ea16e78f79e5ee7650844c083fd0fc5809c508d773c67f41d5c42f4d54b63e87

Analysis

max time kernel
9s
max time network
5s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
20-01-2025 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
Size

7.2MB
MD5

37c24b3e14a01af578a396a9718dc789
SHA1

b4ea01a5b581b7e5b210727b2f48dd20d88db129
SHA256

ea16e78f79e5ee7650844c083fd0fc5809c508d773c67f41d5c42f4d54b63e87
SHA512

64cb4322c1885ff576a1f4c7328a91977bab6b1100424375c36d8e702a5957276cf963cc2ff3de110467e6e27f73022db0838114f35b2fe6fc734c783504e726
SSDEEP

196608:TyPtgHu5SaAzOtlctLeQKTVMfyFk5FarEOq9OI+Gi:TyPtgOUzKlcxoFEE4ti

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
968	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
2580	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe

Loads dropped DLL 1 IoCs

pid	Process
2580	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\win32u.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\GDI32.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\sechost.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\version.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\SHLWAPI.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\kernel.appcore.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\oleaut32.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\combase.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\Wldp.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\shell32.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\opengl32.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\ws2_32.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\wsock32.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\winmm.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\wininet.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\hhctrl.ocx	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\Dbghelp.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\KERNELBASE.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\bcrypt.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\shcore.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\psapi.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\clbcatq.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\MSCTF.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\ucrtbase.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\gdi32full.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\ole32.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\PROPSYS.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\ntdll.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\RPCRT4.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\imm32.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\comdlg32.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\windows.storage.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\KERNEL32.DLL	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\user32.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\uxtheme.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\GLU32.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SYSTEM32\msimg32.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\advapi32.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\msvcrt.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\system32\explorerframe.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\msvcp_win.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\System32\bcryptPrimitives.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.4355_none_60b8b9eb71f62e16\comctl32.dll	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2580	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
2580	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
2580	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
2580	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
Token: SeTcbPrivilege	2580	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
Token: SeTcbPrivilege	2580	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
Token: SeLoadDriverPrivilege	2580	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
Token: SeCreateGlobalPrivilege	2580	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
Token: SeLockMemoryPrivilege	2580	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
Token: 33	2580	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
Token: SeSecurityPrivilege	2580	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
Token: SeTakeOwnershipPrivilege	2580	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
Token: SeManageVolumePrivilege	2580	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
Token: SeBackupPrivilege	2580	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
Token: SeCreatePagefilePrivilege	2580	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
Token: SeShutdownPrivilege	2580	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
Token: SeRestorePrivilege	2580	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
Token: 33	2580	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
Token: SeIncBasePriorityPrivilege	2580	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2580	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 968	4552	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe	82
PID 4552 wrote to memory of 968	4552	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe	82
PID 4552 wrote to memory of 968	4552	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe	82
PID 968 wrote to memory of 2580	968	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe	83
PID 968 wrote to memory of 2580	968	PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe	83

C:\Users\Admin\AppData\Local\Temp\PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
"C:\Users\Admin\AppData\Local\Temp\PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA9BD.tmp\PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
  "C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA9BD.tmp\PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA9BD.tmp\extracted\PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe
    "C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA9BD.tmp\extracted\PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe" "C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA9BD.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA9BD.tmp\CET_Archive.dat

Filesize
6.9MB

MD5
11225287b5ad071712663aef3707e511

SHA1
69d5141dce4f859171f1076263b2b25c1ed3da14

SHA256
da5019d1f31412e86db24642322f6433e8ee7d0fbe6442f41d8e7580ceb44daa

SHA512
4a54ba50bd74f96e5ef83719f9832270d5e01e2cdb3a12226e2082d77f449515888b7dde7d01c0efbe60d3db0f46a1cda801950b5c5291b6cf4ea2ef743f030f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA9BD.tmp\PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe

Filesize
225KB

MD5
971b37cedf686e0ac8ca0297a953aad9

SHA1
8ea777fa6c70a619d4e92cc6435c4eba2b16a23e

SHA256
1965546a19990b4523a1588eb0d7fdd42bd443e2bcc632dae04343d358394ae7

SHA512
2f0f3facf2587b751bb658eaab9ca1536d7326956b0eeca7bd0badc893c0878741f8bb56d8c1e360f2cb4bd9442866bd9faf7bdec7d02105f6c149640cf180d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA9BD.tmp\extracted\CET_TRAINER.CETRAINER

Filesize
156KB

MD5
a8b35516d6cfded455cd370c67926cd1

SHA1
91096bdd199acc392ba19dd24bbd540ac4963914

SHA256
a77572be20a4f2f6372ef3a3a85c554d7b5bb8dc8badb4b44b61ebf22ce8e8a4

SHA512
e44a1ea3c6203b4c86c08b7dc25980e61bf30fb4e7f73c87531fc2d000d987f14c0837191aba3ba859aea9611f8c856e38ffbed0dce9049b8dd1330bbcbfd293

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA9BD.tmp\extracted\PhasmoMenu v0.5.4.8 By PappyG_[unknowncheats.me]_.exe

Filesize
15.9MB

MD5
edeef697cbf212b5ecfcd9c1d9a8803d

SHA1
e90585899ae4b4385a6d0bf43c516c122e7883e2

SHA256
ac9bcc7813c0063bdcd36d8e4e79a59b22f6e95c2d74c65a4249c7d5319ae3f6

SHA512
1aaa8fc2f9fafecbe88abf07fbc97dc03a7c68cc1d870513e921bf3caeaa97128583293bf5078a69aecbb93bf1e531605b36bd756984db8d703784627d1877d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA9BD.tmp\extracted\autorun\luasymbols.lua

Filesize
629B

MD5
df4d243ab0407a1f03ccf448232fcf62

SHA1
62453cfa7abf6fa83158be1ba86c854d9a6b7d4b

SHA256
c5a35380af8bebe96b85377f5f41f8c068cb857c74b9cb85b7467b35c1de10c4

SHA512
4b05b65909673e92f59ab64c1ff4e0b829f5c9085eafa1fff28cb0ccd7e6a7f6ef031633f443e0ba156a4b8f5009f526d0356f39ef77b22706f98f100b1909c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA9BD.tmp\extracted\autorun\monoscript.lua

Filesize
132KB

MD5
76168ca68f3ed8ade110b140244efbaf

SHA1
2af08403d17a64b10429c8fce68aa085a6b287b7

SHA256
5832b5ab00e84690ac1e780e8b1c4abd9649465234c9ffa2cecb410be66a6b8a

SHA512
80ad21d631934d2b8e368a5b2d3cb5f1889d4a65099c2d8cd8ba37eb721c1ebdc2c6549fc530514bf9f96976ffcbfd372150f1f16a6591da013fe4f1d1bb070b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA9BD.tmp\extracted\defines.lua

Filesize
12KB

MD5
62e1fa241d417668f7c5da6e4009a5a6

SHA1
f887409e3c204a87731f317a999dc7e4cc8d3fcd

SHA256
82e8ef7df20a86791cef062f2dcacb1d91b4adc9f5dea2fd274886be8365b2f8

SHA512
2283cbb9e1d5d53ad1ed9bc9db6034fb3c53c633b11001f373523640bbbba95da9a3a0866c7d5fa0620facab7d18c8577dfd69496fc7319e0a4a74d0b9e10c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETA9BD.tmp\extracted\lua53-64.dll

Filesize
528KB

MD5
b7c9f1e7e640f1a034be84af86970d45

SHA1
f795dc3d781b9578a96c92658b9f95806fc9bdde

SHA256
6d0a06b90213f082cb98950890518c0f08b9fc16dbfab34d400267cb6cdadeff

SHA512
da63992b68f1112c0d6b33e6004f38e85b3c3e251e0d5457cd63804a49c5aa05aa23249e0614dacad4fec28ca6efdb5ddee06da5bfbfa07e21942976201079f3

Download Submit