Analysis
- max time kernel: 173s
- max time network: 177s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 04:56
Static task: static1
Behavioral task: behavioral1
  Sample: 3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe
  Resource: win10v2004-20220414-en
General
- Target: 3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe
- Size: 6.1MB
- MD5: 910e90ff062405be912274a4d7220319
- SHA1: 17b2b28b0dcefa014bc91da00909740e73b8e6c6
- SHA256: 3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1
- SHA512: 91e9402b5f21dc3a726afb73c40da0c21b53da3b195591a74242c232626dd3d905e9f51e6f7bab3f06fea30464cf1e7cbc264ea77e0923e59f4c5c0291fabe6e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1564  theHunter Call of the Wild Trainer.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  theHunter Call of the Wild Trainer.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  theHunter Call of the Wild Trainer.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
    Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (description / ioc / process):
    File opened for modification  \??\PhysicalDrive0  theHunter Call of the Wild Trainer.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes (description / ioc / process):
    Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 1564  theHunter Call of the Wild Trainer.exe  (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description / pid / process):
    Token: 33  3268  3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe
    Token: SeIncBasePriorityPrivilege  3268  3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe
    (64 entries in total, alternating between the two token entries above)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid 1564  theHunter Call of the Wild Trainer.exe  (2 identical entries)
- Suspicious use of UnmapMainImage (1 IoC)
  Processes:
    pid 1564  theHunter Call of the Wild Trainer.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
    PID 3268 wrote to memory of 1564  3268  3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe  theHunter Call of the Wild Trainer.exe  (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1.exe"
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\FutureXGame.com\1.21.0.0\local\stubexe\0x0A0709E0753073B0\theHunter Call of the Wild Trainer.exe
      Command line: "C:\Users\Admin\AppData\Local\FutureXGame.com\1.21.0.0\local\stubexe\0x0A0709E0753073B0\theHunter Call of the Wild Trainer.exe" /864A627C-C6B2-464A-AA13-25D62F282BD8
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Writes to the Master Boot Record (MBR)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\FutureXGame.com\1.21.0.0\local\stubexe\0x0A0709E0753073B0\theHunter Call of the Wild Trainer.exe
  Filesize: 22KB
  MD5: 02dbde777dfce88e4c86f9887004b497
  SHA1: 1b4ec38ee01bf6add9b45181d56818ff7324df84
  SHA256: 3001be0b53308fd446d8cda627425392af426c0e014df8cc0be874fa8fa05c08
  SHA512: a1f32141ef4f9c79b962e0e4e8c923cceeaf0316c2a2219e2779384ea8f68be5fbe9579be37b8584b78beea2f8d69df70b31ee7cfef5386d60166b27891ceccc
- C:\Users\Admin\AppData\Local\FutureXGame.com\1.21.0.0\xsandbox.bin
  Filesize: 16B
  MD5: ec3d19e8e9b05d025cb56c2a98ead8e7
  SHA1: 748532edeb86496c8efe5e2327501d89ec1f13df
  SHA256: edb7be3ef6098a1e24d0c72bbc6f968dea773951a0dd07b63bad6d9009ae3bf4
  SHA512: 175fb8432472b6795bb5db0eba61bc7b57331720825df5b048f3086815ba844df4f7e83e42ff9e8fe5ab01700675a774cb916677953d6e0088ffbf1fa2775349
- C:\Users\Admin\AppData\Local\Temp\SPOON\CACHE\0x49BBDEDFB9F663A6\sxs\manifests\theHunter Call of the Wild Trainer.exe_0x13CCF9DC8091A09B39552A81004D9F1B.1.manifest
  Filesize: 2KB
  MD5: 53aea569dc9abbfd282f59c518e07c32
  SHA1: d3c3778bdb9d6fe2b32e6f7eee3f1bfc62f85c70
  SHA256: 5cbb9ec3ae77c4208f5bc384dcd015e66ef2aafd95bcb04476c68eba598b36df
  SHA512: 8b94f977d91f7554cd2e8030f22feb966415acbffd6efaaf138c63adea143e56e56923a3f5007365106bf73d684568d9f1dc4fa0524ddd4d2036d9e0d13c0554
- memory/1564-141-0x0000000000400000-0x00000000008E6000-memory.dmp
  Filesize: 4.9MB
- memory/1564-147-0x0000000000400000-0x00000000008E6000-memory.dmp
  Filesize: 4.9MB
- memory/1564-132-0x0000000000000000-mapping.dmp
- memory/1564-136-0x0000000000400000-0x00000000008E6000-memory.dmp
  Filesize: 4.9MB
- memory/1564-151-0x000000002FC80000-0x0000000030426000-memory.dmp
  Filesize: 7.6MB
- memory/1564-150-0x00007FF8F2400000-0x00007FF8F2EC1000-memory.dmp
  Filesize: 10.8MB
- memory/1564-142-0x00007FF8FB430000-0x00007FF8FB495000-memory.dmp
  Filesize: 404KB
- memory/1564-143-0x0000000001370000-0x000000000173F000-memory.dmp
  Filesize: 3.8MB
- memory/1564-145-0x0000000000400000-0x00000000008E6000-memory.dmp
  Filesize: 4.9MB
- memory/1564-146-0x0000000000400000-0x00000000008E6000-memory.dmp
  Filesize: 4.9MB
- memory/1564-134-0x00007FF90F880000-0x00007FF90F93E000-memory.dmp
  Filesize: 760KB
- memory/1564-148-0x00007FF910810000-0x00007FF910A05000-memory.dmp
  Filesize: 2.0MB
- memory/1564-149-0x0000000000400000-0x00000000008E6000-memory.dmp
  Filesize: 4.9MB
- memory/3268-130-0x00007FF90F880000-0x00007FF90F93E000-memory.dmp
  Filesize: 760KB
- memory/3268-131-0x00000000010D0000-0x000000000149F000-memory.dmp
  Filesize: 3.8MB