Analysis
- max time kernel: 151s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 03:05
Static task: static1
Behavioral task: behavioral1
  Sample: 5edbe1c8a1323e88fdf95f31c9f72bb25d1ea67e71ac532540c79cf9f25d838f.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 5edbe1c8a1323e88fdf95f31c9f72bb25d1ea67e71ac532540c79cf9f25d838f.exe
  Resource: win10v2004-20220414-en
General
- Target: 5edbe1c8a1323e88fdf95f31c9f72bb25d1ea67e71ac532540c79cf9f25d838f.exe
- Size: 4.5MB
- MD5: 5e5cb405fe00fce0170ff03b6c27de65
- SHA1: b71ba01901946acf3dd9c607b0ab744b9bb2d8b3
- SHA256: 5edbe1c8a1323e88fdf95f31c9f72bb25d1ea67e71ac532540c79cf9f25d838f
- SHA512: 272f1457cf8f843ca00281347fd25a29840e7711773dbd60e1b923df3f2040f7720cd17dfe5c5fc8262fe8e0e03fc0334ac9b99abe6dac8d193d214fb221dea0
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  544 | Euro Truck Simulator 2 Trainer.exe
  1412 | (process name absent from the report)
Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 5edbe1c8a1323e88fdf95f31c9f72bb25d1ea67e71ac532540c79cf9f25d838f.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 5edbe1c8a1323e88fdf95f31c9f72bb25d1ea67e71ac532540c79cf9f25d838f.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Euro Truck Simulator 2 Trainer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Euro Truck Simulator 2 Trainer.exe
Deletes itself (1 IoCs)
  Processes (pid | process):
  544 | Euro Truck Simulator 2 Trainer.exe
Loads dropped DLL (1 IoCs)
  Processes (pid | process):
  884 | 5edbe1c8a1323e88fdf95f31c9f72bb25d1ea67e71ac532540c79cf9f25d838f.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 2 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (description | ioc | process):
  File opened for modification | \??\PhysicalDrive0 | 5edbe1c8a1323e88fdf95f31c9f72bb25d1ea67e71ac532540c79cf9f25d838f.exe
  File opened for modification | \??\PhysicalDrive0 | Euro Truck Simulator 2 Trainer.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings (1 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main | Euro Truck Simulator 2 Trainer.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process), 64 rows in total:
  884 | 5edbe1c8a1323e88fdf95f31c9f72bb25d1ea67e71ac532540c79cf9f25d838f.exe (54 identical rows)
  544 | Euro Truck Simulator 2 Trainer.exe (10 identical rows)
Suspicious behavior: RenamesItself (1 IoCs)
  Processes (pid | process):
  544 | Euro Truck Simulator 2 Trainer.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 884 | 5edbe1c8a1323e88fdf95f31c9f72bb25d1ea67e71ac532540c79cf9f25d838f.exe
  Token: SeDebugPrivilege | 544 | Euro Truck Simulator 2 Trainer.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid | process):
  544 | Euro Truck Simulator 2 Trainer.exe (2 identical rows)
Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
  PID 884 wrote to memory of 544 | 884 | 5edbe1c8a1323e88fdf95f31c9f72bb25d1ea67e71ac532540c79cf9f25d838f.exe | Euro Truck Simulator 2 Trainer.exe (3 identical rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\5edbe1c8a1323e88fdf95f31c9f72bb25d1ea67e71ac532540c79cf9f25d838f.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5edbe1c8a1323e88fdf95f31c9f72bb25d1ea67e71ac532540c79cf9f25d838f.exe"
  Signatures:
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\FutureXGame\Euro Truck Simulator 2 Trainer.exe (depth 2)
    Command line: "C:\Users\Admin\FutureXGame\Euro Truck Simulator 2 Trainer.exe"
    Signatures:
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Deletes itself
    - Writes to the Master Boot Record (MBR)
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\FutureXGame\Euro Truck Simulator 2 Trainer.exe
  Filesize: 3.0MB
  MD5: a622b7290f48eacb5310f08af996c3c6
  SHA1: 7d0dfdda1b879c31a480cdc03c0158382938c372
  SHA256: 8cb54573fcd40beddfbb0da292626d9a52606ca6cb534a9af0ee03517ec0dd27
  SHA512: 201b08dcb957b6b495a60707067411a26aff7144d85981669e17e52a764e2bc00b25d0f0d230c989c96ec3b7ba7936e74d5def655872dd86f233d3e065459800
- C:\Users\Admin\FutureXGame\settings.txt
  Filesize: 180B
  MD5: 2d996111ced7bd92e7ae6766109f5b99
  SHA1: 3655d4037084c09009a764f5a645a53fa808513d
  SHA256: d36fdac581ded058a6c5599bcdc2f590d1de364ea4d4d9948222eb77201c65c0
  SHA512: f4eeb81c687863bc4e7c0b8b87c0de12455a55c51648a6e55df8aa25bb97a5b23358f73579e32837fc5f21395acef46a5c3b7d6522263bb3e7e25fc26e6c75c6
- \Users\Admin\FutureXGame\Euro Truck Simulator 2 Trainer.exe
  Filesize: 3.0MB
  MD5: a622b7290f48eacb5310f08af996c3c6
  SHA1: 7d0dfdda1b879c31a480cdc03c0158382938c372
  SHA256: 8cb54573fcd40beddfbb0da292626d9a52606ca6cb534a9af0ee03517ec0dd27
  SHA512: 201b08dcb957b6b495a60707067411a26aff7144d85981669e17e52a764e2bc00b25d0f0d230c989c96ec3b7ba7936e74d5def655872dd86f233d3e065459800
- memory/544-66-0x0000000003236000-0x0000000003255000-memory.dmp (Filesize: 124KB)
- memory/544-60-0x0000000000000000-mapping.dmp
- memory/544-62-0x0000000077C50000-0x0000000077DF9000-memory.dmp (Filesize: 1.7MB)
- memory/544-63-0x00000000001B0000-0x00000000006E8000-memory.dmp (Filesize: 5.2MB)
- memory/544-64-0x00000000001B0000-0x00000000006E8000-memory.dmp (Filesize: 5.2MB)
- memory/544-65-0x0000000024BC0000-0x0000000024EC6000-memory.dmp (Filesize: 3.0MB)
- memory/544-69-0x000000002BA60000-0x000000002C206000-memory.dmp (Filesize: 7.6MB)
- memory/884-58-0x0000000004E06000-0x0000000004E25000-memory.dmp (Filesize: 124KB)
- memory/884-57-0x0000000024500000-0x0000000024802000-memory.dmp (Filesize: 3.0MB)
- memory/884-54-0x0000000000D00000-0x0000000001382000-memory.dmp (Filesize: 6.5MB)
- memory/884-56-0x0000000077C50000-0x0000000077DF9000-memory.dmp (Filesize: 1.7MB)
- memory/884-55-0x0000000000D00000-0x0000000001382000-memory.dmp (Filesize: 6.5MB)