d51776621cd1ac69169b594b2bc892ca4d9c6040bb6aadd62207285e51cc79b9

Analysis

max time kernel
24s
max time network
25s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fix_device_gameloop/._cache_fix_device.exe
Size

897KB
MD5

8b07d76ec57ec6318ba2b11184d4660b
SHA1

dd19f8115c74474280e0a111e4aed880589c4a9e
SHA256

db9d357b2ec908814f357d54bd0657d22d43d82f5b76de43201f99b68e2bc5b2
SHA512

25c317f85407274a3aaa4d3b218df9dae672943f95f5166c463105b7aafa1554c65772c71718a9306b34d940055ea1fdfb58f4eecc25a65f2ae1c340eae8c2d9
SSDEEP

12288:Yak7dFemNsqI3etnBHYPpAkApyRV3jRfP4S5LH28U3mcQuKXQoggdnYgafCEZTj:YasdFeWsN3skA4RV1Hom2KXMmHaqEZTj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3392	svchost.exe
1672	._cache_fix_device.exe
1284	svchost.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000a000000023b7d-8.dat	autoit_exe
behavioral1/memory/1672-9-0x0000000000AB0000-0x0000000000B8E000-memory.dmp	autoit_exe
behavioral1/memory/1672-15-0x0000000000AB0000-0x0000000000B8E000-memory.dmp	autoit_exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	._cache_fix_device.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_fix_device.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_fix_device.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 3392	960	._cache_fix_device.exe	84
PID 960 wrote to memory of 3392	960	._cache_fix_device.exe	84
PID 960 wrote to memory of 3392	960	._cache_fix_device.exe	84
PID 3392 wrote to memory of 1672	3392	svchost.exe	85
PID 3392 wrote to memory of 1672	3392	svchost.exe	85
PID 3392 wrote to memory of 1672	3392	svchost.exe	85

C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe
"C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe
    "C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1672

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe

Filesize
862KB

MD5
bb6313c9386fec91dee75c4782b43687

SHA1
3793824aa931adefaad27d29e8e17886966e6ba6

SHA256
33c85146a06edc2d7bbe77e277e88a27a3ea9109a7bd14025bf30d66937f6a26

SHA512
2c87791c0ecc922c947b4337ea1ff56145e40e8fd5d20352518249d3725e9838d35f8bbd5b13252ec11eb06847abe9ae800cb8988ad486cd83976e09e9e5c0e5

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
memory/960-3-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1284-16-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1672-9-0x0000000000AB0000-0x0000000000B8E000-memory.dmp

Filesize
888KB

Download
memory/1672-15-0x0000000000AB0000-0x0000000000B8E000-memory.dmp

Filesize
888KB

Download
memory/3392-11-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download