21edd1d694dfcbdf730d6b64440110d5d029aab244a7f066ec8c919cb4083f22

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.exe
Size

1012KB
MD5

39b6e3adc1161b281a22d29c9e7b282e
SHA1

1b16d3d87f8b46b4f6651e677e89a4ee50f7c96d
SHA256

21edd1d694dfcbdf730d6b64440110d5d029aab244a7f066ec8c919cb4083f22
SHA512

164de7f8b4a35474405a22623f07ecb4191c750a2a70f319f5ec494107eb7ae2223b115d4fefafc31b2908b0e6c9d4b2e38d103106bdad596f99fec5fc3dee5c
SSDEEP

24576:Dy10YR1aFnFhlUTcQ8KY03dh1I66J6gGtTGFwH+LJVF:W10i8Tlif3dzIsVGye1VF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2516	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp

Loads dropped DLL 6 IoCs

pid	Process
2392	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.exe
2516	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
2516	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
2516	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
2516	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
2516	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
File opened (read-only)	\??\N:	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
File opened (read-only)	\??\Z:	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
File opened (read-only)	\??\A:	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
File opened (read-only)	\??\J:	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
File opened (read-only)	\??\K:	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
File opened (read-only)	\??\M:	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
File opened (read-only)	\??\Y:	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
File opened (read-only)	\??\D:	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
File opened (read-only)	\??\L:	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
File opened (read-only)	\??\Q:	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
File opened (read-only)	\??\T:	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
File opened (read-only)	\??\E:	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
File opened (read-only)	\??\O:	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
File opened (read-only)	\??\P:	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
File opened (read-only)	\??\U:	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
File opened (read-only)	\??\R:	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
File opened (read-only)	\??\V:	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
File opened (read-only)	\??\X:	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
File opened (read-only)	\??\G:	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
File opened (read-only)	\??\H:	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
File opened (read-only)	\??\I:	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
File opened (read-only)	\??\F:	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
File opened (read-only)	\??\S:	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
File opened (read-only)	\??\W:	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2516	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2516	2392	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.exe	28
PID 2392 wrote to memory of 2516	2392	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.exe	28
PID 2392 wrote to memory of 2516	2392	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.exe	28
PID 2392 wrote to memory of 2516	2392	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.exe	28
PID 2392 wrote to memory of 2516	2392	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.exe	28
PID 2392 wrote to memory of 2516	2392	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.exe	28
PID 2392 wrote to memory of 2516	2392	[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.exe	28

C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.exe
"C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\is-MF1UI.tmp\[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-MF1UI.tmp\[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp" /SL5="$400F4,664205,103936,C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-KVQE7.tmp\CheckBox.png

Filesize
7KB

MD5
abd301b0263b0e0cebdd71e4855ac7d3

SHA1
1e8480c3f3b47a5daa7cb1183b6a7a49998cda6e

SHA256
aff003e75bbf410ed2f7ca8728afe01ab4a517536647ad20109d00c4adf570d5

SHA512
b5abb188bd23d7fc2e3253a5639cc3eba6d21774dba55b43395cf84ddb49fe707ad54dc0a7f157e6b0804c1662d9c4cb4bef2787aafb194ea73fbebd1a63bb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KVQE7.tmp\DirFolder.png

Filesize
9KB

MD5
80f54f431ea1dd2d7b90fa27f75142fe

SHA1
ef4e7c38c435392ba212df3b5b2c7a601589236a

SHA256
a41880120183128f5238b6cb8f8bc27f8e6bc022b4daaeb1722bf45e6b6f473c

SHA512
5e5c9aeac2e2f44a6a3f6dcbb8b18958bdc8ffbd490b72df44806ae872d00c09e59db95b24608d08bc1541d72e24d7c4e1ed0c8d4285d312d531e8b10500e36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KVQE7.tmp\Edit.png

Filesize
2KB

MD5
f768e9aa3545815b6edf0fb4ce78424f

SHA1
b3a4ed0b197bcab071b2921974fa67f7aec040e6

SHA256
56983e8150bb1d01edb5b1a557dc5e462d7f5896bc0ff4a689468ccc22d95290

SHA512
c164d40b977202a683fefeb77769bf3b4ced6c3a6d658a31a8c04a62667096e73c383fb735833e56afc1afa72ec3c650eb2f54501cd995a8db995491500c01fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KVQE7.tmp\GroupFolder.png

Filesize
9KB

MD5
d2018cfab20b6385a80ef24100267cac

SHA1
48a68364270eb8fc8cb15e9d20a32befce85a297

SHA256
90649334d9d905558e337c6fd329624201bb0be037ee67f7555e5ada8ce49c96

SHA512
91fd1457a2388696ee6072e9c5943d0ae4d69d211301046d9043587680c7f918ac0205e13e8820afad5129d51b7ba70fb323684d31aa1ea26568b54abd475106

