53bf5d8758b0afa2f66bc9be6ef3b373a34b42ab8ca043078887d09d9a4d2054

General

Target

53bf5d8758b0afa2f66bc9be6ef3b373a34b42ab8ca043078887d09d9a4d2054.exe
Size

25KB
MD5

1dd84cc8cf8ed0d5cd891c6508dbb215
SHA1

5ce2442b5395b644b28f96739abc85cee0219038
SHA256

53bf5d8758b0afa2f66bc9be6ef3b373a34b42ab8ca043078887d09d9a4d2054
SHA512

182f4082c4832c717722f37f1941dd5983ebb443c695064a7dd0c20e775ce6ae511f490170ab919fa1b8a2d85e664d907cfccd74f0d0fddf103c50659a1176b2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

ЧитМайнкрафт.exeServer.exe

pid process

2440 ЧитМайнкрафт.exe
1996 Server.exe

pid	process
2440	ЧитМайнкрафт.exe
1996	Server.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

53bf5d8758b0afa2f66bc9be6ef3b373a34b42ab8ca043078887d09d9a4d2054.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	53bf5d8758b0afa2f66bc9be6ef3b373a34b42ab8ca043078887d09d9a4d2054.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4568 schtasks.exe
Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

53bf5d8758b0afa2f66bc9be6ef3b373a34b42ab8ca043078887d09d9a4d2054.exeЧитМайнкрафт.exeServer.exe

pid process

1620 53bf5d8758b0afa2f66bc9be6ef3b373a34b42ab8ca043078887d09d9a4d2054.exe
2440 ЧитМайнкрафт.exe
1996 Server.exe

pid	process
4568	schtasks.exe

pid	process
1620	53bf5d8758b0afa2f66bc9be6ef3b373a34b42ab8ca043078887d09d9a4d2054.exe
2440	ЧитМайнкрафт.exe
1996	Server.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

ЧитМайнкрафт.exe

description	pid	process
Token: SeDebugPrivilege	2440	ЧитМайнкрафт.exe
Token: 33	2440	ЧитМайнкрафт.exe
Token: SeIncBasePriorityPrivilege	2440	ЧитМайнкрафт.exe
Token: 33	2440	ЧитМайнкрафт.exe
Token: SeIncBasePriorityPrivilege	2440	ЧитМайнкрафт.exe
Token: 33	2440	ЧитМайнкрафт.exe
Token: SeIncBasePriorityPrivilege	2440	ЧитМайнкрафт.exe
Token: 33	2440	ЧитМайнкрафт.exe
Token: SeIncBasePriorityPrivilege	2440	ЧитМайнкрафт.exe
Token: 33	2440	ЧитМайнкрафт.exe
Token: SeIncBasePriorityPrivilege	2440	ЧитМайнкрафт.exe
Token: 33	2440	ЧитМайнкрафт.exe
Token: SeIncBasePriorityPrivilege	2440	ЧитМайнкрафт.exe
Token: 33	2440	ЧитМайнкрафт.exe
Token: SeIncBasePriorityPrivilege	2440	ЧитМайнкрафт.exe
Token: 33	2440	ЧитМайнкрафт.exe
Token: SeIncBasePriorityPrivilege	2440	ЧитМайнкрафт.exe
Token: 33	2440	ЧитМайнкрафт.exe
Token: SeIncBasePriorityPrivilege	2440	ЧитМайнкрафт.exe
Token: 33	2440	ЧитМайнкрафт.exe
Token: SeIncBasePriorityPrivilege	2440	ЧитМайнкрафт.exe
Token: 33	2440	ЧитМайнкрафт.exe
Token: SeIncBasePriorityPrivilege	2440	ЧитМайнкрафт.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

