| File name: | LoL Hack & Cheat Map Hacks.zip |
| Full analysis: | https://app.any.run/tasks/a914dc2b-1af1-421e-8b29-a56e34adc128 |
| Verdict: | Malicious activity |
| Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
| Analysis date: | May 30, 2020, 16:43:37 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v1.0 to extract |
| MD5: | 905EE80F7DECE73CE41303AE28FA57C2 |
| SHA1: | 623135CBB9B84310FF71F858A23544BA410BAAF3 |
| SHA256: | F784624F9315DB399E168F5D30D26321381426CD794321AE513179C5E1A9B3E2 |
| SSDEEP: | 49152:C+SQRwTd5xSljq8ZcabNAo63/CVGC8dscUPu:C+SOEd3Sxq8Z5b83/gGrQu |
MALICIOUS
Application was dropped or rewritten from another process
- LoL Hack & Cheat Map Hacks.exe (PID: 3900)
REDLINE was detected
- AddInProcess.exe (PID: 788)
Changes settings of System certificates
- LoL Hack & Cheat Map Hacks.exe (PID: 3900)
SUSPICIOUS
Executable content was dropped or overwritten
- WinRAR.exe (PID: 764)
Executed via COM
- DllHost.exe (PID: 1964)
Connects to server without host name
- AddInProcess.exe (PID: 788)
Adds / modifies Windows certificates
- LoL Hack & Cheat Map Hacks.exe (PID: 3900)
INFO
Manual execution by user
- LoL Hack & Cheat Map Hacks.exe (PID: 3900)
- NOTEPAD.EXE (PID: 884)
Reads settings of System Certificates
- LoL Hack & Cheat Map Hacks.exe (PID: 3900)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 10 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2020:05:28 21:46:21 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | - |
| ZipUncompressedSize: | - |
| ZipFileName: | LoL Hack & Cheat Map Hacks/ |
Total processes
40
Monitored processes
5
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 764 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\LoL Hack & Cheat Map Hacks.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 Modules
| |||||||||||||||
| 788 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe | LoL Hack & Cheat Map Hacks.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: AddInProcess.exe Exit code: 0 Version: 4.7.3062.0 built by: NET472REL1 Modules
| |||||||||||||||
| 884 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\LoL Hack & Cheat Map Hacks\READMY.txt | C:\Windows\system32\NOTEPAD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1964 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3900 | "C:\Users\admin\Desktop\LoL Hack & Cheat Map Hacks\LoL Hack & Cheat Map Hacks.exe" | C:\Users\admin\Desktop\LoL Hack & Cheat Map Hacks\LoL Hack & Cheat Map Hacks.exe | explorer.exe | ||||||||||||
User: admin Company: The ICU Project Integrity Level: MEDIUM Description: ICU Data DLL Exit code: 0 Version: 53, 1, 0, 0 Modules
| |||||||||||||||
Total events
4 124
Read events
543
Write events
2 396
Delete events
1 185
Modification events
| (PID) Process: | (764) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (764) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (764) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (764) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E |
| Operation: | write | Name: | @C:\Windows\system32\NetworkExplorer.dll,-1 |
Value: Network | |||
| (PID) Process: | (764) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\LoL Hack & Cheat Map Hacks.zip | |||
| (PID) Process: | (764) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (764) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (764) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (764) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (3900) LoL Hack & Cheat Map Hacks.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\LoL Hack & Cheat Map Hacks_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
Executable files
1
Suspicious files
1
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 764 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa764.37126\LoL Hack & Cheat Map Hacks\1.png | image | |
MD5:— | SHA256:— | |||
| 764 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa764.37126\LoL Hack & Cheat Map Hacks\READMY.txt | text | |
MD5:— | SHA256:— | |||
| 764 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa764.37126\LoL Hack & Cheat Map Hacks\HackLoader.dll | binary | |
MD5:— | SHA256:— | |||
| 764 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa764.37126\LoL Hack & Cheat Map Hacks\LoL Hack & Cheat Map Hacks.exe | executable | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
2
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
788 | AddInProcess.exe | POST | — | 81.177.136.230:80 | http://81.177.136.230/IRemotePanel | RU | — | — | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3900 | LoL Hack & Cheat Map Hacks.exe | 81.177.141.121:443 | wryx7t.uenothingrealy.ru | JSC RTComm.RU | RU | unknown |
788 | AddInProcess.exe | 81.177.136.230:80 | — | JSC RTComm.RU | RU | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
wryx7t.uenothingrealy.ru |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
788 | AddInProcess.exe | A Network Trojan was detected | SPYWARE [PTsecurity] RedLine |