029efceb46ffeaefe413209d52c458e22d444c6a67514ac6b0f015caa6e27c9e

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
27-06-2023 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Minecraft Checker by xRisky.exe
Size

5.6MB
MD5

682fcac2b949bc9fcb3b039b2ddb5ff2
SHA1

94eb1e61b975c65f95c5519d0bfb128906c3dcbb
SHA256

029efceb46ffeaefe413209d52c458e22d444c6a67514ac6b0f015caa6e27c9e
SHA512

c2ebcff22f15873cf2f119e025eeeb081210ea07de4271758676490f1eb1dde82afd5750a800a8dbbde408ac7a6dc8f54e448fb4180bc4205ab67dc6ba1abd28
SSDEEP

98304:MQsAE8NRnJFKRhwnA8K8s0n2uiR3dN1mnRsMEZQ8kSZvIgi+1RWQ:zNVJFKP98K8sVR37knuWSpli+y

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1388	Tags.exe
1172	Tags.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1344 set thread context of 1332	1344	Minecraft Checker by xRisky.exe	29
PID 1388 set thread context of 1172	1388	Tags.exe	37
PID 1172 set thread context of 1916	1172	Tags.exe	39
PID 1916 set thread context of 324	1916	InstallUtil.exe	40

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1344	Minecraft Checker by xRisky.exe
1344	Minecraft Checker by xRisky.exe
484	powershell.exe
1388	Tags.exe
1172	Tags.exe
1172	Tags.exe
1172	Tags.exe
1172	Tags.exe
1916	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1344	Minecraft Checker by xRisky.exe
Token: SeDebugPrivilege	1332	Minecraft Checker by xRisky.exe
Token: SeDebugPrivilege	484	powershell.exe
Token: SeDebugPrivilege	1388	Tags.exe
Token: SeDebugPrivilege	1172	Tags.exe
Token: SeDebugPrivilege	1916	InstallUtil.exe
Token: SeDebugPrivilege	324	InstallUtil.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 1296	1344	Minecraft Checker by xRisky.exe	28
PID 1344 wrote to memory of 1296	1344	Minecraft Checker by xRisky.exe	28
PID 1344 wrote to memory of 1296	1344	Minecraft Checker by xRisky.exe	28
PID 1344 wrote to memory of 1296	1344	Minecraft Checker by xRisky.exe	28
PID 1344 wrote to memory of 1332	1344	Minecraft Checker by xRisky.exe	29
PID 1344 wrote to memory of 1332	1344	Minecraft Checker by xRisky.exe	29
PID 1344 wrote to memory of 1332	1344	Minecraft Checker by xRisky.exe	29
PID 1344 wrote to memory of 1332	1344	Minecraft Checker by xRisky.exe	29
PID 1344 wrote to memory of 1332	1344	Minecraft Checker by xRisky.exe	29
PID 1344 wrote to memory of 1332	1344	Minecraft Checker by xRisky.exe	29
PID 1344 wrote to memory of 1332	1344	Minecraft Checker by xRisky.exe	29
PID 1344 wrote to memory of 1332	1344	Minecraft Checker by xRisky.exe	29
PID 1344 wrote to memory of 1332	1344	Minecraft Checker by xRisky.exe	29
PID 1768 wrote to memory of 484	1768	taskeng.exe	33
PID 1768 wrote to memory of 484	1768	taskeng.exe	33
PID 1768 wrote to memory of 484	1768	taskeng.exe	33
PID 432 wrote to memory of 1388	432	taskeng.exe	36
PID 432 wrote to memory of 1388	432	taskeng.exe	36
PID 432 wrote to memory of 1388	432	taskeng.exe	36
PID 432 wrote to memory of 1388	432	taskeng.exe	36
PID 1388 wrote to memory of 1172	1388	Tags.exe	37
PID 1388 wrote to memory of 1172	1388	Tags.exe	37
PID 1388 wrote to memory of 1172	1388	Tags.exe	37
PID 1388 wrote to memory of 1172	1388	Tags.exe	37
PID 1388 wrote to memory of 1172	1388	Tags.exe	37
PID 1388 wrote to memory of 1172	1388	Tags.exe	37
PID 1388 wrote to memory of 1172	1388	Tags.exe	37
PID 1388 wrote to memory of 1172	1388	Tags.exe	37
PID 1388 wrote to memory of 1172	1388	Tags.exe	37
PID 1172 wrote to memory of 840	1172	Tags.exe	38
PID 1172 wrote to memory of 840	1172	Tags.exe	38
PID 1172 wrote to memory of 840	1172	Tags.exe	38
PID 1172 wrote to memory of 840	1172	Tags.exe	38
PID 1172 wrote to memory of 840	1172	Tags.exe	38
PID 1172 wrote to memory of 840	1172	Tags.exe	38
PID 1172 wrote to memory of 840	1172	Tags.exe	38
PID 1172 wrote to memory of 1916	1172	Tags.exe	39
PID 1172 wrote to memory of 1916	1172	Tags.exe	39
PID 1172 wrote to memory of 1916	1172	Tags.exe	39
PID 1172 wrote to memory of 1916	1172	Tags.exe	39
PID 1172 wrote to memory of 1916	1172	Tags.exe	39
PID 1172 wrote to memory of 1916	1172	Tags.exe	39
PID 1172 wrote to memory of 1916	1172	Tags.exe	39
PID 1172 wrote to memory of 1916	1172	Tags.exe	39
PID 1172 wrote to memory of 1916	1172	Tags.exe	39
PID 1172 wrote to memory of 1916	1172	Tags.exe	39
PID 1172 wrote to memory of 1916	1172	Tags.exe	39
PID 1172 wrote to memory of 1916	1172	Tags.exe	39
PID 1916 wrote to memory of 324	1916	InstallUtil.exe	40
PID 1916 wrote to memory of 324	1916	InstallUtil.exe	40
PID 1916 wrote to memory of 324	1916	InstallUtil.exe	40
PID 1916 wrote to memory of 324	1916	InstallUtil.exe	40
PID 1916 wrote to memory of 324	1916	InstallUtil.exe	40
PID 1916 wrote to memory of 324	1916	InstallUtil.exe	40
PID 1916 wrote to memory of 324	1916	InstallUtil.exe	40
PID 1916 wrote to memory of 324	1916	InstallUtil.exe	40
PID 1916 wrote to memory of 324	1916	InstallUtil.exe	40
PID 1916 wrote to memory of 324	1916	InstallUtil.exe	40
PID 1916 wrote to memory of 324	1916	InstallUtil.exe	40
PID 1916 wrote to memory of 324	1916	InstallUtil.exe	40

C:\Users\Admin\AppData\Local\Temp\Minecraft Checker by xRisky.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft Checker by xRisky.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Local\Temp\Minecraft Checker by xRisky.exe
  "C:\Users\Admin\AppData\Local\Temp\Minecraft Checker by xRisky.exe"
  2⤵
  PID:1296
- C:\Users\Admin\AppData\Local\Temp\Minecraft Checker by xRisky.exe
  "C:\Users\Admin\AppData\Local\Temp\Minecraft Checker by xRisky.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1332

C:\Windows\system32\taskeng.exe
taskeng.exe {5525A07E-CD15-4DC4-81AA-8C441A7E49F3} S-1-5-21-3297628651-743815474-1126733160-1000:HHVWDVKF\Admin:S4U:
1⤵
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:484

C:\Windows\system32\taskeng.exe
taskeng.exe {6F869B97-0386-435F-AC24-9D244A6DFFAE} S-1-5-21-3297628651-743815474-1126733160-1000:HHVWDVKF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:432
- C:\Users\Admin\AppData\Local\SecurityZone\loeim\Tags.exe
  C:\Users\Admin\AppData\Local\SecurityZone\loeim\Tags.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Users\Admin\AppData\Local\SecurityZone\loeim\Tags.exe
    C:\Users\Admin\AppData\Local\SecurityZone\loeim\Tags.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      4⤵
      PID:840
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SecurityZone\loeim\Tags.exe

Filesize
5.6MB

MD5
682fcac2b949bc9fcb3b039b2ddb5ff2

SHA1
94eb1e61b975c65f95c5519d0bfb128906c3dcbb

SHA256
029efceb46ffeaefe413209d52c458e22d444c6a67514ac6b0f015caa6e27c9e

SHA512
c2ebcff22f15873cf2f119e025eeeb081210ea07de4271758676490f1eb1dde82afd5750a800a8dbbde408ac7a6dc8f54e448fb4180bc4205ab67dc6ba1abd28

