ec069915e5fa8d167ee6967140d5fbbcb59f0d0befa5f6d0cae899fd71ee5da9

Resubmissions

23/02/2024, 05:58

240223-gn5rnsch55 7

23/02/2024, 05:52

240223-gk6vkacc5z 7

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/02/2024, 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

minecraft.exe
Size

22.1MB
MD5

86dc20f843bfa46275568d0a4d5e1d2d
SHA1

01d0e36b281f4fff62378d97398cd7b688201197
SHA256

ec069915e5fa8d167ee6967140d5fbbcb59f0d0befa5f6d0cae899fd71ee5da9
SHA512

28e9a7860ef4c146d34952a38c6380bc36452f3c8bdf54d6aecd98fd3ad3c758765de46eebd411abd647022afcc65b6119ebeb84f3af6425deefa58800181404
SSDEEP

393216:pOqGolKT5VhfpjWUjw1O484xLUJO78Tlxf12Fovy4:wqGvVhfpjWE43GO7a1H

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x002d000000015db7-45.dat	acprotect

Deletes itself 1 IoCs

pid	Process
1296	cmd.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x002d000000015db7-45.dat	upx

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2380	PING.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2652	2008	minecraft.exe	28
PID 2008 wrote to memory of 2652	2008	minecraft.exe	28
PID 2008 wrote to memory of 2652	2008	minecraft.exe	28
PID 2652 wrote to memory of 2876	2652	cmd.exe	30
PID 2652 wrote to memory of 2876	2652	cmd.exe	30
PID 2652 wrote to memory of 2876	2652	cmd.exe	30
PID 2008 wrote to memory of 2396	2008	minecraft.exe	31
PID 2008 wrote to memory of 2396	2008	minecraft.exe	31
PID 2008 wrote to memory of 2396	2008	minecraft.exe	31
PID 2008 wrote to memory of 1296	2008	minecraft.exe	33
PID 2008 wrote to memory of 1296	2008	minecraft.exe	33
PID 2008 wrote to memory of 1296	2008	minecraft.exe	33
PID 1296 wrote to memory of 2380	1296	cmd.exe	35
PID 1296 wrote to memory of 2380	1296	cmd.exe	35
PID 1296 wrote to memory of 2380	1296	cmd.exe	35
PID 1296 wrote to memory of 2744	1296	cmd.exe	36
PID 1296 wrote to memory of 2744	1296	cmd.exe	36
PID 1296 wrote to memory of 2744	1296	cmd.exe	36

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2744	attrib.exe

C:\Users\Admin\AppData\Local\Temp\minecraft.exe
"C:\Users\Admin\AppData\Local\Temp\minecraft.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c javaw -Dhttp.proxyHost=betacraft.pl -jar natives/error437.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\system32\javaw.exe
    javaw -Dhttp.proxyHost=betacraft.pl -jar natives/error437.dll
    3⤵
    PID:2876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rd natives /s /q
  2⤵
  PID:2396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c 437.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:2380
- - C:\Windows\system32\attrib.exe
    attrib -h -s -r -a 437.bat
    3⤵
    - Views/modifies file attributes
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\437.bat

Filesize
155B

MD5
240b3c9d478cc688a4211ab2cae3817f

SHA1
3532f5f01e28304372cca782ab87975baf635663

SHA256
24b9f31bdf04478a691280c05eb3ea52149d6c6154803977e15a7e6f599b8599

SHA512
06f6d75eb730f32a5f0c7d557040934038c07ab9a4ff1af560596b79031b3afb3dc712be4fd427ad24c68a4ad8ac8e0c3afeddf66d12efdf7aa2355a3ad2ed09

Download Submit
C:\Users\Admin\AppData\Local\Temp\natives\CONSOL~1.DLL

Filesize
11KB

MD5
ed94f741f3e5d56d1e8433591bfaa24a

SHA1
5b08de7e9c33fb14ce9368598ba319ab0e78a4e9

SHA256
06975d86502cbaec870b611a5df9a5bc5822a8f387efb0a29b2a19a2a631bd5b

SHA512
74d9d4960fe7cec449ee5155bee182a91e27cb856e18e69ced274a2c8abb25bb7405fa725353f8fa92252a9d84790be4591a13c7ef960e6cd3e243fd9986c5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\natives\CONSOL~2.DLL

Filesize
14KB

MD5
9fd4366231018993914ec6546e3e6083

SHA1
ca8a03e81aefeccbbaf766b91b116da4bb53c34d

SHA256
d7cd5122b1ae19a8b95ec9e5db5c3055e3936a546bc22c4f1c7911c3629ab021

SHA512
9b2b013747593f540874adb9c6e9cc64a2985e0975af2ef86dbb63682d967fce028cab43aa2211e76a1fc5ecc037b6dcc4a80503ca55421fd85166dcbda95364

Download Submit
C:\Users\Admin\AppData\Local\Temp\natives\JI77A9~1.DLL

Filesize
55KB

MD5
fe9d38049703eb52abadb634109cf1fb

SHA1
c3f1fb834bf2926debe7cd5ba915fbedbaa18514

SHA256
57f4333f590766a29105e1457fefd4592728e555d7127353ca611620127e8b7c

SHA512
3c55475bb2583fd3e7f4e57b6531fbbf15ef4e4af4de98950934a22b8c50433d611aebcd313cdb64e4f43aef1d1e1f8fbcc1b2ebca2044b7529967e24e4550a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\natives\JINPUT~1.DLL

Filesize
60KB

MD5
dc6a0bd257b5ec616a49f0ae64cf02be

SHA1
8ddb0c4ef1fdd9005dee31d441ef48339ba15dc6

SHA256
c772fd2952e66feb7179798f70b12730599295be8486ba8399059c3bb8c28a89

SHA512
f20fc1e41b11a51059ea849170f5bd958e85418c7589758a7ca3f60684a950ffcfdc04bd6bb077c3abf43581d5f34483f60a095f8d65bb1180f2bd327780d9a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\natives\JINPUT~2.DLL

