Analysis

  • max time kernel
    25s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13-11-2024 22:06

General

  • Target

    Gaming Chair.exe

  • Size

    2.1MB

  • MD5

    6b1ae040f09a43a4f0eee6fd964e2a47

  • SHA1

    5d5ae0e6d89612fa55286f12f3a09443408ac1df

  • SHA256

    d1163ec121ee6bdd11496c227b5f09a69cd2172aca93d111fac1be0cf73be0f2

  • SHA512

    e6a7ad8d8245b7fa009b77c77e5d85059bcc6802247b72a5bf927a97390650d446f83984c43a3fd6cd5f5a35f747bda6b5d1e408aa59f212a856cc9eaca861a1

  • SSDEEP

    49152:NMi7EDQljtuC9Ss8k9yi83GMB5rr3KJPjFJa9Ndcs8Mcs8Mcs8Mcs8M7Lbr7Lbr6:NBYDQ1th9SVk99scB

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Gaming Chair.exe
    "C:\Users\Admin\AppData\Local\Temp\Gaming Chair.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc start FairplayKD > NUL 2>&1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\SysWOW64\sc.exe
        sc start FairplayKD
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2880
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop %c > NUL 2>&1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Windows\SysWOW64\sc.exe
        sc stop %c
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2884

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads