Analysis Overview
SHA256
296d38386d3176443601f1494db4a8dbec3254d4a7625ca25233016b9387d6d6
Threat Level: Known bad
The file Minecraft_Dungeons_v1.0-v1.5.0.rar was found to be: Known bad.
Malicious Activity Summary
r77
r77 rootkit payload
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Looks up external IP address via web service
Program crash
Enumerates physical storage devices
Kills process with taskkill
Suspicious use of FindShellTrayWindow
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-03-29 13:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-03-29 13:52
Reported
2021-03-29 13:55
Platform
win7v20201028
Max time kernel
83s
Max time network
87s
Command Line
Signatures
r77
r77 rootkit payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.exe | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.exe"
C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe"
C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpABDC.tmp.bat
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\taskkill.exe
TaskKill /F /IM 1988
C:\Windows\system32\timeout.exe
Timeout /T 2 /Nobreak
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | flingtrainer.com | udp |
| N/A | 104.21.35.160:443 | flingtrainer.com | tcp |
| N/A | 8.8.8.8:53 | cdn.discordapp.com | udp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 8.8.8.8:53 | icanhazip.com | udp |
| N/A | 104.22.19.188:80 | icanhazip.com | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | crl.microsoft.com | udp |
| N/A | 88.221.25.155:80 | crl.microsoft.com | tcp |
| N/A | 8.8.8.8:53 | www.microsoft.com | udp |
| N/A | 104.99.234.13:80 | www.microsoft.com | tcp |
| N/A | 8.8.8.8:53 | crl.verisign.com | udp |
| N/A | 8.8.8.8:53 | ocsp.verisign.com | udp |
| N/A | 23.51.123.27:80 | ocsp.verisign.com | tcp |
| N/A | 104.22.19.188:80 | icanhazip.com | tcp |
| N/A | 104.22.19.188:80 | icanhazip.com | tcp |
| N/A | 8.8.8.8:53 | usa.megumin.cloud | udp |
| N/A | 104.21.68.3:443 | usa.megumin.cloud | tcp |
Files
memory/1724-2-0x00000000761E1000-0x00000000761E3000-memory.dmp
\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe
| MD5 | 2ad4097e232d4002a5e90fa049607869 |
| SHA1 | 9a860a3781854339d3482dd57e75a363c1bde12e |
| SHA256 | b4ad220b7ddd80ec7127f18b9b88e96fcb6a5d4de5c0789f845ad4b8e17acd66 |
| SHA512 | 5911396c485fd00a69a931333e684ee868d3dff22eec59182dc1def719a2ebb943d916b7a8929cac8d3f6ad4b948a5787040110da0cd3d234b48e73df857c277 |
memory/1484-4-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe
| MD5 | 2ad4097e232d4002a5e90fa049607869 |
| SHA1 | 9a860a3781854339d3482dd57e75a363c1bde12e |
| SHA256 | b4ad220b7ddd80ec7127f18b9b88e96fcb6a5d4de5c0789f845ad4b8e17acd66 |
| SHA512 | 5911396c485fd00a69a931333e684ee868d3dff22eec59182dc1def719a2ebb943d916b7a8929cac8d3f6ad4b948a5787040110da0cd3d234b48e73df857c277 |
memory/1988-8-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\update.exe
| MD5 | ca0b14884c8aff3242f025f003190dcd |
| SHA1 | 21dbd3f9c14d40f4ec7906fb0d9567bb00cdaa05 |
| SHA256 | 94df09b79972441ec73f429a6be45b1cb3c18d49e6d755c907728308c7582f21 |
| SHA512 | e240b1c701eabb203896550476e6bf98cef4b4903cd860383ce02858ae096db36b93890ea223b1b0d17c621da05f0dc03e8bec73a26ce46c9f9451a228064b47 |
C:\Users\Admin\AppData\Local\Temp\update.exe
| MD5 | ca0b14884c8aff3242f025f003190dcd |
| SHA1 | 21dbd3f9c14d40f4ec7906fb0d9567bb00cdaa05 |
| SHA256 | 94df09b79972441ec73f429a6be45b1cb3c18d49e6d755c907728308c7582f21 |
| SHA512 | e240b1c701eabb203896550476e6bf98cef4b4903cd860383ce02858ae096db36b93890ea223b1b0d17c621da05f0dc03e8bec73a26ce46c9f9451a228064b47 |
memory/1988-11-0x000007FEF6050000-0x000007FEF6A3C000-memory.dmp
memory/1484-6-0x000007FEF6050000-0x000007FEF6A3C000-memory.dmp
memory/1484-13-0x0000000000240000-0x000000000026D000-memory.dmp
memory/1988-12-0x000000013F6B0000-0x000000013F6B1000-memory.dmp
memory/1988-16-0x0000000000750000-0x00000000007BF000-memory.dmp
memory/1988-17-0x00000000007C0000-0x00000000007C1000-memory.dmp
memory/1484-18-0x000000001B0C2000-0x000000001B0C4000-memory.dmp
memory/1484-19-0x000000001B0C4000-0x000000001B0C6000-memory.dmp
memory/1484-20-0x000000001B0C6000-0x000000001B0C7000-memory.dmp
memory/1988-21-0x000000001B500000-0x000000001B502000-memory.dmp
memory/1484-22-0x000000001B0C7000-0x000000001B0C8000-memory.dmp
\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe
| MD5 | 2ad4097e232d4002a5e90fa049607869 |
| SHA1 | 9a860a3781854339d3482dd57e75a363c1bde12e |
| SHA256 | b4ad220b7ddd80ec7127f18b9b88e96fcb6a5d4de5c0789f845ad4b8e17acd66 |
| SHA512 | 5911396c485fd00a69a931333e684ee868d3dff22eec59182dc1def719a2ebb943d916b7a8929cac8d3f6ad4b948a5787040110da0cd3d234b48e73df857c277 |
memory/1484-25-0x000000001B0EB000-0x000000001B0EC000-memory.dmp
memory/1484-24-0x000000001B0CC000-0x000000001B0EB000-memory.dmp
memory/1484-26-0x000000001B0EC000-0x000000001B0ED000-memory.dmp
memory/932-27-0x000007FEF7D90000-0x000007FEF800A000-memory.dmp
memory/1968-28-0x0000000000000000-mapping.dmp
memory/1332-29-0x0000000000000000-mapping.dmp
memory/1364-30-0x0000000000000000-mapping.dmp
memory/1836-31-0x0000000000000000-mapping.dmp
memory/1364-32-0x000007FEFC601000-0x000007FEFC603000-memory.dmp
memory/1988-33-0x000000001B506000-0x000000001B525000-memory.dmp
memory/1612-34-0x0000000000000000-mapping.dmp
memory/1704-35-0x0000000000000000-mapping.dmp
memory/1948-36-0x0000000000000000-mapping.dmp
memory/1988-39-0x000000001CAA0000-0x000000001CAA1000-memory.dmp
memory/1004-40-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpABDC.tmp.bat
| MD5 | 49545f0ad13c1d9ecd1bb44d459a9248 |
| SHA1 | 43e30261b8b78e6b945f691e29266b3769feec2b |
| SHA256 | b7a2b153690708e6dd9d82e470eac5089dbe5248f2cc3a9b93a8609b25b83347 |
| SHA512 | b6a87f6c41f2075d9ba04d0df345192eac676a3d27e0e019bc7f58ad909fdbb11770577582f925aa92d25209379de09639200ef8e13e91db9047288c443bbfef |
memory/1320-42-0x0000000000000000-mapping.dmp
memory/884-43-0x0000000000000000-mapping.dmp
memory/1336-44-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
| MD5 | 6d1c62ec1c2ef722f49b2d8dd4a4df16 |
| SHA1 | 1bb08a979b7987bc7736a8cfa4779383cb0ecfa6 |
| SHA256 | 00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c |
| SHA512 | c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-03-29 13:52
Reported
2021-03-29 13:55
Platform
win10v20201028
Max time kernel
150s
Max time network
129s
Command Line
Signatures
r77
r77 rootkit payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\update.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.exe"
C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe"
C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 416 -s 3060
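Detection logic for the process chains listed under Processes in behavioral1 and behavioral2, as an added example that is not part of this sandbox report. The events are constructed here to mirror the report's process list; the field names are mine and match no particular EDR or Sysmon schema. PIDs are illustrative except 1988, which the report's memory/1988-... dump names tie to update.exe; the report does not say which process spawned the netsh commands, so update.exe is assumed as the parent. Note that `TaskKill /F /IM 1988` passes a PID to a switch that expects an image name, so that command fails; the rule below keys on the pattern, not on its effect.

```python
"""Process-tree detection for the behaviour shown in this report.

Added example, not part of the sandbox output. Event fields are my own;
PIDs other than 1988 are illustrative; update.exe as parent of the
netsh chains is an assumption (see lead-in).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
WLAN_RE = re.compile(r"netsh\s+wlan\s+show\s+(profile|networks)", re.I)
BAT_RE = re.compile(r'\\AppData\\Local\\Temp\\[^\s"]+\.bat', re.I)
# taskkill /IM takes an image name; a bare number there is a PID misuse.
TASKKILL_IM_PID_RE = re.compile(r"taskkill\s+/F\s+/IM\s+(\d+)\b", re.I)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SYS32 = r"C:\Windows\system32"

# Constructed events modelled on the behavioral1 process list above.
EVENTS = [
    ProcEvent(1724, 1000, TEMP + r"\Minecraft Dungeons v1.0-v1.5.0.exe",
              '"' + TEMP + r'\Minecraft Dungeons v1.0-v1.5.0.exe"'),
    ProcEvent(1484, 1724, TEMP + r"\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe",
              '"' + TEMP + r'\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe"'),
    ProcEvent(1988, 1724, TEMP + r"\update.exe", '"' + TEMP + r'\update.exe"'),
    ProcEvent(1968, 1988, SYS32 + r"\cmd.exe",
              r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    ProcEvent(1332, 1968, SYS32 + r"\chcp.com", "chcp 65001"),
    ProcEvent(1364, 1968, SYS32 + r"\netsh.exe", "netsh wlan show profile"),
    ProcEvent(1836, 1968, SYS32 + r"\findstr.exe", "findstr All"),
    ProcEvent(1612, 1988, SYS32 + r"\cmd.exe",
              r'"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    ProcEvent(1704, 1612, SYS32 + r"\chcp.com", "chcp 65001"),
    ProcEvent(1948, 1612, SYS32 + r"\netsh.exe", "netsh wlan show networks mode=bssid"),
    ProcEvent(1004, 1988, SYS32 + r"\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C ' + TEMP + r"\tmpABDC.tmp.bat"),
    ProcEvent(1320, 1004, SYS32 + r"\chcp.com", "chcp 65001"),
    ProcEvent(884, 1004, SYS32 + r"\taskkill.exe", "TaskKill /F /IM 1988"),
    ProcEvent(1336, 1004, SYS32 + r"\timeout.exe", "Timeout /T 2 /Nobreak"),
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return findings for the three behaviours the report's process list shows."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        base = _basename(e.image)
        parent = by_pid.get(e.ppid)
        # 1. A binary running out of %TEMP% drives cmd.exe to enumerate saved
        #    Wi-Fi profiles (SSIDs) or nearby BSSIDs (geolocation material).
        if (base == "cmd.exe" and WLAN_RE.search(e.cmdline)
                and parent and TEMP_RE.search(parent.image)):
            what = "saved Wi-Fi profiles" if "profile" in e.cmdline.lower() else "nearby BSSIDs"
            findings.append(Finding("wlan_recon_from_temp", e.pid,
                                    f"{_basename(parent.image)} enumerates {what}: {e.cmdline}"))
        # 2. cmd.exe /C <temp>.bat whose children are taskkill and timeout:
        #    the kill-then-wait stub a dropper leaves behind.
        if base == "cmd.exe" and BAT_RE.search(e.cmdline):
            kids = {_basename(k.image) for k in events if k.ppid == e.pid}
            if {"taskkill.exe", "timeout.exe"} <= kids:
                findings.append(Finding("temp_bat_kill_and_wait", e.pid, e.cmdline))
        # 3. taskkill /IM with a number: /IM expects an image name, so this
        #    kill fails; it is still unusual outside generated scripts.
        m = TASKKILL_IM_PID_RE.search(e.cmdline)
        if base == "taskkill.exe" and m:
            findings.append(Finding("taskkill_im_with_pid", e.pid,
                                    f"/IM given {m.group(1)}, which looks like a PID"))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Rule 1 is gated on the parent's image path, so an administrator running the same netsh command from a shell under explorer.exe is not flagged; rule 2 requires both taskkill and timeout as children of the batch so that a plain script invocation does not match.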
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | flingtrainer.com | udp |
| N/A | 104.21.35.160:443 | flingtrainer.com | tcp |
| N/A | 8.8.8.8:53 | ctldl.windowsupdate.com | udp |
| N/A | 8.8.8.8:53 | cdn.discordapp.com | udp |
| N/A | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| N/A | 8.8.8.8:53 | icanhazip.com | udp |
| N/A | 104.22.19.188:80 | icanhazip.com | tcp |
| N/A | 8.8.8.8:53 | www.msftconnecttest.com | udp |
| N/A | 13.107.4.52:80 | www.msftconnecttest.com | tcp |
| N/A | 8.8.8.8:53 | s2.symcb.com | udp |
| N/A | 23.51.123.27:80 | s2.symcb.com | tcp |
| N/A | 8.8.8.8:53 | sv.symcd.com | udp |
| N/A | 23.51.123.27:80 | sv.symcd.com | tcp |
| N/A | 8.8.8.8:53 | ocsp.verisign.com | udp |
| N/A | 23.51.123.27:80 | ocsp.verisign.com | tcp |
| N/A | 8.8.8.8:53 | evcs-ocsp.ws.symantec.com | udp |
| N/A | 23.51.123.27:80 | evcs-ocsp.ws.symantec.com | tcp |
| N/A | 8.8.8.8:53 | ctldl.windowsupdate.com | udp |
| N/A | 8.8.8.8:53 | www.3dmgame.com | udp |
| N/A | 180.101.45.57:443 | www.3dmgame.com | tcp |
Files
memory/3640-2-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe
| MD5 | 2ad4097e232d4002a5e90fa049607869 |
| SHA1 | 9a860a3781854339d3482dd57e75a363c1bde12e |
| SHA256 | b4ad220b7ddd80ec7127f18b9b88e96fcb6a5d4de5c0789f845ad4b8e17acd66 |
| SHA512 | 5911396c485fd00a69a931333e684ee868d3dff22eec59182dc1def719a2ebb943d916b7a8929cac8d3f6ad4b948a5787040110da0cd3d234b48e73df857c277 |
memory/416-5-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\update.exe
| MD5 | ca0b14884c8aff3242f025f003190dcd |
| SHA1 | 21dbd3f9c14d40f4ec7906fb0d9567bb00cdaa05 |
| SHA256 | 94df09b79972441ec73f429a6be45b1cb3c18d49e6d755c907728308c7582f21 |
| SHA512 | e240b1c701eabb203896550476e6bf98cef4b4903cd860383ce02858ae096db36b93890ea223b1b0d17c621da05f0dc03e8bec73a26ce46c9f9451a228064b47 |
memory/416-9-0x00007FF8030F0000-0x00007FF803ADC000-memory.dmp
memory/3640-7-0x00007FF8030F0000-0x00007FF803ADC000-memory.dmp
memory/3640-10-0x000001B5F6DC0000-0x000001B5F6DED000-memory.dmp
memory/416-11-0x0000000000840000-0x0000000000841000-memory.dmp
memory/416-14-0x0000000001100000-0x000000000116F000-memory.dmp
memory/3640-15-0x000001B5F78C0000-0x000001B5F78C2000-memory.dmp
memory/3640-16-0x000001B5F78C3000-0x000001B5F78C5000-memory.dmp
memory/416-18-0x0000000001070000-0x0000000001071000-memory.dmp
memory/3640-17-0x000001B5F78C6000-0x000001B5F78C7000-memory.dmp
memory/416-19-0x000000001C2E0000-0x000000001C2E2000-memory.dmp
memory/3640-20-0x000001B5F78C7000-0x000001B5F78C8000-memory.dmp
memory/3640-21-0x000001B5F78C8000-0x000001B5F78CA000-memory.dmp
memory/3640-22-0x000001B5F78CA000-0x000001B5F78CF000-memory.dmp
memory/1764-23-0x0000000000000000-mapping.dmp
memory/3240-24-0x0000000000000000-mapping.dmp
memory/2296-25-0x0000000000000000-mapping.dmp
memory/2992-26-0x0000000000000000-mapping.dmp
memory/3404-27-0x0000000000000000-mapping.dmp
memory/3544-28-0x0000000000000000-mapping.dmp
memory/1948-29-0x0000000000000000-mapping.dmp
memory/1180-30-0x0000028FAD710000-0x0000028FAD711000-memory.dmp
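IOC triage for the Files and Network tables of both detonations above, as an added example that is not part of this sandbox report. The hashes and domains are copied from the tables; the split of domains into infrastructure noise (certificate revocation, CTL and connectivity checks that any signed Windows or .NET binary produces) versus domains worth reviewing is my own judgement, and the DNS log lines are constructed. Nothing here asserts that flingtrainer.com or cdn.discordapp.com are malicious; they are listed for review because the report cannot attribute them to a specific process.

```python
"""IOC triage for the hashes and domains in this report.

Added example, not part of the sandbox output. INFRA_NOISE is an
assumption; SAMPLE_DNS_LOG is constructed.
"""
import hashlib
import re
from pathlib import Path

ARCHIVE_SHA256 = "296d38386d3176443601f1494db4a8dbec3254d4a7625ca25233016b9387d6d6"

DROPPED_SHA256 = {
    "b4ad220b7ddd80ec7127f18b9b88e96fcb6a5d4de5c0789f845ad4b8e17acd66":
        "Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe",
    "94df09b79972441ec73f429a6be45b1cb3c18d49e6d755c907728308c7582f21": "update.exe",
    "b7a2b153690708e6dd9d82e470eac5089dbe5248f2cc3a9b93a8609b25b83347": "tmpABDC.tmp.bat",
    "00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c": "DotNetZip.dll",
}

# Every domain in the two Network tables, in the order listed.
CONTACTED = [
    "flingtrainer.com", "cdn.discordapp.com", "icanhazip.com", "ip-api.com",
    "crl.microsoft.com", "www.microsoft.com", "crl.verisign.com",
    "ocsp.verisign.com", "icanhazip.com", "usa.megumin.cloud",
    "ctldl.windowsupdate.com", "www.msftconnecttest.com", "s2.symcb.com",
    "sv.symcd.com", "evcs-ocsp.ws.symantec.com", "www.3dmgame.com",
]

# Revocation/CTL/connectivity endpoints; not attributable to the sample (assumption).
INFRA_NOISE = {
    "crl.microsoft.com", "www.microsoft.com", "crl.verisign.com",
    "ocsp.verisign.com", "ctldl.windowsupdate.com", "www.msftconnecttest.com",
    "s2.symcb.com", "sv.symcd.com", "evcs-ocsp.ws.symantec.com",
}
# The two services the report flags under "Looks up external IP address".
IP_LOOKUP = {"icanhazip.com", "ip-api.com"}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_files(items, known=DROPPED_SHA256):
    """items: iterable of (name, bytes). Returns {name: label} for hash hits."""
    hits = {}
    for name, data in items:
        digest = sha256_bytes(data)
        if digest in known:
            hits[name] = known[digest]
    return hits


def scan_dir(root, known=DROPPED_SHA256):
    """Hash every regular file under root and report those whose SHA256 is known."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            digest = sha256_file(p)
            if digest in known:
                hits[str(p)] = known[digest]
    return hits


def triage_domains(contacted, noise=INFRA_NOISE, ip_lookup=IP_LOOKUP):
    """Split contacted domains into external-IP lookups, infra noise and the rest."""
    uniq = sorted({d.lower() for d in contacted})
    return {
        "ip_lookup": [d for d in uniq if d in ip_lookup],
        "noise": [d for d in uniq if d in noise],
        "review": [d for d in uniq if d not in noise and d not in ip_lookup],
    }


DNS_QUERY_RE = re.compile(r"\bquery(?:\[A\])?:?\s+([a-z0-9.-]+)", re.I)

# Constructed dnsmasq-style lines; only the last two name a watched domain.
SAMPLE_DNS_LOG = [
    "Mar 29 13:53:01 dnsmasq[812]: query[A] www.microsoft.com from 10.0.0.7",
    "Mar 29 13:53:02 dnsmasq[812]: query[A] ocsp.verisign.com from 10.0.0.7",
    "Mar 29 13:53:04 dnsmasq[812]: query[A] icanhazip.com from 10.0.0.7",
    "Mar 29 13:53:09 dnsmasq[812]: query[A] usa.megumin.cloud from 10.0.0.7",
]


def find_in_dns_log(lines, watch):
    """Return (line_number, domain) for queries whose name is in `watch`."""
    watch = {w.lower() for w in watch}
    hits = []
    for n, line in enumerate(lines, 1):
        m = DNS_QUERY_RE.search(line)
        if m and m.group(1).lower() in watch:
            hits.append((n, m.group(1).lower()))
    return hits


if __name__ == "__main__":
    t = triage_domains(CONTACTED)
    print("review:", t["review"])
    print("dns hits:", find_in_dns_log(SAMPLE_DNS_LOG, t["review"] + t["ip_lookup"]))
```

Run `scan_dir` against a suspect user's `%LOCALAPPDATA%\Temp` to confirm the dropped files by content rather than by name, since the trainer and update.exe names are generic; the sandbox's own SHA256 for the archive is kept in ARCHIVE_SHA256 for the same purpose.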