Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
31/05/2024, 07:45
General
-
Target
Dawn Of War 2 Chaos Rising V2.6.0.10243 Trainer +2 MrAntiFun.exe
-
Size
4.2MB
-
MD5
18cfa937a2f6fa08679d0ce7ee2de24b
-
SHA1
6f6c09cfc743fc8c3b88056c25d66d00c66b4cc5
-
SHA256
55f8a84c4b3c1b12e0b9bea35dd8369a164b04bb53aef89dcb416e132bcc4856
-
SHA512
dc0c99dcd382731bf26ebc1f325d8116d679c4eb7d66a785c2677b9041cf0e923f76dabc8245d70980941c77db822edf2a48e9e868d94425ce3d94f680ed1c28
-
SSDEEP
98304:90XXdEixHBYtqQWIZcolPlp/5G0d8mkgW0EL1AdZckzif:YXd4qQH6Ap/xU0wAdaf
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in System32 directory 44 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Dawn Of War 2 Chaos Rising V2.6.0.10243 Trainer +2 MrAntiFun.exe"C:\Users\Admin\AppData\Local\Temp\Dawn Of War 2 Chaos Rising V2.6.0.10243 Trainer +2 MrAntiFun.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET42F4.tmp\Dawn Of War 2 Chaos Rising V2.6.0.10243 Trainer +2 MrAntiFun.exe"C:\Users\Admin\AppData\Local\Temp\cetrainers\CET42F4.tmp\Dawn Of War 2 Chaos Rising V2.6.0.10243 Trainer +2 MrAntiFun.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET42F4.tmp\extracted\Dawn Of War 2 Chaos Rising V2.6.0.10243 Trainer +2 MrAntiFun.exe"C:\Users\Admin\AppData\Local\Temp\cetrainers\CET42F4.tmp\extracted\Dawn Of War 2 Chaos Rising V2.6.0.10243 Trainer +2 MrAntiFun.exe" "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET42F4.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c start http://mrantifun.net/4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://mrantifun.net/5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbfba346f8,0x7ffbfba34708,0x7ffbfba347186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,9172558931859304438,2190582411018091079,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,9172558931859304438,2190582411018091079,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:36⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,9172558931859304438,2190582411018091079,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,9172558931859304438,2190582411018091079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,9172558931859304438,2190582411018091079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,9172558931859304438,2190582411018091079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,9172558931859304438,2190582411018091079,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,9172558931859304438,2190582411018091079,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,9172558931859304438,2190582411018091079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,9172558931859304438,2190582411018091079,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,9172558931859304438,2190582411018091079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,9172558931859304438,2190582411018091079,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,9172558931859304438,2190582411018091079,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1852 /prefetch:26⤵
-
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5eaa3db555ab5bc0cb364826204aad3f0
SHA1a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca
SHA256ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b
SHA512e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4
-
Filesize
152B
MD54b4f91fa1b362ba5341ecb2836438dea
SHA19561f5aabed742404d455da735259a2c6781fa07
SHA256d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c
SHA512fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac
-
Filesize
192B
MD59fc358326197ccde2f9944d1a492d26e
SHA176dd3a54513b2953177ae41b75128cb3ff29b60b
SHA25692442840be9d3eab66ad0593741915527caa03577bcc7aa1937f91e2a9c971be
SHA512a8bf0ad52681b4a64781c85bdc756f441153f55dd0869e15e2ea40671ebf475dad268f3e3a9f813adbad39e23d3b66b5826080ab4bd08e3acb62daf0c8f1a958
-
Filesize
664B
MD5bafd9f7b01f4b1f214a70f483853fd41
SHA11211b79f75e753d27b9c08e9b4f985efe6d38736
SHA25693af6d4f141d4971712c2d4f6108c7ea5363fa92ad4c582d01d4fefd12b09034
SHA512d80ce63fdccc18ce84f7cb86ce19c229fd1400b0e5839562112c8c05c36effbbe35e2cfaab7949af4a2a367c190e9355d1f390f5da90e14dfd1bf6fa2c997214
-
Filesize
6KB
MD5d94110859cf3e522384306211ddd0ad4
SHA1a1b65cc29ecdfa4b48902edf4e7b469a2643c86c
SHA2561e888fa2ab18c87f48c9f6acd5cfe4addc1bb999410857ba49adcc996dc495bb
SHA512a143eed400bda0b7334945fddbe154f3285b2a5e843f5844d7721af6345e9e8f8ba3826418a48ccfddfa90fb0ace311a5de4188825f3e3c43bfbbffe2605e475
-
Filesize
5KB
MD549524a35b58348e71adf67a2a3741ef6
SHA153709565ded1c1102b3236a3893bccba6c416486
SHA2568be0c7db099321bc41fc38181085417ed89c747f9da9a1b6d79829293b9ba5d9
SHA512956fb72edb29cad16f2d875263d43555a9489032ef1c7abb04a15283629d8bcee61f5e4ab2765fb2d52ce40033d9b65a21907f99c7e41b1221dd60595a5eca6a
-
Filesize
72B
MD557d58e580b6a242a08f7bd595eb54c48
SHA1db291ef851e69133a38c159583e6d6b4faa76c78
SHA2569975948420884ae6e4aa2d4b12f0db280c1a3716fa359b2b424927a4d31addd2
SHA5121b0d0923cc4875dc7cdddb3b6c87af69fb534956d9d9bb9b671dd0c72441bf6b738c302b5466821e7c0cab97d8d143b28c1e6c04cf154f6284994013f5127d37
-
Filesize
48B
MD5f86cb0a965797fa98642c3109fc46b6a
SHA140d4cbdeb3ffdb17dcbee79d35b11def036dae14
SHA2563f8580f0a8fc5e4972d15097f6b9f014465fa06ac4744d58857d0e10fc801849
SHA5124b1916e1aed76f31204cc66eb67d4e356bfcda5488a838d80f79204f679dbc98c4f8ff4fe68e6dc6382b428c73c112fc70e9db9fc2e03261f787d55da261e0b9
-
Filesize
89B
MD555bee0a02af2d03685e2e9389a6982e8
SHA1f9fcc19569cf0257ec69785ea13416149fe79155
SHA25689e760f689b9bef55de4f769b77def42d5c70f805dab27d46bcc992dd0174460
SHA51288e0b2c25311750cfef27948e296e08ba01ec940bb762372e6c74245506bc8cfdfdfaa01763924436fcf2f53440768b96d57efaa6b6cde263644b25aa0d56f03
-
Filesize
83B
MD56498b57035fa35974367b015a7ebf95d
SHA1d0682ffa7ca9df845bf60c2134882878323244ff
SHA256e372a0ec02c58b9c4fe8e1ce38707571a1663be299910858adc78124abbf5078
SHA512ebde58c31fe480642082f9f0a253d66fa8e89254a26601dd6abc872d176defd20321288d8635390c345492ced47a6b573bc858de89d8b1aea56472a406e6fc36
-
Filesize
72B
MD5b37a82075ca953dae832b3a92625d2e0
SHA13f5ecb2949955a6663c5dc1e2f6d33c6899e91ab
