786c9b8faa465de36f6a9dbbdb7ede07e5e14a61703a6b95b3a45011b6127033

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Titan Quest V1.30 Trainer +8 MrAntiFun.exe
Size

4.6MB
MD5

873e7b9a07908ccd7005cb13a5879f10
SHA1

277f56a1611d7c27f5934e902db50c57c0e97381
SHA256

6efd4a0fbf13f72e1759fa2c4a5b9e6ac19d6bd654a432d89cab559630894500
SHA512

7ec643dde15969bf05f756cf183273ddcab4a1dfb61de81a3f94976f912464e6f0c4e0e189273fbd8d67ecf0c6c287df862495c04b8191b00ecaa62cc52989e2
SSDEEP

98304:KdP1sBzsvOkTD04/MBxDNhgLnaIgQFgWgXxQeluEC3OF0b:KIBwDZMbZhgLaXigXxZzmOF0b

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4940	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe

Loads dropped DLL 2 IoCs

pid	Process
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wsock32.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\hhctrl.ocx	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\msimg32.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\bcryptPrimitives.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\explorerframe.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\gdi32full.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\shcore.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\SHLWAPI.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\MSCTF.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\TextShaping.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\winmm.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\opengl32.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\Wldp.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\profapi.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\msvcp_win.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\imagehlp.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\version.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\ntdll.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\KERNEL32.DLL	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\imm32.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\clbcatq.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\sechost.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\comdlg32.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\kernel.appcore.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\msvcrt.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\shfolder.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\psapi.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\KERNELBASE.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\combase.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\user32.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\RPCRT4.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\win32u.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\wininet.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\advapi32.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\windows.storage.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\oleaut32.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\ucrtbase.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\ole32.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\GLU32.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\uxtheme.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\PROPSYS.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\apphelp.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\GDI32.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\ws2_32.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\comctl32.dll	Titan Quest V1.30 Trainer +8 MrAntiFun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
Token: SeTcbPrivilege	3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
Token: SeTcbPrivilege	3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
Token: SeLoadDriverPrivilege	3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
Token: SeCreateGlobalPrivilege	3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
Token: 33	3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
Token: SeSecurityPrivilege	3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
Token: SeTakeOwnershipPrivilege	3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
Token: SeManageVolumePrivilege	3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
Token: SeBackupPrivilege	3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
Token: SeCreatePagefilePrivilege	3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
Token: SeShutdownPrivilege	3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
Token: SeRestorePrivilege	3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
Token: 33	3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe
Token: SeIncBasePriorityPrivilege	3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3496	Titan Quest V1.30 Trainer +8 MrAntiFun.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 4940	3596	Titan Quest V1.30 Trainer +8 MrAntiFun.exe	85
PID 3596 wrote to memory of 4940	3596	Titan Quest V1.30 Trainer +8 MrAntiFun.exe	85
PID 3596 wrote to memory of 4940	3596	Titan Quest V1.30 Trainer +8 MrAntiFun.exe	85
PID 4940 wrote to memory of 3496	4940	Titan Quest V1.30 Trainer +8 MrAntiFun.exe	87
PID 4940 wrote to memory of 3496	4940	Titan Quest V1.30 Trainer +8 MrAntiFun.exe	87
PID 4940 wrote to memory of 3496	4940	Titan Quest V1.30 Trainer +8 MrAntiFun.exe	87

C:\Users\Admin\AppData\Local\Temp\Titan Quest V1.30 Trainer +8 MrAntiFun.exe
"C:\Users\Admin\AppData\Local\Temp\Titan Quest V1.30 Trainer +8 MrAntiFun.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6959.tmp\Titan Quest V1.30 Trainer +8 MrAntiFun.exe
  "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6959.tmp\Titan Quest V1.30 Trainer +8 MrAntiFun.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6959.tmp\extracted\Titan Quest V1.30 Trainer +8 MrAntiFun.exe
    "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6959.tmp\extracted\Titan Quest V1.30 Trainer +8 MrAntiFun.exe" "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6959.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6959.tmp\CET_Archive.dat

