Analysis

  • max time kernel
    13s
  • max time network
    0s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/09/2024, 19:45

General

  • Target

    Prince of Persia Warrior Within V GOG Plus 4 Trainer.exe

  • Size

    11.1MB

  • MD5

    e15049206aee7b9d8742743290680f55

  • SHA1

    d33895ec697909ddcfe779750024b7b22001322e

  • SHA256

    5e4ad99f47e21b581accafb89835a19e905b78924fcabf347cd643772f1a17ba

  • SHA512

    0f013733280b14382676b12d9779ac76e7791b8d20b1482e7beea8917b077f720974023eee7eb535a80d36467a8bef4bd38bbc12966b17db7884cce14c69be2d

  • SSDEEP

    196608:c5mlDQxYNXVM3SnSTsrUoQIxbD/WdD92A25KGNNpHCh1fRoh/OkHRVEXI+62:ZlkxYNlM3SnSTK/WdD92A251Nt4Roh/C

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Drops file in System32 directory 52 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Prince of Persia Warrior Within V GOG Plus 4 Trainer.exe
    "C:\Users\Admin\AppData\Local\Temp\Prince of Persia Warrior Within V GOG Plus 4 Trainer.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET9A4C.tmp\Prince of Persia Warrior Within V GOG Plus 4 Trainer.exe
      "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET9A4C.tmp\Prince of Persia Warrior Within V GOG Plus 4 Trainer.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET9A4C.tmp\extracted\Prince of Persia Warrior Within V GOG Plus 4 Trainer.exe
        "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET9A4C.tmp\extracted\Prince of Persia Warrior Within V GOG Plus 4 Trainer.exe" "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET9A4C.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2336
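The three-stage tree above is the unpacking pattern of a trainer built with Cheat Engine's trainer generator: the `cetrainers\CETxxxx.tmp` staging directory, `CET_Archive.dat`, the `.CETRAINER` script and the bundled `lua53-32.dll` / `defines.lua` are its hallmarks. The Python below is an added example by the editor, not part of the sandbox report. It parses the command lines copied from the Processes section, flags each stage, and walks parent links to recover the chain. The indicator names, the benign `notepad.exe` control line and the chain-walking logic are the editor's own assumptions about what separates this chain from ordinary process activity.

```python
"""Flag a Cheat Engine style trainer unpacking chain in a process tree.

Added example, not code from the sandbox report. Heuristics are the
editor's assumptions; the sample command lines are copied from the
Processes section, plus one made-up benign process as a negative control.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed input: (pid, parent pid, command line). The first three rows are
# the report's own process tree; the notepad.exe row is invented as a control.
SAMPLE_PROCESSES = [
    (1936, None, r'"C:\Users\Admin\AppData\Local\Temp\Prince of Persia Warrior Within V GOG Plus 4 Trainer.exe"'),
    (2532, 1936, r'"C:\Users\Admin\AppData\Local\Temp\cetrainers\CET9A4C.tmp\Prince of Persia Warrior Within V GOG Plus 4 Trainer.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"'),
    (2336, 2532, r'"C:\Users\Admin\AppData\Local\Temp\cetrainers\CET9A4C.tmp\extracted\Prince of Persia Warrior Within V GOG Plus 4 Trainer.exe" "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET9A4C.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"'),
    (4100, 1100, r'"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\readme.txt"'),
]

# A Windows command-line token is either a double-quoted run or a bare word.
_TOKEN = re.compile(r'"[^"]*"|\S+')
# Staging directory Cheat Engine trainers unpack into under %TEMP%.
_STAGE_DIR = re.compile(r'\\cetrainers\\CET[0-9A-F]+\.tmp\\', re.IGNORECASE)


def split_cmdline(cmdline: str) -> list[str]:
    """Tokenise a Windows command line and drop all double quotes.

    Quotes are stripped rather than unescaped because arguments such as
    -ORIGIN:"C:\\...\\" carry them mid-token; for this heuristic the
    quote-free value is what we want to inspect.
    """
    return [t.replace('"', "") for t in _TOKEN.findall(cmdline)]


@dataclass
class Finding:
    pid: int
    image: str
    indicators: list[str] = field(default_factory=list)


def inspect(pid: int, cmdline: str) -> Finding:
    """Return the trainer-chain indicators present in one process's command line."""
    tokens = split_cmdline(cmdline)
    image = tokens[0] if tokens else ""
    finding = Finding(pid, image)
    if _STAGE_DIR.search(image):
        finding.indicators.append("image runs from %TEMP%\\cetrainers\\CETxxxx.tmp staging dir")
    if image.lower().endswith(".exe") and "\\extracted\\" in image.lower():
        finding.indicators.append("image is an executable unpacked into the extracted\\ subdir")
    for arg in tokens[1:]:
        if arg.upper().startswith("-ORIGIN:"):
            finding.indicators.append("-ORIGIN argument points back at the drop directory")
        elif arg.upper().endswith(".CETRAINER"):
            finding.indicators.append("loads a .CETRAINER trainer script")
    return finding


def trainer_chain(processes) -> list[int]:
    """Return, root first, the longest ancestry chain ending in a flagged process.

    Only processes with at least one indicator seed a chain; ancestors are
    included as long as they appear in the input, so the unflagged launcher
    (the originally submitted sample) is kept as the chain root.
    """
    parent = {pid: ppid for pid, ppid, _ in processes}
    findings = {pid: inspect(pid, cmd) for pid, _, cmd in processes}
    best: list[int] = []
    for pid, finding in findings.items():
        if not finding.indicators:
            continue
        chain = [pid]
        while parent.get(chain[-1]) in findings:
            chain.append(parent[chain[-1]])
        chain.reverse()
        if len(chain) > len(best):
            best = chain
    return best


if __name__ == "__main__":
    for pid, _, cmd in SAMPLE_PROCESSES:
        f = inspect(pid, cmd)
        print(f"PID {f.pid}: {len(f.indicators)} indicator(s)")
        for ind in f.indicators:
            print("   -", ind)
    print("trainer chain:", " -> ".join(map(str, trainer_chain(SAMPLE_PROCESSES))))
```

Run stand-alone it reports two indicators for PID 2532, four for PID 2336, none for the launcher or the control, and the chain 1936 -> 2532 -> 2336. A Cheat Engine trainer is a legitimate tool, so the chain is a triage signal rather than a verdict: the behaviours the report lists (Executes dropped EXE, WriteProcessMemory, AdjustPrivilegeToken, EnumeratesProcesses) are exactly what a trainer needs to find and patch a game process, and the same behaviours from a non-game parent or a non-%TEMP% drop path would deserve a closer look.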

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET9A4C.tmp\CET_Archive.dat

    Filesize

    10.8MB

    MD5

    0f44b0b58a256744336e9fa164db348f

    SHA1

    3cdfbde28e8556537e74d50e05f19ae441e6bbda

    SHA256

    049e33944ae998791d8507ca2ca941ea3378697efec0d93ec50b3babb24054eb

    SHA512

    dfa6cda714eff62d6043b91f86757ca6722e9c5eb1768e895bf7ea3e04b95775a5a63711142005f38fbb081af4a6e19e34531789e6914ed9c244bea914d0b616

  • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET9A4C.tmp\extracted\CET_TRAINER.CETRAINER

    Filesize

    721KB

    MD5

    53d372ffd8b77d1f2d3c367208f29f07

    SHA1

    ce05c99f43353e8eb2f7016fdf55e947e2da8b37

    SHA256

    f4fde1d08dd6212ab2fcd71be96ce07cd60e18059aef4c2c94fd6cec2b746edf

    SHA512

    2d0f5da710f266a72e01bda9e4def9629ea63ba0f5ba4149f93b9bd0db1149ba9b66337f531180f51608a922ca521f1ddad5a72f9971c07d8ffb4f890be3399f

  • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET9A4C.tmp\extracted\Prince of Persia Warrior Within V GOG Plus 4 Trainer.exe

    Filesize

    8.2MB

    MD5

    caa9d29f5b5751a94a179328aaf7cc6f

    SHA1

    698714c6cf34f5bc0b4372b6c88100c2ec9b5ff5

    SHA256

    76892d1a377bf7a010d77e3c7b26e42369ba12ad066c3db71f05e361343e9aed

    SHA512

    0a0360b737ea02d11bef8e8d65048b28730164c6db5567651e81586e4822faee72a0d3eee7146570fa2687627e524c54c1ade37d019a465112f428c0d6130e56

  • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET9A4C.tmp\extracted\defines.lua

    Filesize

    6KB

    MD5

    af18263191d6f3fe55af8bd455a947bd

    SHA1

    8cc06df49983bc95e71c678de9742eb5b0debbf2

    SHA256

    a71d5867a2c1a25dfe7649549449024128dd5540a492da76856e150fdbe07feb

    SHA512

    c55989158819d4bd7d17985508ffd7731c366ca1c79506c03a78d7e580f32aaa4d8cf4cf5e68bdf706df70780d25c0ab0a935be9d0c8d5bbeed9563dfb12f254

  • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET9A4C.tmp\extracted\libmikmod32.dll

    Filesize

    289KB

    MD5

    dacd337030c240f324a3d655ecd876e2

    SHA1

    d108dcbd13ca07265085278c61d8a9f751a4905e

    SHA256

    041427d5ae979b938fc2771bf3ae6e2b0cf6a669fc881b44be1586e46225532b

    SHA512

    83f0343479ea0f92fa48264b70efbdafa5d54f3bce5e0b8be523cdf528eb7891754208e48e7f14df554c2832cf9758377542f9df0eba8c441ccb8cacbfbab08f

  • C:\Users\Admin\AppData\Local\Temp\cetrainers\CET9A4C.tmp\extracted\lua53-32.dll

    Filesize

    480KB

    MD5

    9b8d650ffc6fff2cfe67a7e5c020ccfb

    SHA1

    eaadc93c8e1af00cf01bf5fd8fb8d2792649d8b8

    SHA256

    59b9f3fa57c1b7fdd3312f864c20eaee76ba9fcb7bb8d2542060d3533ced12c2

    SHA512

    606818e23f7d214240e8724b55af72147b4ebb3ad1d1f036d33c4690e7f279ea1768a1db595ac06f3c4b348348fc61f546fda673359cdd4b762bce2de2b85e61

  • \Users\Admin\AppData\Local\Temp\cetrainers\CET9A4C.tmp\Prince of Persia Warrior Within V GOG Plus 4 Trainer.exe

    Filesize

    189KB

    MD5

    a65c29111a4cf5a7fdd5a9d79f77bcab

    SHA1

    c0c59b1f792c975558c33a3b7cf0d94adc636660

    SHA256

    dab3003436b6861ae220cc5fdcb97970fc05afdf114c2f91e46eed627ce3d6af

    SHA512

    b37ef3351e8f46f7183550254acce99b54e0199fc37a02cca78b471dc2d8b697769afdaf7e6cfe89422cfed65a8dcc6d158ef52aba5b0ac9350ea05607fefd7f

  • \Users\Admin\AppData\Local\Temp\cetrainers\CET9A4C.tmp\extracted\win32\dbghelp.dll

    Filesize

    1.2MB

    MD5

    9139604740814e53298a5e8428ba29d7

    SHA1

    c7bf8947e9276a311c4807ea4a57b504f95703c9

    SHA256

    150782fca5e188762a41603e2d5c7aad6b6419926bcadf350ebf84328e50948f

    SHA512

    0b99259e9c0ee566d55cc53c4a7eabf025ed95973edc80ded594023a33f8273cd5d3f3053993f771f9db8a9d234e988cba73845c19ddc6e629e15a243c54cd5d