Malware Analysis Report

2024-11-15 06:15

Sample ID 240224-xtytbacg9t
Target Free hack.rar
SHA256 26d62e6fed349999eb159f73375483523132684770b5034549124069748aeb6b
Tags lumma stealer
Score 10/10

Analysis Overview

Score 10/10

SHA256 26d62e6fed349999eb159f73375483523132684770b5034549124069748aeb6b

Threat Level: Known bad

The file Free hack.rar was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-24 19:09

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-24 19:09

Reported

2024-02-24 19:12

Platform

win10v2004-20240221-en

Max time kernel

97s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Raysen cheat\Raysen hack v4.25.exe"

Signatures

Lumma Stealer

stealer lumma

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1144 set thread context of 1252 N/A C:\Users\Admin\AppData\Local\Temp\Raysen cheat\Raysen hack v4.25.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1144 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\Raysen cheat\Raysen hack v4.25.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Raysen cheat\Raysen hack v4.25.exe

"C:\Users\Admin\AppData\Local\Temp\Raysen cheat\Raysen hack v4.25.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Files

memory/1144-0-0x0000000000750000-0x000000000079E000-memory.dmp

memory/1144-1-0x0000000074AE0000-0x0000000075290000-memory.dmp

memory/1252-4-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1144-8-0x0000000074AE0000-0x0000000075290000-memory.dmp

memory/1252-9-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1144-10-0x0000000002CD0000-0x0000000004CD0000-memory.dmp

memory/1252-12-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1252-11-0x0000000000A70000-0x0000000000A71000-memory.dmp

memory/1144-13-0x0000000002CD0000-0x0000000004CD0000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-02-24 19:09

Reported

2024-02-24 19:12

Platform

win10v2004-20240221-en

Max time kernel

138s

Max time network

160s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\x32.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\x32.dll",#1

Network

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-02-24 19:09

Reported

2024-02-24 19:12

Platform

win7-20240221-en

Max time kernel

119s

Max time network

125s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\x64.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\x64.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-02-24 19:09

Reported

2024-02-24 19:12

Platform

win10v2004-20240221-en

Max time kernel

92s

Max time network

117s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\x64.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\x64.dll",#1

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-24 19:09

Reported

2024-02-24 19:09

Platform

win7-20240221-en

Max time kernel

2s

Max time network

3s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Raysen cheat\Raysen hack v4.25.exe"

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2180 set thread context of 2544 N/A C:\Users\Admin\AppData\Local\Temp\Raysen cheat\Raysen hack v4.25.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\Raysen cheat\Raysen hack v4.25.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2544 wrote to memory of 3020 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Raysen cheat\Raysen hack v4.25.exe

"C:\Users\Admin\AppData\Local\Temp\Raysen cheat\Raysen hack v4.25.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 256

Network

N/A

Files

memory/2180-0-0x00000000012F0000-0x000000000133E000-memory.dmp

memory/2180-2-0x0000000074A30000-0x000000007511E000-memory.dmp

memory/2544-4-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2180-5-0x0000000002740000-0x0000000004740000-memory.dmp

memory/2544-6-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2544-8-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2544-7-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2544-9-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2544-12-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2544-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2544-16-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2180-15-0x0000000074A30000-0x000000007511E000-memory.dmp

memory/2544-17-0x0000000000400000-0x0000000000446000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-24 19:09

Reported

2024-02-24 19:12

Platform

win7-20240221-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\auto-update.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\auto-update.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-24 19:09

Reported

2024-02-24 19:12

Platform

win10v2004-20240221-en

Max time kernel

148s

Max time network

157s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\config.cfg"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\config.cfg"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-24 19:09

Reported

2024-02-24 19:13

Platform

win7-20240221-en

Max time kernel

119s

Max time network

148s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\inject.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\inject.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-24 19:09

Reported

2024-02-24 19:12

Platform

win10v2004-20240221-en

Max time kernel

147s

Max time network

164s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\inject.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\inject.dll",#1

Network

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-02-24 19:09

Reported

2024-02-24 19:12

Platform

win7-20240221-en

Max time kernel

120s

Max time network

124s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\read me.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\read me.txt"

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-02-24 19:09

Reported

2024-02-24 19:12

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\xfeo.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\xfeo.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-24 19:09

Reported

2024-02-24 19:12

Platform

win10v2004-20240221-en

Max time kernel

91s

Max time network

126s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\auto-update.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\auto-update.dll",#1

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-24 19:09

Reported

2024-02-24 19:12

Platform

win7-20240215-en

Max time kernel

120s

Max time network

123s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\config.cfg"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\cfg_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\cfg_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.cfg\ = "cfg_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\cfg_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\cfg_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\cfg_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\cfg_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.cfg C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\config.cfg"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Raysen cheat\config.cfg

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\config.cfg"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 2191738f8809edba5d47e3a72a9377ee
SHA1 3119b62106510ef301fbe8bae085235cf3cb32a7
SHA256 da4184353035b62f4764947bd22ea079f5bcafeadde2cbfb80a5843d2202ff23
SHA512 32f1f3627571fe1284f980f3645b68cb6cd6446811f6c6a57af07eb478f8fd57b01d6d3d38cd52d776abfb3ad7f9e305e09dac03e8a778c7cf895a0bd8eeba05

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-24 19:09

Reported

2024-02-24 19:12

Platform

win10v2004-20240221-en

Max time kernel

147s

Max time network

153s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\read me.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\read me.txt"

Network

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-02-24 19:09

Reported

2024-02-24 19:12

Platform

win7-20240221-en

Max time kernel

118s

Max time network

123s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\x32.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\x32.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-02-24 19:09

Reported

2024-02-24 19:12

Platform

win10v2004-20240221-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\xfeo.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Raysen cheat\xfeo.dll",#1

Network

Files

N/A