53678904ba0714438ce3a99a0ade77ef7f4196550ed331aa7befdd2d1978f65e

Analysis

max time kernel
144s
max time network
212s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CF审判者免费刷枪软件[CF2.0新年免费专版].exe
Size

2.1MB
MD5

e6d5e5b09d9d3f7732f392f6970a32ee
SHA1

93ea5d9676d7a87dee9b1a301d9c13283886de0d
SHA256

cbf1a5ad0daba1ccb520db9698ecab1ccd52efe3ecc51b9f60fe46d794468c9c
SHA512

a7d1513c3ddc088ae13492b1a20effcd15f06b53736baf3f0f7dc07ab6d1d7b445dd8bed21cc766ef6faca21dd7836d71b9f96b9f119a5333b7bb0c8a26c09e7
SSDEEP

24576:q89Hojus/FBTaDo+AM3yo3JOCkz7bn0j7I7R+2uXuUS1k+i70MBbVPimhlbgXrmj:qCojusT2Aq5q7zVA2/bBL8pA7I+y

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1252-55-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1252-56-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1252-57-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1252-60-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1252-62-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1252-64-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1252-66-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1252-70-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1252-68-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1252-76-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1252-74-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1252-72-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1252-78-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1252-82-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1252-80-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1252-84-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1252-88-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1252-86-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1252-92-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1252-94-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1252-90-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1252-98-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1252-96-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1252-99-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{40574AE1-6D4F-11ED-95AE-5A5CFA1077B6} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af0000000002000000000010660000000100002000000023d3a69406124ea673bec3225bfc905a8235df99bbd60ff9a73977b08ac0aeed000000000e8000000002000020000000ad3c298f9a3f489440ae79b737f94083c5f893bf27cda2ec7d67331f7102f09b200000006befb8c90d77a1fd97521e951fa67c623bc3c43352c87488c3d76bc0d892a7b540000000beb5970d9f4bebbea2114368fca339cfc2db762f6e365ac327c724aaa1aadb9225169b895d17e074260e1fda8e487ae827eae6a1ee91f9b2c6195049503b6685	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af00000000020000000000106600000001000020000000d3d2bcd1be130089ae055e8cbfc833d8dabe9c98e3ac57988e16a45e62dd2840000000000e80000000020000200000001d6e1ecfde2f4b16ea304a8c5f2a30ecf9191600d68c364a39b980164fe5336e900000004ccf9c4948680e4c4bc44603fc6a45e11a80251a77489a4c04ac753398458687f2125f72d0bd9ba58ad15814a02398ceaf3421f5b4627b4f127a8404e9fa60e27bf3f90e3e87df314992ee7be84f66544ebb074c8c58f9878fa65439d577f7c5419fd9afd6fa671423c6135bb50547045a837c34dbb4a6c1af8d17f68d7366f1a26239eb3596224234eb787f205a9022400000007b94a2b372f3fd335d0dcaa5b5925d862b58f5b415674f4e7caf74b5c39711c15de2357ef813fc60a865dfc362639361b03aa2dbc74d827a84558c1330aac332	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376207249"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60667f275c01d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1636	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1252	CF审判者免费刷枪软件[CF2.0新年免费专版].exe
1252	CF审判者免费刷枪软件[CF2.0新年免费专版].exe
1252	CF审判者免费刷枪软件[CF2.0新年免费专版].exe
1636	iexplore.exe
1636	iexplore.exe
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 1636	1252	CF审判者免费刷枪软件[CF2.0新年免费专版].exe	30
PID 1252 wrote to memory of 1636	1252	CF审判者免费刷枪软件[CF2.0新年免费专版].exe	30
PID 1252 wrote to memory of 1636	1252	CF审判者免费刷枪软件[CF2.0新年免费专版].exe	30
PID 1252 wrote to memory of 1636	1252	CF审判者免费刷枪软件[CF2.0新年免费专版].exe	30
PID 1636 wrote to memory of 1944	1636	iexplore.exe	31
PID 1636 wrote to memory of 1944	1636	iexplore.exe	31
PID 1636 wrote to memory of 1944	1636	iexplore.exe	31
PID 1636 wrote to memory of 1944	1636	iexplore.exe	31

C:\Users\Admin\AppData\Local\Temp\CF审判者免费刷枪软件[CF2.0新年免费专版].exe
"C:\Users\Admin\AppData\Local\Temp\CF审判者免费刷枪软件[CF2.0新年免费专版].exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.cftgp.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1636 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
551f72d1897377d6be37f383cd03a189

SHA1
fe3f07b5bab65dd1235e8d7185224f90d28923f5

SHA256
ebfab6ea3ed9882eb4bd70b7320d9f989188f98870adb3451a52cc4ae9d9946f

SHA512
6993d68816f9b9dc2df0ffb8f0cdc8132e84710d506a989c63b1b5cf958d7e0bf405e09964424ed1d8022c2359cb11187c345407653e2908029402ad9d15657d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2LL2VGYI.txt

Filesize
601B

MD5
c9073f01c23e924e4bbd5a7f72ba8cce

SHA1
07a56e60e72ee48806829f1ca6959cacb7f8ef7a

SHA256
bcedb0332f885b5b928fa34433389ae3fc649db007c77f8c795006d8a2eade51

SHA512
5093484185058c15c70b62b4fd599aa40593c7ee7fe6d30ca51c6a35db3350177515d810fc79c7b6317fe61d8994eea03edee9846b25384d58d29563e74a0218

Download Submit
memory/1252-72-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1252-96-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1252-60-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1252-62-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1252-64-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1252-66-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1252-70-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1252-68-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1252-76-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1252-74-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1252-54-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/1252-78-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1252-57-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1252-84-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1252-82-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1252-88-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1252-86-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1252-92-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1252-94-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1252-90-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1252-98-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1252-80-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1252-99-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1252-56-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1252-55-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download