SHA25681a8d64799c3a66cf24b51bee0ed6c45d9a0785a314bc2b235fe6a1b2ab2e412
SHA512db176e69122397ebcf34fb08b52abe201c24ce75d56035481373fde5995e470f0f9653bc24f2392c1e546802c997c7cb65cdffb6fb2975324b5096bbee7723e6
-
Filesize
48B
MD531e72379a5683a25be337a5fa2c1e9b5
SHA12b6a9bde9dff6ad3133ebb6bbeca11313d81815c
SHA2561b114890e3a1f4322e0ad21296b9158f420160866f95b052211654bb2cec541a
SHA5120ca7eb0712c399529fa4dd21e60fb9b51440932b85aa84c019b89888d5bb7d2c4a746ffd699150379a3c1030d55cf63f36d7a4b49ef27400cb5982602883fae7
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5464f5a4f5893f2c5302b1435a650fbba
SHA1224a22644346bab4cd86a8dd5dc5372b222df096
SHA2567de2a76610f4e4f0d5099e31662c3361459b132bdaf8df3d8b39dc58bb6cd457
SHA512db0558c6eba5f853f3de35aace579e21ac24ae4d82d75f19ad3c56f7ab0b903387c1ccf68910e6561564bc7436b9da9793d2440a936465f91a60b0400838bfe5
-
Filesize
3.9MB
MD57acd06a607f10d2ebf84be706550b0f9
SHA1cbacda8aa86f4eaf5b75aee631056754ae6a96b9
SHA25617b166ab6f08e090ce52e3aeab4192b4a25549f4410dafd5fed15e02249eb745
SHA51266c4170b3341471761d3dbba6d06c80a115727319d0d2489aafd56e249960edad8c0fd5e9fd82810f456c67123d6966d9cde6d9fd41f7b909efbfaee23f17528
-
Filesize
196KB
MD5808de473370ef6b5d98ab752f245a3ca
SHA1800bd4ad10c17471829693fac3cee4502b14f029
SHA25665cbed2e8db313b8966638e40eb27f94156c294eb060b28a02c130d146518c39
SHA512fafaff03ad502523b3627e59e1026b8af4217a80215782a90667bc4f4c330871d8c3d890f2601b68ec9a42c0171d12b9e5b87067c95dcad1132b0a8979c56a4c
-
Filesize
298KB
MD5c1dc8d7d6ccac85af8cec016fb88e433
SHA1be60bf7a939597e0295fea9670db62a7355d6438
SHA25639c6d81bd2b959cb36b564eff4fd27ee102d3acc1a15cd98ff1f56e4dec32f57
SHA512db83d038deb1e2e4e1f97d5fe62c97ad0d5520cad05076935cc82984d9484d8fa712396bbb1200b0e438167e99d1322bc1ebbbd99b3d91ea5c51cbce37b0ab36
-
Filesize
7.3MB
MD536907aa4585e7b06a4c471d3bb9ed719
SHA16414c458ab2123f186938ecbb21cda359a15505d
SHA25603b71aca53dd5562683694b754e01652336b40fb9c38efb14f5d09e891df90b6
SHA512cfaf333cbbb0ddc63cd10237e436c1dead130e2ebc97590c96171d83a2b783a59e025e45809737b9c4f95b66a3a74b75b91fcf6fc1c09a7624177a029d902e07
-
Filesize
5KB
MD5d8f9b4a10a48ebd8936255f6215c8a43
SHA17d8ff0012fa9d9dcf189c6df963f1c627f2ccb76
SHA256d4347332b232622283e7dd3781f64966bd1097d06cca7052b467cf99e62898f2
SHA51267db5dc65fef66fe3a1920c5f406091d17eeae27266039af392a166d63686b8fc61b94684f2b97762995aefa42d2d15148213ecef64cc0df04de19320abba97a
-
Filesize
329KB
MD52730ff589ae86ef10d94952769f9404f
SHA18010834297a6aa488e6bf90eceaaf9e60bb60c6e
SHA256faf0850051ba175347e40481da9e2cc3a122a09d428925042932be555db06e6b
SHA5125fb35eb364603568b67ce0d19371016a382bc62500de807a12492ceacd5d2b765e0908e2e7e9798446b6c005c0e48c0da74c1a0f9d55c49a8ef4eb3c3d1307e0
-
Filesize
1.2MB
MD59139604740814e53298a5e8428ba29d7
SHA1c7bf8947e9276a311c4807ea4a57b504f95703c9
SHA256150782fca5e188762a41603e2d5c7aad6b6419926bcadf350ebf84328e50948f
SHA5120b99259e9c0ee566d55cc53c4a7eabf025ed95973edc80ded594023a33f8273cd5d3f3053993f771f9db8a9d234e988cba73845c19ddc6e629e15a243c54cd5d
-
Filesize
4KB
-
Filesize
256KB
-
Filesize
256KB