Analysis
  max time kernel: 188s
  max time network: 158s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-fr
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-fr, locale:fr-fr, os:windows10-2004-x64, system, windows
  submitted: 08/06/2024, 09:14
  Static task: static1
  Behavioral task: behavioral1
  Sample: Euro Truck Simulator 2 v1.16.x.x - v1.50.x.x Plus +15 Trainer.exe
  Resource: win10v2004-20240508-fr
General
  Target: Euro Truck Simulator 2 v1.16.x.x - v1.50.x.x Plus +15 Trainer.exe
  Size: 1.4MB
  MD5: 703ca81af310fdf04680883b03f4e42a
  SHA1: c3aa4e6392eeecdcf4b11d9bde47f4bb63adfb64
  SHA256: a9381acdda22cc627242244cebe8a4a68ed2c43d9da804271efd62ed8bb2a0f1
  SHA512: 3f759996fc1f5e1665a6af59153a0d85b30a5db5618cc2b8a2287ce46b2722a85f36e19cfa85d45d5dcb801de6558d02b8da6a9ae42506049f4013994a6da9e7
  SSDEEP: 24576:RQ9zseTy/mdQlq6JXF5u5S3raYQKr3XDMhzPX31J6g85wHQvzzwdasvOO:RQ9z2mdQlJXF5KyraTKrDM1P6g855AIm
Malware Config
Signatures

.NET Reactor protector (1 IoC)
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
  resource | yara_rule
  behavioral1/memory/2268-1-0x00000178F42F0000-0x00000178F443E000-memory.dmp | net_reactor

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | taskmgr.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2268 | Euro Truck Simulator 2 v1.16.x.x - v1.50.x.x Plus +15 Trainer.exe
  3252 | taskmgr.exe
  (64 entries in total, all attributed to these two processes: the first entries are the trainer alone, after which taskmgr.exe entries interleave with the trainer's.)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  3252 | taskmgr.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2268 | Euro Truck Simulator 2 v1.16.x.x - v1.50.x.x Plus +15 Trainer.exe
  Token: 33 | 2268 | Euro Truck Simulator 2 v1.16.x.x - v1.50.x.x Plus +15 Trainer.exe
  Token: SeIncBasePriorityPrivilege | 2268 | Euro Truck Simulator 2 v1.16.x.x - v1.50.x.x Plus +15 Trainer.exe
  Token: SeDebugPrivilege | 3252 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 3252 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 3252 | taskmgr.exe
  Token: 33 | 3252 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 3252 | taskmgr.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid | Process
  3252 | taskmgr.exe
  (All 64 entries are taskmgr.exe, PID 3252.)

Suspicious use of SendNotifyMessage (64 IoCs)
  pid | Process
  3252 | taskmgr.exe
  (All 64 entries are taskmgr.exe, PID 3252.)
Processes

C:\Users\Admin\AppData\Local\Temp\Euro Truck Simulator 2 v1.16.x.x - v1.50.x.x Plus +15 Trainer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Euro Truck Simulator 2 v1.16.x.x - v1.50.x.x Plus +15 Trainer.exe"
  PID: 2268
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 3252
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4680

C:\Windows\System32\cwwwvr.exe
  Command line: "C:\Windows\System32\cwwwvr.exe"
  PID: 3704