Overview
overview
7Static
static
7tenga mi rey.zip
windows7-x64
1tenga mi rey.zip
windows10-2004-x64
1tenga mi r...rk.apk
android-9-x86
tenga mi r...rk.apk
android-10-x64
x-0.png
windows7-x64
3x-0.png
windows10-2004-x64
3x-0000-bat...t.rpyc
windows7-x64
3x-0000-bat...t.rpyc
windows10-2004-x64
3x-0001-bat...r.rpyc
windows7-x64
3x-0001-bat...r.rpyc
windows10-2004-x64
3x-0001-que...s.rpyc
windows7-x64
3x-0001-que...s.rpyc
windows10-2004-x64
3x-0002-bat...t.rpyc
windows7-x64
3x-0002-bat...t.rpyc
windows10-2004-x64
3x-0002-que...r.rpyc
windows7-x64
3x-0002-que...r.rpyc
windows10-2004-x64
3x-0003-bat...t.rpyc
windows7-x64
3x-0003-bat...t.rpyc
windows10-2004-x64
3x-0003-que...a.rpyc
windows7-x64
3x-0003-que...a.rpyc
windows10-2004-x64
3x-0004-bat...e.rpyc
windows7-x64
3x-0004-bat...e.rpyc
windows10-2004-x64
3x-0005-bat...r.rpyc
windows7-x64
3x-0005-bat...r.rpyc
windows10-2004-x64
3x-0006-bat...r.rpyc
windows7-x64
3x-0006-bat...r.rpyc
windows10-2004-x64
3x-0007-mis...s.rpyc
windows7-x64
3x-0007-mis...s.rpyc
windows10-2004-x64
3x-000atl.rpyc
windows7-x64
3x-000atl.rpyc
windows10-2004-x64
3x-000namespaces.rpyc
windows7-x64
3x-000namespaces.rpyc
windows10-2004-x64
3Analysis
-
max time kernel
156s -
max time network
51s -
platform
windows7_x64 -
resource
win7-20230703-en -
resource tags
arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system -
submitted
11/07/2023, 02:43
Static task
static1
Behavioral task
behavioral1
Sample
tenga mi rey.zip
Resource
win7-20230703-en
Behavioral task
behavioral2
Sample
tenga mi rey.zip
Resource
win10v2004-20230703-en
Behavioral task
behavioral3
Sample
tenga mi rey/amitypark.apk
Resource
android-x86-arm-20230621-en
Behavioral task
behavioral4
Sample
tenga mi rey/amitypark.apk
Resource
android-x64-20230621-en
Behavioral task
behavioral5
Sample
x-0.png
Resource
win7-20230703-en
Behavioral task
behavioral6
Sample
x-0.png
Resource
win10v2004-20230703-en
Behavioral task
behavioral7
Sample
x-0000-battleclass-combatant.rpyc
Resource
win7-20230703-en
Behavioral task
behavioral8
Sample
x-0000-battleclass-combatant.rpyc
Resource
win10v2004-20230703-en
Behavioral task
behavioral9
Sample
x-0001-battleclass-player.rpyc
Resource
win7-20230703-en
Behavioral task
behavioral10
Sample
x-0001-battleclass-player.rpyc
Resource
win10v2004-20230703-en
Behavioral task
behavioral11
Sample
x-0001-quest_class.rpyc
Resource
win7-20230703-en
Behavioral task
behavioral12
Sample
x-0001-quest_class.rpyc
Resource
win10v2004-20230703-en
Behavioral task
behavioral13
Sample
x-0002-battleclass-effect.rpyc
Resource
win7-20230703-en
Behavioral task
behavioral14
Sample
x-0002-battleclass-effect.rpyc
Resource
win10v2004-20230703-en
Behavioral task
behavioral15
Sample
x-0002-quest_manager.rpyc
Resource
win7-20230703-en
Behavioral task
behavioral16
Sample
x-0002-quest_manager.rpyc
Resource
win10v2004-20230703-en
Behavioral task
behavioral17
Sample
x-0003-battleclass-sustainedeffect.rpyc
Resource
win7-20230703-en
Behavioral task
behavioral18
Sample
x-0003-battleclass-sustainedeffect.rpyc
Resource
win10v2004-20230703-en
Behavioral task
behavioral19
Sample
x-0003-quest_data.rpyc
Resource
win7-20230703-en
Behavioral task
behavioral20
Sample
x-0003-quest_data.rpyc
