0f2cdb5eacdfe8c93578e78b84cdc0d5069018f697190e5efffd26dce9acaa71

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
16/06/2024, 12:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Crysis2_v1.9.Tr8/cs2v1.9trn.exe
Size

3.3MB
MD5

491ffa8c202524df5f1f3f20e8812248
SHA1

f7c144fd051b565b21910293f80c3246b648b561
SHA256

2eb5bcc87e6d83f6254279d4342a5ba854305862c2da928e99ec14ab2fdc1d3d
SHA512

ec34e8bb21780e1c3a684a94f4142ee12b611c9b208fa0cb804b8b01ab8d42fee1b570d940114c6ebbe29bb59f7f6e4d0b9ef831527b5841ea1cec42ef2ded0a
SSDEEP

49152:TWYqyLGzowuKQsD95ftdSBKqGyYjFDjudpfnQszk0X7eZaz9UzabDXiDLTeL9H1c:a/t+s55HoEDCnnxX7Vz9pDXuHeFqHRC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1716	cs2v1.9trn.exe
2192	cs2v1.9trn.exe

Loads dropped DLL 4 IoCs

pid	Process
2200	cs2v1.9trn.exe
1716	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe
2192	cs2v1.9trn.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2192	cs2v1.9trn.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	cs2v1.9trn.exe
Token: SeLoadDriverPrivilege	2192	cs2v1.9trn.exe
Token: SeCreateGlobalPrivilege	2192	cs2v1.9trn.exe
Token: 33	2192	cs2v1.9trn.exe
Token: SeSecurityPrivilege	2192	cs2v1.9trn.exe
Token: SeTakeOwnershipPrivilege	2192	cs2v1.9trn.exe
Token: SeManageVolumePrivilege	2192	cs2v1.9trn.exe
Token: SeBackupPrivilege	2192	cs2v1.9trn.exe
Token: SeCreatePagefilePrivilege	2192	cs2v1.9trn.exe
Token: SeShutdownPrivilege	2192	cs2v1.9trn.exe
Token: SeRestorePrivilege	2192	cs2v1.9trn.exe
Token: 33	2192	cs2v1.9trn.exe
Token: SeIncBasePriorityPrivilege	2192	cs2v1.9trn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2192	cs2v1.9trn.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 1716	2200	cs2v1.9trn.exe	28
PID 2200 wrote to memory of 1716	2200	cs2v1.9trn.exe	28
PID 2200 wrote to memory of 1716	2200	cs2v1.9trn.exe	28
PID 2200 wrote to memory of 1716	2200	cs2v1.9trn.exe	28
PID 1716 wrote to memory of 2192	1716	cs2v1.9trn.exe	29
PID 1716 wrote to memory of 2192	1716	cs2v1.9trn.exe	29
PID 1716 wrote to memory of 2192	1716	cs2v1.9trn.exe	29
PID 1716 wrote to memory of 2192	1716	cs2v1.9trn.exe	29

C:\Users\Admin\AppData\Local\Temp\Crysis2_v1.9.Tr8\cs2v1.9trn.exe
"C:\Users\Admin\AppData\Local\Temp\Crysis2_v1.9.Tr8\cs2v1.9trn.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1AF0.tmp\cs2v1.9trn.exe
  "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1AF0.tmp\cs2v1.9trn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1AF0.tmp\extracted\cs2v1.9trn.exe
    C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1AF0.tmp\extracted\cs2v1.9trn.exe "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1AF0.tmp\extracted\CET_TRAINER.CETRAINER"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1AF0.tmp\CET_Archive.dat

Filesize
3.1MB

MD5
795b93629205df600ec3212895e4d372

SHA1
68d39ba24bb5a9ad71ca93aea75374c5503fd2a7

SHA256
f054f1aa465f817a203079a35fc09ca2acff20f457fa5120cc5612bc4e458f26

SHA512
b6d04a3b515f4ab368dd63c8abf607db336369ee95f0c31b6f7f32fbe9c45c747f54d6c4bb4d3bb7c106b614612c0125ab129fc634337258507d798c9b3e9bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1AF0.tmp\extracted\CET_TRAINER.CETRAINER

Filesize
200KB

MD5
4e2b82bebaa4d3df18bf174115c70aa0

SHA1
8e7dc54fff2dd20dbfb98c96d03e95a0cd068b55

SHA256
82c641a34b9db676253f971194ea6d420263f8689ae475e20487de3db65cb5bd

SHA512
f15f6956ea87e418c8ef808d49ffa04fbf59f5763d2e9b3c00fc74cad277501c2cb4d093b7ec071881484591408084b316f7ab1149b01fa1c7ad63ec0893380c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1AF0.tmp\extracted\defines.lua

Filesize
3KB

MD5
31065eca47aa65a75033dddd13e90755

SHA1
d4ee2db8aeb1b05060b0e9f130a27f6ccf16f18b

SHA256
317025f2cb7f93ffefb5c87fecf445e4fcaadfbd00ee9ac3e65b803c2b980534

SHA512
99045cb9f1475da98559b56d8bdae2414ead3544f419d4c3fe40c5e5b9679f48a870077fa0a54a3ea8e5d511842a868f088cbd35a44b72a2687897fdd683ec92

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1AF0.tmp\extracted\lua5.1-32.dll

Filesize
321KB

MD5
859be12ad1e4ace1418ff3a069b35115

SHA1
88ac1d322b610c8e57d7e0b275dfe525d7525e59

SHA256
9a99ea10acd1378ccc4f23a91b00b9969d640419779b17711b21f2100d2db48c

SHA512
2ec4615473843e5e723b09fdda510ce3d4cc64e46c92340561d4a09a975cc8d9d1162ca3d3f952c939b38557e5014fffd9976dfec3a7239472056d51136d7347

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1AF0.tmp\extracted\win32\dbghelp.dll

Filesize
1.2MB

MD5
4003e34416ebd25e4c115d49dc15e1a7

SHA1
faf95ec65cde5bd833ce610bb8523363310ec4ad

SHA256
c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f

SHA512
88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CET1AF0.tmp\cs2v1.9trn.exe

Filesize
183KB

MD5
7037a98950fa4011691b8121da1a20e1

SHA1
8dbb0dc51efc5afb6839a647d9b38f56b9310528

SHA256
49f55634873319d06dd9a32f2c0b63ebd6cbdffdbcbad7162b7c31f50d3c7da1

SHA512
60a4ac59b8ce840dfa37dcac4785a18b76a55fd7dd55aa6bef4cd503a33959c74941da98211e27e082e533e47eeb176fc99bed91b4827bec904135a372d9128a

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CET1AF0.tmp\extracted\cs2v1.9trn.exe

Filesize
6.0MB

MD5
ab9983b19ae94f47cc870e1914955370

SHA1
42641e6015220db5095b28606c82c003e2db097b

SHA256
ce481709c585d0efeebabce7da99ed338d0faa80556eac6fd150fd44ed1f0b48

SHA512
eb60a4249a765d3972d60ec237098a6cf81dc554bed9950728423b2c69a01c3ae1df36df7db8dede4b5d88dee02c5f9a9eac460bf5893f052418de5fff48e5fb

Download Submit
memory/1716-22-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2192-23-0x0000000000400000-0x0000000000A0A000-memory.dmp

Filesize
6.0MB

Download