Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15-10-2024 23:04

Static task: static1
Behavioral task: behavioral1
Sample: Hack Minecraft/Hack Minecraft.exe
Resource: win7-20240903-en
General
Target: Hack Minecraft/Hack Minecraft.exe
Size: 732KB
MD5: 5bd3074838470101c492048cc0484c58
SHA1: 594d7125c3264bcdcefc9ac011399d0eaf429a68
SHA256: 3ed5050d3cd51449eeae1d78058ab7ac198eea6398880ff5c0b68924e082b2b7
SHA512: 8c672a7de3ea649f3cbca00f4fe13488377915d35fd6b0437323f51028e92ddebd5a70effc2f0696c978e386b005663c0fe2e2f022493a2fa1f7f4334f28a0b4
SSDEEP: 12288:23DZGuFygNAyyS7T9jKi/JKCXKSPXiIlO/TahWxssxHiwy8FwQJjpyu6W:m5FlFM8DXiIkahWxsstFxJjpu
Malware Config
Extracted: darkcomet
- Cube
- pablito89.no-ip.biz:1604
- DC_MUTEX-RK3VMAE
- gencode: ymm6fZFwUpBn
- install: false
- offline_keylogger: true
- persistence: false
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes (description | ioc | Process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\cFMHVZhG\\bWTL73v.exe,explorer.exe" | reg.exe

Executes dropped EXE (1 IoC)
Processes (pid | Process):
- 2752 | MinecraftFactoryReset.exe

Loads dropped DLL (2 IoCs)
Processes (pid | Process):
- 1304 | Hack Minecraft.exe
- 1304 | Hack Minecraft.exe

Uses the VBS compiler for execution (1 TTP)

Suspicious use of SetThreadContext (1 IoC)
Processes (description | pid | Process | procid_target):
- PID 1304 set thread context of 2724 | 1304 | Hack Minecraft.exe | 33
Processes (resource | yara_rule):
- behavioral1/memory/2724-19-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-12-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-18-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-17-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-14-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-22-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-25-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-30-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-26-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-32-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-31-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-34-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-35-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-36-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-37-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-38-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-39-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-40-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-41-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-42-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-43-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-44-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-45-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-46-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-47-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-48-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- behavioral1/memory/2724-49-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description | ioc | Process):
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hack Minecraft.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid | Process):
- 1304 | Hack Minecraft.exe
- 1304 | Hack Minecraft.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid | Process):
- 2752 | MinecraftFactoryReset.exe

Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes (description | pid | Process):
- Token: SeDebugPrivilege | 1304 | Hack Minecraft.exe
- Token: SeIncreaseQuotaPrivilege | 2724 | vbc.exe
- Token: SeSecurityPrivilege | 2724 | vbc.exe
- Token: SeTakeOwnershipPrivilege | 2724 | vbc.exe
- Token: SeLoadDriverPrivilege | 2724 | vbc.exe
- Token: SeSystemProfilePrivilege | 2724 | vbc.exe
- Token: SeSystemtimePrivilege | 2724 | vbc.exe
- Token: SeProfSingleProcessPrivilege | 2724 | vbc.exe
- Token: SeIncBasePriorityPrivilege | 2724 | vbc.exe
- Token: SeCreatePagefilePrivilege | 2724 | vbc.exe
- Token: SeBackupPrivilege | 2724 | vbc.exe
- Token: SeRestorePrivilege | 2724 | vbc.exe
- Token: SeShutdownPrivilege | 2724 | vbc.exe
- Token: SeDebugPrivilege | 2724 | vbc.exe
- Token: SeSystemEnvironmentPrivilege | 2724 | vbc.exe
- Token: SeChangeNotifyPrivilege | 2724 | vbc.exe
- Token: SeRemoteShutdownPrivilege | 2724 | vbc.exe
- Token: SeUndockPrivilege | 2724 | vbc.exe
- Token: SeManageVolumePrivilege | 2724 | vbc.exe
- Token: SeImpersonatePrivilege | 2724 | vbc.exe
- Token: SeCreateGlobalPrivilege | 2724 | vbc.exe
- Token: 33 | 2724 | vbc.exe
- Token: 34 | 2724 | vbc.exe
- Token: 35 | 2724 | vbc.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid | Process):
- 2724 | vbc.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes (description | pid | Process | procid_target):
- PID 1304 wrote to memory of 1708 | 1304 | Hack Minecraft.exe | 30 (4 entries)
- PID 1708 wrote to memory of 2688 | 1708 | cmd.exe | 32 (4 entries)
- PID 1304 wrote to memory of 2724 | 1304 | Hack Minecraft.exe | 33 (8 entries)
- PID 1304 wrote to memory of 2752 | 1304 | Hack Minecraft.exe | 34 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Hack Minecraft\Hack Minecraft.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Hack Minecraft\Hack Minecraft.exe"
  PID: 1304
  Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\cFMHVZhG\bWTL73v.exe,explorer.exe"
    PID: 1708
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\cFMHVZhG\bWTL73v.exe,explorer.exe"
      PID: 2688
      Signatures: Modifies WinLogon for persistence; System Location Discovery: System Language Discovery
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    PID: 2724
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\MinecraftFactoryReset.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MinecraftFactoryReset.exe"
    PID: 2752
    Signatures: Executes dropped EXE; Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 386KB
  MD5: 21915c92f2a71ad99bf86a9af127df46
  SHA1: de1ceb3a8cb4dc85b7ef8b71f97db3f80613e579
  SHA256: 5484f7265a6157a2f417d65ee18a603c69b12fa7d17890bf313958fcf0882bf0
  SHA512: 6b89f0068c09b5fb3206d89be721effd64df1bf95c2a9cc044f050527868d957dd40603e6328ab61a921ffeadd84665b16d66031eca3ee10a8b8bae45bf9b18c
- Filesize: 732KB
  MD5: 5bd3074838470101c492048cc0484c58
  SHA1: 594d7125c3264bcdcefc9ac011399d0eaf429a68
  SHA256: 3ed5050d3cd51449eeae1d78058ab7ac198eea6398880ff5c0b68924e082b2b7
  SHA512: 8c672a7de3ea649f3cbca00f4fe13488377915d35fd6b0437323f51028e92ddebd5a70effc2f0696c978e386b005663c0fe2e2f022493a2fa1f7f4334f28a0b4