74d605f499761efb73eb2e3b38b54383bf3c80511984a9908ff8eee23dc66f78

Analysis

max time kernel
48s
max time network
33s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06/01/2025, 12:09 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Survivalcraft_Multiplayer_x23.06.02b3_2.3_VD.zip
Size

19.4MB
MD5

b560f7ee9caf53a04d656fbc38c6daaa
SHA1

5b759b54a0833b544bfaed4af9203ba48ede2d5a
SHA256

74d605f499761efb73eb2e3b38b54383bf3c80511984a9908ff8eee23dc66f78
SHA512

6cf06b40332051f8b54c9888dff5d62ae74aab897d5caf607f6f7293c6641fdebdaf7a2df865b5b2d53860912d8049f8d9265a0a314a7ed0cdeb7007f985b35c
SSDEEP

393216:JTkoono2UadEifu1fyaw77EqIel7Pab0OuqzQ/LfmmXbdua1YoDR6:Ono2pffmfg7n7xaluqzSLfmqs+zDw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 14 IoCs

pid	Process
4784	Survivalcraft.exe
1472	Survivalcraft.exe
1860	Survivalcraft.exe
1664	Survivalcraft.exe
1616	Survivalcraft.exe
1104	Survivalcraft.exe
3448	Survivalcraft.exe
3316	Survivalcraft.exe
5048	Survivalcraft.exe
2460	Survivalcraft.exe
4812	Survivalcraft.exe
2916	Survivalcraft.exe
4140	Survivalcraft.exe
3152	Survivalcraft.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2652	7zFM.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeRestorePrivilege	2652	7zFM.exe
Token: 35	2652	7zFM.exe
Token: SeSecurityPrivilege	2652	7zFM.exe
Token: SeSecurityPrivilege	2652	7zFM.exe
Token: SeSecurityPrivilege	2652	7zFM.exe
Token: SeSecurityPrivilege	2652	7zFM.exe
Token: SeSecurityPrivilege	2652	7zFM.exe
Token: SeSecurityPrivilege	2652	7zFM.exe
Token: SeSecurityPrivilege	2652	7zFM.exe
Token: SeSecurityPrivilege	2652	7zFM.exe
Token: SeSecurityPrivilege	2652	7zFM.exe
Token: SeSecurityPrivilege	2652	7zFM.exe
Token: SeSecurityPrivilege	2652	7zFM.exe
Token: SeSecurityPrivilege	2652	7zFM.exe
Token: SeSecurityPrivilege	2652	7zFM.exe
Token: SeSecurityPrivilege	2652	7zFM.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe
2652	7zFM.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 4784	2652	7zFM.exe	90
PID 2652 wrote to memory of 4784	2652	7zFM.exe	90
PID 2652 wrote to memory of 1472	2652	7zFM.exe	93
PID 2652 wrote to memory of 1472	2652	7zFM.exe	93
PID 2652 wrote to memory of 1860	2652	7zFM.exe	98
PID 2652 wrote to memory of 1860	2652	7zFM.exe	98
PID 2652 wrote to memory of 1664	2652	7zFM.exe	101
PID 2652 wrote to memory of 1664	2652	7zFM.exe	101
PID 2652 wrote to memory of 1616	2652	7zFM.exe	104
PID 2652 wrote to memory of 1616	2652	7zFM.exe	104
PID 2652 wrote to memory of 1104	2652	7zFM.exe	106
PID 2652 wrote to memory of 1104	2652	7zFM.exe	106
PID 2652 wrote to memory of 3448	2652	7zFM.exe	108
PID 2652 wrote to memory of 3448	2652	7zFM.exe	108
PID 2652 wrote to memory of 3316	2652	7zFM.exe	110
PID 2652 wrote to memory of 3316	2652	7zFM.exe	110
PID 2652 wrote to memory of 5048	2652	7zFM.exe	113
PID 2652 wrote to memory of 5048	2652	7zFM.exe	113
PID 2652 wrote to memory of 2460	2652	7zFM.exe	115
PID 2652 wrote to memory of 2460	2652	7zFM.exe	115
PID 2652 wrote to memory of 4812	2652	7zFM.exe	121
PID 2652 wrote to memory of 4812	2652	7zFM.exe	121
PID 2652 wrote to memory of 2916	2652	7zFM.exe	124
PID 2652 wrote to memory of 2916	2652	7zFM.exe	124
PID 2652 wrote to memory of 4140	2652	7zFM.exe	127
PID 2652 wrote to memory of 4140	2652	7zFM.exe	127
PID 2652 wrote to memory of 3152	2652	7zFM.exe	130
PID 2652 wrote to memory of 3152	2652	7zFM.exe	130

