Analysis

  • max time kernel
    302s
  • max time network
    279s
  • platform
    windows10-1703_x64
  • resource
    win10-20230621-en
  • resource tags
    arch:x64, arch:x86, image:win10-20230621-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    02/07/2023, 02:40

General

  • Target

    https://cdn.discordapp.com/attachments/1115090015719014461/1124892236954476655/modest-menu_v0.9.9_unknowncheats.me_.zip

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Themida packer 12 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://cdn.discordapp.com/attachments/1115090015719014461/1124892236954476655/modest-menu_v0.9.9_unknowncheats.me_.zip
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc5d879758,0x7ffc5d879768,0x7ffc5d879778
      2⤵
      PID:4972
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1832 --field-trial-handle=1840,i,17771277597618276489,7874418583461717892,131072 /prefetch:8
      2⤵
      PID:3096
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1840,i,17771277597618276489,7874418583461717892,131072 /prefetch:2
      2⤵
      PID:2400
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1840,i,17771277597618276489,7874418583461717892,131072 /prefetch:8
      2⤵
      PID:4928
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2896 --field-trial-handle=1840,i,17771277597618276489,7874418583461717892,131072 /prefetch:1
      2⤵
      PID:1480
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2888 --field-trial-handle=1840,i,17771277597618276489,7874418583461717892,131072 /prefetch:1
      2⤵
      PID:3908
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4352 --field-trial-handle=1840,i,17771277597618276489,7874418583461717892,131072 /prefetch:8
      2⤵
      PID:3764
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 --field-trial-handle=1840,i,17771277597618276489,7874418583461717892,131072 /prefetch:8
      2⤵
      PID:3304
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1840,i,17771277597618276489,7874418583461717892,131072 /prefetch:8
      2⤵
      PID:3540
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1840,i,17771277597618276489,7874418583461717892,131072 /prefetch:8
      2⤵
      PID:3684
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3500 --field-trial-handle=1840,i,17771277597618276489,7874418583461717892,131072 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5012
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1840,i,17771277597618276489,7874418583461717892,131072 /prefetch:8
      2⤵
      PID:1828
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:4516
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1392
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\modest-menu_v0.9.9_unknowncheats.me_\" -spe -an -ai#7zMap2154:134:7zEvent19858
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:220
  • C:\Users\Admin\Downloads\modest-menu_v0.9.9_unknowncheats.me_\modest-menu.exe
    "C:\Users\Admin\Downloads\modest-menu_v0.9.9_unknowncheats.me_\modest-menu.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3332

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize: 1KB
    MD5: 3f8022c4a2c45b49b3ecb7eb79135c86
    SHA1: 9a487ee34ee24a430291453eb47cc6845d76fcbf
    SHA256: 62319ced84b49b37cd094112234fa5b04e912e2ccf597d646aa0b8ce496f7afd
    SHA512: e65d6da1c5e3ca1705a7bf7574b1813100226b37e9de41505932ec970a8c570de7587048e7c292985641c221498e298c188919e6a7b5fc2b04b0180e2cf0da1a

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 03e443add11ca0a637760c27890f3fe0
    SHA1: 9a9ad507a09ac9c788c6a3bbd7cdea93bc857d79
    SHA256: d03b44d30a48d7971f9988425ec6bd15c12663267c9a0b2f04d0892e16c293db
    SHA512: 855daf6c9b41ee3dc7dbce634152b5994624bbba63ed2b071ef2ed20ef7d02380c949f6557c5f5df2bd9ce4ab8ef37d0ad19c85168c78379c79103f7cd9bce12

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 5KB
    MD5: e9d725b4c56fa3041a0d66a0b89636bb
    SHA1: 4c4d2a60ce41fe726bbec541ef0a95ed5fa97124
    SHA256: 150533a2cba4d3c692da4611ff0bee572e0e1996a260d3d5fb305fc3d756520b
    SHA512: 8eab538bedd2b894e1eee7c8029bc244fb6342271d9aa5b0962cf5ba4c74fb2d2c98ea1f5c4c79f102c9374603d3a2de2b94741d516a8e1644e20244935211cf

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 5KB
    MD5: de39dac7f62f67d99e8f02ae54cff5b7
    SHA1: 37995ee67d79ab490689fcdcebb1f9760566a553
    SHA256: ea95a4da0f2b4c7975fdb6502a203e98ff5105ea07f3623cc5f440150586c838
    SHA512: 162f6380dc5d0c7b3e7e948fcbab01e3f91a27d1b67a4930381574e36f514788237a2cdfb31b62094566763f6f244eaa73921ec6abc4c277db8308d634526fa1

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
    Filesize: 12KB
    MD5: be9d0b3a95c8e5b41f43d3008e7af550
    SHA1: d28c8357086c64f281c89fb3b6924fcf57351e41
    SHA256: e0e98b52184000a709b5888b937ff09b38589a74510fe3e2640e86e7fbcaa007
    SHA512: 3a248c88276f8d6f7b621d8abdfa6a816045ac08d61f41c04f9f0563ac11bde77954422ebf251fbe6d6e0cf9213bf9fec50f8651e9bab110d6505f84c05ff951