Filesize
4.2MB

MD5
f494c981eeae95166eaae4d5c2e8768f

SHA1
299670c28ea76ba0932f59dcaff010a5ede0084e

SHA256
98a7040944ef2ba97d4e438c3ff4fcf531a5274aa7e59c021b02416aefc75d6e

SHA512
a1b27b1997ace690ebe65caa45aea9301aa835b81a570d8425cbc1b1c41959e51dcf109bfdb82633bf9380885b789de8182d06c3f924b49c33d2fcef5b9ae3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6959.tmp\Titan Quest V1.30 Trainer +8 MrAntiFun.exe

Filesize
193KB

MD5
6852660b8cbb67ee3f1e31bf2f1e0afd

SHA1
c1b790e062f3a13d3e2f90c58e92ded585abbe3b

SHA256
cd86234cf14dfc0e66ae9e575326fd0cf74723a5a60337f7079c0540b6da5c8b

SHA512
5722ebf6bef799721464094c6d6a81931bf8f78bdd1fbe12b153cf7b0e4e9e7307fa7a01e0cc16ce885c20c3a0a3cc95d6a7d86413f0c61cca3450fa565dd6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6959.tmp\extracted\CET_TRAINER.CETRAINER

Filesize
533KB

MD5
5c7418049e53ac2521f44624dee14994

SHA1
3ebf754676ec6edeaa60251a15a6de4516aff099

SHA256
648c08d59efa1a0cd209e3565956bce005f9c15f58d4b5462ad150cfbfc47c2c

SHA512
bea9530b658a50bbfcbd3bee17929a3266a49b4c447c7e1229d7fa0936915c077ff4a3b2c86ead80dc6097692f422425ace7dff724972169b2039e50628be217

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6959.tmp\extracted\Titan Quest V1.30 Trainer +8 MrAntiFun.exe

Filesize
7.6MB

MD5
07fc3983fa0c7aeb157a6372db3ac969

SHA1
191d39f80985c76ac280217d79ce00cb7f0dd23a

SHA256
db8dcf1be8218546804d4af6bdc4d00c8999289a12300ec075bb206725cd9376

SHA512
95c6245690bef555ac62d9c9d07d53903cf29547b404a3574bc39eab0291134b26cfa950659e591fd85be502b7c5fdda40b423c482b8d5e09bf5bf48fc12ce41

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6959.tmp\extracted\defines.lua

Filesize
5KB

MD5
1dc41a0a351e745085fcc98a3933d91f

SHA1
bf1e7d333e6d7b3d4bfe5cdcada19af1931dbe15

SHA256
a2e02dd32f0245ff31190288b368b3efbbe7c48a95dd22c321231c2f46597d9b

SHA512
76f171411d028e72613859332f381f8f26e85d1844c143a8888e4937ca72d7b38ffe66ce617eee5e8155ba034dcc559a9417b5def056bb74227b9bae392d1440

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6959.tmp\extracted\lua53-32.dll

Filesize
491KB

MD5
c8f47a0e750e07d86a47b3296fb59a97

SHA1
1f894c9aa88dd2448e50ab5e7277cd4b4c629c6d

SHA256
dcfd91f21dee9e70179337a85d21b3ca925f1a6c21de9576aa5219732b7c7a86

SHA512
e154a097e8e174a47fea76c96d1c27d93cf9bfbdc47eeef56486cc3d2e661649a1d7da5cfe0ce220ea172f4646ab4eecbd2e1594011d0a8ca1eb416cd84b8b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET6959.tmp\extracted\win32\dbghelp.dll

Filesize
1.2MB

MD5
9139604740814e53298a5e8428ba29d7

SHA1
c7bf8947e9276a311c4807ea4a57b504f95703c9

SHA256
150782fca5e188762a41603e2d5c7aad6b6419926bcadf350ebf84328e50948f

SHA512
0b99259e9c0ee566d55cc53c4a7eabf025ed95973edc80ded594023a33f8273cd5d3f3053993f771f9db8a9d234e988cba73845c19ddc6e629e15a243c54cd5d

Download Submit
memory/3496-20-0x0000000006770000-0x0000000006771000-memory.dmp

Filesize
4KB

Download
memory/3496-22-0x0000000006770000-0x00000000067B0000-memory.dmp

Filesize
256KB

Download
memory/3496-23-0x0000000006770000-0x00000000067B0000-memory.dmp

Filesize
256KB

Download