Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 20:16
Static task: static1
Behavioral task: behavioral1
- Sample: PAYDAY3_Trainer_[unknowncheats.me]_.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: PAYDAY3_Trainer_[unknowncheats.me]_.exe
- Resource: win10v2004-20241007-en
General
- Target: PAYDAY3_Trainer_[unknowncheats.me]_.exe
- Size: 7.0MB
- MD5: 1e15df4e8bd6c1f0b0b09a3796f389c9
- SHA1: f504549f0c3497f2362cdf682e6604574a17afcc
- SHA256: d48fa25aa43ffa59b29b8219de34a5421e620242d22bdcb831ca0c2210ec8e72
- SHA512: 0052eae352d27dc6b93f8fe7b3a224b6386f17e23dcb43b52109fe61e4cfe8279f2be23403eeffd63cd029a24492f24f84728bcd3c07ff23f1482ba456b6885c
- SSDEEP: 98304:j+uiK85v5TFh7KgHallQ8MxjDttS+2gA17bliqxIY/EC4hKDzhVVVVVV3sFWLG6q:j+uiKsvDhO5M5BtQXliqxIEpEWitmm1
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid 2756: PAYDAY3_Trainer_[unknowncheats.me]_.exe
  pid 1352: PAYDAY3_Trainer_[unknowncheats.me]_.exe
- Loads dropped DLL (1 IoC)
  pid 1352: PAYDAY3_Trainer_[unknowncheats.me]_.exe
- Drops file in System32 directory (41 IoCs)
  description for every entry: File opened for modification; process for every entry: PAYDAY3_Trainer_[unknowncheats.me]_.exe
  ioc:
  C:\Windows\SYSTEM32\wininet.dll
  C:\Windows\System32\combase.dll
  C:\Windows\System32\RPCRT4.dll
  C:\Windows\System32\GDI32.dll
  C:\Windows\System32\advapi32.dll
  C:\Windows\System32\sechost.dll
  C:\Windows\System32\ole32.dll
  C:\Windows\System32\imm32.dll
  C:\Windows\system32\explorerframe.dll
  C:\Windows\SYSTEM32\Wldp.dll
  C:\Windows\System32\KERNELBASE.dll
  C:\Windows\System32\win32u.dll
  C:\Windows\SYSTEM32\version.dll
  C:\Windows\SYSTEM32\hhctrl.ocx
  C:\Windows\System32\msvcp_win.dll
  C:\Windows\System32\shcore.dll
  C:\Windows\System32\SHLWAPI.dll
  C:\Windows\System32\ws2_32.dll
  C:\Windows\SYSTEM32\PROPSYS.dll
  C:\Windows\System32\ucrtbase.dll
  C:\Windows\SYSTEM32\wsock32.dll
  C:\Windows\SYSTEM32\uxtheme.dll
  C:\Windows\SYSTEM32\winmm.dll
  C:\Windows\SYSTEM32\kernel.appcore.dll
  C:\Windows\System32\bcryptPrimitives.dll
  C:\Windows\SYSTEM32\windows.storage.dll
  C:\Windows\System32\KERNEL32.DLL
  C:\Windows\System32\gdi32full.dll
  C:\Windows\System32\msvcrt.dll
  C:\Windows\SYSTEM32\GLU32.dll
  C:\Windows\System32\clbcatq.dll
  C:\Windows\System32\shell32.dll
  C:\Windows\System32\comdlg32.dll
  C:\Windows\SYSTEM32\opengl32.dll
  C:\Windows\SYSTEM32\msimg32.dll
  C:\Windows\System32\MSCTF.dll
  C:\Windows\SYSTEM32\Dbghelp.dll
  C:\Windows\SYSTEM32\ntdll.dll
  C:\Windows\System32\oleaut32.dll
  C:\Windows\System32\user32.dll
  C:\Windows\System32\psapi.dll
- Drops file in Windows directory (1 IoC)
  description: File opened for modification; ioc: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll; process: PAYDAY3_Trainer_[unknowncheats.me]_.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: PAYDAY3_Trainer_[unknowncheats.me]_.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: PAYDAY3_Trainer_[unknowncheats.me]_.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1352: PAYDAY3_Trainer_[unknowncheats.me]_.exe
  pid 1352: PAYDAY3_Trainer_[unknowncheats.me]_.exe
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  pid 1352, process PAYDAY3_Trainer_[unknowncheats.me]_.exe, in the order reported:
  Token: SeDebugPrivilege
  Token: SeTcbPrivilege
  Token: SeTcbPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeCreateGlobalPrivilege
  Token: SeLockMemoryPrivilege
  Token: 33
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeManageVolumePrivilege
  Token: SeBackupPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeShutdownPrivilege
  Token: SeRestorePrivilege
  Token: 33
  Token: SeIncBasePriorityPrivilege
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 1352: PAYDAY3_Trainer_[unknowncheats.me]_.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | Process | procid_target
  PID 4976 wrote to memory of 2756 | 4976 | PAYDAY3_Trainer_[unknowncheats.me]_.exe | 83
  PID 4976 wrote to memory of 2756 | 4976 | PAYDAY3_Trainer_[unknowncheats.me]_.exe | 83
  PID 4976 wrote to memory of 2756 | 4976 | PAYDAY3_Trainer_[unknowncheats.me]_.exe | 83
  PID 2756 wrote to memory of 1352 | 2756 | PAYDAY3_Trainer_[unknowncheats.me]_.exe | 84
  PID 2756 wrote to memory of 1352 | 2756 | PAYDAY3_Trainer_[unknowncheats.me]_.exe | 84
Processes
1. C:\Users\Admin\AppData\Local\Temp\PAYDAY3_Trainer_[unknowncheats.me]_.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\PAYDAY3_Trainer_[unknowncheats.me]_.exe"
   PID: 4976
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. (child of PID 4976) C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA131.tmp\PAYDAY3_Trainer_[unknowncheats.me]_.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA131.tmp\PAYDAY3_Trainer_[unknowncheats.me]_.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"
      PID: 2756
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. (child of PID 2756) C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA131.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA131.tmp\extracted\PAYDAY3_Trainer_[unknowncheats.me]_.exe "C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA131.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"
         PID: 1352
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in System32 directory
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads