Resubmissions

19-06-2024 15:50

240619-s9zckaxfnk 7

19-06-2024 15:46

240619-s7ns2sxfjp 7

Analysis

  • max time kernel
    36s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    19-06-2024 15:50

General

  • Target

    Roboquest V 1.0.0.7420 TENOKE Plus 4 Trainer 64.exe

  • Size

    12.6MB

  • MD5

    9fdd2ae2d7858ec35b6b74bc48f9e742

  • SHA1

    50fa99dbcb48bdcd6937b02666a8201a731c98cf

  • SHA256

    fabab3d61bf022a4b30822a4056acf823bf3af730d73bb8fd08bd1dfe1ba8b34

  • SHA512

    6494175c7e86e722b402eb0b037b9f352034ca9f6d7c9d1a92dbf34ba88d90543d6262efd982c6a839bb51babfc2eec0e588870369587e0ebb9954ac916a8fb5

  • SSDEEP

    98304:0UAAcj1OI43ma+JIAbSh8d3U2eky1FuKoZ+LCpPFh1eZHcICAtb4eEnoSE5Edh8t:IA7V3x+JIAbSh8d3U2ekyqf5p8Z8N/6

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 43 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Roboquest V 1.0.0.7420 TENOKE Plus 4 Trainer 64.exe
    "C:\Users\Admin\AppData\Local\Temp\Roboquest V 1.0.0.7420 TENOKE Plus 4 Trainer 64.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3592
    • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET446B.tmp\Roboquest V 1.0.0.7420 TENOKE Plus 4 Trainer 64.exe
      "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET446B.tmp\Roboquest V 1.0.0.7420 TENOKE Plus 4 Trainer 64.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET446B.tmp\extracted\Roboquest V 1.0.0.7420 TENOKE Plus 4 Trainer 64.exe
        "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET446B.tmp\extracted\Roboquest V 1.0.0.7420 TENOKE Plus 4 Trainer 64.exe" "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET446B.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:4652
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004C0
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1292
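The process tree above shows a three-stage unpack: the submitted EXE writes a staging directory under %TEMP%\cetrainers\CET<hex>.tmp\, launches a copy of itself from there with a -ORIGIN: argument, and that copy in turn launches the runtime from the extracted\ subfolder with a .CETRAINER file as its first argument. The cetrainers directory, the CET_ prefixes and the .CETRAINER extension are the layout of a Cheat Engine-built trainer (an inference from the file names, not something the report states). The script below is an added example, not part of this sandbox report: it replays that chain as constructed process-creation events and flags the stage-3 runtime launch, walking parent links back to the submitted file. Parent PIDs are inferred from the nesting of the tree (the report does not print them), the Event record and field names are this example's own, and AUDIODG.EXE is included as a benign control that must not match.

```python
"""Flag the Cheat Engine style trainer unpacking chain seen in the report.

Added example. The Event record, field names and parent PIDs are assumptions
of this example; the paths, PIDs and command lines are taken from the
report's process tree. Legitimately built game trainers produce the same
chain, so a hit means "trainer packaging", not malice on its own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Event:
    pid: int
    ppid: Optional[int]   # None when the parent is outside the captured tree
    image: str
    cmdline: str


# Indicators lifted from the report's process tree.
STAGING_DIR = re.compile(
    r"\\AppData\\Local\\Temp\\cetrainers\\CET[0-9A-F]+\.tmp\\", re.IGNORECASE)
ORIGIN_ARG = re.compile(r"-ORIGIN:", re.IGNORECASE)
TRAINER_ARG = re.compile(r"\.CETRAINER\b", re.IGNORECASE)
STAGE3 = {"image_in_cetrainers_tmp", "origin_argument", "cetrainer_argument"}


def classify(ev: Event) -> List[str]:
    """Return the indicator names a single event matches, in fixed order."""
    hits = []
    if STAGING_DIR.search(ev.image):
        hits.append("image_in_cetrainers_tmp")
    if ORIGIN_ARG.search(ev.cmdline):
        hits.append("origin_argument")
    if TRAINER_ARG.search(ev.cmdline):
        hits.append("cetrainer_argument")
    return hits


def find_chains(events: List[Event]) -> List[List[int]]:
    """For every event matching all stage-3 indicators, walk parent links
    back to the root and return the PID chain, root first."""
    by_pid: Dict[int, Event] = {e.pid: e for e in events}
    chains = []
    for ev in events:
        if not STAGE3 <= set(classify(ev)):
            continue
        chain, seen, cur = [ev.pid], {ev.pid}, ev
        while cur.ppid in by_pid and cur.ppid not in seen:  # guard cycles
            cur = by_pid[cur.ppid]
            chain.append(cur.pid)
            seen.add(cur.pid)
        chains.append(list(reversed(chain)))
    return chains


# Constructed events: paths and PIDs from the report, parent PIDs inferred
# from the nesting of the process tree.
TMP = r"C:\Users\Admin\AppData\Local\Temp"
STAGE = TMP + r"\cetrainers\CET446B.tmp"
NAME = "Roboquest V 1.0.0.7420 TENOKE Plus 4 Trainer 64.exe"

SAMPLE_EVENTS = [
    Event(3592, None, f"{TMP}\\{NAME}", f'"{TMP}\\{NAME}"'),
    Event(1364, 3592, f"{STAGE}\\{NAME}",
          f'"{STAGE}\\{NAME}" -ORIGIN:"{TMP}\\"'),
    Event(4652, 1364, f"{STAGE}\\extracted\\{NAME}",
          f'"{STAGE}\\extracted\\{NAME}" '
          f'"{STAGE}\\extracted\\CET_TRAINER.CETRAINER" "-ORIGIN:{TMP}\\"'),
    # Benign control from the same report: must not match.
    Event(1292, None, r"C:\Windows\system32\AUDIODG.EXE",
          r"C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004C0"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.pid, classify(ev))
    print("chains:", find_chains(SAMPLE_EVENTS))
```

The stage-2 copy matches only two of the three indicators (it is launched from the staging directory with -ORIGIN: but without a .CETRAINER argument), so alerting is keyed on the stage-3 launch and the chain is reported as 3592 -> 1364 -> 4652. On a real endpoint the same logic runs over Sysmon Event ID 1 or EDR process-creation telemetry, where the parent PID is supplied rather than inferred.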

Network

MITRE ATT&CK Matrix


Downloads

  • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET446B.tmp\CET_Archive.dat

    Filesize

    12.3MB

    MD5

    124ea9f4853265f20101e3533eca909a

    SHA1

    0526e6be3e64d3747de0137d5210199b6c3461b9

    SHA256

    47c4a5815677b9672634b227e3e963ed8047d8f182273e4707d4b7c8fff6be67

    SHA512

    d0e970e5fa85c7545bd1dcb32e11e9e58e4d974c4341a5d197dd95a059813a55b1189da4d83c5c83ca287301ee09e8ff37e4c8927504020cfad8644021b2d237

  • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET446B.tmp\Roboquest V 1.0.0.7420 TENOKE Plus 4 Trainer 64.exe

    Filesize

    189KB

    MD5

    a65c29111a4cf5a7fdd5a9d79f77bcab

    SHA1

    c0c59b1f792c975558c33a3b7cf0d94adc636660

    SHA256

    dab3003436b6861ae220cc5fdcb97970fc05afdf114c2f91e46eed627ce3d6af

    SHA512

    b37ef3351e8f46f7183550254acce99b54e0199fc37a02cca78b471dc2d8b697769afdaf7e6cfe89422cfed65a8dcc6d158ef52aba5b0ac9350ea05607fefd7f

  • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET446B.tmp\extracted\CET_TRAINER.CETRAINER

    Filesize

    282KB

    MD5

    07f0c82cf16376e82b1adea2e7715c2d

    SHA1

    b6fda94d491c5400441a07509f6ae97d1bbcd0ac

    SHA256

    e93c418b27e099d6204ad6e4c18baaef1b37699121580f9bd5f10f9d065c3ee7

    SHA512

    efd66daf3670cf34b581393fa19bbfec829cfa5d4ad796bbb27d79dbcb9886a770d4fd1c0e67499d1e6500dfc36f279ee2a9812604fe9c23b31602d6adb969e5

  • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET446B.tmp\extracted\Roboquest V 1.0.0.7420 TENOKE Plus 4 Trainer 64.exe

    Filesize

    11.2MB

    MD5

    be514f55b67ea5e0955c34fe599b3c84

    SHA1

    cb4e3692ba73dc5557e55f49399e029179d4ac44

    SHA256

    4b3a0bb743eee45f7175ebca1c0a1fecd816382bb79e6cd8f523d43e77ade948

    SHA512

    c00d9d958b3ffe7a53335b005c43539540283bb91e23d6b3f7956673ab8b707afa0d521b7b2ef734e35de36a1fde9b741e20724055b147a34150b0595babd75c

  • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET446B.tmp\extracted\defines.lua

    Filesize

    6KB

    MD5

    af18263191d6f3fe55af8bd455a947bd

    SHA1

    8cc06df49983bc95e71c678de9742eb5b0debbf2

    SHA256

    a71d5867a2c1a25dfe7649549449024128dd5540a492da76856e150fdbe07feb

    SHA512

    c55989158819d4bd7d17985508ffd7731c366ca1c79506c03a78d7e580f32aaa4d8cf4cf5e68bdf706df70780d25c0ab0a935be9d0c8d5bbeed9563dfb12f254

  • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET446B.tmp\extracted\libmikmod64.dll

    Filesize

    320KB

    MD5

    cff044ee3143c7b48ab90e8d1ce52aaa

    SHA1

    f95706074717f1ed482806b5e9195b4565d8f9aa

    SHA256

    777c84aeea61d35c4e8d714658a105e03eb46c23259022bdef63411f0c6fa6e5

    SHA512

    8e1896a4d418ca18e484da0330d2d38d5c60056f3bca95d0194ebcf655f0284499cac6eb6960b7abd77ebf6341e21cce41c5d17db2908d421492f8cd40736f58

  • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET446B.tmp\extracted\lua53-64.dll

    Filesize

    522KB

    MD5

    b19ca65cd5c6f20c77dbc60bce20e826

    SHA1

    06ef80fc54bc5098b2c8d7c7530f2dd63bd4917d

    SHA256

    522fd7cac73f55f249b82fbaee587db6e527c76eac9837cf54622ee476be8fab

    SHA512

    4f0c9573e433efdcd7cc8b82286a2c5eb9ecc1666d535f4f4e4525fc0e58656b41a14f0c1cf3fa6958917632e69b9317a2553ec90a05e1ca3209b0b78dd69c33