This blog post details a comprehensive analysis of a malicious executable file disguised as a popular game (GTA VI). The analysis covers various aspects such as PE structure, static and dynamic behavior, and crafting a YARA signature to detect the malware in the future. The file exhibited suspicious behavior including altering the Windows registry and executing PowerShell commands for persistence. Affected: malware, software security
Key points:
- The file was disguised as a popular game icon (GTA VI) yet was only 352 KB in size.
- A thorough analysis of the Portable Executable (PE) structure revealed a DOS signature and a 64-bit architecture.
- Static analysis produced the sample's hashes, including MD5 and SHA-256, which serve as fingerprints for identifying the file and verifying its integrity.
- Suspicious API calls were identified, including registry manipulation and process termination.
- Dynamic analysis showed the file changed registry settings and created persistent behavior.
- Reverse engineering with x64dbg revealed the malware’s core logic and PowerShell commands used for evasion.
- A YARA signature was crafted to detect the malware’s behavior based on specific strings.
- Conclusion emphasized the importance of static and dynamic analysis along with the use of YARA rules for future detection.
MITRE Techniques:
- T1070.001: File and Directory Permissions Modification – Registry manipulation for persistence.
- T1070.004: Indicator Removal on Host – Execution of commands to exclude the malware’s path from Windows Defender.
- T1203: Exploitation for Client Execution – Use of the disguised executable to lure users.
- T1497: Exercise in Non-Obvious Execution – Use of PowerShell to manipulate execution and evade detection.
Indicators of Compromise:
- [MD5] 43954C65D20A13BE0C7DE6D6F6D59501
- [SHA-256] 47a75d7846de1fce05bb879ac195d27281cdc632cb4f615f6660e1b77f13c9b8
- [PowerShell Command] powershell -Command "Add-MpPreference -ExclusionPath …"
- [Registry Key] Software\Microsoft\Windows\CurrentVersion\Run
- [File Path] C:\Users\ivang\Desktop\Nixware\x64\Release\Nixware.pdb
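The post says a YARA signature was built from the malware's distinctive strings (key point on the YARA rule) but the summary does not reproduce it. The rule below is an added illustration, not the original post's signature or the Nixware author's code: it is assembled only from indicators listed on this page (the PDB file name, the Defender exclusion command, the Run key, the SHA-256 and the DOS/64-bit PE facts). The rule name, the `filesize < 1MB` bound (the sample was 352 KB) and the "two of three strings" threshold are assumptions chosen for the example.

```yara
import "pe"
import "hash"

rule Nixware_GTA6_Lure_Example
{
    meta:
        description = "Added example rule built from the indicators on this page; not the original post's signature"
        reference_md5    = "43954c65d20a13be0c7de6d6f6d59501"
        reference_sha256 = "47a75d7846de1fce05bb879ac195d27281cdc632cb4f615f6660e1b77f13c9b8"

    strings:
        // Debug symbol path left in the binary (only the file name is used so the
        // rule does not depend on the developer's local directory layout)
        $pdb = "Nixware.pdb" ascii

        // Defender exclusion command the sample runs via PowerShell; may be stored
        // as ASCII or UTF-16 depending on how the string was compiled in
        $ps  = "Add-MpPreference -ExclusionPath" ascii wide nocase

        // Persistence location reported in the dynamic analysis
        $run = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide nocase

    condition:
        // Cheap structural checks first: DOS "MZ" signature and x64 PE
        uint16(0) == 0x5A4D
        and pe.machine == pe.MACHINE_AMD64
        and filesize < 1MB            // assumption: sample was 352 KB
        and (
            // Exact match on the known sample ...
            hash.sha256(0, filesize) == "47a75d7846de1fce05bb879ac195d27281cdc632cb4f615f6660e1b77f13c9b8"
            // ... or behavioural strings that survive a rebuild with a new hash
            or 2 of ($pdb, $ps, $run)
        )
}
```

The ordering of the condition matters in practice: YARA short-circuits, so the header and size checks reject most files before the full-file `hash.sha256()` is computed. For scanning large volumes the hash clause can be dropped entirely, leaving the string-based branch, which is what actually catches recompiled variants whose hashes differ from the indicators above.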