Download Submit
C:\Users\Admin\AppData\Local\SecurityZone\loeim\Tags.exe

Filesize
5.6MB

MD5
682fcac2b949bc9fcb3b039b2ddb5ff2

SHA1
94eb1e61b975c65f95c5519d0bfb128906c3dcbb

SHA256
029efceb46ffeaefe413209d52c458e22d444c6a67514ac6b0f015caa6e27c9e

SHA512
c2ebcff22f15873cf2f119e025eeeb081210ea07de4271758676490f1eb1dde82afd5750a800a8dbbde408ac7a6dc8f54e448fb4180bc4205ab67dc6ba1abd28

Download Submit
C:\Users\Admin\AppData\Local\SecurityZone\loeim\Tags.exe

Filesize
5.6MB

MD5
682fcac2b949bc9fcb3b039b2ddb5ff2

SHA1
94eb1e61b975c65f95c5519d0bfb128906c3dcbb

SHA256
029efceb46ffeaefe413209d52c458e22d444c6a67514ac6b0f015caa6e27c9e

SHA512
c2ebcff22f15873cf2f119e025eeeb081210ea07de4271758676490f1eb1dde82afd5750a800a8dbbde408ac7a6dc8f54e448fb4180bc4205ab67dc6ba1abd28

Download Submit
memory/324-9878-0x0000000001050000-0x0000000001090000-memory.dmp

Filesize
256KB

Download
memory/324-7768-0x0000000001050000-0x0000000001090000-memory.dmp

Filesize
256KB

Download
memory/484-3334-0x0000000000F40000-0x0000000000FC0000-memory.dmp

Filesize
512KB

Download
memory/484-3331-0x0000000019E80000-0x000000001A162000-memory.dmp

Filesize
2.9MB

Download
memory/484-3332-0x0000000000B30000-0x0000000000B38000-memory.dmp

Filesize
32KB

Download
memory/484-3333-0x0000000000F40000-0x0000000000FC0000-memory.dmp

Filesize
512KB

Download
memory/484-3336-0x0000000000F40000-0x0000000000FC0000-memory.dmp

Filesize
512KB

Download
memory/484-3335-0x0000000000F40000-0x0000000000FC0000-memory.dmp

Filesize
512KB

Download
memory/1172-4396-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1172-4479-0x0000000005000000-0x0000000005040000-memory.dmp

Filesize
256KB

Download
memory/1172-6604-0x0000000005000000-0x0000000005040000-memory.dmp

Filesize
256KB

Download
memory/1332-1114-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1332-3325-0x00000000055A0000-0x00000000055F4000-memory.dmp

Filesize
336KB

Download
memory/1332-3324-0x00000000027A0000-0x00000000027F6000-memory.dmp

Filesize
344KB

Download
memory/1332-3323-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/1332-1116-0x0000000004DE0000-0x0000000004EC6000-memory.dmp

Filesize
920KB

Download
memory/1332-1115-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/1344-80-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-86-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-94-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-96-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-98-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-100-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-102-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-104-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-106-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-108-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-110-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-112-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-114-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-116-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-118-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-120-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-661-0x0000000005050000-0x0000000005090000-memory.dmp

Filesize
256KB

Download
memory/1344-1102-0x0000000006930000-0x0000000006BD4000-memory.dmp

Filesize
2.6MB

Download
memory/1344-1103-0x0000000000980000-0x00000000009CC000-memory.dmp

Filesize
304KB

Download
memory/1344-90-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-88-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-92-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-84-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-82-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-54-0x0000000000CB0000-0x0000000001246000-memory.dmp

Filesize
5.6MB

Download
memory/1344-78-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-76-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-74-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-72-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-70-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-68-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-66-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-64-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-55-0x0000000005090000-0x00000000053BC000-memory.dmp

Filesize
3.2MB

Download
memory/1344-56-0x0000000005050000-0x0000000005090000-memory.dmp

Filesize
256KB

Download
memory/1344-62-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-60-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-57-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1344-58-0x0000000005090000-0x00000000053B7000-memory.dmp

Filesize
3.2MB

Download
memory/1388-3384-0x0000000000DD0000-0x0000000000E10000-memory.dmp

Filesize
256KB

Download
memory/1388-3339-0x0000000000FF0000-0x0000000001586000-memory.dmp

Filesize
5.6MB

Download
memory/1916-6615-0x0000000000400000-0x0000000000996000-memory.dmp

Filesize
5.6MB

Download
memory/1916-6665-0x0000000001140000-0x0000000001180000-memory.dmp

Filesize
256KB

Download