Analysis
-
max time kernel
1348s -
max time network
1423s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
-
submitted
21-11-2024 15:26
General
-
Target
WorldBox.God.Simulator.v0.22.9.558/Game/_Redist/xnafx40_redist.msi
-
Size
6.7MB
-
MD5
97c2eebb30c5a88c68c8f24f37183f1d
-
SHA1
49efdc29f65fc8263c196338552c7009fc96c5de
-
SHA256
e6c41d692ebcba854dad4b1c52bb7ddd05926bad3105595d6596b8bab01c25e7
-
SHA512
c9d1017b274ceb1b4ee624cf7e628787c32a727c64f715fbce1f1ae929d9114f8fe1291e34583cec615619b0128c01206b07efc878e7a5c57b792453f73fd0da
-
SSDEEP
98304:wynfL329J1XswfXO6wiBB+4RZg6aENaCZAU5PMO0MntfERyJGH2YPq/:wYD3C1XXfzH+4cLHU5PM/Mnt+YGlq
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 21 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 29 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 53 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WorldBox.God.Simulator.v0.22.9.558\Game\_Redist\xnafx40_redist.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:42⤵
-
-
C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe"C:\Program Files (x86)\Microsoft XNA\XNA Game Studio\v4.0\Redist\DX Redist\DXSETUP.exe" /silent2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
-
-
C:\Windows\syswow64\MsiExec.exe"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Microsoft Shared\XNA\Framework\Shared\xnavisualizer.dll"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
17KB
MD523a0c661e9ec53e3d426157209ff391b
SHA1c5d49647e6bfefc75e2c5a438b95cee4aaeb14ec
SHA25625cd53a31cd28203612dd10a596dc51a7b4e0faf3c23b107ef02c4037e9fb308
SHA512c90b80b7f4b8172014a49c01583fa7eee79efffb19c4177aeff58d91d2ec2994237174c85eafb1fe0615f160d1504b6fb6054b88ab20bb091a6203a6fbcfd3f3
-
Filesize
596B
MD59d060318a5c140f65a241c2c05f4db2e
SHA1a1a72a670e74612c30e7464b6c0f1942ac21562d
SHA256d6dad488777a528d2709bb767c76943715f9c01af2b77ab2f22b827d1c6db03e
SHA51263273290bfb3604a30e4579d6594c428338c8b28146109030d505fa7b706c007baffd77f45cb05d11a499092be5f2e1a06a141639e2671a733533321a5f2bf25
-
Filesize
1.5MB
MD53676d740157493e80e7b8641289c003c
SHA18135aeeab67151dd4e2418d4907077f646e72873
SHA256219441f975c200352a12dc3d8f82811fc7b53ed28d63761327933afbb660f876
SHA512abfc5ea36a7368a34193c8f3771ae4e36c0d570ae0a20b11892184cd4e384d6abe6542769e3c890293b4e640faecf6392f84f5733017d8d86c65456caa24c6f7
-
Filesize
55KB
MD5f83f54f45ac15a32dc17614c4f6882d4
SHA1fc8542fcd33bb9e669806409f677edec9bfb64fb
SHA2565ab7bb15394e4ece850da5453413ab1de2ea97d5c93f86482b75073aaa05da9c
SHA512e4dcccc3a4299d262b94b24ff4b29394bed71e211b80a8a457acc4ab89325500082e6a9b597bc7b1dbc35746d01a9aa038a9c3a401aa42a426fcc3d15f410c9a
-
Filesize
20KB
MD5ed093ce20bddc7c42ede4daf772ed5aa
SHA121beb0ef8130be1c62b8467dfb67bf3f7548cea1
SHA2567fbf09682fd15d721ff2c5cb110b5ffcf5982cd2dd8d72b708cf3cd0bc4fa250
