Analysis
- max time kernel: 1631s
- max time network: 1595s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 05-07-2022 04:03
Static task: static1
Behavioral task: behavioral1
- Sample: CF AL CHEATS 2K18/BugTrap.dll
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: CF AL CHEATS 2K18/BugTrap.dll
- Resource: win10v2004-20220414-en
Behavioral task: behavioral3
- Sample: CF AL CHEATS 2K18/CF AL CHEATS.exe
- Resource: win7-20220414-en
Behavioral task: behavioral4
- Sample: CF AL CHEATS 2K18/CF AL CHEATS.exe
- Resource: win10v2004-20220414-en
General
- Target: CF AL CHEATS 2K18/BugTrap.dll
- Size: 247KB
- MD5: b2c2fbcfa93775fc1dfcd7edc8725263
- SHA1: 2b351f25aed5498e1a176cf1078c001950e6eed6
- SHA256: b0f5173f6e30ba6463111d8c372b9fdc51e46a8f017165b68499931d1e889ff7
- SHA512: 7ecf32c18f2ea8fd01e040c20fbf561e78e2fba1bcb34b26377a85ddf32fb30d73f71e1d0f58146918bdd1fd9bf1b59b7e75582c392930c51660a4bc2c0a99cf
Malware Config
Signatures
-
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (process | description | ioc):
rundll32.exe | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
rundll32.exe | Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
rundll32.exe | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz
rundll32.exe | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString
rundll32.exe | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier
rundll32.exe | Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
rundll32.exe | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
rundll32.exe | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid | process):
2112 | rundll32.exe
2112 | rundll32.exe
Suspicious use of AdjustPrivilegeToken (21 IoCs)
Processes (description | pid | process):
Token: SeIncreaseQuotaPrivilege | 2112 | rundll32.exe
Token: SeSecurityPrivilege | 2112 | rundll32.exe
Token: SeTakeOwnershipPrivilege | 2112 | rundll32.exe
Token: SeLoadDriverPrivilege | 2112 | rundll32.exe
Token: SeSystemProfilePrivilege | 2112 | rundll32.exe
Token: SeSystemtimePrivilege | 2112 | rundll32.exe
Token: SeProfSingleProcessPrivilege | 2112 | rundll32.exe
Token: SeIncBasePriorityPrivilege | 2112 | rundll32.exe
Token: SeCreatePagefilePrivilege | 2112 | rundll32.exe
Token: SeBackupPrivilege | 2112 | rundll32.exe
Token: SeRestorePrivilege | 2112 | rundll32.exe
Token: SeShutdownPrivilege | 2112 | rundll32.exe
Token: SeDebugPrivilege | 2112 | rundll32.exe
Token: SeSystemEnvironmentPrivilege | 2112 | rundll32.exe
Token: SeRemoteShutdownPrivilege | 2112 | rundll32.exe
Token: SeUndockPrivilege | 2112 | rundll32.exe
Token: SeManageVolumePrivilege | 2112 | rundll32.exe
Token: 33 | 2112 | rundll32.exe
Token: 34 | 2112 | rundll32.exe
Token: 35 | 2112 | rundll32.exe
Token: 36 | 2112 | rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description | pid | process | target process):
PID 3804 wrote to memory of 2112 | 3804 | rundll32.exe | rundll32.exe
PID 3804 wrote to memory of 2112 | 3804 | rundll32.exe | rundll32.exe
PID 3804 wrote to memory of 2112 | 3804 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe (level 1)
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CF AL CHEATS 2K18\BugTrap.dll",#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (level 2)
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CF AL CHEATS 2K18\BugTrap.dll",#1
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/2112-130-0x0000000000000000-mapping.dmp