Analysis

max time kernel:   294s
max time network:  274s
platform:          windows10-2004_x64
resource:          win10v2004-20240226-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted:         26-02-2024 20:12
Static task:      static1
Behavioral task:  behavioral1
  Sample:    PALWORLD_TRAINER.zip
  Resource:  win7-20240221-en
General

Target:  PALWORLD_TRAINER.zip
Size:    790KB
MD5:     b90e4f81025d6e293646bd9a83f7b7da
SHA1:    f11f714c560359fce39dd601e3937190595a0c7a
SHA256:  61112986a4aa1f2db3e9de8600d239864fcb9987376f7109f45ae1330db3dc8e
SHA512:  459e9b7f2777ed24654336980ade70c328ca2daaad3d40445926413e0d509943684c40c533066d443f9e49e0ea248d517ce2d5e14d03a90e7ce1610b544311f2
SSDEEP:  24576:XAjoq5M7qtwDyeg2MWZifOQxl9X7eTSYiZil:XSob1HbiB9XvYiZu
Malware Config

Extracted family: lumma
URLs:
  https://technologyenterdo.shop/api
  https://detectordiscusser.shop/api
  https://turkeyunlikelyofw.shop/api
  https://associationokeo.shop/api
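The four URLs above are the only network indicators the report yields for this sample, and a DNS or proxy log will show the hostnames, never the /api path. The script below, an added example and not part of the sandbox output, reduces the extracted URLs to hostnames, sweeps a constructed Zeek-style dns.log excerpt for exact and subdomain matches (taking care that a lookalike such as notassociationokeo.shop does not match), and emits one Suricata dns.query rule per host. The log lines and the simplified column layout are constructed for illustration; the sid range is arbitrary.

```python
"""Sweep DNS logs for the Lumma C2 hosts extracted from this sample.

Added example for this report, not part of the sandbox output. The URL list is
copied from the "Malware Config" section above; the DNS log lines are constructed
for illustration and the Zeek-like column layout is simplified.
"""
from urllib.parse import urlsplit

# Copied verbatim from the extracted lumma config.
LUMMA_C2_URLS = [
    "https://technologyenterdo.shop/api",
    "https://detectordiscusser.shop/api",
    "https://turkeyunlikelyofw.shop/api",
    "https://associationokeo.shop/api",
]

# Constructed sample, loosely modelled on Zeek dns.log (tab separated, '#' header line).
SAMPLE_DNS_LOG = [
    "#fields\tts\tid.orig_h\tquery",
    "1708977140.11\t10.0.0.17\twww.microsoft.com",
    "1708977151.52\t10.0.0.17\ttechnologyenterdo.shop",
    "1708977152.03\t10.0.0.17\tcdn.associationokeo.shop",
    "1708977160.88\t10.0.0.23\tnotassociationokeo.shop",
    "1708977161.40\t10.0.0.23\tshop.example.net",
]


def c2_hosts(urls):
    """Reduce config URLs to lower-case hostnames; DNS logs never show the /api path."""
    hosts = set()
    for url in urls:
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts


def host_matches(query, hosts):
    """Exact host or a subdomain of it; 'notassociationokeo.shop' must not match."""
    query = query.lower().rstrip(".")
    return any(query == h or query.endswith("." + h) for h in hosts)


def sweep_dns_log(lines, hosts):
    """Return one hit per log line whose query resolves a C2 host."""
    hits = []
    for line in lines:
        if line.startswith("#"):
            continue
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 3:
            continue
        ts, src, query = fields[0], fields[1], fields[2]
        if host_matches(query, hosts):
            hits.append({"ts": ts, "src": src, "query": query})
    return hits


def suricata_dns_rules(hosts, base_sid=9000001):
    """One Suricata rule per C2 host on the dns.query buffer (sids count up from base_sid)."""
    rules = []
    for i, host in enumerate(sorted(hosts)):
        rules.append(
            "alert dns any any -> any any "
            f'(msg:"Lumma C2 DNS lookup {host}"; dns.query; content:"{host}"; '
            f"nocase; endswith; sid:{base_sid + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    hosts = c2_hosts(LUMMA_C2_URLS)
    for hit in sweep_dns_log(SAMPLE_DNS_LOG, hosts):
        print(hit)
    print("\n".join(suricata_dns_rules(hosts)))
```

Hostnames from a single Lumma build age quickly, so the durable part of this is the sweep and the subdomain-aware match, not the four strings; the /api path on its own is far too generic to alert on.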
Signatures

Executes dropped EXE (1 IoC)
  pid   process
  3600  spoofer.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description        ioc  ->  process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  ->  taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  ->  taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  ->  taskmgr.exe
  Note: all three reads are attributed to taskmgr.exe (PID 4476), not to the dropped spoofer.exe (PID 3600), so this signature does not by itself show the sample fingerprinting the sandbox. The \Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A key is the device property DEVPKEY_NAME; with FriendlyName it gives the disk's displayed identity (vendor "DADY", product "HARDDISK" in this run).

Suspicious behavior: EnumeratesProcesses (35 IoCs)
  pid   process
  4476  taskmgr.exe   (35 identical hits)

Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description                        pid   process
  Token: SeRestorePrivilege          3428  7zG.exe
  Token: 35                          3428  7zG.exe       (privilege left as a LUID by the sandbox; 35 is SE_CREATE_SYMBOLIC_LINK_PRIVILEGE in winnt.h)
  Token: SeSecurityPrivilege         3428  7zG.exe
  Token: SeSecurityPrivilege         3428  7zG.exe
  Token: SeDebugPrivilege            4476  taskmgr.exe
  Token: SeSystemProfilePrivilege    4476  taskmgr.exe
  Token: SeCreateGlobalPrivilege     4476  taskmgr.exe
  Token: 33                          4476  taskmgr.exe   (privilege left as a LUID by the sandbox; 33 is SE_INC_WORKING_SET_PRIVILEGE in winnt.h)
  Token: SeIncBasePriorityPrivilege  4476  taskmgr.exe

Suspicious use of FindShellTrayWindow (61 IoCs)
  pid   process
  3428  7zG.exe       (1 hit)
  4476  taskmgr.exe   (60 identical hits)

Suspicious use of SendNotifyMessage (60 IoCs)
  pid   process
  4476  taskmgr.exe   (60 identical hits)
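The SCSI signature above is the one behavioural hint of sandbox awareness in the run, and the report flattens its three rows into one line, which hides both which process read the keys and what was read. The parser below is an added example, not sandbox output: it splits the rows as the report renders them, pulls the vendor and product strings out of the Enum\SCSI device path, marks the reads that return the disk's displayed identity (FriendlyName and the DEVPKEY_NAME property key), and tallies them per process. The row descriptions beyond the two that appear in this report, and the list of hypervisor disk marker strings, are assumptions for illustration.

```python
"""Parse the registry IoC rows behind the "Checks SCSI registry key(s)" signature.

Added example for this report, not sandbox output. The row text is copied from the
signature above. Row descriptions other than "Key opened" / "Key value queried",
and the list of virtual-disk marker strings, are assumptions for illustration.
"""
import re
from collections import Counter

# Copied from the signature's IoC table, exactly as the report flattens it.
SCSI_IOC_TEXT = (
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe "
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000"
    r"\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe "
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe"
)

# One row is "<description> <\REGISTRY\...path> <process>". Only "Key opened" and
# "Key value queried" occur in this report; the other alternatives are assumed.
ROW_RE = re.compile(
    r"(?P<desc>Key (?:opened|created|deleted)|Key value (?:queried|set))\s+"
    r"(?P<path>\\REGISTRY\\\S+)\s+"
    r"(?P<proc>\S+\.exe)(?=\s|$)"
)

# Enum\SCSI\<type>&Ven_<vendor>&Prod_<product>\<instance id>
DEVICE_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&\\]+)&Prod_(?P<product>[^\\]+)",
    re.IGNORECASE,
)

# Leaves that return the disk's human-readable identity. The GUID\000A key is the
# device property DEVPKEY_NAME ({b725f130-47ef-101a-a5f1-02608c9eebac}, 10).
IDENTITY_LEAVES = ("FriendlyName", "{b725f130-47ef-101a-a5f1-02608c9eebac}\\000A")

# Illustrative substrings seen in vendor/product strings of common hypervisor disks.
# Not taken from the report; compare against your own hardware baseline in practice.
VIRTUAL_MARKERS = ("VBOX", "QEMU", "VMWARE", "VIRTUAL")


def parse_rows(text):
    """Split the flattened IoC text into one record per registry operation."""
    rows = []
    for m in ROW_RE.finditer(text):
        path = m.group("path")
        dev = DEVICE_RE.search(path)
        rows.append({
            "desc": m.group("desc"),
            "path": path,
            "proc": m.group("proc"),
            "vendor": dev.group("vendor") if dev else None,
            "product": dev.group("product") if dev else None,
            # True when the operation returns the disk's displayed name.
            "identity_read": path.endswith(IDENTITY_LEAVES),
        })
    return rows


def looks_virtual(vendor, product):
    """Crude check of the vendor/product pair against the illustrative marker list."""
    blob = f"{vendor or ''} {product or ''}".upper()
    return any(marker in blob for marker in VIRTUAL_MARKERS)


def summarise(rows):
    """Per-process count of disk-identity reads, which is what an analyst triages."""
    return Counter(r["proc"] for r in rows if r["identity_read"])


if __name__ == "__main__":
    parsed = parse_rows(SCSI_IOC_TEXT)
    for r in parsed:
        print(r["desc"], r["proc"], r["vendor"], r["product"], r["identity_read"])
    print(dict(summarise(parsed)))
```

Run against the report's rows, every record comes back attributed to taskmgr.exe, and the vendor string DADY is deliberately not flagged by the marker list: the point is to compare it with the disk identities you expect on your own hosts, not to trust a canned list. The same parser applies to any other registry signature the report renders in this flattened form.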
Processes

C:\Windows\Explorer.exe  (PID 1544)
  C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\PALWORLD_TRAINER.zip

C:\Windows\System32\rundll32.exe  (PID 2440)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe  (PID 3428)
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\PALWORLD_TRAINER\" -spe -an -ai#7zMap7206:90:7zEvent1499
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Desktop\PALWORLD_TRAINER\PALWORLD TRAINER\spoofer.exe  (PID 3600)
  "C:\Users\Admin\Desktop\PALWORLD_TRAINER\PALWORLD TRAINER\spoofer.exe"
  - Executes dropped EXE

C:\Windows\system32\taskmgr.exe  (PID 4476)
  "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize:  425KB
MD5:       168d7b4ca5c63b61d5f48f0911868b2c
SHA1:      daf966bd0ac55c862ce5574ee7d5420123ac94e4
SHA256:    601c05bd2d1c908d123dac33d1c15552c138acb294124cbdd86b12c9f35e2655
SHA512:    da5ebb40849fedafc5a3ac7c48a0142c6eb5ccefe788b6c07491a757aa9e9b4f3d8b76e1dacf0600a833aade05c309b9661e8fd40080d4ba8f4cf4ea3d59900f