Overview

overview

10

Static

static

Minecraft ....0.exe

windows7_x64

10

Minecraft ....0.exe

windows10_x64

10

Analysis

  • max time kernel
    83s
  • max time network
    87s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    29-03-2021 13:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Minecraft Dungeons v1.0-v1.5.0.exe

  • Size

    1.3MB

  • MD5

    7500541e652d09f6be348ceb12b890ec

  • SHA1

    dabc37870b4a050c440f69daab481c49b5910148

  • SHA256

    d40f5e1c9a29042f8414cf2aedce4624df56a434880dcb6fbc7e25b4601ed4b1

  • SHA512

    b4432c5f882e1a0d54d3c2cd5b4cd904b09668aa7e1d4f75f512062ca91e190e6c9c246ed2225554c7781022c7b41e1864439a1b5781c67ec929b42ef4c206c9

Score
10/10
r77rootkitspywarestealer

Malware Config

Signatures

  • r77

    r77 is an open-source, userland rootkit.

    rootkitr77
  • r77 rootkit payload 3 IoCs

    Detects the payload of the r77 rootkit.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.exe
    "C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe
      "C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1484
    • C:\Users\Admin\AppData\Local\Temp\update.exe
      "C:\Users\Admin\AppData\Local\Temp\update.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1968
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:1332
          • C:\Windows\system32\netsh.exe
            netsh wlan show profile
            4⤵
              PID:1364
            • C:\Windows\system32\findstr.exe
              findstr All
              4⤵
                PID:1836
            • C:\Windows\system32\cmd.exe
              "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1612
              • C:\Windows\system32\chcp.com
                chcp 65001
                4⤵
                  PID:1704
                • C:\Windows\system32\netsh.exe
                  netsh wlan show networks mode=bssid
                  4⤵
                    PID:1948
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpABDC.tmp.bat
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1004
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    4⤵
                      PID:1320
                    • C:\Windows\system32\taskkill.exe
                      TaskKill /F /IM 1988
                      4⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:884
                    • C:\Windows\system32\timeout.exe
                      Timeout /T 2 /Nobreak
                      4⤵
                      • Delays execution with timeout.exe
                      PID:1336
              • C:\Windows\system32\msiexec.exe
                C:\Windows\system32\msiexec.exe /V
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1980

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/932-27-0x000007FEF7D90000-0x000007FEF800A000-memory.dmp

                Filesize

                2.5MB

                Download

              • memory/1364-32-0x000007FEFC601000-0x000007FEFC603000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1484-25-0x000000001B0EB000-0x000000001B0EC000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1484-22-0x000000001B0C7000-0x000000001B0C8000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1484-20-0x000000001B0C6000-0x000000001B0C7000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1484-24-0x000000001B0CC000-0x000000001B0EB000-memory.dmp

                Filesize

                124KB

                Download

              • memory/1484-26-0x000000001B0EC000-0x000000001B0ED000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1484-19-0x000000001B0C4000-0x000000001B0C6000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1484-18-0x000000001B0C2000-0x000000001B0C4000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1484-6-0x000007FEF6050000-0x000007FEF6A3C000-memory.dmp

                Filesize

                9.9MB

                Download

              • memory/1484-13-0x0000000000240000-0x000000000026D000-memory.dmp

                Filesize

                180KB

                Download

              • memory/1724-2-0x00000000761E1000-0x00000000761E3000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1988-33-0x000000001B506000-0x000000001B525000-memory.dmp

                Filesize

                124KB

                Download

              • memory/1988-16-0x0000000000750000-0x00000000007BF000-memory.dmp

                Filesize

                444KB

                Download

              • memory/1988-39-0x000000001CAA0000-0x000000001CAA1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1988-12-0x000000013F6B0000-0x000000013F6B1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1988-21-0x000000001B500000-0x000000001B502000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1988-17-0x00000000007C0000-0x00000000007C1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1988-11-0x000007FEF6050000-0x000007FEF6A3C000-memory.dmp

                Filesize

                9.9MB

                Download