SHA512734e397f4ed2554944e1d1f6f799794c4027792a06e9da25bab58e6e4ff58146058d8b45ff0cb9c861f77989cad029164945f22ffcb459432e1d3a2c7172525c
-
Filesize
90KB
MD55cf3585c99a59319ac10e18cc92f0024
SHA1c48c25e6b7094eaf337fa986960f9895e5f465ba
SHA2560ba00c41443639dea9b816fa2608088ccef5dbe850531dff4c1e7993804b0b60
SHA51226b8213a5105b37912632c8abc1a07381210836e620f8f70d77b3b412a406e2e38df7af037001fe27f2da874e143c59aa7dbff90a9183e7619a8e5af0a23b158
-
Filesize
270KB
MD55da6e4a80fa53568d2fdde31cbff2979
SHA19606fda70427cd9f4eb8e67b625417e2775e6876
SHA256281bb0e12f617e9ae7fe3301a7d4a08201b377caa0311a886e8cddc2526f734a
SHA512649fc2578388064267ebe8e55daada29d2e51ae6422b10088b6bfacd229bc0439aafdc4f9af7b3b5e187df179c72b4d85f70839a8c91505d17da06d53a40cf3b
-
Filesize
1.5MB
MD50fdd6e4e5dfc5d913261355746402214
SHA1a80c28755c9d3ca163bd377d1bd951a1c111733c
SHA2565146e15d4c65590704286bfcfbbcc31e98a6832f8a7cc3bfdcb1e7fa5a647bb1
SHA5129eb85c4507881fc1004c906ee954273bfbea8979d70b2321f197a3cf82121734225103e4239a9bfb591a980b70400a5d19b93482abc108c46614a20476a81f90
-
Filesize
93KB
MD5c187448c8104d30087f3f25a9d112014
SHA1b64ac3e44f2f38a3bf8400f11a40a39039fc9caa
SHA25654d68f154058433865708ee0dbf3ecf2d609ffbd618e84a1056440379494d9fd
SHA5129148cece409557444eeaf66dee58e2a6043a64d7b76b91e6c4074a5ba0d066cd1ebb2c60d44e1c7a40ca1dc63d72aa7afcc410202901d5afbf2116e3ba8b0f11
-
Filesize
46KB
MD5ba187b4db5dae1bee29e6f18b7775b8b
SHA1efce87100c26165cfd7eb627534e42cb72ddb5b7
SHA25611bcc9f47d9b0397f6d78c08e7208ee812cbef54bb02a8c3a681608879471c8c
SHA512c9c2c3760e495c611a925bb5ae162d4c4ac90f53e2c0a9d20f68085ab43cc0f0a7ad1d201564649e4cf67ef4402d874626c6911f01f8a055da0b993730afc12c
-
Filesize
1.6MB
MD57c7cc9feb1026678c48bbabe84ea57c2
SHA14fe9c466fc65cf07af0e1440743b1822ab65849b
SHA256a5c6df12f9fe2edab2a22fe7abf3cb17eac110a6fd469f2570ba04afc88ad767
SHA512d9cca6dfd5966d45342b87afb6091bc8ad3beff039f9bc9c523f8118dc6723337c279cd652c19624250ed3934d8f4a2b15670652867c0114b7e785bbab4212e0
-
Filesize
512KB
MD511dd6e8ab9759d1ac91ffe0d0e4949cb
SHA12a86774d0c87050d5c7aa9738cc3975303a40d0e
SHA25616953a202265db5655b3dd972b855619728da76545a2f94bcbb6c43262f48d5b
SHA51206828f51b3866f7c2b29861707bf8552b742e366783115b3062f08a9c0005c96507ecf1fff92ad41dc0318ad715176c39c84ff0424372b080bf7c031e4f307de
-
Filesize
91KB
MD54d48dbe4d3a06c497435014e5c583f34
SHA1159cbc37080b7ea3ceae8d25125b99f9f4948341
SHA2569d47b4fa2dcce6a02a51324cfb97f5e153086c2eb8832b211e175cbe5fb850b3
SHA512b8029bde36e4d6581916c131ec51d74f4a2b03abf5a238c503e1c7b19980d0946606375f0b4c3bd10b9c514e084368c356be8536b282bee887037d7d7f139732
-
Filesize
1KB
MD5e84adf38d499ae39090ad60fd76d76e3
SHA16af4d58bc04aac2723e8b97649f1b35fb1aca84c
SHA256d4da3e530982812d1e2a31570b80af541fac1b13c72997d2aad7ea3bfeaf4a4a
SHA5126714992e7aee7bd0798fbec68f92c97ee502127580e21e1b6693ed6737312b44dbc9fd9ef579fe552590e9e5a4904df94e4116334265a34699a04aa76ab87c24
-
