Overview (score per task; sample names truncated as on the page)

Task        Sample                  Platform            Score
Overview    -                       -                   3
Static      -                       -                   3
Behavioral  tma-latest...ex.zip     windows7-x64        1
Behavioral  tma-latest...ex.zip     windows10-2004-x64  1
Behavioral  .doorstop_version       windows7-x64        3
Behavioral  .doorstop_version       windows10-2004-x64  3
Behavioral  BepInEx/ca...er.dat     windows7-x64        3
Behavioral  BepInEx/ca...er.dat     windows10-2004-x64  3
Behavioral  BepInEx/ca...he.dat     windows7-x64        3
Behavioral  BepInEx/ca...he.dat     windows10-2004-x64  3
Behavioral  BepInEx/co...Ex.cfg     windows7-x64        3
Behavioral  BepInEx/co...Ex.cfg     windows10-2004-x64  3
Behavioral  BepInEx/co...ny.dll     windows7-x64        1
Behavioral  BepInEx/co...ny.dll     windows10-2004-x64  1
Behavioral  BepInEx/co...ony.js     windows7-x64        3
Behavioral  BepInEx/co...ony.js     windows10-2004-x64  3
Behavioral  BepInEx/co...20.dll     windows7-x64        1
Behavioral  BepInEx/co...20.dll     windows10-2004-x64  1
Behavioral  BepInEx/co...ny.dll     windows7-x64        1
Behavioral  BepInEx/co...ny.dll     windows10-2004-x64  1
Behavioral  BepInEx/co...ny.xml     windows7-x64        3
Behavioral  BepInEx/co...ny.xml     windows10-2004-x64  1
Behavioral  BepInEx/co...er.dll     windows7-x64        1
Behavioral  BepInEx/co...er.dll     windows10-2004-x64  1
Behavioral  BepInEx/co...er.xml     windows7-x64        3
Behavioral  BepInEx/co...er.xml     windows10-2004-x64  1
Behavioral  BepInEx/co...Ex.dll     windows7-x64        1
Behavioral  BepInEx/co...Ex.dll     windows10-2004-x64  1
Behavioral  BepInEx/co...Ex.xml     windows7-x64        3
Behavioral  BepInEx/co...Ex.xml     windows10-2004-x64  1
Behavioral  BepInEx/co...op.dll     windows7-x64        1
Behavioral  BepInEx/co...op.dll     windows10-2004-x64  1
Behavioral  BepInEx/co...db.dll     windows7-x64        1
Behavioral  BepInEx/co...db.dll     windows10-2004-x64  1

Analysis
- max time kernel: 47s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 27/01/2025, 20:51
Tasks

Task            Sample                                      Resource
static1         -                                           -
behavioral1     tma-latest-bepinex.zip                      win7-20240708-en
behavioral2     tma-latest-bepinex.zip                      win10v2004-20241007-en
behavioral3     .doorstop_version                           win7-20240903-en
behavioral4     .doorstop_version                           win10v2004-20241007-en
behavioral5     BepInEx/cache/chainloader_typeloader.dat    win7-20240903-en
behavioral6     BepInEx/cache/chainloader_typeloader.dat    win10v2004-20241007-en
behavioral7     BepInEx/cache/harmony_interop_cache.dat     win7-20240708-en
behavioral8     BepInEx/cache/harmony_interop_cache.dat     win10v2004-20241007-en
behavioral9     BepInEx/config/BepInEx.cfg                  win7-20240729-en
behavioral10    BepInEx/config/BepInEx.cfg                  win10v2004-20241007-en
behavioral11    BepInEx/core/0Harmony.dll                   win7-20240903-en
behavioral12    BepInEx/core/0Harmony.dll                   win10v2004-20241007-en
behavioral13    BepInEx/core/0Harmony.js                    win7-20240903-en
behavioral14    BepInEx/core/0Harmony.js                    win10v2004-20241007-en
behavioral15    BepInEx/core/0Harmony20.dll                 win7-20240903-en
behavioral16    BepInEx/core/0Harmony20.dll                 win10v2004-20241007-en
behavioral17    BepInEx/core/BepInEx.Harmony.dll            win7-20241010-en
behavioral18    BepInEx/core/BepInEx.Harmony.dll            win10v2004-20241007-en
behavioral19    BepInEx/core/BepInEx.Harmony.xml            win7-20240903-en
behavioral20    BepInEx/core/BepInEx.Harmony.xml            win10v2004-20241007-en
behavioral21    BepInEx/core/BepInEx.Preloader.dll          win7-20240729-en
behavioral22    BepInEx/core/BepInEx.Preloader.dll          win10v2004-20241007-en
behavioral23    BepInEx/core/BepInEx.Preloader.xml          win7-20240903-en
behavioral24    BepInEx/core/BepInEx.Preloader.xml          win10v2004-20241007-en
behavioral25    BepInEx/core/BepInEx.dll                    win7-20240903-en
behavioral26    BepInEx/core/BepInEx.dll                    win10v2004-20241007-en
behavioral27    BepInEx/core/BepInEx.xml                    win7-20240903-en
behavioral28    BepInEx/core/BepInEx.xml                    win10v2004-20241007-en
behavioral29    BepInEx/core/HarmonyXInterop.dll            win7-20240903-en
behavioral30    BepInEx/core/HarmonyXInterop.dll            win10v2004-20241007-en
behavioral31    BepInEx/core/Mono.Cecil.Mdb.dll             win7-20241023-en
behavioral32    BepInEx/core/Mono.Cecil.Mdb.dll             win10v2004-20241007-en
General
- Target: BepInEx/cache/chainloader_typeloader.dat
- Size: 181B
- MD5: e426fe83c42d7f37a51a7c4cfd55fe9b
- SHA1: df4255b2f5782cbb9b19d8ee14f7dc92a3ab4910
- SHA256: d4246a2732122c8f574b668056cfaa2a4806bcfe5fa161c141ee1a9bffd588ff
- SHA512: c4bc69349c9c7991d77245d12fcd5ca110bc698adf08020b695f27eb191dd4cf4d415692eba06d53929e9ceb3fe7350d6389e5ba1ebc83827e999d811a35b6e9
Malware Config
(none)

Signatures

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  description    ioc                                                          Process
  Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AcroRd32.exe

- Modifies registry class (1 IoCs)

  description    ioc                                                                                  Process
  Key created    \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings  rundll32.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)

  pid     Process
  2888    AcroRd32.exe
  2888    AcroRd32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)

  description                         pid     Process        procid_target
  PID 2520 wrote to memory of 2824    2520    cmd.exe        31
  PID 2520 wrote to memory of 2824    2520    cmd.exe        31
  PID 2520 wrote to memory of 2824    2520    cmd.exe        31
  PID 2824 wrote to memory of 2888    2824    rundll32.exe   32
  PID 2824 wrote to memory of 2888    2824    rundll32.exe   32
  PID 2824 wrote to memory of 2888    2824    rundll32.exe   32
  PID 2824 wrote to memory of 2888    2824    rundll32.exe   32
Processes

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\chainloader_typeloader.dat
   PID: 2520
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\chainloader_typeloader.dat
      PID: 2824
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\BepInEx\cache\chainloader_typeloader.dat"
         PID: 2888
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 3KB
  MD5: 0969e7ca09b1d56b2790231d51a7347c
  SHA1: 52c718e6dc70711805bc00a0fe5dc5f74fd512f4
  SHA256: 0a9c065b7e63306bfcf5e2f68c4843b2de5367fc77fcec8d6906f37db01bb361
  SHA512: 05d824775c2995f8950163ddf8d39bb868b9c5b633e6efaa5e0410b150f2d0b2ae249163b19b42bbc07b6eeddfb0b3e02262dda0c7a6ebca936634b0c3234a13