Overview

overview

8

Static

static

8

Fall Guys Cheat.exe

windows7_x64

8

Fall Guys Cheat.exe

windows10_x64

8

Resubmissions

25-06-2021 19:31

210625-le3m9gbz26 8

17-01-2021 18:24

210117-hr1s5cx89j 8

30-12-2020 13:20

201230-r65f11zada 8

Analysis

  • max time kernel
    151s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    17-01-2021 18:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fall Guys Cheat.exe

  • Size

    4.8MB

  • MD5

    fde53eb92140afb22152cfa283ef26cc

  • SHA1

    b975f240e69307f809e54fabf6ea547183edf130

  • SHA256

    56c6b80e9f525e9010b47112f8085751e8e3fb744e111df3330b481df6a7e954

  • SHA512

    df5eaa0e429e618d7c94eab0dd6021d774abe50ad2d200d3608d1d1c50b70e65eccff564baa2fd2b86a5dad999ff7edb04152ac5cbff209fae7d93c329dff771

Score
8/10
aspackv2ransomware

Malware Config

Signatures

  • ASPack v2.12-2.42 4 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 101 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 108 IoCs
  • Suspicious use of SendNotifyMessage 108 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fall Guys Cheat.exe
    "C:\Users\Admin\AppData\Local\Temp\Fall Guys Cheat.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\6D44.tmp\covid.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:856
      • C:\Users\Admin\AppData\Local\Temp\6D44.tmp\CLWCP.exe
        clwcp c:\covid20\bg.bmp
        3⤵
        • Executes dropped EXE
        • Sets desktop wallpaper using registry
        PID:1984
      • C:\Users\Admin\AppData\Local\Temp\6D44.tmp\flasher.exe
        flasher 5 c:\covid20\covid.bmp
        3⤵
        • Executes dropped EXE
        PID:524
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6D44.tmp\corona.vbs"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        PID:1780
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\6D44.tmp\CLWCP.exe
    MD5

    e62ee6f1efc85cb36d62ab779db6e4ec

    SHA1

    da07ec94cf2cb2b430e15bd0c5084996a47ee649

    SHA256

    13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

    SHA512

    8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\6D44.tmp\CLWCP.exe
    MD5

    e62ee6f1efc85cb36d62ab779db6e4ec

    SHA1

    da07ec94cf2cb2b430e15bd0c5084996a47ee649

    SHA256

    13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

    SHA512

    8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\6D44.tmp\bg.bmp
    MD5

    cb065726febf9c1a581f3008e678f524

    SHA1

    f9a0058a57213cf7ce72eddf0616a938c8f4f4b1

    SHA256

    d8f864128f2a79e2ff8179255ebfd06619325fec86103722b6418c3cbb41823f

    SHA512

    b54a81cff5951b34478e777bc27cc4fd4a292b548f38162602c01e2594848e40fcfea5becfd789153c9a4fa75c354834a3a37cf3032c9857e9246bf850d24880

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\6D44.tmp\corona.vbs
    MD5

    e61624dced063c4ba5352bf487f12410

    SHA1

    40bd08928900cd97f444ffaa78d93dcaf913b274

    SHA256

    82ac48c4f7edbab182aa0a8c320d5616ccdd2f0e83dc733b91e45521f85462a3

    SHA512

    2a27db12d2af35e7b51a307eb8860800075867922d3d63a69da608c96bec045f3c64ac757674d2a40d7f4d9e55179fc2bddc17691919e18e109a5d4669c607ac

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\6D44.tmp\covid.bat
    MD5

    b08e02e536917f897acb2d21f42f0a97

    SHA1

    a078f1addfd3eeb0f0cb5fd206ff78e9dc0f3e45

    SHA256

    2c68caeada2c251c5fc12694b7288a5790114ced4142867179e75d313efaa50c

    SHA512

    1d1901c3c676bb6d99a39d1a0bab1a6ee378090390bb5e7fe66cf754b8dd772ac0b79ba1215fa758445db1deac200afcc5e1e1e32b2562df946c82b530ca95ab

