
SHA512: e6a7ad8d8245b7fa009b77c77e5d85059bcc6802247b72a5bf927a97390650d446f83984c43a3fd6cd5f5a35f747bda6b5d1e408aa59f212a856cc9eaca861a1
SSDEEP: 49152:NMi7EDQljtuC9Ss8k9yi83GMB5rr3KJPjFJa9Ndcs8Mcs8Mcs8Mcs8M7Lbr7Lbr6:NBYDQ1th9SVk99scB
Malware Config
Signatures
Launches sc.exe (2 IoCs)
Sc.exe is a Windows utility used to control services on the system.
Processes:
  pid   Process
  2880  sc.exe
  2884  sc.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes:
  description   ioc                                                        Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Gaming Chair.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
Suspicious behavior: EnumeratesProcesses (26 IoCs)
Processes:
  pid   Process
  2444  Gaming Chair.exe (the same process is listed for all 26 IoCs)
Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  description                        pid   Process           procid_target
  PID 2444 wrote to memory of 2748   2444  Gaming Chair.exe  31
  PID 2444 wrote to memory of 2748   2444  Gaming Chair.exe  31
  PID 2444 wrote to memory of 2748   2444  Gaming Chair.exe  31
  PID 2444 wrote to memory of 2748   2444  Gaming Chair.exe  31
  PID 2748 wrote to memory of 2880   2748  cmd.exe           32
  PID 2748 wrote to memory of 2880   2748  cmd.exe           32
  PID 2748 wrote to memory of 2880   2748  cmd.exe           32
  PID 2748 wrote to memory of 2880   2748  cmd.exe           32
  PID 2444 wrote to memory of 2868   2444  Gaming Chair.exe  33
  PID 2444 wrote to memory of 2868   2444  Gaming Chair.exe  33
  PID 2444 wrote to memory of 2868   2444  Gaming Chair.exe  33
  PID 2444 wrote to memory of 2868   2444  Gaming Chair.exe  33
  PID 2868 wrote to memory of 2884   2868  cmd.exe           34
  PID 2868 wrote to memory of 2884   2868  cmd.exe           34
  PID 2868 wrote to memory of 2884   2868  cmd.exe           34
  PID 2868 wrote to memory of 2884   2868  cmd.exe           34
Processes
C:\Users\Admin\AppData\Local\Temp\Gaming Chair.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Gaming Chair.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2444
  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: C:\Windows\system32\cmd.exe /c sc start FairplayKD > NUL 2>&1
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2748
    C:\Windows\SysWOW64\sc.exe (level 3)
      Command line: sc start FairplayKD
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
      PID: 2880
  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: C:\Windows\system32\cmd.exe /c sc stop %c > NUL 2>&1
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2868
    C:\Windows\SysWOW64\sc.exe (level 3)
      Command line: sc stop %c
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
      PID: 2884