f6136577076a86a427e5738152af5bc62ce6b32d1b43092a9259b45971ee1281

Analysis

max time kernel
15s
max time network
17s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
13/08/2024, 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
Size

7.2MB
MD5

547707b98636f7f46477517c148b348e
SHA1

f77289e3a8d7193e70aff99678e3fd5aac5b2d59
SHA256

f6136577076a86a427e5738152af5bc62ce6b32d1b43092a9259b45971ee1281
SHA512

67f8cc59815e69fa420c85169bf4aaed2337ba1877aac3ae7d606b8ad78a59bbc901a86917ec4ce015f4511edf0bf4ef1618ca3ccc4f5ef970b4a6a673a0d732
SSDEEP

196608:phOajefl9HwWgRfVvxwGfpJBIqgESfVkUcL/r3rftb6:phjeflpwVRflxwGfpHyfqL/r3bA

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1888	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
204	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe

Loads dropped DLL 1 IoCs

pid	Process
204	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe

Drops file in System32 directory 44 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\RPCRT4.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\kernel.appcore.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\version.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\ole32.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\PROPSYS.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\oleaut32.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\msvcp_win.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\msvcrt.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\opengl32.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\comdlg32.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\ws2_32.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\gdi32full.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\advapi32.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\win32u.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\shcore.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\hhctrl.ocx	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\KERNELBASE.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\bcryptPrimitives.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\wsock32.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\winmm.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\clbcatq.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\combase.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\windows.storage.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\ucrtbase.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\GLU32.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\uxtheme.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\msimg32.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\system32\explorerframe.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\MSCTF.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\ntdll.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\KERNEL32.DLL	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\imm32.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\psapi.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\user32.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\shell32.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\shlwapi.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\Dbghelp.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\GDI32.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\cfgmgr32.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\profapi.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\wininet.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\WINMMBASE.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\sechost.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\powrprof.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.0_none_108e4f62dfe5d999\comctl32.dll	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
204	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
204	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
204	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
204	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	204	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
Token: SeTcbPrivilege	204	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
Token: SeTcbPrivilege	204	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
Token: SeLoadDriverPrivilege	204	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
Token: SeCreateGlobalPrivilege	204	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
Token: SeLockMemoryPrivilege	204	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
Token: 33	204	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
Token: SeSecurityPrivilege	204	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
Token: SeTakeOwnershipPrivilege	204	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
Token: SeManageVolumePrivilege	204	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
Token: SeBackupPrivilege	204	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
Token: SeCreatePagefilePrivilege	204	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
Token: SeShutdownPrivilege	204	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
Token: SeRestorePrivilege	204	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
Token: 33	204	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
Token: SeIncBasePriorityPrivilege	204	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
204	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 1888	4208	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe	73
PID 4208 wrote to memory of 1888	4208	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe	73
PID 4208 wrote to memory of 1888	4208	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe	73
PID 1888 wrote to memory of 204	1888	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe	74
PID 1888 wrote to memory of 204	1888	PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe	74

C:\Users\Admin\AppData\Local\Temp\PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
"C:\Users\Admin\AppData\Local\Temp\PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Users\Admin\AppData\Local\Temp\cetrainers\CET636D.tmp\PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
  "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET636D.tmp\PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Users\Admin\AppData\Local\Temp\cetrainers\CET636D.tmp\extracted\PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe
    "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET636D.tmp\extracted\PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe" "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET636D.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET636D.tmp\CET_Archive.dat

Filesize
6.9MB

MD5
a305a1f8b0e087101d172e395ff9c9de

SHA1
b6e2b610ac465ed46940f1c41280459b3fbd3a68

SHA256
de1d738ef20e9da62addc3b72dfff3cddf36c1d45a4066660d9a734b308b636d

SHA512
215a302bd3c5f96cbed1cce5df5f6cfc9426a47f99878c4598b812741dde07a17576d848aa71758a95ca7383e0e0d831d06c489d2f00ea583016bdc9485cf502

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET636D.tmp\PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe

Filesize
225KB

MD5
971b37cedf686e0ac8ca0297a953aad9

SHA1
8ea777fa6c70a619d4e92cc6435c4eba2b16a23e

SHA256
1965546a19990b4523a1588eb0d7fdd42bd443e2bcc632dae04343d358394ae7

SHA512
2f0f3facf2587b751bb658eaab9ca1536d7326956b0eeca7bd0badc893c0878741f8bb56d8c1e360f2cb4bd9442866bd9faf7bdec7d02105f6c149640cf180d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET636D.tmp\extracted\CET_TRAINER.CETRAINER

Filesize
158KB

MD5
4fc9002e0df427f662e55533598bf6fc

SHA1
3d91cff9a4e5f9bf3c3ed615d9a6bf71450fd826

SHA256
9edca8cecc59a23993a4561932cd851936682f4894f81737fac74c951d850461

SHA512
c1495ffce4d5592adcc52fd62850ef3a5e4f52506bff4e28a4dc676a0093a4c4e8b71e982721ca2ddabe8ff0e32b8633770151a4f6e2e90adaff7cc4dee762c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET636D.tmp\extracted\PhasmoMenu v0.5.3.4 By PappyG_[unknowncheats.me]_.exe

Filesize
15.9MB

MD5
edeef697cbf212b5ecfcd9c1d9a8803d

SHA1
e90585899ae4b4385a6d0bf43c516c122e7883e2

SHA256
ac9bcc7813c0063bdcd36d8e4e79a59b22f6e95c2d74c65a4249c7d5319ae3f6

SHA512
1aaa8fc2f9fafecbe88abf07fbc97dc03a7c68cc1d870513e921bf3caeaa97128583293bf5078a69aecbb93bf1e531605b36bd756984db8d703784627d1877d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET636D.tmp\extracted\autorun\luasymbols.lua

Filesize
629B

MD5
df4d243ab0407a1f03ccf448232fcf62

SHA1
62453cfa7abf6fa83158be1ba86c854d9a6b7d4b

SHA256
c5a35380af8bebe96b85377f5f41f8c068cb857c74b9cb85b7467b35c1de10c4

SHA512
4b05b65909673e92f59ab64c1ff4e0b829f5c9085eafa1fff28cb0ccd7e6a7f6ef031633f443e0ba156a4b8f5009f526d0356f39ef77b22706f98f100b1909c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET636D.tmp\extracted\autorun\monoscript.lua

Filesize
132KB

MD5
76168ca68f3ed8ade110b140244efbaf

SHA1
2af08403d17a64b10429c8fce68aa085a6b287b7

SHA256
5832b5ab00e84690ac1e780e8b1c4abd9649465234c9ffa2cecb410be66a6b8a

SHA512
80ad21d631934d2b8e368a5b2d3cb5f1889d4a65099c2d8cd8ba37eb721c1ebdc2c6549fc530514bf9f96976ffcbfd372150f1f16a6591da013fe4f1d1bb070b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET636D.tmp\extracted\defines.lua

Filesize
12KB

MD5
62e1fa241d417668f7c5da6e4009a5a6

SHA1
f887409e3c204a87731f317a999dc7e4cc8d3fcd

SHA256
82e8ef7df20a86791cef062f2dcacb1d91b4adc9f5dea2fd274886be8365b2f8

SHA512
2283cbb9e1d5d53ad1ed9bc9db6034fb3c53c633b11001f373523640bbbba95da9a3a0866c7d5fa0620facab7d18c8577dfd69496fc7319e0a4a74d0b9e10c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET636D.tmp\extracted\lua53-64.dll

Filesize
528KB

MD5
b7c9f1e7e640f1a034be84af86970d45

SHA1
f795dc3d781b9578a96c92658b9f95806fc9bdde

SHA256
6d0a06b90213f082cb98950890518c0f08b9fc16dbfab34d400267cb6cdadeff

SHA512
da63992b68f1112c0d6b33e6004f38e85b3c3e251e0d5457cd63804a49c5aa05aa23249e0614dacad4fec28ca6efdb5ddee06da5bfbfa07e21942976201079f3

Download Submit