Analysis

  • max time kernel
    140s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/01/2025, 11:40

General

  • Target

    iWinGames.exe

  • Size

    1.5MB

  • MD5

    4851958fad503e3467be9b047517e4d3

  • SHA1

    95d09a8bae10756fe41739336f5768dc14d27dd9

  • SHA256

    2c8e819d3cfec79cce6fa9ecc2402a7bdc1839c6af98505e38215318f511ed28

  • SHA512

    7bb53990f50512fc1550b91789fc7b3190fb0cdba9bca068f49579d162d46782895d1d518de00e7f95e82823d1f855670492d5dde057b44720bae71d85f063d1

  • SSDEEP

    24576:REZi76e6WbovDyCca0UDOVnYarGqHe32av9/SG8Kppzidtoic8AoI+Ju6BR:wwfU7/cvUcnmau2osKphmx1A96BR

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
    "C:\Users\Admin\AppData\Local\Temp\iWinGames.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3172
    • C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
      "C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" -install
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4584
    • C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 /s /i "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
        3⤵
        • Installs/modifies Browser Helper Object
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:3444
    • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
      "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" StartProcessNoWait "C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" "-install"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4968
      • C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
        "C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" -install
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3960
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4f4 0x494
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3980
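
The process tree above shows the BHO being registered with `regsvr32 /s /i` from a DLL in the user's Temp directory, which is what the "Installs/modifies Browser Helper Object" signature fires on. The script below is an added example for checking a live host for the same kind of registration; it is not part of the sandbox report and not code from the iWin software. It reads the standard BHO registration keys (64-bit, WOW6432Node and per-user), resolves each CLSID to the DLL Internet Explorer would load via its InprocServer32 value, and flags entries whose DLL is unsigned, missing, or sitting under a user-writable directory. The function names (`Get-RegisteredBho`, `Resolve-BhoDll`, `Test-UserWritablePath`) and the list of user-writable directories are this example's own choices; only the current user's HKCU hive is inspected, so other profiles' hives under HKU are not covered.

```powershell
# Added example, not part of the sandbox report or of the iWin software: enumerate the
# Browser Helper Objects registered on a Windows host, resolve each CLSID to the DLL that
# Internet Explorer would load, and flag registrations whose DLL is unsigned, missing, or
# located under a user-writable directory (the report above shows the BHO being
# registered from the user's Temp directory). Run from an elevated PowerShell prompt.

# BHO registration points. regsvr32 run from SysWOW64, as in the process tree, writes the
# 32-bit view (WOW6432Node); a 64-bit or per-user registration lands in the other keys.
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# CLSID hives to search when resolving a BHO's COM server to a DLL path.
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID'
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'
    'HKCU:\SOFTWARE\Classes\CLSID'
)

# Directories an unprivileged user can write to (assumed list for this example);
# a BHO loading from one of these is a red flag.
$UserWritable = @(
    $env:TEMP
    [Environment]::GetFolderPath('LocalApplicationData')
    [Environment]::GetFolderPath('ApplicationData')
    [Environment]::GetFolderPath('UserProfile')
    $env:ProgramData
) | Where-Object { $_ }

function Resolve-BhoDll {
    # Return the expanded InprocServer32 path for a CLSID, or $null if it is not registered.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $raw = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($raw) {
                return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
            }
        }
    }
    return $null
}

function Test-UserWritablePath {
    # True when $Path starts with one of the user-writable directories above.
    param([Parameter(Mandatory)][string]$Path)
    foreach ($dir in $UserWritable) {
        if ($Path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-RegisteredBho {
    # Emit one object per BHO registration with its DLL, signature status and a verdict.
    foreach ($bhoKey in $BhoKeys) {
        if (-not (Test-Path -LiteralPath $bhoKey)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $bhoKey) {
            $clsid = $entry.PSChildName     # subkey name is the CLSID, braces included
            $dll   = Resolve-BhoDll -Clsid $clsid
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sigStatus = (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
            } else {
                $sigStatus = 'FileMissing'
            }
            $inUserDir = if ($dll) { Test-UserWritablePath -Path $dll } else { $false }
            [pscustomobject]@{
                Clsid        = $clsid
                RegisteredAt = $bhoKey
                Dll          = $dll
                Signature    = $sigStatus
                Suspicious   = ($inUserDir -or $sigStatus -ne 'Valid')
            }
        }
    }
}

# Usage: list every BHO, suspicious ones first. Pipe to Export-Csv for a fleet-wide sweep.
Get-RegisteredBho | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A legitimate BHO normally resolves to a signed DLL under Program Files or System32; a registration that points into AppData\Local\Temp, as in this sample, or whose DLL no longer exists (the installer was cleaned up but the CLSID was left behind) is worth pulling the DLL and the registering process's command line for.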

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/3172-0-0x0000000000400000-0x0000000000FCD000-memory.dmp

    Filesize

    11.8MB

  • memory/3172-1-0x0000000000FD0000-0x0000000000FD2000-memory.dmp

    Filesize

    8KB

  • memory/3172-16-0x0000000000FD0000-0x0000000000FD2000-memory.dmp

    Filesize

    8KB

  • memory/3172-17-0x0000000000400000-0x0000000000FCD000-memory.dmp

    Filesize

    11.8MB

  • memory/3172-23-0x0000000000400000-0x0000000000FCD000-memory.dmp

    Filesize

    11.8MB

  • memory/3960-12-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/4584-2-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/4584-3-0x0000000000590000-0x0000000000592000-memory.dmp

    Filesize

    8KB

  • memory/4584-5-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/4968-6-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/4968-10-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB