Analysis
-
max time kernel
30s -
max time network
24s -
platform
windows10-1703_x64 -
resource
win10-20230915-en -
resource tags
arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system -
submitted
12/10/2023, 16:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
Kinky_PUBGM_Cheat.exe
Resource
win10-20230915-en
windows10-1703-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
Kinky_PUBGM_Cheat.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
13 signatures
150 seconds
General
-
Target
Kinky_PUBGM_Cheat.exe
-
Size
11.9MB
-
MD5
3b2a5f25e230d22e2193d0b9fe817952
-
SHA1
fea199e51e2d2a05e41a15d3a36933f2ffd23274
-
SHA256
da4a44e6a32525edbe1dc1e36c27baa7b6ee755f0dec3cbad2da1ffdb2dbf821
-
SHA512
d75efba879f22a8da3998d6a4903a4f799874e0fb955151f40a0386e570d3198d95c8d2fa3dc223025ffcd06a04736075f3e46dc8b60554610506dbff2d0dbc2
-
SSDEEP
196608:RZWNWwDbWWpgx+2zmhMNIiKXwBBR89+lK7JU/x/rHe+tnDHsakSdlhMMQguDB8Ro:RZqWuRpL2z+nXwBDlK7QJr++xLY+tRIl
Score
4/10
Malware Config
Signatures
-
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\rescache\_merged\4183903823\810424605.pri taskmgr.exe File created C:\Windows\rescache\_merged\1601268389\3877292338.pri taskmgr.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 3676 taskmgr.exe Token: SeSystemProfilePrivilege 3676 taskmgr.exe Token: SeCreateGlobalPrivilege 3676 taskmgr.exe Token: 33 3676 taskmgr.exe Token: SeIncBasePriorityPrivilege 3676 taskmgr.exe -
Suspicious use of FindShellTrayWindow 36 IoCs
pid Process 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe -
Suspicious use of SendNotifyMessage 36 IoCs
pid Process 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe 3676 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Kinky_PUBGM_Cheat.exe"C:\Users\Admin\AppData\Local\Temp\Kinky_PUBGM_Cheat.exe"1⤵PID:4760
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3676