Filesize
63KB

MD5
9a123d6f947bedca2f01c9f6a006083c

SHA1
2082be2a65a40a8f2be26ca7c8a8f46c8b7f1ca0

SHA256
a8c49be05a3c4615abc77ac77729086d6928c999ac10e3fcd686d03a94de76de

SHA512
dc86c9f5b20c428eca9c81028da9ff37b245c8e841cc8e78a40608b8942dfbd939b70c4cde6cb35ddb3a817516a0e3dd9a64b2df06e18f6bad57066062e60f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\natives\JINPUT~3.DLL

Filesize
58KB

MD5
f38ab7d21d437375c987f6de821d6679

SHA1
055242e9103e4af3e9068eb756eb4ebea526d1f4

SHA256
21b53d09a26d3de95a8409e123cfa33ce95a268264f1d2658ed8d8f76af70876

SHA512
011ba785c47dfce4acce7921652e989a65230a16edbb780df3d5dc6551ed6950cee5b138deaaf6f6891fec57473bd171f10b235a530c7ca6e727c064fe657edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\natives\JINPUT~4.DLL

Filesize
61KB

MD5
5b3e3c4f53194c44ffe988e941fcd3de

SHA1
1811ad6094046bd35fc0cee17c9917f7844f39d1

SHA256
4b82be7ff4873c46972b3208b05a6615e2dd5db4f2b4e9f19d4053439503268c

SHA512
233dab54b5830c000e1d10038094a2b3a53208a5982a99cc28af03e82fdd7f9e62cff64826e5be4d20f0a117a976f2cae6c1a8429c7e9bf3a2b70e66fac061a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\natives\OpenAL32.dll

Filesize
381KB

MD5
7e457d00b89df9588b869e7c4064b2e4

SHA1
b7305cec9dcdbd03f2a6e3e5dc53d780516d1e15

SHA256
f30f952a8052103f0abd601ded36f054824f49ff45aa48b99b6b5e5f90b2bc29

SHA512
fa290ceeebfdeb0db4507c5e280f31231d3cc00f3714b506f09dced51507a04ec75d3da0a5204e98d97b493c2e53b5c4751f9c3e767e94d562540e5e7a171f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\natives\OpenAL64.dll

Filesize
373KB

MD5
1c090735a531d60ac22719f9ea0248d1

SHA1
6bedb7dd1ba6803e7755964614723a338e50f5a2

SHA256
ec153256a00f451514e7284e3a8a1949889bc49c93bfb1f16814075d9b7b9a3a

SHA512
11adb464c67f952176ee3aeefdcfdf909c1f04a65dd8219d4f266fc0fc6a18994994b2037c0ddbab42530f97cdd31842a12c3eb90c5faeed01517f53343372db

Download Submit
C:\Users\Admin\AppData\Local\Temp\natives\err0r437.dll

Filesize
648KB

MD5
1930033c78ef88a4fb03de9db6042f0d

SHA1
ea2437dc06aae3ae434baf271d5d0d0df9835e58

SHA256
4560cf70d22705561e40bce528b6a74bff83630ea91a5b14e0560a114b31dfe0

SHA512
ab881e4eac21268d3693536b6bb3b3b4b6f8bdc8662240b91befe192f72e34dc64998cc4ed9fa1873f2ba637c62af7102adf066ea6ec29ce8fbe86b663224fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\natives\error437.dll

Filesize
7.9MB

MD5
a4e0086929012722c8149900fb8aaf57

SHA1
c074e67d075dce1d9ebd3e908402a98f4731ef1f

SHA256
a6fc21fb90a96575c2d9877b34430c02ec78ca8b50834f9b1b0c658b0550c28e

SHA512
5f90201d56b152112b5a28ed36f27922e4d2494a07e69e8af76a812ecb7c52c95de7d3a7741e01fd9efb4939d2225627d6e711194bd1f8c3ca220c66fd890c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\natives\lwjgl.dll

Filesize
291KB

MD5
f4a31218fcb01a9a8946f4f315e91aa8

SHA1
6f63e2a98d9bd272e99eec0f4d453a25795298e5

SHA256
cd99d747587038b9488a9b183e30b3004e5c2cb4dfab02b11c6b6c3af2ffc391

SHA512
ffa778ab22c01dc81fce13654efa7a2b34bc938be74bc20aede71bb535e5ca70cad3b778c8f0752aa5acd15c746699cdb8f7c6b16cdf336ffe02576c9f9cceba

Download Submit
C:\Users\Admin\AppData\Local\Temp\natives\lwjgl64.dll

Filesize
303KB

MD5
3fcf8b1bd4c9066ff815d887a4192456

SHA1
d8bc4e20accb989fe9d774ede6c198781c2067c7

SHA256
19ddc120c3f382cebc249da69f7cec7d71f7a665054f8d6f5c6f5bde6cfd2297

SHA512
56ead9bdcd9e83e2651ba22ea2224e83ae205644bf6823776af5b7afee40aba4b355b9cfc0cbf22521236b441899b77904b5ce49b120b3ad717f04d5b8da6d87

Download Submit
memory/2008-40-0x0000000000400000-0x0000000001A28000-memory.dmp

Filesize
22.2MB

Download
memory/2008-56-0x0000000000400000-0x0000000001A28000-memory.dmp

Filesize
22.2MB

Download
memory/2876-42-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2876-37-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2876-29-0x00000000022A0000-0x00000000052A0000-memory.dmp

Filesize
48.0MB

Download