Overview

overview

10

Static

static

10

Train.Simu...ls.dll

windows10-2004-x64

3

Train.Simu...rs.dll

windows10-2004-x64

3

Train.Simu...SL.exe

windows10-2004-x64

3

Train.Simu...u/.ps1

windows10-2004-x64

6

Train.Simu...r2.exe

windows10-2004-x64

3

Scenarios/...e.html

windows10-2004-x64

3

Scenarios/...1.html

windows10-2004-x64

3

Train.Simu...TG.bat

windows10-2004-x64

1

Train.Simu...av.exe

windows10-2004-x64

3

Train.Simu...EO.exe

windows10-2004-x64

3

Train.Simu...TG.exe

windows10-2004-x64

3

Train.Simu...ib.dll

windows10-2004-x64

3

Train.Simu...n.html

windows10-2004-x64

3

Train.Simu...n.html

windows10-2004-x64

3

Train.Simu...n.html

windows10-2004-x64

3

Train.Simu...n.html

windows10-2004-x64

3

Train.Simu...n.html

windows10-2004-x64

3

Train.Simu...n.html

windows10-2004-x64

3

Train.Simu...n.html

windows10-2004-x64

3

Train.Simu...n.html

windows10-2004-x64

3

Train.Simu...n.html

windows10-2004-x64

3

Train.Simu...n.html

windows10-2004-x64

3

Train.Simu...er.exe

windows10-2004-x64

3

Train.Simu...er.exe

windows10-2004-x64

3

Train.Simu...ib.dll

windows10-2004-x64

3

Train.Simu...UP.dll

windows10-2004-x64

4

Train.Simu...UP.exe

windows10-2004-x64

4

Train.Simu...32.dll

windows10-2004-x64

4

Train.Simu...32.dll

windows10-2004-x64

3

Train.Simu...32.dll

windows10-2004-x64

10

Train.Simu...ys.exe

windows10-2004-x64

7

Train.Simu...64.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    145s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/01/2025, 19:17 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Train.Simulator.Classic.v73.9a.Incl.ALL.DLC/Train.Simulator.Classic.v73.9a.Incl.ALL.DLC/Dialogs/Credits/de/main.html

  • Size

    4KB

  • MD5

    697560f2327dfb5274f1c474f300a4e7

  • SHA1

    a4d3b7b84f80a033445fc322684fb1d866dce424

  • SHA256

    44de79c931d2f32159aa09bc58a5d95d5defd8da84c58ad8835a69917ef8b677

  • SHA512

    b90ca2231d7b434df68c491ce31fc7c694512037393966363f1ec764c92895a53b84e339409176a1e9ee2aadbcfa7779fe4caa756dce3fa331026062539480cc

  • SSDEEP

    96:GDLJF/4NxJFqNud3BDtMEmoMitNxLWKnVtsxb7cHjNvNUpBfNUYZwlACK0ps:MFCxLqNGBOEmoTtNxLM9SNSylA7is

Score
3/10
discovery

Malware Config

Signatures

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\Train.Simulator.Classic.v73.9a.Incl.ALL.DLC\Train.Simulator.Classic.v73.9a.Incl.ALL.DLC\Dialogs\Credits\de\main.html
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2572
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x44,0x108,0x7ffb396946f8,0x7ffb39694708,0x7ffb39694718
      2⤵
        PID:2468
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1360,12706202144577675077,10121058220580650063,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
        2⤵
          PID:1472
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1360,12706202144577675077,10121058220580650063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3100
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1360,12706202144577675077,10121058220580650063,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
          2⤵
            PID:1904
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1360,12706202144577675077,10121058220580650063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
            2⤵
              PID:2120
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1360,12706202144577675077,10121058220580650063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
              2⤵
                PID:2912
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1360,12706202144577675077,10121058220580650063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
                2⤵
                  PID:4964
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1360,12706202144577675077,10121058220580650063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:816
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1360,12706202144577675077,10121058220580650063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
                  2⤵
                    PID:1512
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1360,12706202144577675077,10121058220580650063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
                    2⤵
                      PID:2800
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1360,12706202144577675077,10121058220580650063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
                      2⤵
                        PID:548
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1360,12706202144577675077,10121058220580650063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
                        2⤵
                          PID:720
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1360,12706202144577675077,10121058220580650063,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 /prefetch:2
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1236
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:4472
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:3716

                          Network

                          • flag-us
                            DNS
                            8.8.8.8.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            8.8.8.8.in-addr.arpa
                            IN PTR
                            Response
                            8.8.8.8.in-addr.arpa
                            IN PTR
                            dnsgoogle
                          • flag-us
                            DNS
                            97.17.167.52.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            97.17.167.52.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            13.153.16.2.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            13.153.16.2.in-addr.arpa
                            IN PTR
                            Response
                            13.153.16.2.in-addr.arpa
                            IN PTR
                            a2-16-153-13deploystaticakamaitechnologiescom
                          • flag-us
                            DNS
                            73.159.190.20.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            73.159.190.20.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            167.173.78.104.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            167.173.78.104.in-addr.arpa
                            IN PTR
                            Response
                            167.173.78.104.in-addr.arpa
                            IN PTR
                            a104-78-173-167deploystaticakamaitechnologiescom
                          • flag-us
                            DNS
                            28.118.140.52.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            28.118.140.52.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            196.249.167.52.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            196.249.167.52.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            56.163.245.4.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            56.163.245.4.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            171.39.242.20.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            171.39.242.20.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            98.252.19.2.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            98.252.19.2.in-addr.arpa
                            IN PTR
                            Response
                            98.252.19.2.in-addr.arpa
                            IN PTR
                            a2-19-252-98deploystaticakamaitechnologiescom
                          • flag-us
                            DNS
                            172.214.232.199.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            172.214.232.199.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            30.243.111.52.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            30.243.111.52.in-addr.arpa
                            IN PTR
                            Response
                          • flag-us
                            DNS
                            11.153.16.2.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            11.153.16.2.in-addr.arpa
                            IN PTR
                            Response
                            11.153.16.2.in-addr.arpa
                            IN PTR
                            a2-16-153-11deploystaticakamaitechnologiescom
                          No results found
                          • 8.8.8.8:53
                            8.8.8.8.in-addr.arpa
                            dns
                            66 B
                             90 B
                             1
                            1

