Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
- submitted: 15-10-2024 23:04
Static task: static1
Behavioral task: behavioral1
Sample: Hack Minecraft/Hack Minecraft.exe
Resource: win7-20240903-en
General
- Target: Hack Minecraft/Hack Minecraft.exe
- Size: 732KB
- MD5: 5bd3074838470101c492048cc0484c58
- SHA1: 594d7125c3264bcdcefc9ac011399d0eaf429a68
- SHA256: 3ed5050d3cd51449eeae1d78058ab7ac198eea6398880ff5c0b68924e082b2b7
- SHA512: 8c672a7de3ea649f3cbca00f4fe13488377915d35fd6b0437323f51028e92ddebd5a70effc2f0696c978e386b005663c0fe2e2f022493a2fa1f7f4334f28a0b4
- SSDEEP: 12288:23DZGuFygNAyyS7T9jKi/JKCXKSPXiIlO/TahWxssxHiwy8FwQJjpyu6W:m5FlFM8DXiIkahWxsstFxJjpu
Malware Config
Extracted
darkcomet
Cube
pablito89.no-ip.biz:1604
DC_MUTEX-RK3VMAE
- gencode: ymm6fZFwUpBn
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\cFMHVZhG\\bWTL73v.exe,explorer.exe" | reg.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | Hack Minecraft.exe
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | Process
  3024 | MinecraftFactoryReset.exe
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | Process | procid_target
  PID 3628 set thread context of 5104 | 3628 | Hack Minecraft.exe | 94
- Processes:
  resource | yara_rule
  behavioral2/memory/5104-10-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/5104-20-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/5104-24-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/5104-27-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/5104-25-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/5104-30-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/5104-31-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/5104-32-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/5104-33-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/5104-34-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/5104-35-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/5104-36-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/5104-37-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/5104-38-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/5104-39-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/5104-40-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/5104-41-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/5104-42-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/5104-43-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/5104-44-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/5104-45-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/5104-46-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/5104-47-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hack Minecraft.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | Process
  3628 | Hack Minecraft.exe
  3628 | Hack Minecraft.exe
- Suspicious use of AdjustPrivilegeToken (25 IoCs)
  Processes:
  description | pid | Process
  Token: SeDebugPrivilege | 3628 | Hack Minecraft.exe
  Token: SeIncreaseQuotaPrivilege | 5104 | vbc.exe
  Token: SeSecurityPrivilege | 5104 | vbc.exe
  Token: SeTakeOwnershipPrivilege | 5104 | vbc.exe
  Token: SeLoadDriverPrivilege | 5104 | vbc.exe
  Token: SeSystemProfilePrivilege | 5104 | vbc.exe
  Token: SeSystemtimePrivilege | 5104 | vbc.exe
  Token: SeProfSingleProcessPrivilege | 5104 | vbc.exe
  Token: SeIncBasePriorityPrivilege | 5104 | vbc.exe
  Token: SeCreatePagefilePrivilege | 5104 | vbc.exe
  Token: SeBackupPrivilege | 5104 | vbc.exe
  Token: SeRestorePrivilege | 5104 | vbc.exe
  Token: SeShutdownPrivilege | 5104 | vbc.exe
  Token: SeDebugPrivilege | 5104 | vbc.exe
  Token: SeSystemEnvironmentPrivilege | 5104 | vbc.exe
  Token: SeChangeNotifyPrivilege | 5104 | vbc.exe
  Token: SeRemoteShutdownPrivilege | 5104 | vbc.exe
  Token: SeUndockPrivilege | 5104 | vbc.exe
  Token: SeManageVolumePrivilege | 5104 | vbc.exe
  Token: SeImpersonatePrivilege | 5104 | vbc.exe
  Token: SeCreateGlobalPrivilege | 5104 | vbc.exe
  Token: 33 | 5104 | vbc.exe
  Token: 34 | 5104 | vbc.exe
  Token: 35 | 5104 | vbc.exe
  Token: 36 | 5104 | vbc.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  pid | Process
  5104 | vbc.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  description | pid | Process | procid_target
  PID 3628 wrote to memory of 3176 | 3628 | Hack Minecraft.exe | 91
  PID 3628 wrote to memory of 3176 | 3628 | Hack Minecraft.exe | 91
  PID 3628 wrote to memory of 3176 | 3628 | Hack Minecraft.exe | 91
  PID 3176 wrote to memory of 1560 | 3176 | cmd.exe | 93
  PID 3176 wrote to memory of 1560 | 3176 | cmd.exe | 93
  PID 3176 wrote to memory of 1560 | 3176 | cmd.exe | 93
  PID 3628 wrote to memory of 5104 | 3628 | Hack Minecraft.exe | 94
  PID 3628 wrote to memory of 5104 | 3628 | Hack Minecraft.exe | 94
  PID 3628 wrote to memory of 5104 | 3628 | Hack Minecraft.exe | 94
  PID 3628 wrote to memory of 5104 | 3628 | Hack Minecraft.exe | 94
  PID 3628 wrote to memory of 5104 | 3628 | Hack Minecraft.exe | 94
  PID 3628 wrote to memory of 5104 | 3628 | Hack Minecraft.exe | 94
  PID 3628 wrote to memory of 5104 | 3628 | Hack Minecraft.exe | 94
  PID 3628 wrote to memory of 3024 | 3628 | Hack Minecraft.exe | 95
  PID 3628 wrote to memory of 3024 | 3628 | Hack Minecraft.exe | 95
Processes
- C:\Users\Admin\AppData\Local\Temp\Hack Minecraft\Hack Minecraft.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Hack Minecraft\Hack Minecraft.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3628
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\cFMHVZhG\bWTL73v.exe,explorer.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3176
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\cFMHVZhG\bWTL73v.exe,explorer.exe"
      - Modifies WinLogon for persistence
      - System Location Discovery: System Language Discovery
      PID: 1560
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 5104
  - C:\Users\Admin\AppData\Local\Temp\MinecraftFactoryReset.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MinecraftFactoryReset.exe"
    - Executes dropped EXE
    PID: 3024
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 386KB
  MD5: 21915c92f2a71ad99bf86a9af127df46
  SHA1: de1ceb3a8cb4dc85b7ef8b71f97db3f80613e579
  SHA256: 5484f7265a6157a2f417d65ee18a603c69b12fa7d17890bf313958fcf0882bf0
  SHA512: 6b89f0068c09b5fb3206d89be721effd64df1bf95c2a9cc044f050527868d957dd40603e6328ab61a921ffeadd84665b16d66031eca3ee10a8b8bae45bf9b18c