Analysis
max time kernel: 149s
max time network: 126s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 20:16
Static task: static1
Behavioral task: behavioral1
  Sample: PAYDAY3_Trainer_[unknowncheats.me]_.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: PAYDAY3_Trainer_[unknowncheats.me]_.exe
  Resource: win10v2004-20241007-en
General
Target: PAYDAY3_Trainer_[unknowncheats.me]_.exe
Size: 7.0MB
MD5: 1e15df4e8bd6c1f0b0b09a3796f389c9
SHA1: f504549f0c3497f2362cdf682e6604574a17afcc
SHA256: d48fa25aa43ffa59b29b8219de34a5421e620242d22bdcb831ca0c2210ec8e72
SHA512: 0052eae352d27dc6b93f8fe7b3a224b6386f17e23dcb43b52109fe61e4cfe8279f2be23403eeffd63cd029a24492f24f84728bcd3c07ff23f1482ba456b6885c
SSDEEP: 98304:j+uiK85v5TFh7KgHallQ8MxjDttS+2gA17bliqxIY/EC4hKDzhVVVVVV3sFWLG6q:j+uiKsvDhO5M5BtQXliqxIEpEWitmm1
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid 2764  PAYDAY3_Trainer_[unknowncheats.me]_.exe
  pid 2704  PAYDAY3_Trainer_[unknowncheats.me]_.exe
Loads dropped DLL (3 IoCs)
  pid 2656  PAYDAY3_Trainer_[unknowncheats.me]_.exe
  pid 2764  PAYDAY3_Trainer_[unknowncheats.me]_.exe
  pid 2704  PAYDAY3_Trainer_[unknowncheats.me]_.exe
Drops file in System32 directory (51 IoCs)
  All 51 entries are "File opened for modification" by process PAYDAY3_Trainer_[unknowncheats.me]_.exe:
  - C:\Windows\system32\oleaut32.dll
  - C:\Windows\system32\msvcrt.dll
  - C:\Windows\system32\winmm.dll
  - C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
  - C:\Windows\system32\normaliz.DLL
  - C:\Windows\system32\LPK.dll
  - C:\Windows\system32\SHLWAPI.dll
  - C:\Windows\system32\opengl32.dll
  - C:\Windows\system32\imm32.dll
  - C:\Windows\system32\DCIMAN32.dll
  - C:\Windows\system32\MSCTF.dll
  - C:\Windows\system32\hhctrl.ocx
  - C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
  - C:\Windows\SYSTEM32\ntdll.dll
  - C:\Windows\system32\GDI32.dll
  - C:\Windows\system32\RPCRT4.dll
  - C:\Windows\system32\GLU32.dll
  - C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
  - C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  - C:\Windows\system32\wininet.dll
  - C:\Windows\system32\iertutil.dll
  - C:\Windows\system32\msimg32.dll
  - C:\Windows\system32\CLBCatQ.DLL
  - C:\Windows\system32\USP10.dll
  - C:\Windows\system32\shell32.dll
  - C:\Windows\system32\DDRAW.dll
  - C:\Windows\system32\dwmapi.dll
  - C:\Windows\system32\DUser.dll
  - C:\Windows\system32\propsys.dll
  - C:\Windows\system32\Dbghelp.dll
  - C:\Windows\system32\kernel32.dll
  - C:\Windows\system32\CFGMGR32.dll
  - C:\Windows\system32\wsock32.dll
  - C:\Windows\system32\DUI70.dll
  - C:\Windows\system32\NSI.dll
  - C:\Windows\system32\psapi.dll
  - C:\Windows\system32\ole32.dll
  - C:\Windows\system32\USER32.dll
  - C:\Windows\system32\version.dll
  - C:\Windows\system32\comdlg32.dll
  - C:\Windows\system32\CRYPTBASE.dll
  - C:\Windows\system32\SETUPAPI.dll
  - C:\Windows\system32\ws2_32.dll
  - C:\Windows\system32\uxtheme.dll
  - C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
  - C:\Windows\system32\api-ms-win-core-synch-l1-2-0.DLL
  - C:\Windows\system32\explorerframe.dll
  - C:\Windows\system32\KERNELBASE.dll
  - C:\Windows\system32\advapi32.dll
  - C:\Windows\SYSTEM32\sechost.dll
  - C:\Windows\system32\DEVOBJ.dll
Drops file in Windows directory (1 IoCs)
  File opened for modification: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll  (PAYDAY3_Trainer_[unknowncheats.me]_.exe)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (PAYDAY3_Trainer_[unknowncheats.me]_.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (PAYDAY3_Trainer_[unknowncheats.me]_.exe)
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid 2704  PAYDAY3_Trainer_[unknowncheats.me]_.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid 2704  PAYDAY3_Trainer_[unknowncheats.me]_.exe
Suspicious use of AdjustPrivilegeToken (16 IoCs)
  All 16 entries are by pid 2704 PAYDAY3_Trainer_[unknowncheats.me]_.exe:
  - Token: SeDebugPrivilege
  - Token: SeTcbPrivilege
  - Token: SeTcbPrivilege
  - Token: SeLoadDriverPrivilege
  - Token: SeCreateGlobalPrivilege
  - Token: SeLockMemoryPrivilege
  - Token: 33
  - Token: SeSecurityPrivilege
  - Token: SeTakeOwnershipPrivilege
  - Token: SeManageVolumePrivilege
  - Token: SeBackupPrivilege
  - Token: SeCreatePagefilePrivilege
  - Token: SeShutdownPrivilege
  - Token: SeRestorePrivilege
  - Token: 33
  - Token: SeIncBasePriorityPrivilege
Suspicious use of FindShellTrayWindow (1 IoCs)
  pid 2704  PAYDAY3_Trainer_[unknowncheats.me]_.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 2656 wrote to memory of 2764  PAYDAY3_Trainer_[unknowncheats.me]_.exe  procid_target 30
  - PID 2656 wrote to memory of 2764  PAYDAY3_Trainer_[unknowncheats.me]_.exe  procid_target 30
  - PID 2656 wrote to memory of 2764  PAYDAY3_Trainer_[unknowncheats.me]_.exe  procid_target 30
  - PID 2656 wrote to memory of 2764  PAYDAY3_Trainer_[unknowncheats.me]_.exe  procid_target 30
  - PID 2764 wrote to memory of 2704  PAYDAY3_Trainer_[unknowncheats.me]_.exe  procid_target 31
  - PID 2764 wrote to memory of 2704  PAYDAY3_Trainer_[unknowncheats.me]_.exe  procid_target 31
  - PID 2764 wrote to memory of 2704  PAYDAY3_Trainer_[unknowncheats.me]_.exe  procid_target 31
  - PID 2764 wrote to memory of 2704  PAYDAY3_Trainer_[unknowncheats.me]_.exe  procid_target 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\PAYDAY3_Trainer_[unknowncheats.me]_.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\PAYDAY3_Trainer_[unknowncheats.me]_.exe"
   PID: 2656
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1D7F.tmp\PAYDAY3_Trainer_[unknowncheats.me]_.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1D7F.tmp\PAYDAY3_Trainer_[unknowncheats.me]_.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"
      PID: 2764
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1D7F.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1D7F.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1D7F.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"
         PID: 2704
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in System32 directory
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 6.7MB
  MD5: 596b20865af108f27ec9e8107bdf240e
  SHA1: a839323bf74236e707e5ae6b1d7907599d5d38a0
  SHA256: f302cc69ca61b0c1d0f97d18b01ea9eaeb89a9586a35be92e0ac997b1b8ad270
  SHA512: f3ec4c57e6a82b478f60f5df2a8ba002e426316084ac8122f48dba6b2438bf4f32822430dca69a81e8d8a6627d6ac07ed86b07371dd4dff754a2411905941a18
- Filesize: 458KB
  MD5: 64cefcb99b2b731cd8762d33c14ac102
  SHA1: 69548d28c32599b99e8949e68e70074e795a7d8b
  SHA256: 34994d2729e94c0e47f0301377bd82d43ef45faaed1f5f07db2e152978fbedd8
  SHA512: e5b2eb2dfb199b588d790ece5a17bc52380eb37079008c61aefd4674f98f0617b8116e3549eae7dd4537548a5ffc10d67effd1bd1a1e1998d6188eebfdeb226f
- Filesize: 12KB
  MD5: 62e1fa241d417668f7c5da6e4009a5a6
  SHA1: f887409e3c204a87731f317a999dc7e4cc8d3fcd
  SHA256: 82e8ef7df20a86791cef062f2dcacb1d91b4adc9f5dea2fd274886be8365b2f8
  SHA512: 2283cbb9e1d5d53ad1ed9bc9db6034fb3c53c633b11001f373523640bbbba95da9a3a0866c7d5fa0620facab7d18c8577dfd69496fc7319e0a4a74d0b9e10c45
- Filesize: 225KB
  MD5: 971b37cedf686e0ac8ca0297a953aad9
  SHA1: 8ea777fa6c70a619d4e92cc6435c4eba2b16a23e
  SHA256: 1965546a19990b4523a1588eb0d7fdd42bd443e2bcc632dae04343d358394ae7
  SHA512: 2f0f3facf2587b751bb658eaab9ca1536d7326956b0eeca7bd0badc893c0878741f8bb56d8c1e360f2cb4bd9442866bd9faf7bdec7d02105f6c149640cf180d8
- \Users\Admin\AppData\Local\Temp\cetrainers\CET1D7F.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe
  Filesize: 15.9MB
  MD5: edeef697cbf212b5ecfcd9c1d9a8803d
  SHA1: e90585899ae4b4385a6d0bf43c516c122e7883e2
  SHA256: ac9bcc7813c0063bdcd36d8e4e79a59b22f6e95c2d74c65a4249c7d5319ae3f6
  SHA512: 1aaa8fc2f9fafecbe88abf07fbc97dc03a7c68cc1d870513e921bf3caeaa97128583293bf5078a69aecbb93bf1e531605b36bd756984db8d703784627d1877d1
- Filesize: 528KB
  MD5: b7c9f1e7e640f1a034be84af86970d45
  SHA1: f795dc3d781b9578a96c92658b9f95806fc9bdde
  SHA256: 6d0a06b90213f082cb98950890518c0f08b9fc16dbfab34d400267cb6cdadeff
  SHA512: da63992b68f1112c0d6b33e6004f38e85b3c3e251e0d5457cd63804a49c5aa05aa23249e0614dacad4fec28ca6efdb5ddee06da5bfbfa07e21942976201079f3