Analysis
  max time kernel: 152s
  max time network: 158s
  platform: windows10-2004_x64
  resource: win10v2004-20231215-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 26/01/2024, 17:52
Static task: static1
Behavioral task: behavioral1
  Sample: bulletstorm_trainer_4.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: bulletstorm_trainer_4.exe
  Resource: win10v2004-20231215-en
General
  Target: bulletstorm_trainer_4.exe
  Size: 4.0MB
  MD5: 45bf056f88e68fe862c729ea13927455
  SHA1: 44efe0ea537b1d46138affe12c1b188ea01a56e8
  SHA256: adbae287805a4b3e136b9a28ef6e39c7f9621192c6bfb7cea05a8430f54e943f
  SHA512: 6ba8a6cd86e8d0e97864b3e8cc8e87cbe77c055d642e9d93b141897b4f88fec151c48806873e111de0040369132e70c6d7d0a2cf7710db7c31d14f5e4213808f
  SSDEEP: 98304:F8WTt9Kb/slcUwrAzpq7JjrMytuNFVRfYYnpulU1I:ft9KbdUwUzpG9dtuNFvQD
Signatures
Executes dropped EXE (2 IoCs)
  pid   Process
  3168  bulletstorm_trainer_4.exe
  4088  bulletstorm_trainer_4.exe
Loads dropped DLL (2 IoCs)
  pid   Process
  4088  bulletstorm_trainer_4.exe
  4088  bulletstorm_trainer_4.exe
Drops file in System32 directory (42 IoCs)
  description: File opened for modification (all 42 entries)
  Process: bulletstorm_trainer_4.exe (all 42 entries)
  ioc:
  - C:\Windows\SysWOW64\win32u.dll
  - C:\Windows\SysWOW64\hhctrl.ocx
  - C:\Windows\SysWOW64\Wldp.dll
  - C:\Windows\SysWOW64\psapi.dll
  - C:\Windows\SysWOW64\SHLWAPI.dll
  - C:\Windows\SysWOW64\SHELL32.dll
  - C:\Windows\SysWOW64\imm32.dll
  - C:\Windows\SysWOW64\msimg32.dll
  - C:\Windows\SysWOW64\ntdll.dll
  - C:\Windows\SysWOW64\version.dll
  - C:\Windows\SysWOW64\explorerframe.dll
  - C:\Windows\SysWOW64\MSCTF.dll
  - C:\Windows\SysWOW64\gdi32full.dll
  - C:\Windows\SysWOW64\windows.storage.dll
  - C:\Windows\SysWOW64\msvcrt.dll
  - C:\Windows\SysWOW64\sechost.dll
  - C:\Windows\SysWOW64\USER32.dll
  - C:\Windows\SysWOW64\GDI32.dll
  - C:\Windows\SysWOW64\profapi.dll
  - C:\Windows\SysWOW64\PROPSYS.dll
  - C:\Windows\SysWOW64\msvcp_win.dll
  - C:\Windows\SysWOW64\imagehlp.dll
  - C:\Windows\SysWOW64\GLU32.dll
  - C:\Windows\SysWOW64\kernel.appcore.dll
  - C:\Windows\SysWOW64\RPCRT4.dll
  - C:\Windows\SysWOW64\oleaut32.dll
  - C:\Windows\SysWOW64\uxtheme.dll
  - C:\Windows\SysWOW64\ws2_32.dll
  - C:\Windows\SysWOW64\bcryptPrimitives.dll
  - C:\Windows\SysWOW64\shfolder.dll
  - C:\Windows\SysWOW64\KERNEL32.DLL
  - C:\Windows\SysWOW64\combase.dll
  - C:\Windows\SysWOW64\ucrtbase.dll
  - C:\Windows\SysWOW64\ole32.dll
  - C:\Windows\SysWOW64\shcore.dll
  - C:\Windows\SysWOW64\wsock32.dll
  - C:\Windows\SysWOW64\opengl32.dll
  - C:\Windows\SysWOW64\clbcatq.dll
  - C:\Windows\SysWOW64\KERNELBASE.dll
  - C:\Windows\SysWOW64\apphelp.dll
  - C:\Windows\SysWOW64\advapi32.dll
  - C:\Windows\SysWOW64\comdlg32.dll
Drops file in Windows directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\comctl32.dll
  Process: bulletstorm_trainer_4.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  4088  bulletstorm_trainer_4.exe  (this same entry is repeated for all 64 IoCs)
Suspicious use of AdjustPrivilegeToken (13 IoCs)
  description                         pid   Process
  Token: SeDebugPrivilege             4088  bulletstorm_trainer_4.exe
  Token: SeLoadDriverPrivilege        4088  bulletstorm_trainer_4.exe
  Token: SeCreateGlobalPrivilege      4088  bulletstorm_trainer_4.exe
  Token: 33                           4088  bulletstorm_trainer_4.exe
  Token: SeSecurityPrivilege          4088  bulletstorm_trainer_4.exe
  Token: SeTakeOwnershipPrivilege     4088  bulletstorm_trainer_4.exe
  Token: SeManageVolumePrivilege      4088  bulletstorm_trainer_4.exe
  Token: SeBackupPrivilege            4088  bulletstorm_trainer_4.exe
  Token: SeCreatePagefilePrivilege    4088  bulletstorm_trainer_4.exe
  Token: SeShutdownPrivilege          4088  bulletstorm_trainer_4.exe
  Token: SeRestorePrivilege           4088  bulletstorm_trainer_4.exe
  Token: 33                           4088  bulletstorm_trainer_4.exe
  Token: SeIncBasePriorityPrivilege   4088  bulletstorm_trainer_4.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  4088  bulletstorm_trainer_4.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                    procid_target
  PID 3368 wrote to memory of 3168   3368  bulletstorm_trainer_4.exe  88
  PID 3368 wrote to memory of 3168   3368  bulletstorm_trainer_4.exe  88
  PID 3368 wrote to memory of 3168   3368  bulletstorm_trainer_4.exe  88
  PID 3168 wrote to memory of 4088   3168  bulletstorm_trainer_4.exe  89
  PID 3168 wrote to memory of 4088   3168  bulletstorm_trainer_4.exe  89
  PID 3168 wrote to memory of 4088   3168  bulletstorm_trainer_4.exe  89
Processes
1. C:\Users\Admin\AppData\Local\Temp\bulletstorm_trainer_4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bulletstorm_trainer_4.exe"
   PID: 3368
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\cetrainers\CETB546.tmp\bulletstorm_trainer_4.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\cetrainers\CETB546.tmp\bulletstorm_trainer_4.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"
      PID: 3168
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\cetrainers\CETB546.tmp\extracted\bulletstorm_trainer_4.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\cetrainers\CETB546.tmp\extracted\bulletstorm_trainer_4.exe "C:\Users\Admin\AppData\Local\Temp\cetrainers\CETB546.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"
         PID: 4088
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in System32 directory
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of FindShellTrayWindow
Downloads