Filesize
1KB
MD582c10b720e33be099f69e4010d44ecd2
SHA1e95a2eb23db3fd610d71089500aad523f93c9469
SHA256e850fdb84bcac0f667927e53fee943efd3f43be6c6a0ae1e17f3fff83ddb2635
SHA512853261c439b26cdc8991ac289b9f9925976452ed613481b0cf09e75444882805ffa15633eba441d8e1a04641f5f6378b68e2270a6a48d3911d7f9c2c0b1235bd
-
Filesize
1KB
MD5e6e942a2cfbb587bfcc4203b5bb34fd4
SHA12e0172ea1936911a98e11a6e98990703e24172c0
SHA25674c827ef94881099761e04397ef8f162fd0ccaf4876a5503c4b53a5216d2acca
SHA5123d70d76e6f459819a1703c5019a2e10fe518ee6e8eb5d3313fe57d3d1b6313b52c4904398a26841c78a9ecf9d715e1201e834ab3df47265e070ec94417a78e4d
-
Filesize
1KB
MD5b37a5ff044eb65521a290c79ba1a3e00
SHA1ed505464894bd3e52654834487f3821ae117edfe
SHA256bd29711cc2ecd924990167ffa95f48842e24aeed3acef1023717040240b4bbb6
SHA512eae4408cfa7f9c39b101489688cc570a184b8a57f3d20d3b0452a581fb80c4f485dc2f512a39669a92a5bde81fbf474e1585f566ff482e87610780c23126c21e
-
Filesize
21KB
MD5c811e70c8804cfff719038250a43b464
SHA1ec48da45888ccea388da1425d5322f5ee9285282
SHA256288c701bdedf1d45c63dd0b7d424a752f8819f90feb5088c582f76bc98970ba3
SHA51209f2f4d412485ef69aceacc90637c90fad25874f534433811c5ed88225285559db1d981a3ab7bc3a20336e96fb43b4801b4b48a3668c64c21436ee3ea3c32f45
-
Filesize
72KB
MD5e4ce2af32f501a7f7dddd908704a0ee6
SHA19dc2976efb15b6fba08bebdeb98929b6961063a5
SHA2560aee44b12913a95840ee6431d90518b0d72c54a27392e21ee6995e2151554a06
SHA512ec14a58414d595a36c6b575cdae690f11481cd3f0b35fd2f4c6a6d162a6272882cfe03da865e09a34972775790529f51c80b69056a2fcb909f25b549ed2f7f01
-
Filesize
515KB
MD54976243bd70fae3d1d24e49739ab2710
SHA16ef27b10bcf4e697fe77c3e964b326be11e4444f
SHA25661b57170f7c6365714396072d22cb98746718c0f44c9f0d5c62fdb1b218639c7
SHA512af2d6aaad44bed880a1a2ee947618b142c76a5eca42d4608196b74df9108a9649059d8207e84a58b76ad43aefe9b66ffcc519f8126667177011cf4199f163e83
-
Filesize
1KB
MD5044cae9c30c88bda73727243f5e5206d
SHA1de744e349cf4ea458b10657d510966d21ad08d67
SHA256349a09a2791d697bffffc61410a536cdcf258f0d7c86dda44a297e8aec4bdf00
SHA51218e501142004afbcd28b41bdd3a9b19e2eebc047d7858ee11a9135f19759cfd8c643ff074a51e937bbcab7162888fd95effc146be21fe63dfc300ef03ed44056
-
Filesize
1KB
MD5e188f534500688cec2e894d3533997b4
SHA1f073f8515b94cb23b703ab5cdb3a5cfcc10b3333
SHA2561c798cb80e9e46ce03356ea7316e1eff5d3a88ccdd7cbfbfcdce73cded23b4e5
SHA512332ccb25c5ed92ae48c5805a330534d985d6b41f9220af0844d407b2019396fcefea7076b409439f5ab8a9ca6819b65c07ada7bd3aa1222429966dc5a440d4f7
-
Filesize
3.3MB
MD5cdb1cd22baff21f48606b3c1a18b000b
SHA19315b5db975a34dbebdb4dcae652ba1db01c482c
SHA256c6b7b2ad7742dde5dd8d1a35fdc1c185e586e551ad9c74d3fb21759cd8ca4da8
SHA512c5fb24de8f1ee6fc1ed6e74580b5d22599ea4eb6c3589645fff0b15dc8dca051c4917e60fbc00ca86542dd63a8f5e40da92ea77e24826c0c6bdba9b58c36d4db
-
Filesize
4.0MB
MD53fa06cf5079b84155d18b05c08f7131b
SHA1fafe52876151a08f39dbb6b4aa137dd85558ba5f
