9026f8300c35cbc1294e290cedfd94dab0d4fc29db03bc21bbf0d3814ec2ff66

General

Target

theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Size

6.1MB
MD5

910e90ff062405be912274a4d7220319
SHA1

17b2b28b0dcefa014bc91da00909740e73b8e6c6
SHA256

3911090c49c42ddc26c497467f1509e5bf09f33a2b8ecf922e87c1dcb30567a1
SHA512

91e9402b5f21dc3a726afb73c40da0c21b53da3b195591a74242c232626dd3d905e9f51e6f7bab3f06fea30464cf1e7cbc264ea77e0923e59f4c5c0291fabe6e

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

theHunter Call of the Wild Trainer.exe

pid process

2720 theHunter Call of the Wild Trainer.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

theHunter Call of the Wild Trainer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	theHunter Call of the Wild Trainer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	theHunter Call of the Wild Trainer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

theHunter Call of the Wild Trainer.exe

description ioc process

File opened for modification \??\PhysicalDrive0 theHunter Call of the Wild Trainer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	theHunter Call of the Wild Trainer.exe

Modifies registry class 1 IoCs

Processes:

theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

theHunter Call of the Wild Trainer.exe

pid	process
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe
2720	theHunter Call of the Wild Trainer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe

description	pid	process
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: 33	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
Token: SeIncBasePriorityPrivilege	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

theHunter Call of the Wild Trainer.exe

pid process

2720 theHunter Call of the Wild Trainer.exe
2720 theHunter Call of the Wild Trainer.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

theHunter Call of the Wild Trainer.exe

pid process

2720 theHunter Call of the Wild Trainer.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe

description	pid	process	target process
PID 2760 wrote to memory of 2720	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe	theHunter Call of the Wild Trainer.exe
PID 2760 wrote to memory of 2720	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe	theHunter Call of the Wild Trainer.exe
PID 2760 wrote to memory of 2720	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe	theHunter Call of the Wild Trainer.exe
PID 2760 wrote to memory of 2720	2760	theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe	theHunter Call of the Wild Trainer.exe

C:\Users\Admin\AppData\Local\Temp\theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe
"C:\Users\Admin\AppData\Local\Temp\theHunter Call of the Wild v1.0-v1.21 Plus +13 Trainer.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Local\FutureXGame.com\1.21.0.0\local\stubexe\0x0A0709E0753073B0\theHunter Call of the Wild Trainer.exe
"C:\Users\Admin\AppData\Local\FutureXGame.com\1.21.0.0\local\stubexe\0x0A0709E0753073B0\theHunter Call of the Wild Trainer.exe" /864A627C-C6B2-464A-AA13-25D62F282BD8
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:2720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\FutureXGame.com\1.21.0.0\local\stubexe\0x0A0709E0753073B0\theHunter Call of the Wild Trainer.exe
Filesize
22KB

MD5
02dbde777dfce88e4c86f9887004b497

SHA1
1b4ec38ee01bf6add9b45181d56818ff7324df84

SHA256
3001be0b53308fd446d8cda627425392af426c0e014df8cc0be874fa8fa05c08

SHA512
a1f32141ef4f9c79b962e0e4e8c923cceeaf0316c2a2219e2779384ea8f68be5fbe9579be37b8584b78beea2f8d69df70b31ee7cfef5386d60166b27891ceccc

Download Submit
C:\Users\Admin\AppData\Local\FutureXGame.com\1.21.0.0\xsandbox.bin
Filesize
16B

MD5
ec3d19e8e9b05d025cb56c2a98ead8e7

SHA1
748532edeb86496c8efe5e2327501d89ec1f13df

SHA256
edb7be3ef6098a1e24d0c72bbc6f968dea773951a0dd07b63bad6d9009ae3bf4

SHA512
175fb8432472b6795bb5db0eba61bc7b57331720825df5b048f3086815ba844df4f7e83e42ff9e8fe5ab01700675a774cb916677953d6e0088ffbf1fa2775349

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPOON\CACHE\0x49BBDEDFB9F663A6\sxs\manifests\theHunter Call of the Wild Trainer.exe_0x13CCF9DC8091A09B39552A81004D9F1B.1.manifest
Filesize
2KB

MD5
53aea569dc9abbfd282f59c518e07c32

SHA1
d3c3778bdb9d6fe2b32e6f7eee3f1bfc62f85c70

SHA256
5cbb9ec3ae77c4208f5bc384dcd015e66ef2aafd95bcb04476c68eba598b36df

SHA512
8b94f977d91f7554cd2e8030f22feb966415acbffd6efaaf138c63adea143e56e56923a3f5007365106bf73d684568d9f1dc4fa0524ddd4d2036d9e0d13c0554

Download Submit
memory/2720-143-0x00007FFEFDCD0000-0x00007FFEFDD35000-memory.dmp

Filesize
404KB

Download
memory/2720-150-0x0000000000400000-0x00000000008E6000-memory.dmp

Filesize
4.9MB

Download
memory/2720-132-0x0000000000000000-mapping.dmp

Download
memory/2720-136-0x0000000001370000-0x000000000173F000-memory.dmp

Filesize
3.8MB

Download
memory/2720-137-0x0000000000400000-0x00000000008E6000-memory.dmp

Filesize
4.9MB

Download
memory/2720-153-0x000000002F660000-0x000000002FE06000-memory.dmp

Filesize
7.6MB

Download
memory/2720-142-0x0000000000400000-0x00000000008E6000-memory.dmp

Filesize
4.9MB

Download
memory/2720-152-0x00007FFEFD150000-0x00007FFEFDC11000-memory.dmp

Filesize
10.8MB

Download
memory/2720-145-0x0000000000400000-0x00000000008E6000-memory.dmp

Filesize
4.9MB

Download
memory/2720-146-0x0000000000400000-0x00000000008E6000-memory.dmp

Filesize
4.9MB

Download
memory/2720-147-0x0000000000400000-0x00000000008E6000-memory.dmp

Filesize
4.9MB

Download
memory/2720-148-0x0000000000400000-0x00000000008E6000-memory.dmp

Filesize
4.9MB

Download
memory/2720-149-0x00007FFF1B3D0000-0x00007FFF1B5C5000-memory.dmp

Filesize
2.0MB

Download
memory/2720-134-0x00007FFF19420000-0x00007FFF194DE000-memory.dmp

Filesize
760KB

Download
memory/2720-151-0x0000000000400000-0x00000000008E6000-memory.dmp

Filesize
4.9MB

Download
memory/2760-131-0x0000000001170000-0x000000000153F000-memory.dmp

Filesize
3.8MB

Download
memory/2760-130-0x00007FFF19420000-0x00007FFF194DE000-memory.dmp

Filesize
760KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads