Resubmissions
Date              Task ID             Score
25-06-2021 19:31  210625-le3m9gbz26   8
17-01-2021 18:24  210117-hr1s5cx89j   8
30-12-2020 13:20  201230-r65f11zada   8

Analysis
max time kernel: 598s
max time network: 371s
platform: windows10_x64
resource: win10v20210408
submitted: 25-06-2021 19:31
Static task: static1
Behavioral task: behavioral1 (Sample: Fall Guys Cheat.exe, Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: Fall Guys Cheat.exe, Resource: win10v20210408)
General
Target: Fall Guys Cheat.exe
Size: 4.8MB
MD5: fde53eb92140afb22152cfa283ef26cc
SHA1: b975f240e69307f809e54fabf6ea547183edf130
SHA256: 56c6b80e9f525e9010b47112f8085751e8e3fb744e111df3330b481df6a7e954
SHA512: df5eaa0e429e618d7c94eab0dd6021d774abe50ad2d200d3608d1d1c50b70e65eccff564baa2fd2b86a5dad999ff7edb04152ac5cbff209fae7d93c329dff771
Malware Config
Signatures
- yara_rule aspack_v212_v242 matched resource C:\Users\Admin\AppData\Local\Temp\9AFD.tmp\flasher.exe (listed twice)
- Executes dropped EXE (2 IoCs)
  PID 2104 CLWCP.exe
  PID 200 flasher.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  CLWCP.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "c:\\covid20\\bg.bmp"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  cmd.exe: Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1376 WScript.exe
- Suspicious use of WriteProcessMemory (12 IoCs; each of the four writes below is recorded three times)
  PID 656 (Fall Guys Cheat.exe) wrote to memory of PID 2384 (cmd.exe)
  PID 2384 (cmd.exe) wrote to memory of PID 2104 (CLWCP.exe)
  PID 2384 (cmd.exe) wrote to memory of PID 200 (flasher.exe)
  PID 2384 (cmd.exe) wrote to memory of PID 1376 (WScript.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\Fall Guys Cheat.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Fall Guys Cheat.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9AFD.tmp\covid.bat" "
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\9AFD.tmp\CLWCP.exe
      command line: clwcp c:\covid20\bg.bmp
      - Executes dropped EXE
      - Sets desktop wallpaper using registry
    C:\Users\Admin\AppData\Local\Temp\9AFD.tmp\flasher.exe
      command line: flasher 5 c:\covid20\covid.bmp
      - Executes dropped EXE
    C:\Windows\SysWOW64\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9AFD.tmp\corona.vbs"
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\9AFD.tmp\CLWCP.exe
- C:\Users\Admin\AppData\Local\Temp\9AFD.tmp\bg.bmp
- C:\Users\Admin\AppData\Local\Temp\9AFD.tmp\corona.vbs
- C:\Users\Admin\AppData\Local\Temp\9AFD.tmp\covid.bat
- C:\Users\Admin\AppData\Local\Temp\9AFD.tmp\covid.bmp
- C:\Users\Admin\AppData\Local\Temp\9AFD.tmp\flasher.exe
- \??\c:\covid20\covid.bmp