                            DNS Request

                            8.8.8.8.in-addr.arpa

                          • 8.8.8.8:53
                            97.17.167.52.in-addr.arpa
                            dns
                            71 B
                             145 B
                             1
                            1

                            DNS Request

                            97.17.167.52.in-addr.arpa

                          • 8.8.8.8:53
                            13.153.16.2.in-addr.arpa
                            dns
                            70 B
                             133 B
                             1
                            1

                            DNS Request

                            13.153.16.2.in-addr.arpa

                          • 8.8.8.8:53
                            73.159.190.20.in-addr.arpa
                            dns
                            72 B
                             158 B
                             1
                            1

                            DNS Request

                            73.159.190.20.in-addr.arpa

                          • 8.8.8.8:53
                            167.173.78.104.in-addr.arpa
                            dns
                            73 B
                             139 B
                             1
                            1

                            DNS Request

                            167.173.78.104.in-addr.arpa

                          • 8.8.8.8:53
                            28.118.140.52.in-addr.arpa
                            dns
                            72 B
                             158 B
                             1
                            1

                            DNS Request

                            28.118.140.52.in-addr.arpa

                          • 224.0.0.251:5353
                            450 B
                             7
                          • 8.8.8.8:53
                            196.249.167.52.in-addr.arpa
                            dns
                            73 B
                             147 B
                             1
                            1

                            DNS Request

                            196.249.167.52.in-addr.arpa

                          • 8.8.8.8:53
                            56.163.245.4.in-addr.arpa
                            dns
                            71 B
                             157 B
                             1
                            1

                            DNS Request

                            56.163.245.4.in-addr.arpa

                          • 8.8.8.8:53
                            171.39.242.20.in-addr.arpa
                            dns
                            72 B
                             158 B
                             1
                            1

                            DNS Request

                            171.39.242.20.in-addr.arpa

                          • 8.8.8.8:53
                            98.252.19.2.in-addr.arpa
                            dns
                            70 B
                             133 B
                             1
                            1

                            DNS Request

                            98.252.19.2.in-addr.arpa

                          • 8.8.8.8:53
                            172.214.232.199.in-addr.arpa
                            dns
                            74 B
                             128 B
                             1
                            1

                            DNS Request

                            172.214.232.199.in-addr.arpa

                          • 8.8.8.8:53
                            30.243.111.52.in-addr.arpa
                            dns
                            72 B
                             158 B
                             1
                            1

                            DNS Request

                            30.243.111.52.in-addr.arpa

                          • 8.8.8.8:53
                            11.153.16.2.in-addr.arpa
                            dns
                            70 B
                             133 B
                             1
                            1

                            DNS Request

                            11.153.16.2.in-addr.arpa

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize

                            152B

                            MD5

                            56a4f78e21616a6e19da57228569489b

                            SHA1

                            21bfabbfc294d5f2aa1da825c5590d760483bc76

                            SHA256

                            d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

                            SHA512

                            c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize

                            152B

                            MD5

                            e443ee4336fcf13c698b8ab5f3c173d0

                            SHA1

                            9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

                            SHA256

                            79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

                            SHA512

                            cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                            Filesize

                            5KB

                            MD5

                            d75a27041b6ef9fa013e7658a6af9de9

                            SHA1

                            6c5a63afb30bbf10a7dc5d4ede57d6bbc472b1af

                            SHA256

                            49a597c56e5f335dea60e76b6ca26394eea144d5f30e7fc9bf666a7822616df0

                            SHA512

                            1087fe5251810f6f62489f270d845a17c0a42423998c22fd6976f96d7f0712e3363f4ba9593f58abdb7291966ed69cca4089dd776353074e52a264fbab0b9192

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                            Filesize

                            6KB

                            MD5

                            6f703150e41071c4791297f4c84c3786

                            SHA1

                            5cbf6172641ae23b6c2f02bda109885ef53eebb5

                            SHA256

                            5118f9af69aece2b1f59ccc3432ec9e5d8c9ed2fd9e6ec29b40348207fb387b1

                            SHA512

                            92f659a0c810ccd791cefc790e92bbd49dc6fd60c471497fe1ffdc8b6b3317f2ba2022ad856131472ffb9e1459dabac5d79605f9faff01e873077de8059b6c28

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                            Filesize

                            16B

                            MD5

                            6752a1d65b201c13b62ea44016eb221f

                            SHA1

                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                            SHA256

                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                            SHA512

                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                            Filesize

                            10KB

                            MD5

                            f942f9054f2bd6bdea48c10b60c2aa24

                            SHA1

                            c96958de423af0b189da65c818c1aaecc727f279

                            SHA256

                            f0f3ed5e77f1a980ce21a7c957682c90c7f6ad3a988e01845abb5ff19d1a0e0a

                            SHA512

                            7814cb9fbda13de27f6260aa90e6c221dfabc4eef7c0b2b1ff21a267020a05722a03e50a7d52d637e089ade224df1a8287b33d2531d357f16a89994d25072073

                            Download Submit

                          We care about your privacy.

                          This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.