Analysis

  • max time kernel
    150s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 04:56

General

  • Target

    theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe

  • Size

    6.1MB

  • MD5

    910e90ff062405be912274a4d7220319

  • SHA1

    17b2b28b0dcefa014bc91da00909740e73b8e6c6

  • SHA256

    3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1

  • SHA512

    91e9402b5f21dc3a726afb73c40da0c21b53da3b195591a74242c232626dd3d905e9f51e6f7bab3f06fea30464cf1e7cbc264ea77e0923e59f4c5c0291fabe6e

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read to detect sandboxing environments, since virtualisation vendors leave recognisable manufacturer and version strings in these keys. Licensing and hardware-fingerprinting code reads the same keys, so weigh this signature together with the others rather than on its own.

  • Loads dropped DLL 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system. Before treating this as bootkit activity, confirm it: compare the disk's first sector against a known-good copy, because an intact 0x55AA boot signature says nothing about the code in front of it.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drives. The sandbox rates this as likely ransomware behaviour, but the heuristic is generic: installer and hardware-fingerprinting code enumerates drives as well, so it is weak evidence on its own.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
    "C:\Users\Admin\AppData\Local\Temp\theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Users\Admin\AppData\Local\FutureXGame.com\1.21.0.0\local\stubexe\0x0A0709E0753073B0\theHunter Call of the Wild Trainer.exe
      "C:\Users\Admin\AppData\Local\FutureXGame.com\1.21.0.0\local\stubexe\0x0A0709E0753073B0\theHunter Call of the Wild Trainer.exe" /864A627C-C6B2-464A-AA13-25D62F282BD8
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Writes to the Master Boot Record (MBR)
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of UnmapMainImage
      PID:1976
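The signatures above are per-process heuristics, and the Processes list shows which PID each one was attributed to. The Python below, added here as an example and not part of the sandbox's own engine or of the analysed sample, shows how four of those behaviours (executing a dropped EXE, reading BIOS keys, opening the raw disk for writing, changing Internet Explorer settings) can be expressed as checks over a process-event feed and rolled up per PID the way the report does. The event records are constructed to mirror the tree above (PID 1932 dropping and launching PID 1976 from the stubexe path); the event schema, the registry keys and the device path are assumptions about what such a signature matches on, not values taken from the report. The ATT&CK identifiers are the v6 ones the report lists.

```python
"""Per-process behaviour checks modelled on the sandbox signatures above.

Added example; not the sandbox's engine and not code from the analysed sample.
The events are constructed to mirror the report's process tree.  The schema,
the registry keys and the raw-device path are assumptions about what such a
signature matches on, not values taken from the report.
"""
import re
from collections import defaultdict

STUB = (r"C:\Users\Admin\AppData\Local\FutureXGame.com\1.21.0.0\local\stubexe"
        r"\0x0A0709E0753073B0\theHunter Call of the Wild Trainer.exe")

# Constructed event feed.  PID 1932 is the submitted trainer, PID 1976 the
# dropped stub it launches; the actions follow the per-process signatures.
EVENTS = [
    {"event": "process_create", "pid": 1932, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe"},
    {"event": "file_write", "pid": 1932, "path": STUB},
    {"event": "process_create", "pid": 1976, "ppid": 1932, "image": STUB,
     "cmdline": f'"{STUB}" /864A627C-C6B2-464A-AA13-25D62F282BD8'},
    {"event": "registry_read", "pid": 1976,
     "key": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "value": "SystemManufacturer"},
    {"event": "file_open", "pid": 1976, "path": r"\\.\PhysicalDrive0", "access": "write"},
    {"event": "registry_write", "pid": 1976,
     "key": r"HKCU\Software\Microsoft\Internet Explorer\Main", "value": "Start Page"},
]

# Stateless rules: (signature name, ATT&CK v6 ids from the report, predicate).
RULES = [
    ("Checks BIOS information in registry", ("T1012", "T1082"),
     lambda e: e["event"] == "registry_read"
     and re.search(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS$", e["key"], re.I) is not None),
    ("Writes to the Master Boot Record (MBR)", ("T1067",),
     lambda e: e["event"] == "file_open" and e.get("access") == "write"
     and re.fullmatch(r"\\\\\.\\PhysicalDrive\d+", e["path"], re.I) is not None),
    ("Modifies Internet Explorer settings", ("T1112",),
     lambda e: e["event"] == "registry_write"
     and "\\internet explorer\\" in e["key"].lower()),
]


def evaluate(events):
    """Return {pid: sorted signature names} for an ordered event list."""
    hits = defaultdict(set)
    dropped = {}  # lower-cased path -> pid that wrote it
    for e in events:
        if e["event"] == "file_write":
            dropped[e["path"].lower()] = e["pid"]
        elif e["event"] == "process_create":
            # Stateful rule: the image was written earlier by another process.
            writer = dropped.get(e["image"].lower())
            if writer is not None and writer != e["pid"]:
                hits[e["pid"]].add("Executes dropped EXE")
        for name, _ids, pred in RULES:
            if pred(e):
                hits[e["pid"]].add(name)
    return {pid: sorted(names) for pid, names in hits.items()}


def techniques(hits):
    """ATT&CK ids for every signature that fired, for the matrix summary."""
    fired = {n for names in hits.values() for n in names}
    ids = {tid for name, tids, _ in RULES if name in fired for tid in tids}
    return sorted(ids)


if __name__ == "__main__":
    result = evaluate(EVENTS)
    for pid, names in sorted(result.items()):
        print(pid, names)
    print(techniques(result))
```

The dropped-EXE rule is the only stateful one: it needs the file write to be seen before the process creation, which is why the feed must be ordered. Attributing the hit to the child rather than the writer follows the report, which lists "Executes dropped EXE" under PID 1976.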

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Bootkit (1) T1067
  • Defense Evasion: Modify Registry (1) T1112
  • Discovery: Query Registry (1) T1012
  • Discovery: System Information Discovery (2) T1082

The number in parentheses is how many signatures mapped to each technique. The identifiers follow ATT&CK v6, which this report was generated against; later ATT&CK versions file Bootkit under Pre-OS Boot as T1542.003, while T1112, T1012 and T1082 remain current.

Downloads

  • C:\Users\Admin\AppData\Local\FutureXGame.com\1.21.0.0\local\stubexe\0x0A0709E0753073B0\theHunter Call of the Wild Trainer.exe
    Filesize

    22KB

    MD5

    02dbde777dfce88e4c86f9887004b497

    SHA1

    1b4ec38ee01bf6add9b45181d56818ff7324df84

    SHA256

    3001be0b53308fd446d8cda627425392af426c0e014df8cc0be874fa8fa05c08

    SHA512

    a1f32141ef4f9c79b962e0e4e8c923cceeaf0316c2a2219e2779384ea8f68be5fbe9579be37b8584b78beea2f8d69df70b31ee7cfef5386d60166b27891ceccc

  • C:\Users\Admin\AppData\Local\FutureXGame.com\1.21.0.0\xsandbox.bin
    Filesize

    16B

    MD5

    ec3d19e8e9b05d025cb56c2a98ead8e7

    SHA1

    748532edeb86496c8efe5e2327501d89ec1f13df

    SHA256

    edb7be3ef6098a1e24d0c72bbc6f968dea773951a0dd07b63bad6d9009ae3bf4

    SHA512

    175fb8432472b6795bb5db0eba61bc7b57331720825df5b048f3086815ba844df4f7e83e42ff9e8fe5ab01700675a774cb916677953d6e0088ffbf1fa2775349

  • C:\Users\Admin\AppData\Local\Temp\SPOON\CACHE\0x49BBDEDFB9F663A6\sxs\manifests\theHunter Call of the Wild Trainer.exe_0x13CCF9DC8091A09B39552A81004D9F1B.1.manifest
    Filesize

    2KB

    MD5

    53aea569dc9abbfd282f59c518e07c32

    SHA1

    d3c3778bdb9d6fe2b32e6f7eee3f1bfc62f85c70

    SHA256

    5cbb9ec3ae77c4208f5bc384dcd015e66ef2aafd95bcb04476c68eba598b36df

    SHA512

    8b94f977d91f7554cd2e8030f22feb966415acbffd6efaaf138c63adea143e56e56923a3f5007365106bf73d684568d9f1dc4fa0524ddd4d2036d9e0d13c0554

  • \Users\Admin\AppData\Local\FutureXGame.com\1.21.0.0\local\stubexe\0x0A0709E0753073B0\theHunter Call of the Wild Trainer.exe
    Filesize

    22KB

    MD5

    02dbde777dfce88e4c86f9887004b497

    SHA1

    1b4ec38ee01bf6add9b45181d56818ff7324df84

    SHA256

    3001be0b53308fd446d8cda627425392af426c0e014df8cc0be874fa8fa05c08

    SHA512

    a1f32141ef4f9c79b962e0e4e8c923cceeaf0316c2a2219e2779384ea8f68be5fbe9579be37b8584b78beea2f8d69df70b31ee7cfef5386d60166b27891ceccc

  • memory/1932-55-0x0000000003060000-0x000000000321D000-memory.dmp
    Filesize

    1.7MB

  • memory/1932-61-0x0000000003060000-0x000000000321D000-memory.dmp
    Filesize

    1.7MB

  • memory/1932-66-0x0000000003060000-0x000000000321D000-memory.dmp
    Filesize

    1.7MB

  • memory/1932-67-0x000007FEFB751000-0x000007FEFB753000-memory.dmp
    Filesize

    8KB

  • memory/1932-68-0x0000000000EB0000-0x000000000127F000-memory.dmp
    Filesize

    3.8MB

  • memory/1932-54-0x0000000076B10000-0x0000000076C2F000-memory.dmp
    Filesize

    1.1MB

  • memory/1976-98-0x0000000003280000-0x000000000343D000-memory.dmp
    Filesize

    1.7MB

  • memory/1976-107-0x0000000003280000-0x000000000343D000-memory.dmp
    Filesize

    1.7MB

  • memory/1976-87-0x0000000000400000-0x00000000008E6000-memory.dmp
    Filesize

    4.9MB

  • memory/1976-86-0x00000000012A0000-0x000000000166F000-memory.dmp
    Filesize

    3.8MB

  • memory/1976-93-0x0000000000400000-0x00000000008E6000-memory.dmp
    Filesize

    4.9MB

  • memory/1976-94-0x000007FEFA8C0000-0x000007FEFA92F000-memory.dmp
    Filesize

    444KB

  • memory/1976-96-0x0000000000400000-0x00000000008E6000-memory.dmp
    Filesize

    4.9MB

  • memory/1976-97-0x0000000003280000-0x000000000343D000-memory.dmp
    Filesize

    1.7MB

  • memory/1976-99-0x0000000000400000-0x00000000008E6000-memory.dmp
    Filesize

    4.9MB

  • memory/1976-101-0x0000000000400000-0x00000000008E6000-memory.dmp
    Filesize

    4.9MB

  • memory/1976-102-0x0000000003280000-0x000000000343D000-memory.dmp
    Filesize

    1.7MB

  • memory/1976-100-0x0000000003280000-0x000000000343D000-memory.dmp
    Filesize

    1.7MB

  • memory/1976-80-0x0000000003280000-0x000000000343D000-memory.dmp
    Filesize

    1.7MB

  • memory/1976-104-0x0000000003280000-0x000000000343D000-memory.dmp
    Filesize

    1.7MB

  • memory/1976-105-0x0000000003280000-0x000000000343D000-memory.dmp
    Filesize

    1.7MB

  • memory/1976-103-0x0000000000400000-0x00000000008E6000-memory.dmp
    Filesize

    4.9MB

  • memory/1976-106-0x0000000003280000-0x000000000343D000-memory.dmp
    Filesize

    1.7MB

  • memory/1976-85-0x0000000003280000-0x000000000343D000-memory.dmp
    Filesize

    1.7MB

  • memory/1976-108-0x0000000003280000-0x000000000343D000-memory.dmp
    Filesize

    1.7MB

  • memory/1976-109-0x0000000003280000-0x000000000343D000-memory.dmp
    Filesize

    1.7MB

  • memory/1976-110-0x0000000003280000-0x000000000343D000-memory.dmp
    Filesize

    1.7MB

  • memory/1976-111-0x0000000003280000-0x000000000343D000-memory.dmp
    Filesize

    1.7MB

  • memory/1976-112-0x0000000003280000-0x000000000343D000-memory.dmp
    Filesize

    1.7MB

  • memory/1976-113-0x0000000003280000-0x000000000343D000-memory.dmp
    Filesize

    1.7MB

  • memory/1976-114-0x0000000003280000-0x000000000343D000-memory.dmp
    Filesize

    1.7MB

  • memory/1976-115-0x0000000003280000-0x000000000343D000-memory.dmp
    Filesize

    1.7MB

  • memory/1976-116-0x0000000003280000-0x000000000343D000-memory.dmp
    Filesize

    1.7MB

  • memory/1976-117-0x0000000003280000-0x000000000343D000-memory.dmp
    Filesize

    1.7MB

  • memory/1976-118-0x0000000000400000-0x00000000008E6000-memory.dmp
    Filesize

    4.9MB

  • memory/1976-119-0x0000000000400000-0x00000000008E6000-memory.dmp
    Filesize

    4.9MB

  • memory/1976-120-0x0000000076D30000-0x0000000076ED9000-memory.dmp
    Filesize

    1.7MB

  • memory/1976-121-0x00000000246E0000-0x00000000247F0000-memory.dmp
    Filesize

    1.1MB

  • memory/1976-122-0x00000000034C6000-0x00000000034E5000-memory.dmp
    Filesize

    124KB

  • memory/1976-72-0x0000000076B10000-0x0000000076C2F000-memory.dmp
    Filesize

    1.1MB

  • memory/1976-70-0x0000000000000000-mapping.dmp
  • memory/1976-125-0x000000002CAE0000-0x000000002D286000-memory.dmp
    Filesize

    7.6MB
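The memory list above repeats a handful of regions many times because each dump index is a separate snapshot. The Python below, added here as an example and not part of the sandbox report, parses the report's own "memory/<pid>-<index>-<start>-<end>-memory.dmp" names, collapses them to unique regions per PID, and reproduces the sizes the report prints (MiB to one decimal, KiB below that). The SAMPLE list is a subset of the entries above, including a "mapping.dmp" entry that carries no range. Treating the region based at 0x400000 as the module's main image is an assumption (the classic non-relocated PE base), not something the report states. The point the summary makes visible: the dropped stub is 22KB on disk but its main image region is 4.9MB, so the real code is expanded at runtime, and the same 1.7MB and 3.8MB regions recur in both PIDs at different bases. That, together with the stubexe directory, xsandbox.bin and SPOON\CACHE manifest paths, is consistent with Spoon (now Turbo) application-virtualisation packaging; that reading is an assessment from the paths, not a finding the report records.

```python
"""Collapse the report's per-dump memory entries into unique regions.

Added example; not part of the sandbox report.  SAMPLE is a subset of the
report's own 'memory/...' entries.  Treating a region based at 0x400000 as the
module's main image is an assumption (the classic non-relocated PE base), not
something the report states.
"""
import re
from collections import defaultdict

# A subset of the entries listed above, including one 'mapping.dmp' entry that
# carries no address range.
SAMPLE = [
    "memory/1932-55-0x0000000003060000-0x000000000321D000-memory.dmp",
    "memory/1932-61-0x0000000003060000-0x000000000321D000-memory.dmp",
    "memory/1932-67-0x000007FEFB751000-0x000007FEFB753000-memory.dmp",
    "memory/1932-68-0x0000000000EB0000-0x000000000127F000-memory.dmp",
    "memory/1976-70-0x0000000000000000-mapping.dmp",
    "memory/1976-87-0x0000000000400000-0x00000000008E6000-memory.dmp",
    "memory/1976-93-0x0000000000400000-0x00000000008E6000-memory.dmp",
    "memory/1976-98-0x0000000003280000-0x000000000343D000-memory.dmp",
    "memory/1976-99-0x0000000000400000-0x00000000008E6000-memory.dmp",
    "memory/1976-107-0x0000000003280000-0x000000000343D000-memory.dmp",
    "memory/1976-125-0x000000002CAE0000-0x000000002D286000-memory.dmp",
]

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """Split one entry into pid, dump index and [start, end); None for mapping dumps."""
    m = DUMP_RE.search(name)
    if not m:
        return None
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16)}


def human_size(nbytes):
    """Match the report's rendering: MiB to one decimal, KiB below 1 MiB."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes >> 10}KB"


def summarise(names):
    """One row per (pid, start, end) with its size and how often it was dumped."""
    regions = defaultdict(list)
    for name in names:
        d = parse_dump_name(name)
        if d is not None:
            regions[(d["pid"], d["start"], d["end"])].append(d["idx"])
    rows = []
    for (pid, start, end), idxs in sorted(regions.items()):
        size = end - start
        rows.append({"pid": pid, "start": start, "end": end, "size": size,
                     "size_h": human_size(size), "dumps": len(idxs),
                     "main_image": start == 0x400000})  # assumption, see docstring
    return rows


def unpacked_in_memory(rows, pid, on_disk_bytes):
    """True when the process's main image region is larger than its file on disk,
    i.e. the executable expanded itself after loading (packer / virtualised app)."""
    return any(r["pid"] == pid and r["main_image"] and r["size"] > on_disk_bytes
               for r in rows)


if __name__ == "__main__":
    rows = summarise(SAMPLE)
    for r in rows:
        print(f'{r["pid"]} 0x{r["start"]:X}-0x{r["end"]:X} {r["size_h"]:>6} x{r["dumps"]}'
              + (" main image" if r["main_image"] else ""))
    # The dropped stub is 22KB on disk (see the Downloads hashes above).
    print("1976 unpacked in memory:", unpacked_in_memory(rows, 1976, 22 * 1024))
```

When pivoting from a report like this, the collapsed table is what you want: the 0x400000 region of PID 1976 is the dump to carve for the unpacked payload, and the repeated 1.7MB region is the one to diff between the two PIDs to see whether it is the same runtime component loaded twice.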