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\6D44.tmp\covid.bmp
    MD5

    738bbd119d8877f8342e1ff00fe60dff

    SHA1

    fc11d85e3c5b46bd877e06985fec1a601ce396ed

    SHA256

    548c9e22a04650efec06a0414d205d24600e08e0fac1beed7e8b4c03730962bb

    SHA512

    f7a12c9a1403c9a1953387c5871d6e7865ba80c405f37c51f5c3e093bab9235b8a8ba62ad8b27f2079407e9672d47ac365c9cb08033ef349bd8c9906a30fefad

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\6D44.tmp\flasher.exe
    MD5

    9254ca1da9ff8ad492ca5fa06ca181c6

    SHA1

    70fa62e6232eae52467d29cf1c1dacb8a7aeab90

    SHA256

    30676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6

    SHA512

    a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\6D44.tmp\flasher.exe
    MD5

    9254ca1da9ff8ad492ca5fa06ca181c6

    SHA1

    70fa62e6232eae52467d29cf1c1dacb8a7aeab90

    SHA256

    30676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6

    SHA512

    a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a

    Download Submit
  • \??\c:\covid20\bg.bmp
    MD5

    cb065726febf9c1a581f3008e678f524

    SHA1

    f9a0058a57213cf7ce72eddf0616a938c8f4f4b1

    SHA256

    d8f864128f2a79e2ff8179255ebfd06619325fec86103722b6418c3cbb41823f

    SHA512

    b54a81cff5951b34478e777bc27cc4fd4a292b548f38162602c01e2594848e40fcfea5becfd789153c9a4fa75c354834a3a37cf3032c9857e9246bf850d24880

    Download Submit
  • \??\c:\covid20\covid.bmp
    MD5

    738bbd119d8877f8342e1ff00fe60dff

    SHA1

    fc11d85e3c5b46bd877e06985fec1a601ce396ed

    SHA256

    548c9e22a04650efec06a0414d205d24600e08e0fac1beed7e8b4c03730962bb

    SHA512

    f7a12c9a1403c9a1953387c5871d6e7865ba80c405f37c51f5c3e093bab9235b8a8ba62ad8b27f2079407e9672d47ac365c9cb08033ef349bd8c9906a30fefad

    Download Submit
  • \Users\Admin\AppData\Local\Temp\6D44.tmp\CLWCP.exe
    MD5

    e62ee6f1efc85cb36d62ab779db6e4ec

    SHA1

    da07ec94cf2cb2b430e15bd0c5084996a47ee649

    SHA256

    13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

    SHA512

    8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

    Download Submit
  • \Users\Admin\AppData\Local\Temp\6D44.tmp\CLWCP.exe
    MD5

    e62ee6f1efc85cb36d62ab779db6e4ec

    SHA1

    da07ec94cf2cb2b430e15bd0c5084996a47ee649

    SHA256

    13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

    SHA512

    8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

    Download Submit
  • \Users\Admin\AppData\Local\Temp\6D44.tmp\flasher.exe
    MD5

    9254ca1da9ff8ad492ca5fa06ca181c6

    SHA1

    70fa62e6232eae52467d29cf1c1dacb8a7aeab90

    SHA256

    30676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6

    SHA512

    a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a

    Download Submit
  • \Users\Admin\AppData\Local\Temp\6D44.tmp\flasher.exe
    MD5

    9254ca1da9ff8ad492ca5fa06ca181c6

    SHA1

    70fa62e6232eae52467d29cf1c1dacb8a7aeab90

    SHA256

    30676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6

    SHA512

    a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a

    Download Submit
  • memory/524-15-0x0000000000000000-mapping.dmp
    Download
  • memory/524-22-0x00000000001B0000-0x00000000001B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/856-3-0x0000000000000000-mapping.dmp
    Download
  • memory/1156-26-0x000007FEFB671000-0x000007FEFB673000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1156-27-0x0000000002AF0000-0x0000000002AF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1780-23-0x0000000000000000-mapping.dmp
    Download
  • memory/1940-2-0x00000000759F1000-0x00000000759F3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1984-10-0x0000000000000000-mapping.dmp
    Download
  • memory/1984-21-0x00000000001B0000-0x00000000001B1000-memory.dmp
    Filesize

    4KB

    Download