Overview

overview

8

Static

static

3

winprofile

windows7-x64

8

winprofile

windows10-1703-x64

8

Analysis

  • max time kernel
    295s
  • max time network
    278s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    01-07-2024 05:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    42ceb2252fec41fd0acc6874b41c91e0ba07c367045d6a9a7850d59781c2584c.exe

  • Size

    286KB

  • MD5

    60172ca946de57c3529e9f05cc502870

  • SHA1

    de8f59d6973a5811bb10a9a4410801fa63bc8b56

  • SHA256

    42ceb2252fec41fd0acc6874b41c91e0ba07c367045d6a9a7850d59781c2584c

  • SHA512

    15d37af3cab96fc9026a1898e09c775fe0d277098a3fe20c2e591272de996a243850d43f3b48b4c037c5fed359e57795a7cf1652547d7ad8b16b186ab9508792

  • SSDEEP

    3072:lFi6z/VXzAf3ocMNqB3r1Josf+OMhERMlm+twHBumSYyDgIoIPM7l0UGHM7:lxFSIjs+OM2eLFmSFgIZk7+HM7

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 26 IoCs
  • Loads dropped DLL 64 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
    installer
  • Modifies Control Panel 5 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42ceb2252fec41fd0acc6874b41c91e0ba07c367045d6a9a7850d59781c2584c.exe
    "C:\Users\Admin\AppData\Local\Temp\42ceb2252fec41fd0acc6874b41c91e0ba07c367045d6a9a7850d59781c2584c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Local\Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\setup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
        C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies Control Panel
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
          "C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies Control Panel
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1384
          • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
            "C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies Control Panel
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2068
            • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
              "C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
              6⤵
              • Executes dropped EXE
              • Modifies Control Panel
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1128
              • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
                "C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
                7⤵
                • Executes dropped EXE
                • Modifies Control Panel
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1696
              • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
                "C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:2104
              • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
                "C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:112
              • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
                "C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:2060
              • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
                "C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:2300
              • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
                "C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:2552
            • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
              "C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:264
            • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
              "C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2900
            • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
              "C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2492
            • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
              "C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1636
            • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
              "C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
              6⤵
              • Executes dropped EXE
              PID:2480
          • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
            "C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2256
          • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
            "C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2844
          • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
            "C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2992
          • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
            "C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1920
          • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
            "C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:3020
        • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
          "C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:1940
        • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
          "C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:1584
        • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
          "C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:2908
        • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
          "C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:908
        • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
          "C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsj7A41.tmp\liteFirewall.dll
    Filesize

    81KB

    MD5

    165e1ef5c79475e8c33d19a870e672d4

    SHA1

    965f02bfd103f094ac6b3eef3abe7fdcb8d9e2a5

    SHA256

    9db9c58e44dff2d985dc078fdbb7498dcc66c4cc4eb12f68de6a98a5d665abbd

    SHA512

    cd10eaf0928e5df048bf0488d9dbfe9442e2e106396a0967462bef440bf0b528cdf3ab06024fb6fdaf9f247e2b7f3ca0cea78afc0ce6943650ef9d6c91fee52a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nst2271.tmp\nsProcess.dll
    Filesize

    4KB

    MD5

    faa7f034b38e729a983965c04cc70fc1

    SHA1

    df8bda55b498976ea47d25d8a77539b049dab55e

    SHA256

    579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf

    SHA512

    7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf

    Download Submit
  • C:\Users\Admin\AppData\Roaming\GamePall\GamePall.exe
    Filesize

    289KB

    MD5

    7a3502c1119795d35569535de243b6fe

    SHA1

    da0d16bc66614c7d273c47f321c5ee0652fb5575

    SHA256

    b18fefb56ed7b89e45cec8a5494fbec81e36a5cb5538ccbb8de41cce960faa30

    SHA512

    258b111ac256cd8145cbe212d59dff5840d67e70effd7cddc157b2a3461b398bbc3446004980131faa6a8762c19305f56e7b793f045331b56b8bd17d85b884c4

    Download Submit
  • C:\Users\Admin\AppData\Roaming\GamePall\Uninstall.exe
    Filesize

    210KB

    MD5

    9d21a25aa1b5985a2c8cbce7f7007295

    SHA1

    86ebf56352b4dbb831fae0cca180b4add951240d

    SHA256

    e41f984c39183ba4fd1578134d71e203f4a7a8c23f278924562876326fc40ee2

    SHA512

    ee4a1ac97968f2dda3c54a49ac33d3fce28c4dae72032d9fdd1f8d8ba41b07a1d78d15e11586da54ad5e0f2bd4a48c79a0cbac84de3d957b2ac6c1b5f41a33bb

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nst2271.tmp\INetC.dll
    Filesize

    21KB

    MD5

    92ec4dd8c0ddd8c4305ae1684ab65fb0

    SHA1

    d850013d582a62e502942f0dd282cc0c29c4310e

    SHA256

    5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934

    SHA512

    581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nst2271.tmp\blowfish.dll
    Filesize

    22KB

    MD5

    5afd4a9b7e69e7c6e312b2ce4040394a

    SHA1

    fbd07adb3f02f866dc3a327a86b0f319d4a94502

    SHA256

    053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

    SHA512

    f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

    Download Submit
  • \Users\Admin\AppData\Roaming\GamePall\Newtonsoft.Json.dll
    Filesize

    560KB

    MD5

    8f81c9520104b730c25d90a9dd511148

    SHA1

    7cf46cb81c3b51965c1f78762840eb5797594778

    SHA256

    f1f01b3474b92d6e1c3d6adfae74ee0ea0eba6e9935565fe2317686d80a2e886

    SHA512

    b4a66389bf06a6611df47e81b818cc2fcd0a854324a2564a4438866953f148950f59cd4c07c9d40cc3a9043b5ce12b150c8a56cccdf98d5e3f0225edf8c516f3

    Download Submit
  • \Users\Admin\AppData\Roaming\GamePall\Xilium.CefGlue.dll
    Filesize

    855KB

    MD5

    b03c7f6072a0cb1a1d6a92ee7b82705a

    SHA1

    6675839c5e266075e7e1812ad8e856a2468274dd

    SHA256

    f561713347544e9d06d30f02a3dfcec5fe593b38894593aeedf5700666b35027

    SHA512

    19d6792eb9ba8584b94d0d59e07ce9d1c9c4da5516490f4abce5ae0d7d55b357bda45b2093b3e9eb9d6858061e9d3f530a6655c4779a50c911501ae23925c566

    Download Submit
  • \Users\Admin\AppData\Roaming\GamePall\log4net.dll
    Filesize

    269KB

    MD5

    7ea1429e71d83a1ccaa0942c4d7f1c41

    SHA1

    4ce6acf4d735354b98f416b3d94d89af0611e563

    SHA256

    edec54da1901e649588e8cb52b001ab2aec76ed0430824457a904fcc0abd4299

    SHA512

    91c90845a12a377b617140b67639cfa71a0648300336d5edd422afc362e65c6ccd3a4ff4936d4262b0eaf7bae2b9624bcd3c7eec79f7e7ca18abe1ec62c4c869

    Download Submit
  • memory/1384-199-0x0000000000A00000-0x0000000000A90000-memory.dmp
    Filesize

    576KB

    Download
  • memory/2600-143-0x0000000001170000-0x00000000011BE000-memory.dmp
    Filesize

    312KB

    Download
  • memory/2600-147-0x0000000000280000-0x00000000002CA000-memory.dmp
    Filesize

    296KB

    Download
  • memory/2600-153-0x0000000004890000-0x000000000496C000-memory.dmp
    Filesize

    880KB

    Download
  • memory/2600-157-0x0000000000AD0000-0x0000000000B60000-memory.dmp
    Filesize

    576KB

    Download