4e9606f44445f47859d2e87d4b7e946ddb5f8195d88d2afa0293993c0645cb99

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CF最新刷枪自慰(新增英雄手枪修罗封包) 免费发布！.exe
Size

1.2MB
MD5

c0731e55885568b345e58026b4c8dd9e
SHA1

44a99995c3a17a5beafb180f87157141d9fde407
SHA256

2062d26d16e0134a6891aa6dd0541c3fa29ffaa41dfc85d6e6790a88bb345eeb
SHA512

48a2e92ca30140c3d17b0bc326137f12d3cdf274e3c2319fbce022958c0b520812385c9fd448007e22b17bb2abaad4cf31cc4fb0ede20add952bc8a3261cb04d
SSDEEP

24576:riLje3LpR4mIe8x+Kt8wCLYmzI0Cd5StX11TtF9p/D3ogprRARttg:4jebjD8x+KFCLY6wd5oRtF9pb3o6AL

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll	acprotect

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5044-132-0x0000000000400000-0x00000000005D3000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll	upx
behavioral2/memory/5044-134-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5044-135-0x0000000000400000-0x00000000005D3000-memory.dmp	upx

Loads dropped DLL 5 IoCs

Processes:

CF最新刷枪自慰(新增英雄手枪修罗封包) 免费发布！.exe

pid	process
5044	CF最新刷枪自慰(新增英雄手枪修罗封包) 免费发布！.exe
5044	CF最新刷枪自慰(新增英雄手枪修罗封包) 免费发布！.exe
5044	CF最新刷枪自慰(新增英雄手枪修罗封包) 免费发布！.exe
5044	CF最新刷枪自慰(新增英雄手枪修罗封包) 免费发布！.exe
5044	CF最新刷枪自慰(新增英雄手枪修罗封包) 免费发布！.exe

Drops file in System32 directory 2 IoCs

Processes:

CF最新刷枪自慰(新增英雄手枪修罗封包) 免费发布！.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ESPI11.dll	CF最新刷枪自慰(新增英雄手枪修罗封包) 免费发布！.exe
File opened for modification	C:\Windows\SysWOW64\ESPI11.dll	CF最新刷枪自慰(新增英雄手枪修罗封包) 免费发布！.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

CF最新刷枪自慰(新增英雄手枪修罗封包) 免费发布！.exe

pid	process
5044	CF最新刷枪自慰(新增英雄手枪修罗封包) 免费发布！.exe
5044	CF最新刷枪自慰(新增英雄手枪修罗封包) 免费发布！.exe
5044	CF最新刷枪自慰(新增英雄手枪修罗封包) 免费发布！.exe

C:\Users\Admin\AppData\Local\Temp\CF最新刷枪自慰(新增英雄手枪修罗封包) 免费发布！.exe
"C:\Users\Admin\AppData\Local\Temp\CF最新刷枪自慰(新增英雄手枪修罗封包) 免费发布！.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:5044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ESPI11.dll

Filesize
120KB

MD5
b4c2caaa15d4e505ad2858ab15eafb58

SHA1
a1c30a4d016f1c6bd3bf50e36767af8af166d59b

SHA256
93e03eadd330242f2394c15cd32857194e5b80f6300835ef77f8558ca70a2ef1

SHA512
09b5903a579685522a521cec3b6026ab0d7b9cff3099f032254dbd2b48fbbdd9a7411c0765049784c64f520d41916e681cae206a736b4fab1868f449e84b4bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ESPI11.dll

Filesize
120KB

MD5
b4c2caaa15d4e505ad2858ab15eafb58

SHA1
a1c30a4d016f1c6bd3bf50e36767af8af166d59b

SHA256
93e03eadd330242f2394c15cd32857194e5b80f6300835ef77f8558ca70a2ef1

SHA512
09b5903a579685522a521cec3b6026ab0d7b9cff3099f032254dbd2b48fbbdd9a7411c0765049784c64f520d41916e681cae206a736b4fab1868f449e84b4bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll

Filesize
86KB

MD5
147127382e001f495d1842ee7a9e7912

SHA1
92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

SHA256
edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

SHA512
97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

Download Submit
C:\Windows\SysWOW64\ESPI11.dll

Filesize
120KB

MD5
b4c2caaa15d4e505ad2858ab15eafb58

SHA1
a1c30a4d016f1c6bd3bf50e36767af8af166d59b

SHA256
93e03eadd330242f2394c15cd32857194e5b80f6300835ef77f8558ca70a2ef1

SHA512
09b5903a579685522a521cec3b6026ab0d7b9cff3099f032254dbd2b48fbbdd9a7411c0765049784c64f520d41916e681cae206a736b4fab1868f449e84b4bf2

Download Submit
C:\Windows\SysWOW64\ESPI11.dll

Filesize
120KB

MD5
b4c2caaa15d4e505ad2858ab15eafb58

SHA1
a1c30a4d016f1c6bd3bf50e36767af8af166d59b

SHA256
93e03eadd330242f2394c15cd32857194e5b80f6300835ef77f8558ca70a2ef1

SHA512
09b5903a579685522a521cec3b6026ab0d7b9cff3099f032254dbd2b48fbbdd9a7411c0765049784c64f520d41916e681cae206a736b4fab1868f449e84b4bf2

Download Submit
memory/5044-132-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5044-134-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5044-135-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5044-138-0x0000000002780000-0x00000000027A1000-memory.dmp

Filesize
132KB

Download