Analysis
- max time kernel: 152s
- max time network: 41s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 04:56
Static task: static1
Behavioral task: behavioral1
- Sample: 3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe
- Resource: win10v2004-20220414-en
General
- Target: 3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe
- Size: 6.1MB
- MD5: 910e90ff062405be912274a4d7220319
- SHA1: 17b2b28b0dcefa014bc91da00909740e73b8e6c6
- SHA256: 3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1
- SHA512: 91e9402b5f21dc3a726afb73c40da0c21b53da3b195591a74242c232626dd3d905e9f51e6f7bab3f06fea30464cf1e7cbc264ea77e0923e59f4c5c0291fabe6e
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    1724  theHunter Call of the Wild Trainer.exe
    1240
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  theHunter Call of the Wild Trainer.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  theHunter Call of the Wild Trainer.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    2032  3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe
    1240
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (description, ioc, process):
    File opened for modification  \??\PhysicalDrive0  theHunter Call of the Wild Trainer.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings
  Processes (description, ioc, process):
    Key created  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main  theHunter Call of the Wild Trainer.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
    1724  theHunter Call of the Wild Trainer.exe  (the same row is repeated for each of the 64 IoCs)
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Processes (description, pid, process):
    Token: 33                          2032  3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe
    Token: SeIncBasePriorityPrivilege  2032  3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe
    Token: 33                          2032  3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe
    Token: SeIncBasePriorityPrivilege  2032  3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe
    Token: 33                          1724  theHunter Call of the Wild Trainer.exe
    Token: SeIncBasePriorityPrivilege  1724  theHunter Call of the Wild Trainer.exe
    Token: 33                          1724  theHunter Call of the Wild Trainer.exe
    Token: SeIncBasePriorityPrivilege  1724  theHunter Call of the Wild Trainer.exe
    Token: SeDebugPrivilege            1724  theHunter Call of the Wild Trainer.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
    1724  theHunter Call of the Wild Trainer.exe
    1724  theHunter Call of the Wild Trainer.exe
- Suspicious use of UnmapMainImage (1 IoCs)
  Processes (pid, process):
    1724  theHunter Call of the Wild Trainer.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description, pid, process, target process):
    PID 2032 wrote to memory of 1724  2032  3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe  theHunter Call of the Wild Trainer.exe
    PID 2032 wrote to memory of 1724  2032  3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe  theHunter Call of the Wild Trainer.exe
    PID 2032 wrote to memory of 1724  2032  3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe  theHunter Call of the Wild Trainer.exe
    PID 2032 wrote to memory of 1724  2032  3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe  theHunter Call of the Wild Trainer.exe
    PID 2032 wrote to memory of 1724  2032  3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe  theHunter Call of the Wild Trainer.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\FutureXGame.com\1.21.0.0\local\stubexe\0x0A0709E0753073B0\theHunter Call of the Wild Trainer.exe
    Command line: "C:\Users\Admin\AppData\Local\FutureXGame.com\1.21.0.0\local\stubexe\0x0A0709E0753073B0\theHunter Call of the Wild Trainer.exe" /864A627C-C6B2-464A-AA13-25D62F282BD8
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Writes to the Master Boot Record (MBR)
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\FutureXGame.com\1.21.0.0\local\stubexe\0x0A0709E0753073B0\theHunter Call of the Wild Trainer.exe
  Filesize: 22KB
  MD5: 02dbde777dfce88e4c86f9887004b497
  SHA1: 1b4ec38ee01bf6add9b45181d56818ff7324df84
  SHA256: 3001be0b53308fd446d8cda627425392af426c0e014df8cc0be874fa8fa05c08
  SHA512: a1f32141ef4f9c79b962e0e4e8c923cceeaf0316c2a2219e2779384ea8f68be5fbe9579be37b8584b78beea2f8d69df70b31ee7cfef5386d60166b27891ceccc
- C:\Users\Admin\AppData\Local\FutureXGame.com\1.21.0.0\xsandbox.bin
  Filesize: 16B
  MD5: ec3d19e8e9b05d025cb56c2a98ead8e7
  SHA1: 748532edeb86496c8efe5e2327501d89ec1f13df
  SHA256: edb7be3ef6098a1e24d0c72bbc6f968dea773951a0dd07b63bad6d9009ae3bf4
  SHA512: 175fb8432472b6795bb5db0eba61bc7b57331720825df5b048f3086815ba844df4f7e83e42ff9e8fe5ab01700675a774cb916677953d6e0088ffbf1fa2775349
- C:\Users\Admin\AppData\Local\Temp\SPOON\CACHE\0x49BBDEDFB9F663A6\sxs\manifests\theHunter Call of the Wild Trainer.exe_0x13CCF9DC8091A09B39552A81004D9F1B.1.manifest
  Filesize: 2KB
  MD5: 53aea569dc9abbfd282f59c518e07c32
  SHA1: d3c3778bdb9d6fe2b32e6f7eee3f1bfc62f85c70
  SHA256: 5cbb9ec3ae77c4208f5bc384dcd015e66ef2aafd95bcb04476c68eba598b36df
  SHA512: 8b94f977d91f7554cd2e8030f22feb966415acbffd6efaaf138c63adea143e56e56923a3f5007365106bf73d684568d9f1dc4fa0524ddd4d2036d9e0d13c0554
- \Users\Admin\AppData\Local\FutureXGame.com\1.21.0.0\local\stubexe\0x0A0709E0753073B0\theHunter Call of the Wild Trainer.exe
  Filesize: 22KB
  MD5: 02dbde777dfce88e4c86f9887004b497
  SHA1: 1b4ec38ee01bf6add9b45181d56818ff7324df84
  SHA256: 3001be0b53308fd446d8cda627425392af426c0e014df8cc0be874fa8fa05c08
  SHA512: a1f32141ef4f9c79b962e0e4e8c923cceeaf0316c2a2219e2779384ea8f68be5fbe9579be37b8584b78beea2f8d69df70b31ee7cfef5386d60166b27891ceccc
Memory dumps (pid-index, region, size per dump)
- pid 1724 (theHunter Call of the Wild Trainer.exe)
  1724-70   0x0000000000000000  mapping.dmp
  1724-72   0x0000000077090000-0x00000000771AF000  1.1MB
  1724-80, -85, -99, -100, -101, -102, -103, -104, -105, -106, -107, -108, -109, -110, -111, -112, -113, -114, -115, -116
            0x0000000003050000-0x000000000320D000  1.7MB
  1724-86, -92, -96, -97, -98, -118, -119
            0x0000000000400000-0x00000000008E6000  4.9MB
  1724-93   0x000007FEFAE40000-0x000007FEFAEAF000  444KB
  1724-94   0x00000000010C0000-0x000000000148F000  3.8MB
  1724-117  0x00000000772B0000-0x0000000077459000  1.7MB
  1724-120  0x0000000024440000-0x0000000024550000  1.1MB
  1724-121  0x000000000B466000-0x000000000B485000  124KB
  1724-124  0x000000002C540000-0x000000002CCE6000  7.6MB
- pid 2032 (3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe)
  2032-54   0x0000000077090000-0x00000000771AF000  1.1MB
  2032-55, -61, -67
            0x0000000002FF0000-0x00000000031AD000  1.7MB
  2032-65   0x0000000000EB0000-0x000000000127F000  3.8MB
  2032-68   0x000007FEFBB31000-0x000007FEFBB33000  8KB