4355ff63b7d79c659fa159a25f8f1d5d77ae0c2816f1e6e12241ef3e1d3a2443

Analysis

max time kernel
236s
max time network
242s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LovelyCraftPistonTrap_Win64_v.0.1.zip
Size

96.7MB
MD5

9c0382e7ffb95e1368cbb001d7e2f2ea
SHA1

3772667c6e327504b30b5abb2d129d60577ade43
SHA256

4355ff63b7d79c659fa159a25f8f1d5d77ae0c2816f1e6e12241ef3e1d3a2443
SHA512

6adb174c37ba9910d53074ec0136c180e8b86e62a76d35df65188ab2068641d9ab60458d8c8be24d6ba407b339909bae0ab4bb8fba90ba2f30acd1a4c28a0bbc
SSDEEP

3145728:uIS8wrHUXPME/MhBoxnQA8H9JflfJGBwpg1Hx9U+dmQ:w8UUfME/MboxwdJflheHsdQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2028	LovelyCraftPistonTrap.exe
1048	UnityCrashHandler64.exe

Loads dropped DLL 22 IoCs

pid	Process
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
2028	LovelyCraftPistonTrap.exe
2028	LovelyCraftPistonTrap.exe
2028	LovelyCraftPistonTrap.exe
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	LovelyCraftPistonTrap.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\HARDWARE\DESCRIPTION\System\CentralProcessor\0	LovelyCraftPistonTrap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	LovelyCraftPistonTrap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	LovelyCraftPistonTrap.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2072	7zFM.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2072	7zFM.exe
Token: 35	2072	7zFM.exe
Token: SeSecurityPrivilege	2072	7zFM.exe
Token: 33	1028	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1028	AUDIODG.EXE
Token: 33	1028	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1028	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2072	7zFM.exe
2072	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2028	LovelyCraftPistonTrap.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1048	2028	LovelyCraftPistonTrap.exe	35
PID 2028 wrote to memory of 1048	2028	LovelyCraftPistonTrap.exe	35
PID 2028 wrote to memory of 1048	2028	LovelyCraftPistonTrap.exe	35

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\LovelyCraftPistonTrap_Win64_v.0.1.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2072

C:\Users\Admin\Desktop\LovelyCraftPistonTrap Win64 v.0.1-175\LovelyCraftPistonTrap.exe
"C:\Users\Admin\Desktop\LovelyCraftPistonTrap Win64 v.0.1-175\LovelyCraftPistonTrap.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\Desktop\LovelyCraftPistonTrap Win64 v.0.1-175\UnityCrashHandler64.exe
  "C:\Users\Admin\Desktop\LovelyCraftPistonTrap Win64 v.0.1-175\UnityCrashHandler64.exe" --attach 2028 32509952
  2⤵
  - Executes dropped EXE
  PID:1048

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x584
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Hello Crime\Lovely Craft Piston Trap\Unity\affd112e-be83-498e-abfd-5935479af661\Analytics\ArchivedEvents\173307910700002.ffc6bfc9\c

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Desktop\LovelyCraftPistonTrap Win64 v.0.1-175\GameAssembly.dll

Filesize
34.1MB

MD5
ac4e3699718eeef7d816b68f1d38a7cf

SHA1
7adfb85d25af47b5664061aa3a5a75a02309fccc

SHA256
68eb99dd14dc69b5b701af27edfd95219ee214a5b10351cce339adb79e262f54

SHA512
04e1210b3f85346a0b2aa597e83779ee923192262e11389bc3aac9558eee3a30a70dfa61fe1d721755ec7f8e8077fedda5ab9a5ebd536ece2414fdf3cfb15187

Download Submit
C:\Users\Admin\Desktop\LovelyCraftPistonTrap Win64 v.0.1-175\LovelyCraftPistonTrap_Data\Resources\unity default resources

Filesize
1.5MB

MD5
143dc232c9457e1bb787ca819754dd9b

SHA1
86c8eefd06d786c341d8f563c1b56899f09e7d93

SHA256
447caf3737cc58e2cf965f9829ae1c00c2c88505c055df2e8be0d8ede76b4da9

SHA512
de3d8771a43b0a0f584cd6d769dc0fe73c7279e3d0f19fb6975ce5f75430ce7312bc9057f8f2aaf2647dd6b07440f3b97f789e0ee0a6a51f8f8b56f0f764b3bc

Download Submit
C:\Users\Admin\Desktop\LovelyCraftPistonTrap Win64 v.0.1-175\LovelyCraftPistonTrap_Data\RuntimeInitializeOnLoads.json

Filesize
2KB

MD5
859078fed0db39d36215495e653fe4a8

SHA1
bac43c655f9d91caca25598c2fd9aa8e2739a9e1

SHA256
1b06bffb1524d403c515c55337d760f227234d95024edbb12d24eae3ce7831e1

SHA512
115c5bb91f6f6590d97c1d4120c06b5bf8313935ce84321d9796a5bae1bf7c4e973ae325bbd774e43b05cd04452f25637950e86984f66b5d4507c77bc00934f0

Download Submit
C:\Users\Admin\Desktop\LovelyCraftPistonTrap Win64 v.0.1-175\LovelyCraftPistonTrap_Data\ScriptingAssemblies.json

Filesize
4KB

MD5
197b8d2cd994f478f38672be181dddda

SHA1
871699cfb1d1ae56c7a7f07077408921dc44d28b

SHA256
b224ac0452b9aa6145019da297c7a56938e45271858f5190d17aa5dd566e1bea

SHA512
5cd0ec22113aaabfda5bfd34ae8154a368a355f8b1abf3446b67d4e488976a0be48caf572cffc8d5787cc231dddbdd4dfe1ec413d068340efbec489574373c0f

Download Submit
C:\Users\Admin\Desktop\LovelyCraftPistonTrap Win64 v.0.1-175\LovelyCraftPistonTrap_Data\StreamingAssets\aa\StandaloneWindows64\_unitybuiltinshaders_79da802d0512b6bad292d399878c0ece.bundle

Filesize
36KB

MD5
5672cf1ebe78d11159937934f7576fc4

SHA1
6a884273fd11cd2acc14e5592605c3ad9543bd43

SHA256
e9c5a2d9ad9cbc9f37d8bb8bac8df6e14d584f41f27b2ce41d3e40092bb84d98

SHA512
88e2adbd0fd2d9978bfe00f5f25d1fc1ec97605da8d9f08fe9557b3457beb69b2c51a32f5ba911041832452cbe425c6e9159374cac951a5c4e360d204e725cca

Download Submit
C:\Users\Admin\Desktop\LovelyCraftPistonTrap Win64 v.0.1-175\LovelyCraftPistonTrap_Data\StreamingAssets\aa\StandaloneWindows64\fonts_assets_all.bundle

Filesize
1.4MB

MD5
39c8becd86ea19acf8e902f5f2540ef6

SHA1
8500de0056db12380ca0b6b06662788a89ddc856

SHA256
a8695523177f9613e04085df60ac0f3421143a1e1597cf7817ec79a83e095f83

SHA512
b98fae45c31980c6601631ab5d72b3c84d4e4f4f15c40866436e93fb4ad9b904394a296293a3e9278976fdf0e90acbb5ec4f9bd4d28e0356c3dcdd1f3d983f01

Download Submit
C:\Users\Admin\Desktop\LovelyCraftPistonTrap Win64 v.0.1-175\LovelyCraftPistonTrap_Data\StreamingAssets\aa\StandaloneWindows64\frameworkinitial_assets_all.bundle

Filesize
1.7MB

MD5
cc173f6678c9ca4612088a830f53717a

SHA1
39453ea6920d700dc48a4b795db7683f9fe588a0

SHA256
5f361236cb836ca6582481854354ee9854ebf339524043c02c846e52f964e7e1

SHA512
a5382fe788dbc433aa52541191e0b0f4208ba2e70738f4994f276f451ff22bfecf990e477243492de28c05543fd08b618b111dec3d4de7ef36db5477494c0b11

Download Submit
C:\Users\Admin\Desktop\LovelyCraftPistonTrap Win64 v.0.1-175\LovelyCraftPistonTrap_Data\StreamingAssets\aa\StandaloneWindows64\shaders_assets_all.bundle

Filesize
101KB

MD5
75aa4a541f7afa5e5fd77ba5194775a7

SHA1
bffff3369cd21a1a77ae8be72edadeae29ed2f92

SHA256
9dc863bfe0673e6d8b68804a77ac9838c7f51081be5a9e34044984121b278f43

SHA512
37f067d378d31f8eb54eaea08ca1fd8eeb4b5082eaef47ca6063eca3704b50dbee5627423727f86b1164f9dad0d98ff4fcf0f577ffb48a4ecacb6c1cf5d22421

Download Submit
C:\Users\Admin\Desktop\LovelyCraftPistonTrap Win64 v.0.1-175\LovelyCraftPistonTrap_Data\StreamingAssets\aa\StandaloneWindows64\tmp_assets_all.bundle

Filesize
9.1MB

MD5
094f64fd0f1ae170211871882f63eaaf

SHA1
e6adb5393b496d06fad5d2772c275cd6e12fba75

SHA256
37526a6d7789ff0ba59e15c7e1f7bb9debf68c6fcefbcf3f5bb48ce746ecf8a4

SHA512
96ff98a15b87eb796841191ef5c2fd2ebb179ef729d9d89e947e260e67624e71dfdd04821826b6d0778d606f6ff3cb2cc9fcd6f398edfd9f91b9c06e9ee97436

Download Submit
C:\Users\Admin\Desktop\LovelyCraftPistonTrap Win64 v.0.1-175\LovelyCraftPistonTrap_Data\StreamingAssets\aa\catalog.json

Filesize
44KB

MD5
bb966abd049035acb729336a7fd37ee9

SHA1
a0bb7ef6888c21cb0dd8a26ccf825d551c41c76d

SHA256
6630ee248f06b5afe7ad90d18c29f53a0e6024e9b5f19db6b7ceb4c33f7b3c28

SHA512
2f0de2170e838a3d64997d2a1eadbd3d8db435ab31beee82d792bc25f986d60bd994f34c3784f29e9066fcdf9b5e6ce4691228442bd54e2187d90c5ec931d4ac

Download Submit
C:\Users\Admin\Desktop\LovelyCraftPistonTrap Win64 v.0.1-175\LovelyCraftPistonTrap_Data\StreamingAssets\aa\settings.json

Filesize
1KB

MD5
6e141661bb36bc91af2de6f8280e3fbb

SHA1
297b2b69afa3cf2586877cab008c60f310aaa6e4

SHA256
411240c4d87720114902938b3bee347c73b4bdfd36b7ef80bf2e900b06cd936e

SHA512
3e4c832656c9f7cb5a75f100f26b96e624db34d7dbf250211b8065a0a9703284024305df607ea826a7edffadb69c74cd969f6760a0c06b83c746d7105aa72ec2

Download Submit
C:\Users\Admin\Desktop\LovelyCraftPistonTrap Win64 v.0.1-175\LovelyCraftPistonTrap_Data\app.info

Filesize
36B

MD5
fe802d65b9e1e112b51ac3861be70168

SHA1
64319f4f09df71072fb4a5f94e091395e7a2a8b7

SHA256
fe3b52417de8c8b84a81f57d60f15a61674cb1ccbe5ac72a370f0b569095caac

SHA512
cb41f5c9fe63884081850c0ed465b6aa20e68aeee748b600d70d7d2632ca7ab8f9bbe1d0919fb3b5168c5f329a5299b95188cb87dd3f6db53761c5ad1dc9bd45

Download Submit
C:\Users\Admin\Desktop\LovelyCraftPistonTrap Win64 v.0.1-175\LovelyCraftPistonTrap_Data\boot.config

Filesize
144B

MD5
da361083c10a9d6f56fc878a23adce68

SHA1
c8cf2be8495346d0ab552a98027901c1145e9bfd

SHA256
bb057f3014a7f838af1647bf2b7c41b3c964f816c540568bcd7ef62b09d34aa5

SHA512
93e4431226df3d852ba663988ae36f9537035360803edd637161e5ccfd498215f038a462f195c1df96749617818c7ddafaaad619fc1775168f5d8257bfca3a16

Download Submit
C:\Users\Admin\Desktop\LovelyCraftPistonTrap Win64 v.0.1-175\LovelyCraftPistonTrap_Data\data.unity3d

Filesize
359KB

MD5
ad6fd190fb4d2ef8bf905a15659ae66c

SHA1
e62adbbb4b504ed5ff68ab03979723a6d8968caf

SHA256
6f041f77dcd6d0fb514d52819a66ce516f0d68264ffc689ee9c7bf55212ae54d

SHA512
82698472aecbe17da3b73fa5e3114c4364b1333939dd31f857df595a21e78e760e74f13a3d8901fa359022be1adebc896e8d949f20d3e8205e9928fe8d602550

Download Submit
C:\Users\Admin\Desktop\LovelyCraftPistonTrap Win64 v.0.1-175\LovelyCraftPistonTrap_Data\il2cpp_data\Metadata\global-metadata.dat

Filesize
7.4MB

MD5
81276921e8f1b0f2292ed9e88fd3ad16

SHA1
807b980c0d628f3d29e81ad7288f18531ae3e0a7

SHA256
cd379b73609f78170807903969386704cd343ec7ba4aacf11b8c8132c1b360e6

SHA512
21183d615c9d4014ef2e966ebb3487839fb04de0d8f935ead0d86032a36702090b4846de6dc770cf0af6b2181fd862be7bd9a63c4d9259c6b5b1246b9d6e26ad

Download Submit
C:\Users\Admin\Desktop\LovelyCraftPistonTrap Win64 v.0.1-175\LovelyCraftPistonTrap_Data\il2cpp_data\Resources\mscorlib.dll-resources.dat

Filesize
329KB

MD5
21d06dbc8af6432b2b49536ed30609af

SHA1
11a1c0e2ab2f8c06fe4507535ed47e0dd279a60d

SHA256
c5baa176a5b72cd545266340e42102d393a5e43d38c95796bc828918bb95277f

SHA512
2971f54eaa14c3ce6e2352e5a1aea5b044f0894bf4eac92de8cd92515b6473b5ca56ebfcad4369a9d4935cbefea2540a83f332fd4d832c37768310e8776ceb5e

Download Submit
C:\Users\Admin\Desktop\LovelyCraftPistonTrap Win64 v.0.1-175\UnityPlayer.dll

Filesize
29.5MB

MD5
4452b0cad08cdfdfd1793af00731fedd

SHA1
9e6cf9a533cc2cee7033e9e6cf830f57f5f5715c

SHA256
56138336fd3c7e52e99b99b5f74fe4c10df72bed34e57fc7715da50282da45f2

SHA512
a3d322ff484eb2c54aa87088d9dc7911a0aee36c354d0e4e52b5c226bfb63d383d384d2dfeaef563ced65991665f4a44069fc712f6ecbde359f4650b266d5291

Download Submit
\Users\Admin\Desktop\LovelyCraftPistonTrap Win64 v.0.1-175\LovelyCraftPistonTrap.exe

Filesize
651KB

MD5
904e8e2171d7ad133dff57a9ff4ab264

SHA1
90d9b7dd2fe73e5bc88fecd4c4b7059dacc3efd1

SHA256
871d6b599a13b1ddc45ae0ed7bad20e024200ad01701b53aa208263ffb76d925

SHA512
cd4ead406b4f0dc0c04b214e0b6d5a709e471c0fe2747eb42b9ce159bd8fd57bbb4f8fcde1d50516504dc898c6b7b8c86540ec3f4f552bc0a0f2ebaef8a2e4eb

Download Submit
\Users\Admin\Desktop\LovelyCraftPistonTrap Win64 v.0.1-175\UnityCrashHandler64.exe

Filesize
1.1MB

MD5
dbb3a4351818395b78ec3e3d7ad4f0f6

SHA1
689e2861b8291006085f7eae32c253756eeb6629

SHA256
568f62a32cc660cb488a6def162c03e7915a5209dd61da3899feccbec5ab4dff

SHA512
f218b06fac6138eea018cf012eea348c4f6d4940e17c52d2014c16f39778e7318600068475c2ee6d2c91636a4fcb878eef22870f5a5e6a608a616ef1d3d3299d

Download Submit
\Users\Admin\Desktop\LovelyCraftPistonTrap Win64 v.0.1-175\baselib.dll

Filesize
408KB

MD5
5e1efe6f9d0f17002ef36d0c4481c096

SHA1
cd71603d2eb942d0ae7454fc17fa44737f144cd0

SHA256
3288f2771a350745e66f6567718313585c5d37eb26e30ae25ab1a6c07bd924bd

SHA512
a7c24660405b399e5a362b0f93edd89f94f3f1b3346748010f2408b8994dcba019c6c1c089359acc9c5a5fa8c463cd6fd9a6415bfb8967a05611d94963fc79bf

Download Submit
memory/2028-148-0x000007FFFFEC0000-0x000007FFFFED0000-memory.dmp

Filesize
64KB

Download
memory/2028-161-0x000007FFFFEB0000-0x000007FFFFEC0000-memory.dmp

Filesize
64KB

Download