90f348d8a151340939be4de901b4bcfc3ea8b0924cf272ec828b796fa6ac57ec

Analysis

max time kernel
91s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
20/08/2024, 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

neverlose by pinkking.exe
Size

84KB
MD5

1e1f1d68311dd22314ae2577ed795849
SHA1

529049136b8cdd06ffd827b7d2415bd9d81bc7c3
SHA256

270ee31a32338f8d05257bcf77103662cb555129703312c76e607feef94f94c9
SHA512

2fc7df714f2b9b6847b19cd96ac7bde29d09321ce35018247a6e4274e4274df62e387828d8962e191e82f86fddaff41d4997a08d01fc26bb2dbfae0aa753eaab
SSDEEP

1536:92Y0VNblnigen1FQGpaika1PASjg/olRlx+:923rbZi/8GprF3jg/o3ls

Score

5^/10

defense_evasion discovery

Malware Config

Signatures

Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1952	cmd.exe
1388	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neverlose by pinkking.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mode.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mode.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neverlose by pinkking.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2336	neverlose by pinkking.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 2740	4576	neverlose by pinkking.exe	79
PID 4576 wrote to memory of 2740	4576	neverlose by pinkking.exe	79
PID 4576 wrote to memory of 2740	4576	neverlose by pinkking.exe	79
PID 2740 wrote to memory of 5064	2740	cmd.exe	80
PID 2740 wrote to memory of 5064	2740	cmd.exe	80
PID 2740 wrote to memory of 5064	2740	cmd.exe	80
PID 4576 wrote to memory of 3708	4576	neverlose by pinkking.exe	81
PID 4576 wrote to memory of 3708	4576	neverlose by pinkking.exe	81
PID 4576 wrote to memory of 3708	4576	neverlose by pinkking.exe	81
PID 4576 wrote to memory of 4928	4576	neverlose by pinkking.exe	82
PID 4576 wrote to memory of 4928	4576	neverlose by pinkking.exe	82
PID 4576 wrote to memory of 4928	4576	neverlose by pinkking.exe	82
PID 4576 wrote to memory of 1268	4576	neverlose by pinkking.exe	83
PID 4576 wrote to memory of 1268	4576	neverlose by pinkking.exe	83
PID 4576 wrote to memory of 1268	4576	neverlose by pinkking.exe	83
PID 4576 wrote to memory of 1952	4576	neverlose by pinkking.exe	84
PID 4576 wrote to memory of 1952	4576	neverlose by pinkking.exe	84
PID 4576 wrote to memory of 1952	4576	neverlose by pinkking.exe	84
PID 1952 wrote to memory of 2220	1952	cmd.exe	85
PID 1952 wrote to memory of 2220	1952	cmd.exe	85
PID 1952 wrote to memory of 2220	1952	cmd.exe	85
PID 4576 wrote to memory of 4152	4576	neverlose by pinkking.exe	86
PID 4576 wrote to memory of 4152	4576	neverlose by pinkking.exe	86
PID 4576 wrote to memory of 4152	4576	neverlose by pinkking.exe	86
PID 4576 wrote to memory of 5092	4576	neverlose by pinkking.exe	87
PID 4576 wrote to memory of 5092	4576	neverlose by pinkking.exe	87
PID 4576 wrote to memory of 5092	4576	neverlose by pinkking.exe	87
PID 4576 wrote to memory of 2036	4576	neverlose by pinkking.exe	88
PID 4576 wrote to memory of 2036	4576	neverlose by pinkking.exe	88
PID 4576 wrote to memory of 2036	4576	neverlose by pinkking.exe	88
PID 4576 wrote to memory of 724	4576	neverlose by pinkking.exe	89
PID 4576 wrote to memory of 724	4576	neverlose by pinkking.exe	89
PID 4576 wrote to memory of 724	4576	neverlose by pinkking.exe	89
PID 4576 wrote to memory of 4428	4576	neverlose by pinkking.exe	90
PID 4576 wrote to memory of 4428	4576	neverlose by pinkking.exe	90
PID 4576 wrote to memory of 4428	4576	neverlose by pinkking.exe	90
PID 2336 wrote to memory of 2924	2336	neverlose by pinkking.exe	100
PID 2336 wrote to memory of 2924	2336	neverlose by pinkking.exe	100
PID 2336 wrote to memory of 2924	2336	neverlose by pinkking.exe	100
PID 2924 wrote to memory of 2796	2924	cmd.exe	101
PID 2924 wrote to memory of 2796	2924	cmd.exe	101
PID 2924 wrote to memory of 2796	2924	cmd.exe	101
PID 2336 wrote to memory of 4472	2336	neverlose by pinkking.exe	102
PID 2336 wrote to memory of 4472	2336	neverlose by pinkking.exe	102
PID 2336 wrote to memory of 4472	2336	neverlose by pinkking.exe	102
PID 2336 wrote to memory of 2368	2336	neverlose by pinkking.exe	103
PID 2336 wrote to memory of 2368	2336	neverlose by pinkking.exe	103
PID 2336 wrote to memory of 2368	2336	neverlose by pinkking.exe	103
PID 2336 wrote to memory of 388	2336	neverlose by pinkking.exe	104
PID 2336 wrote to memory of 388	2336	neverlose by pinkking.exe	104
PID 2336 wrote to memory of 388	2336	neverlose by pinkking.exe	104
PID 2336 wrote to memory of 1388	2336	neverlose by pinkking.exe	105
PID 2336 wrote to memory of 1388	2336	neverlose by pinkking.exe	105
PID 2336 wrote to memory of 1388	2336	neverlose by pinkking.exe	105
PID 1388 wrote to memory of 456	1388	cmd.exe	106
PID 1388 wrote to memory of 456	1388	cmd.exe	106
PID 1388 wrote to memory of 456	1388	cmd.exe	106
PID 2336 wrote to memory of 3520	2336	neverlose by pinkking.exe	107
PID 2336 wrote to memory of 3520	2336	neverlose by pinkking.exe	107
PID 2336 wrote to memory of 3520	2336	neverlose by pinkking.exe	107
PID 2336 wrote to memory of 3920	2336	neverlose by pinkking.exe	108
PID 2336 wrote to memory of 3920	2336	neverlose by pinkking.exe	108
PID 2336 wrote to memory of 3920	2336	neverlose by pinkking.exe	108
PID 2336 wrote to memory of 3372	2336	neverlose by pinkking.exe	109

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2220	attrib.exe
456	attrib.exe

C:\Users\Admin\AppData\Local\Temp\neverlose by pinkking.exe
"C:\Users\Admin\AppData\Local\Temp\neverlose by pinkking.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c mode con:cols=0120 lines=0030
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\mode.com
    mode con:cols=0120 lines=0030
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c title neverlose crack by pinkking
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\myfiles" mkdir "C:\Users\Admin\AppData\Local\Temp\myfiles"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\wtmpd" mkdir "C:\Users\Admin\AppData\Local\Temp\wtmpd"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\i6.t
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\i6.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  - System Location Discovery: System Language Discovery
  PID:724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:1652

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3484

C:\Users\Admin\Desktop\neverlose by pinkking.exe
"C:\Users\Admin\Desktop\neverlose by pinkking.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c mode con:cols=0120 lines=0030
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\mode.com
    mode con:cols=0120 lines=0030
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c title neverlose crack by pinkking
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\myfiles" mkdir "C:\Users\Admin\AppData\Local\Temp\myfiles"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\wtmpd" mkdir "C:\Users\Admin\AppData\Local\Temp\wtmpd"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\i6.t
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\i6.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\i6.bat

Filesize
173B

MD5
0f8f70e88009593eefaa155a8e31b1d6

SHA1
eabcc3f2135e0919e9456da0a4b1084f3382d4b6

SHA256
941c169c07670650fc6c6148c1cae068b69bac209e05010594e164aafc7cdf8b

SHA512
94df468b963f3c9d133a25e1ffa57039fac01fe960f0f738552ca6440e6242ff48d0b410fe70dd05a62e4842c925c9f2b0220ca9eb9cb4ff5490ada443c9a750

Download Submit
C:\Users\Admin\AppData\Local\Temp\i6.f

Filesize
32B

MD5
d406619e40f52369e12ae4671b16a11a

SHA1
9c5748148612b1eefaacf368fbf5dbcaa8dea6d0

SHA256
2e340d2b9ced6ad419c031400fb974feed427cfabd0c167dea26ec732d8579be

SHA512
4d9792a6427e4a48553318b4c2bac19ff729a9c0a635bc9196c33d2be5d1a224d1bac30da5f881bad6340b0235894ff020f32061a64125629848e21c879c5264

Download Submit
C:\Users\Admin\AppData\Local\Temp\i6.t

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\i6.t

Filesize
3B

MD5
21438ef4b9ad4fc266b6129a2f60de29

SHA1
5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

SHA256
13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

SHA512
37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads