e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
Size

4.8MB
MD5

c095f20c5a6e3bd7b15d554576ffaf10
SHA1

d8f5f5760f55fa10e02604bf41b50b1d77f48755
SHA256

e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867
SHA512

c6387dab7de2fc95a9da0f9b19282aadf49e69430a447df611b7a4a458d3ccd7a0769ea73d8949c41b1c736de1d2f4fff2131bfd0561aa9cf57b9b0d021e5ebd
SSDEEP

98304:TZ7KG1v6e/LHYFR3ZueuJObD3ErwmzDFULPMlbVmr5k3XfDSlNjBI/yYniA2LgIq:TsG1vL/LH83ZueuMDE8m3yPs6OHulNNE

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Grand Theft Auto V Trainer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Grand Theft Auto V Trainer.exe

Deletes itself 1 IoCs

pid	Process
2264	Grand Theft Auto V Trainer.exe

Executes dropped EXE 2 IoCs

pid	Process
2264	Grand Theft Auto V Trainer.exe
1232	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
File opened for modification	\??\PhysicalDrive0	Grand Theft Auto V Trainer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	Grand Theft Auto V Trainer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
2264	Grand Theft Auto V Trainer.exe
2264	Grand Theft Auto V Trainer.exe
2264	Grand Theft Auto V Trainer.exe
2264	Grand Theft Auto V Trainer.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2264	Grand Theft Auto V Trainer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
Token: SeDebugPrivilege	2264	Grand Theft Auto V Trainer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2264	Grand Theft Auto V Trainer.exe
2264	Grand Theft Auto V Trainer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2264	1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe	30
PID 1928 wrote to memory of 2264	1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe	30
PID 1928 wrote to memory of 2264	1928	e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe	30

C:\Users\Admin\AppData\Local\Temp\e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe
"C:\Users\Admin\AppData\Local\Temp\e33fbfc8e36f58d4b31f2fb0fc334f0ee3b6fd05a6149a1d3e3f3a279e9ec867N.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\FutureXGame\Grand Theft Auto V Trainer.exe
  "C:\Users\Admin\FutureXGame\Grand Theft Auto V Trainer.exe"
  2⤵
  - Checks BIOS information in registry
  - Deletes itself
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\FutureXGame\settings.txt

Filesize
185B

MD5
edb77653eb671b6121ff5985dff8c7c0

SHA1
64518443927211f90e9917b173039f6897892b5b

SHA256
806d70b8dfd59fa15b47e7d82c75a0538c340edc78bef963da20a13bf9e168aa

SHA512
3ab2aec7a21dce0e12cd8eb7e14700a5f29f99b71fa12553f1d50423273ed4013b92686022cf7accf5069d8ded2826747f2b8c30b8855324478d2e918043ad34

Download Submit
\Users\Admin\FutureXGame\Grand Theft Auto V Trainer.exe

Filesize
3.3MB

MD5
508a010138f2f34b7ce88e49ca63cfc3

SHA1
7a922683dc2fad141b19fe62ac0cae550bb411f6

SHA256
b8f2ab2d9a6e88c7cc77164107d8136a37dddcd017a25c30c3cc12eb3ac993c7

SHA512
9d75c0795a1c60cbd73f1a69265fea83ad098d3c46e11ea75d6d198c8b10b85bcb28ca64e90405fba3993388406fb576ce74a7e926d4608ad282f317af593dee

Download Submit
memory/1928-1-0x00000000011F0000-0x00000000018E0000-memory.dmp

Filesize
6.9MB

Download
memory/1928-2-0x00000000011F0000-0x00000000018E0000-memory.dmp

Filesize
6.9MB

Download
memory/1928-3-0x00000000251A0000-0x00000000254EA000-memory.dmp

Filesize
3.3MB

Download
memory/1928-13-0x0000000029110000-0x00000000296E4000-memory.dmp

Filesize
5.8MB

Download
memory/1928-0-0x00000000011F0000-0x00000000018E0000-memory.dmp

Filesize
6.9MB

Download
memory/1928-21-0x00000000011F0000-0x00000000018E0000-memory.dmp

Filesize
6.9MB

Download
memory/2264-15-0x00000000000D0000-0x00000000006A4000-memory.dmp

Filesize
5.8MB

Download
memory/2264-18-0x0000000025190000-0x0000000025496000-memory.dmp

Filesize
3.0MB

Download
memory/2264-17-0x00000000000D0000-0x00000000006A4000-memory.dmp

Filesize
5.8MB

Download
memory/2264-16-0x00000000000D0000-0x00000000006A4000-memory.dmp

Filesize
5.8MB

Download
memory/2264-23-0x000000002BC20000-0x000000002C3C6000-memory.dmp

Filesize
7.6MB

Download
memory/2264-25-0x00000000000D0000-0x00000000006A4000-memory.dmp

Filesize
5.8MB

Download