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Survivalcraft_Multiplayer_x23.06.02b3_2.3_VD.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Local\Temp\7zOC5ADB8D7\Survivalcraft.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC5ADB8D7\Survivalcraft.exe"
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Users\Admin\AppData\Local\Temp\7zOC5A35FD7\Survivalcraft.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC5A35FD7\Survivalcraft.exe"
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Users\Admin\AppData\Local\Temp\7zOC5AF01E7\Survivalcraft.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC5AF01E7\Survivalcraft.exe"
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Users\Admin\AppData\Local\Temp\7zOC5A2E208\Survivalcraft.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC5A2E208\Survivalcraft.exe"
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Users\Admin\AppData\Local\Temp\7zOC5ACB908\Survivalcraft.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC5ACB908\Survivalcraft.exe"
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Users\Admin\AppData\Local\Temp\7zOC5A87908\Survivalcraft.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC5A87908\Survivalcraft.exe"
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Users\Admin\AppData\Local\Temp\7zOC5A40808\Survivalcraft.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC5A40808\Survivalcraft.exe"
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Users\Admin\AppData\Local\Temp\7zOC5AEEF08\Survivalcraft.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC5AEEF08\Survivalcraft.exe"
  2⤵
  - Executes dropped EXE
  PID:3316
- C:\Users\Admin\AppData\Local\Temp\7zOC5AB6F08\Survivalcraft.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC5AB6F08\Survivalcraft.exe"
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Users\Admin\AppData\Local\Temp\7zOC5A70E08\Survivalcraft.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC5A70E08\Survivalcraft.exe"
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Users\Admin\AppData\Local\Temp\7zOC5A1A218\Survivalcraft.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC5A1A218\Survivalcraft.exe"
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Users\Admin\AppData\Local\Temp\7zOC5A5EB18\Survivalcraft.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC5A5EB18\Survivalcraft.exe"
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Users\Admin\AppData\Local\Temp\7zOC5A36E18\Survivalcraft.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC5A36E18\Survivalcraft.exe"
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Users\Admin\AppData\Local\Temp\7zOC5AACC18\Survivalcraft.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC5AACC18\Survivalcraft.exe"
  2⤵
  - Executes dropped EXE
  PID:3152

Network

DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

73.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.159.190.20.in-addr.arpa

IN PTR

Response
DNS

60.153.16.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

60.153.16.2.in-addr.arpa

IN PTR

Response

60.153.16.2.in-addr.arpa

IN PTR

a2-16-153-60deploystaticakamaitechnologiescom
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

56.163.245.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.163.245.4.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

73.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

73.159.190.20.in-addr.arpa
8.8.8.8:53

60.153.16.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

60.153.16.2.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

56.163.245.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

56.163.245.4.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zOC5ADB8D7\Survivalcraft.exe

Filesize
2.1MB

MD5
6d08234db22fc3c62b23e08f28a71ffd

SHA1
d2eb49802a4247739763e106413e06b3e8c8a43e

SHA256
857a6fc48daa936120537557458f6417b433dd18f11d4e749943c45732b86cbc

SHA512
9ce6cb8145191000797b2894ab1f1a7a1a595e45c32dbfc0e5e1a803cfb194aadf661cc9b5dd116f47f82a8d18d20a6be8764e9c2a275b4b4290d8446bd13ff3

Download Submit
memory/4784-15-0x00007FFC3F163000-0x00007FFC3F165000-memory.dmp

Filesize
8KB

Download
memory/4784-16-0x000001E91BB50000-0x000001E91BD70000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.