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize: 172KB
    MD5: eb2b9e0ec46b7f562d63097f98172f06
    SHA1: bb5cd42b632ccd8325fcb2368e774de2484e9ba2
    SHA256: d874c2560bb3b225307af1043a29cc4dd488dbed2b6804200c8a4836e9ddbc41
    SHA512: 90bbca79d1b12e09297c5942940f2ad23811b37981b6ab5c67f553d14080475e56d4c019d753fc3b84cfc194ed93f403d67320d24e41d9754561f5580929765a

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
    Filesize: 103KB
    MD5: 5628c65d27a65b35ab2132f390547678
    SHA1: c80ea1ffe080e91d1519ff808cea90f6fefd1c2d
    SHA256: f4d24f0d363382027ec7a08b5c4ee0b19ee343d1c2221866c9b9405de8b312f1
    SHA512: a61b3ac4ba6385fe2c56b53b91a3c04215f95ad3af919fe73dbc1a6ad721f3c251f85b3c2c6f82b7e42347585e926f4c3e5de9a7ff4da3cf86f3221ecc4ff602

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5a5006.TMP
    Filesize: 100KB
    MD5: 0190d3bc5ee4c00a9dcfd48b0fa21fe0
    SHA1: e516b76f8910aac1104be3270de652340b4257bd
    SHA256: e1d64931089599907f03ba8ae246a6d7f7c4f9c15789f1979eb2dd30c88f167c
    SHA512: bf48f5f4e9c19894333ac1f17003a197d869be6fa63c9126cfa5866e8a6671979b64e3b671d760bbefbbbdde8433b9ce9426bbe543b05e186cd9b0c019593ad4

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
    Filesize: 2B
    MD5: 99914b932bd37a50b983c5e7c90ae93b
    SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
    SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
    SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

  • C:\Users\Admin\Downloads\modest-menu_v0.9.9_unknowncheats.me_.zip
    Filesize: 13.3MB
    MD5: 65b1b713197fe21f70f9159b6efa3f81
    SHA1: 9d309e2d750aeb887f5c702d378408bfd543fc9a
    SHA256: bc36e8a60fecff1ec9c7f4598622ac83e1449ba6e968b9d0b65e3739a2d69279
    SHA512: 777b77653567a692560eb138b81b2a9254069eb5d0da9f162b87196db8482278061ceb8cf748e3b899810ab1382b7c06e58ea38a6708ae60f661dbd00054761d

  • C:\Users\Admin\Downloads\modest-menu_v0.9.9_unknowncheats.me_.zip.crdownload
    Filesize: 13.3MB
    MD5: 65b1b713197fe21f70f9159b6efa3f81
    SHA1: 9d309e2d750aeb887f5c702d378408bfd543fc9a
    SHA256: bc36e8a60fecff1ec9c7f4598622ac83e1449ba6e968b9d0b65e3739a2d69279
    SHA512: 777b77653567a692560eb138b81b2a9254069eb5d0da9f162b87196db8482278061ceb8cf748e3b899810ab1382b7c06e58ea38a6708ae60f661dbd00054761d

  • C:\Users\Admin\Downloads\modest-menu_v0.9.9_unknowncheats.me_\modest-menu.exe
    Filesize: 13.4MB
    MD5: 3413334382103ad0226875fbc649a967
    SHA1: c81b42f196d1998237761ea1a881fbe6bfec501e
    SHA256: a125169de0b250012c98f9cc1f719c599e86f3020669d832e6d956b7b7362194
    SHA512: 318eb119a0edb0ef2a1c33ef3f0816ee9689749b71d3af2e6cb58b824402dd97f02cbda95e785432f5046ecc20513ad0b920f2e8832e9b4567af21813212b055

  • memory/3332-235-0x00007FF726CC0000-0x00007FF728D4D000-memory.dmp
    Filesize: 32.6MB

  • memory/3332-236-0x00007FF726CC0000-0x00007FF728D4D000-memory.dmp
    Filesize: 32.6MB

  • memory/3332-237-0x00007FF726CC0000-0x00007FF728D4D000-memory.dmp
    Filesize: 32.6MB

  • memory/3332-238-0x00007FF726CC0000-0x00007FF728D4D000-memory.dmp
    Filesize: 32.6MB

  • memory/3332-239-0x00007FF726CC0000-0x00007FF728D4D000-memory.dmp
    Filesize: 32.6MB

  • memory/3332-240-0x00007FF726CC0000-0x00007FF728D4D000-memory.dmp
    Filesize: 32.6MB

  • memory/3332-241-0x00007FF726CC0000-0x00007FF728D4D000-memory.dmp
    Filesize: 32.6MB

  • memory/3332-242-0x00007FF726CC0000-0x00007FF728D4D000-memory.dmp
    Filesize: 32.6MB

  • memory/3332-243-0x00007FF726CC0000-0x00007FF728D4D000-memory.dmp
    Filesize: 32.6MB

  • memory/3332-245-0x00007FF726CC0000-0x00007FF728D4D000-memory.dmp
    Filesize: 32.6MB