53bf5d8758b0afa2f66bc9be6ef3b373a34b42ab8ca043078887d09d9a4d2054.exeЧитМайнкрафт.exe

description	pid	process	target process
PID 1620 wrote to memory of 2440	1620	53bf5d8758b0afa2f66bc9be6ef3b373a34b42ab8ca043078887d09d9a4d2054.exe	ЧитМайнкрафт.exe
PID 1620 wrote to memory of 2440	1620	53bf5d8758b0afa2f66bc9be6ef3b373a34b42ab8ca043078887d09d9a4d2054.exe	ЧитМайнкрафт.exe
PID 2440 wrote to memory of 4568	2440	ЧитМайнкрафт.exe	schtasks.exe
PID 2440 wrote to memory of 4568	2440	ЧитМайнкрафт.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\53bf5d8758b0afa2f66bc9be6ef3b373a34b42ab8ca043078887d09d9a4d2054.exe
"C:\Users\Admin\AppData\Local\Temp\53bf5d8758b0afa2f66bc9be6ef3b373a34b42ab8ca043078887d09d9a4d2054.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\ЧитМайнкрафт.exe
"C:\Users\Admin\AppData\Local\Temp\ЧитМайнкрафт.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
3⤵
- Creates scheduled task(s)
PID:4568

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
25KB

MD5
1dd84cc8cf8ed0d5cd891c6508dbb215

SHA1
5ce2442b5395b644b28f96739abc85cee0219038

SHA256
53bf5d8758b0afa2f66bc9be6ef3b373a34b42ab8ca043078887d09d9a4d2054

SHA512
182f4082c4832c717722f37f1941dd5983ebb443c695064a7dd0c20e775ce6ae511f490170ab919fa1b8a2d85e664d907cfccd74f0d0fddf103c50659a1176b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
25KB

MD5
1dd84cc8cf8ed0d5cd891c6508dbb215

SHA1
5ce2442b5395b644b28f96739abc85cee0219038

SHA256
53bf5d8758b0afa2f66bc9be6ef3b373a34b42ab8ca043078887d09d9a4d2054

SHA512
182f4082c4832c717722f37f1941dd5983ebb443c695064a7dd0c20e775ce6ae511f490170ab919fa1b8a2d85e664d907cfccd74f0d0fddf103c50659a1176b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ЧитМайнкрафт.exe
Filesize
25KB

MD5
1dd84cc8cf8ed0d5cd891c6508dbb215

SHA1
5ce2442b5395b644b28f96739abc85cee0219038

SHA256
53bf5d8758b0afa2f66bc9be6ef3b373a34b42ab8ca043078887d09d9a4d2054

SHA512
182f4082c4832c717722f37f1941dd5983ebb443c695064a7dd0c20e775ce6ae511f490170ab919fa1b8a2d85e664d907cfccd74f0d0fddf103c50659a1176b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ЧитМайнкрафт.exe
Filesize
25KB

MD5
1dd84cc8cf8ed0d5cd891c6508dbb215

SHA1
5ce2442b5395b644b28f96739abc85cee0219038

SHA256
53bf5d8758b0afa2f66bc9be6ef3b373a34b42ab8ca043078887d09d9a4d2054

SHA512
182f4082c4832c717722f37f1941dd5983ebb443c695064a7dd0c20e775ce6ae511f490170ab919fa1b8a2d85e664d907cfccd74f0d0fddf103c50659a1176b2

Download Submit
memory/1620-131-0x00007FFF3A4A0000-0x00007FFF3AF61000-memory.dmp

Filesize
10.8MB

Download
memory/1620-132-0x00007FFF3A4A0000-0x00007FFF3AF61000-memory.dmp

Filesize
10.8MB

Download
memory/1620-130-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/1620-136-0x00007FFF3A4A0000-0x00007FFF3AF61000-memory.dmp

Filesize
10.8MB

Download
memory/1996-144-0x00007FFF3A4A0000-0x00007FFF3AF61000-memory.dmp

Filesize
10.8MB

Download
memory/1996-143-0x00007FFF3A4A0000-0x00007FFF3AF61000-memory.dmp

Filesize
10.8MB

Download
memory/1996-142-0x00007FFF3A4A0000-0x00007FFF3AF61000-memory.dmp

Filesize
10.8MB

Download
memory/2440-133-0x0000000000000000-mapping.dmp

Download
memory/2440-138-0x00007FFF3A4A0000-0x00007FFF3AF61000-memory.dmp

Filesize
10.8MB

Download
memory/2440-137-0x00007FFF3A4A0000-0x00007FFF3AF61000-memory.dmp

Filesize
10.8MB

Download
memory/4568-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads