Overview

overview

10

Static

static

10

Dead Risin...un.exe

windows7_x64

8

Dead Risin...un.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    166s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 04:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Dead Rising 4 V3.0.1.2 Trainer +10 MrAntiFun.exe

  • Size

    4.5MB

  • MD5

    6b9ca8364ec6156c290efee44fcdc00b

  • SHA1

    e6423b1275e1e7d05235349acde61d0792497e3d

  • SHA256

    35eac12914408c58b4985e3db398c6942546a3495bff5e20230736fee684e1a0

  • SHA512

    db9e17b3c6a422a215bec89ce2ce0e3d8e4dae2417837cd232a7f48ef98ae0f68690fd0c398e56cbaa01dfaf2e994ce8b5eabcfa0f05b53878295ae78fb2e189

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 53 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dead Rising 4 V3.0.1.2 Trainer +10 MrAntiFun.exe
    "C:\Users\Admin\AppData\Local\Temp\Dead Rising 4 V3.0.1.2 Trainer +10 MrAntiFun.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET3B1E.tmp\Dead Rising 4 V3.0.1.2 Trainer +10 MrAntiFun.exe
      "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET3B1E.tmp\Dead Rising 4 V3.0.1.2 Trainer +10 MrAntiFun.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1004
      • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET3B1E.tmp\extracted\Dead Rising 4 V3.0.1.2 Trainer +10 MrAntiFun.exe
        "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET3B1E.tmp\extracted\Dead Rising 4 V3.0.1.2 Trainer +10 MrAntiFun.exe" "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET3B1E.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:1796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET3B1E.tmp\CET_Archive.dat
    Filesize

    4.1MB

    MD5

    142554e17d391eea418a6bdc30dde100

    SHA1

    6b0e905a9be00d4d21f448d36c64e6f44df895f9

    SHA256

    438a2af264a67044d746fa3816af78474bf99e6a7e8577951524c6ef6f1447b3

    SHA512

    c2b7cfe36e886ac7cdd80ac671bab286ec2c2ac328ab870129b44d19dd990213325c8cb0d569bcf215f313d68a503fffbc6007cad467d1522c4b71ddd5f77163

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET3B1E.tmp\Dead Rising 4 V3.0.1.2 Trainer +10 MrAntiFun.exe
    Filesize

    193KB

    MD5

    6852660b8cbb67ee3f1e31bf2f1e0afd

    SHA1

    c1b790e062f3a13d3e2f90c58e92ded585abbe3b

    SHA256

    cd86234cf14dfc0e66ae9e575326fd0cf74723a5a60337f7079c0540b6da5c8b

    SHA512

    5722ebf6bef799721464094c6d6a81931bf8f78bdd1fbe12b153cf7b0e4e9e7307fa7a01e0cc16ce885c20c3a0a3cc95d6a7d86413f0c61cca3450fa565dd6a8

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET3B1E.tmp\extracted\CET_TRAINER.CETRAINER
    Filesize

    538KB

    MD5

    ce32dae729492ab457da98b554d1a667

    SHA1

    f9ae4453c57f15cf1a4180b8e26c3158de50583a

    SHA256

    64000a034968bdf5b9432a53a339ee4b8113a510c943e8a1e9bedaf5b6f69fe1

    SHA512

    85911f1378d32e7eb7bba9fe5913664c8ddef34cef66b1496b60f5f4001f1a7a6d8a1ea22a28195195310b04b04d569b77a3e58493e39ca0cc51d11c7e5c187a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET3B1E.tmp\extracted\Dead Rising 4 V3.0.1.2 Trainer +10 MrAntiFun.exe
    Filesize

    10.4MB

    MD5

    45996e41a50873d5dd6d37901ca3d4c5

    SHA1

    c851ee71e40ba498d76fb4a94ea514c7889a00ff

    SHA256

    a2558b4f3bb16ecc13fe69a697b24d72ee2e893f8b692c09e9b38720ddef7301

    SHA512

    f2fd316593fb08ae22ea1b2c5ca4a8ad58034bb41e613363c8c2cb318a551f858ec9502c45f7f30398bef5e9fcdf48a3b90982dce5c22c0f71cf80b7ccc36ad5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET3B1E.tmp\extracted\Dead Rising 4 V3.0.1.2 Trainer +10 MrAntiFun.exe
    Filesize

    10.4MB

    MD5

    45996e41a50873d5dd6d37901ca3d4c5

    SHA1

    c851ee71e40ba498d76fb4a94ea514c7889a00ff

    SHA256

    a2558b4f3bb16ecc13fe69a697b24d72ee2e893f8b692c09e9b38720ddef7301

    SHA512

    f2fd316593fb08ae22ea1b2c5ca4a8ad58034bb41e613363c8c2cb318a551f858ec9502c45f7f30398bef5e9fcdf48a3b90982dce5c22c0f71cf80b7ccc36ad5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET3B1E.tmp\extracted\defines.lua
    Filesize

    5KB

    MD5

    1dc41a0a351e745085fcc98a3933d91f

    SHA1

    bf1e7d333e6d7b3d4bfe5cdcada19af1931dbe15

    SHA256

    a2e02dd32f0245ff31190288b368b3efbbe7c48a95dd22c321231c2f46597d9b

    SHA512

    76f171411d028e72613859332f381f8f26e85d1844c143a8888e4937ca72d7b38ffe66ce617eee5e8155ba034dcc559a9417b5def056bb74227b9bae392d1440

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET3B1E.tmp\extracted\lua53-64.dll
    Filesize

    500KB

    MD5

    476cbd8e116ef838a0b161100ff744be

    SHA1

    72a6b00754ff4a1a6f2bbb75fbce9d2fdd475e81

    SHA256

    c33f2e8ba61e5517b2598d7920b672326ff117ed5a5bdcddc125c6a5a328886e

    SHA512

    b12dee6fdc493bdc7e65d446433d942802c79564f6a1f56a1c1a7e2e3f76d270af9e3d162d368fa82d314a37d98fef1569bf90f275b0e059ca0eca49c56086d8

    Download Submit
  • \Users\Admin\AppData\Local\Temp\cetrainers\CET3B1E.tmp\Dead Rising 4 V3.0.1.2 Trainer +10 MrAntiFun.exe
    Filesize

    193KB

    MD5

    6852660b8cbb67ee3f1e31bf2f1e0afd

    SHA1

    c1b790e062f3a13d3e2f90c58e92ded585abbe3b

    SHA256

    cd86234cf14dfc0e66ae9e575326fd0cf74723a5a60337f7079c0540b6da5c8b

    SHA512

    5722ebf6bef799721464094c6d6a81931bf8f78bdd1fbe12b153cf7b0e4e9e7307fa7a01e0cc16ce885c20c3a0a3cc95d6a7d86413f0c61cca3450fa565dd6a8

    Download Submit
  • \Users\Admin\AppData\Local\Temp\cetrainers\CET3B1E.tmp\extracted\Dead Rising 4 V3.0.1.2 Trainer +10 MrAntiFun.exe
    Filesize

    10.4MB

    MD5

    45996e41a50873d5dd6d37901ca3d4c5

    SHA1

    c851ee71e40ba498d76fb4a94ea514c7889a00ff

    SHA256

    a2558b4f3bb16ecc13fe69a697b24d72ee2e893f8b692c09e9b38720ddef7301

    SHA512

    f2fd316593fb08ae22ea1b2c5ca4a8ad58034bb41e613363c8c2cb318a551f858ec9502c45f7f30398bef5e9fcdf48a3b90982dce5c22c0f71cf80b7ccc36ad5

    Download Submit
  • \Users\Admin\AppData\Local\Temp\cetrainers\CET3B1E.tmp\extracted\lua53-64.dll
    Filesize

    500KB

    MD5

    476cbd8e116ef838a0b161100ff744be

    SHA1

    72a6b00754ff4a1a6f2bbb75fbce9d2fdd475e81

    SHA256

    c33f2e8ba61e5517b2598d7920b672326ff117ed5a5bdcddc125c6a5a328886e

    SHA512

    b12dee6fdc493bdc7e65d446433d942802c79564f6a1f56a1c1a7e2e3f76d270af9e3d162d368fa82d314a37d98fef1569bf90f275b0e059ca0eca49c56086d8

    Download Submit
  • memory/1004-55-0x0000000000000000-mapping.dmp
    Download
  • memory/1796-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1796-61-0x000007FEFC221000-0x000007FEFC223000-memory.dmp
    Filesize

    8KB

    Download