SHA2566ac4df203af419d3f3b7d9a99e14a3490ea3ad307c474bfe36baea642b1421f6
SHA51224d29c3ffb6532da860fef4dd93e61f7532cea3af94928495a3af0231e7dff6db5cad25713451a2e722c076462b94818cd6969a1c7d8905585b0f64e12174d1e
-
Filesize
169KB
MD5c4842e139fca422e265c91c44a1341d6
SHA1299a5ab4644fe7302b515aa10ef0f1715046275c
SHA256b1f954cd75dc3c9d5bc57f1a4c28720ee3639aa8a4306f3da7b27d3c361ff8f5
SHA512e85a35164e0feafa73a676dacf67d275b8e8aa5be40d861743662a7d1ac8135625c2d59a73e5c77fe1e3e8bd8523d9c823c89137aa4cb1b32d392cd9a1b59989
-
Filesize
12KB
MD58c281fcb5546d1ed3cdaf6e3f7303139
SHA1de342a17f2df0386f6584e2f55ae43c558ceb6c4
SHA2567530c6e18dbb522c5f4fbf6714962c185ea318f9eab7aeb833b0cc07cd2fe656
SHA512344ea0a375c8851fcf413f441a1cac3013b3748d1630a4d677da72e98f41823bf9427d896de7e1fe35bf868279538cf3b8322aa6ef20025bff48a6bb7f8c42d3
-
Filesize
233KB
MD5f81c4678a55ffee585ac75825faf5582
SHA18fb2e6cf2a022eaed2ff5e3e225b3ca1e453d1cc
SHA2568a7e7c5ac2e6230f0249d46751522e7ecf85e7490cf7491ab73bf2e7e59e4c0f
SHA5128c8071bc2640d5c0fcf140ad68d4788cbb0706d17313c3cb74e25624a748b282acbf77eda678cf0d5fecf2ec3d583508c6f4eaf5c84073909b616f59b4f4e5fe
-
Filesize
79KB
MD577f595dee5ffacea72b135b1fce1312e
SHA1d2a710b332de3ef7a576e0aed27b0ae66892b7e9
SHA2568d540d484ea41e374fd0107d55d253f87ded4ce780d515d8fd59bbe8c98970a7
SHA512a8683050d7758c248052c11ac6a46c9a0b3b3773902cca478c1961b6d9d2d57c75a8c925ba5af4499989c0f44b34eaf57abafafa26506c31e5e4769fb3439746
-
Filesize
6.7MB
MD597c2eebb30c5a88c68c8f24f37183f1d
SHA149efdc29f65fc8263c196338552c7009fc96c5de
SHA256e6c41d692ebcba854dad4b1c52bb7ddd05926bad3105595d6596b8bab01c25e7
SHA512c9d1017b274ceb1b4ee624cf7e628787c32a727c64f715fbce1f1ae929d9114f8fe1291e34583cec615619b0128c01206b07efc878e7a5c57b792453f73fd0da
-
Filesize
10KB
MD51dc0827f2ed1aed1358b4211378f16d1
SHA121cad22b8c7899b0dc203ce00d6ddf247f1b2f82
SHA256e3b15d8d9e2b5dae80c956b4d10e0277d864ccbdaa81c1ee77d2cbf02766c450
SHA5122996530ba93c8964e270ded1900a8465646c79f29c3b1af1e2b841658e003f42a3798b5adee364e0c7de6711f2ad172ca38843b4bba2e82963d59fae99151de5
-
Filesize
23.9MB
MD5927d45cf4924e50a6e88dd3aa855a72a
SHA104360a19327f31ac12195a5dfd19c9c658af8a04
SHA25649386282907fdbbfae88337ebfb71b470695f26c1a74f5fcc82a6af7060777fe
SHA512eb9f33d8ec12a38c557bc5995a3644e16bbcacad115762e3b063fb5b58130d31d9c67e7e94cd7c048bb40928cc1aeedf84a0048fae4ddf5fdff1f29026aa4ab3
-
Filesize
6KB
MD591f669c7cd60c803b98c6e20b9ca9add
SHA1980c636da7e26e8d6b711fc2c65ce16babcb6b83
SHA2560ced5672cf476b0933eacad2fb2948b5b8700e437b81a8b04baf80f44d7b71d0
SHA512fe14b212dcc252d6feb3fe7b446b0d532689bf8320a5d1650cba2f28b7f50bc87c13215368945cfb37fb2473e6793de7a5f0231d145df9c2bc58607bce456de8
-
Filesize
88KB
-
Filesize
80KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
432KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
680KB
-
Filesize
48KB
-
Filesize
40KB