Resource
win10v2004-20230703-en
Behavioral task
behavioral21
Sample
x-0004-battleclass-passive.rpyc
Resource
win7-20230703-en
Behavioral task
behavioral22
Sample
x-0004-battleclass-passive.rpyc
Resource
win10v2004-20230703-en
Behavioral task
behavioral23
Sample
x-0005-battleclass-power.rpyc
Resource
win7-20230703-en
Behavioral task
behavioral24
Sample
x-0005-battleclass-power.rpyc
Resource
win10v2004-20230703-en
Behavioral task
behavioral25
Sample
x-0006-battleclass-manager.rpyc
Resource
win7-20230703-en
Behavioral task
behavioral26
Sample
x-0006-battleclass-manager.rpyc
Resource
win10v2004-20230703-en
Behavioral task
behavioral27
Sample
x-0007-misc-functions.rpyc
Resource
win7-20230703-en
Behavioral task
behavioral28
Sample
x-0007-misc-functions.rpyc
Resource
win10v2004-20230703-en
Behavioral task
behavioral29
Sample
x-000atl.rpyc
Resource
win7-20230703-en
Behavioral task
behavioral30
Sample
x-000atl.rpyc
Resource
win10v2004-20230703-en
Behavioral task
behavioral31
Sample
x-000namespaces.rpyc
Resource
win7-20230703-en
Behavioral task
behavioral32
Sample
x-000namespaces.rpyc
Resource
win10v2004-20230703-en
General
-
Target
x-0001-battleclass-player.rpyc
-
Size
1KB
-
MD5
360394871040ca5760dbd0d903001c81
-
SHA1
9fbfbf7cd435d1640121a1c987376fcf9bc6e0fa
-
SHA256
dd91d5cca38645f9876701803f4a2bf22236d8641dd267b79110372993245014
-
SHA512
dc2cd4783cc76e347cd1771770314ef0379254df566741cebf58af58e7d2792dce830be9271ce96b256d57c2085e55ab4ccc65b9dc7417c41db2b5b1fd86a318
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\rpyc_auto_file rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\.rpyc rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\.rpyc\ = "rpyc_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\rpyc_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\rpyc_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\rpyc_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\rpyc_auto_file\shell rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\rpyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1672 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1672 AcroRd32.exe 1672 AcroRd32.exe 1672 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 3064 wrote to memory of 2116 3064 cmd.exe 29 PID 3064 wrote to memory of 2116 3064 cmd.exe 29 PID 3064 wrote to memory of 2116 3064 cmd.exe 29 PID 2116 wrote to memory of 1672 2116 rundll32.exe 30 PID 2116 wrote to memory of 1672 2116 rundll32.exe 30 PID 2116 wrote to memory of 1672 2116 rundll32.exe 30 PID 2116 wrote to memory of 1672 2116 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\x-0001-battleclass-player.rpyc1⤵
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\x-0001-battleclass-player.rpyc2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\x-0001-battleclass-player.rpyc"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1672
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5626f399d39bd4972ecdcbfb06a3cd1c9
SHA1414742fe8fb8cc8b2065c86161b6d933c791eab8
SHA256a0b7df332e270a6870befe4d181ded9d5e9a62497512ba789ebf6f84d6307a65
SHA512f0e7f0602a88a8e629e1a9893fddf45cab5f0390eb456a520887b00c1db94a4ab40bf79bcb23c578d60bf170854b4340bfd07cfb0997e3511454532e8dd89a9c