General

  • Target

    my game.zip

  • Size

    18.3MB

  • Sample

    250106-k1xtdasnax

  • MD5

    10e004e95b0c2a815c75d5513d37618b

  • SHA1

    047a55f7e3a69bb95bf1829029a9e9856965ec8d

  • SHA256

    dc0d189193c4f14229e8c4172c08b42923d538310f583c6a8375e781fe46730c

  • SHA512

    3824c944a0a0c571eee0161756e0fb2fef4242fcd1cd6071c1dda0cc110ae1cdd8b62de6742568b2bade5333dd3ac3b48b3947f56fad3cec3a2ca29716d3e873

  • SSDEEP

    393216:l6X5ypCyR1Afz+o3jGY+U9vjwOMoks939InEus5QJ/p397rJzLu:l6X5yW3jLjBMok639InI5QH9XZC

Malware Config

Targets

    • Target

      my game.zip

    • Size

      18.3MB

    • MD5

      10e004e95b0c2a815c75d5513d37618b

    • SHA1

      047a55f7e3a69bb95bf1829029a9e9856965ec8d

    • SHA256

      dc0d189193c4f14229e8c4172c08b42923d538310f583c6a8375e781fe46730c

    • SHA512

      3824c944a0a0c571eee0161756e0fb2fef4242fcd1cd6071c1dda0cc110ae1cdd8b62de6742568b2bade5333dd3ac3b48b3947f56fad3cec3a2ca29716d3e873

    • SSDEEP

      393216:l6X5ypCyR1Afz+o3jGY+U9vjwOMoks939InEus5QJ/p397rJzLu:l6X5yW3jLjBMok639InI5QH9XZC

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials among other sensitive data.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with the UPX open source packer or a modified variant of it.

    • Target

      UnityCrashHandler64.exe

    • Size

      1.0MB

    • MD5

      cd3d03f2fdc2b2000a1e29fe76caeaf4

    • SHA1

      940eff470f3f16f5ea7f5a98098642a66e29d923

    • SHA256

      c2f80e069314e540da503e5dc4b6e591a95a6f85baa2d074852022a87cb881d8

    • SHA512

      0d4c528678566fe62e309e8d752c4c62d629879c0d2de94b24d7bb30add22e10a65952aa9e549c5cb28aa10c3396a919309c91eb8aa16383fad75c4a704fb055

    • SSDEEP

      12288:FlApqXQaWflglXxZgigAxI7eZjTDYocqbmVX:FlApGQaWiHZgd0YKjTDY8bYX

    • Score

      1/10

    • Target

      UnityPlayer.dll

    • Size

      24.7MB

    • MD5

      aca60e6be576867d4005333e2c21dc87

    • SHA1

      4a097c1a98530531474c2347583d9719a00a153b

    • SHA256

      e661981f033e2f1d32db6e44d43c0e0c1783b4cb3115caf393e7722673473317

    • SHA512

      67fffc78fea09d0c05beaf675c52e0b143d6dfa647cbf907e3e7f4ff440cf09c55da9a32f82d1afadca0861349ee2d1c068eb6474a7dbbf1970ec211f3566141

    • SSDEEP

      393216:41jDPOx/XttNy2h3dF2vPk76GghiYvwGb:4Et1Fk/Pnb

    • Score

      1/10

    • Target

      my game.exe

    • Size

      32.0MB

    • MD5

      1217eb032486aa07a3817155de98c78b

    • SHA1

      9550049f3946bba577505cd00da172923e709859

    • SHA256

      84059e63a6761b009f45551fea6ee623181747853dfc60249b42602b675266cf

    • SHA512

      e0294fbe6d5da99564e4915bdd04996a8032c3fff66055c207815d3b7cf14710a19639d38a8d797db6dba4553abafd082ba9f14584f91c9d13da332ff8a33b48

    • SSDEEP

      98304:STDjWM8JEE1F0amaHl3Ne4i3Tf2PkOpfW9hZMMoVmkzhxIdfXeRpYRJJcGhEIFWw:ST0neNTfm/pf+xk4dWRpmrbW3jmrV

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials among other sensitive data.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with the UPX open source packer or a modified variant of it.

    • Target

      LF}^[undecodable bytes].pyc

    • Size

      1KB

    • MD5

      1d57658240ebee57ecf48e845ed0ef21

    • SHA1

      07395e334e8802d68728a62ecb27bc6ab35d3ac6

    • SHA256

      e2ed0a629f4c36d1b175ecea0309c79139cc06917e4dd8f13acc33e186060482

    • SHA512

      75f4c268fc12091a609f8d9a6b1eeb0e239b4053d9fbc19c48800a2648d8d8826c1205891e9d63d826fc3535874bc9886909a98c3a8c80fd09ac6ab51c1475f9

    • Score

      1/10

MITRE ATT&CK Enterprise v15

Tasks