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KVQE7.tmp\HDD.png

Filesize
6KB

MD5
6055fd19d5e3b49eb5f0f55562ea06a4

SHA1
ff95363ef44675b4d5c3b0027729823f197cc75c

SHA256
0fd936944e6d3858d5e5aa5c1c9314db33d9ad8f02fead4bfa2e180651446c0b

SHA512
fe9df58e43b424511f85b3d559ec7cc5d3e8117774ac6418d60a599b58032af40b4b6ecaa0a292073dc4dbc2d68c853b02adb6752c843c99949d6e11ac0e19f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KVQE7.tmp\HardDrivePanel.png

Filesize
3KB

MD5
58eb6eb8adac870b56618abcd9c692d4

SHA1
20b5b5dc01a5f032cbcd0591554bf2bbc9b0e8dc

SHA256
e7aba4c280e60c5a73cd26884b60e7fc80198937a387038e79138a843edae88e

SHA512
cbb304457511671a4c9de36b9d41da2524f2d0b812d3b358ff49f85a74f4ddb5d42a80f97e77d59e87c718e8ae03731312bab00eee9d4e15b543fe45ccfe7b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KVQE7.tmp\RequirementsPanel.png

Filesize
3KB

MD5
cd08b361b65c2648bfb126f484cf5758

SHA1
c511e18c983ffeb124304e22d73d42570addfb6e

SHA256
e7d74579124827e5755db4fab05de00a2d13e423e5839975689a8ff139100f70

SHA512
4945937e0295e93095339ea688c5ad0c9441cae63d4ee4fc1b930a0b3aafea181f15703724dcf3bc398e1af801ad14f68f22e1a4c327513caf5a020c3ea2b1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KVQE7.tmp\StatusPanel.png

Filesize
2KB

MD5
f2aee70ab599118ee287f67e22870308

SHA1
98b2d97e7f4c48dd515f39fac620662d1f694d9d

SHA256
920ad3ca8f47257d4e93f240e3056c86e93f0f8c03d93ff44b9beafc0114d059

SHA512
5fabb309df438e99a4f3fd2057077c2ee2d4c4a8f642ea4ec35b42b986e368c92d2819b39cbc6c39083e8230748cc7d86f6a47a85f9f9d74bba6c04ed53d9082

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KVQE7.tmp\StatusPanel2.png

Filesize
2KB

MD5
567fe80ce090119956df8cc152930cf2

SHA1
9f7af3c9f910b9ce55aba54f2b67038d4cbfc7b9

SHA256
6b4b64cfa24b8b040b8f6ceb3553007609b0c3d46b7202acc7fb6d0cb8603986

SHA512
bf07c1f8bd359d7fa46625e4b6234c4b120c64525e64cc598e5bd475c4301dccf9f94155aed0c83e573cd11fb0410e528f63bfeeb068c80b2fc2f43783f78bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KVQE7.tmp\WizardImage.jpg

Filesize
62KB

MD5
b91658597f15d7f689c86f5a2e7824bd

SHA1
00da609aa0b39140b767a3bc2644433d64edbd71

SHA256
b3cda6ab45ad5aa6a0a5f700d2c8987b3c1c1ebda63165d9bd5a566b24dcbd84

SHA512
00b287fb14b947edf4b16d52243e9a992595d8894e83d8590473103d1b54a4670b323db13c4f78234617c44f905baf517e68fcceaad313f3ea7cd44cf036daea

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KVQE7.tmp\Workspace.png

Filesize
4KB

MD5
ad51d489414a6aa5fd0ac0da685e1ed9

SHA1
4dd60c089f5672584c928062e501ef426ac60710

SHA256
8223cf843e17737a250b81694a0be381046ed3c7f78095d27a888636f089ec49

SHA512
9043b170e2097e8cd78cfe02d9c9a46a2c72136b9582bfc0dc3518af69bf76eb4015cb95c22d122df804e1f116e4448c5524c2d5c8dfd4f7b7c269b6f6a975e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KVQE7.tmp\button.png

Filesize
12KB

MD5
51af4120d6d22b1126cc87a5143740ef

SHA1
1cb4e91e765537a72c9628056d29fbd6a7ce515c

SHA256
c74fed62141f7e666379a0b00d5b39c86975332cf08151cbe8cab88eff2c393c

SHA512
2595be954684ca34bc9284337524a5191c72fbea46b59555a5113ed8404a1e7ab6c2aa0f5a975f832cccdd8934ff1140c679ecd940f31cc14b4c3a362a225cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MF1UI.tmp\[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp

Filesize
53KB

MD5
f098bd91d349042d34dcded1ae89c859

SHA1
ebb417ba2095cc29b2ff8cfd30c00048d8abb361

SHA256
8f8cc7990f61478edd8429fdf71d323a277a9ee90a52a613deb5ae6959943af0

SHA512
bcacf9b289dfd325dfc5b1742734ead6036b0e194ef57f49208354d9a2887d2eef777f73e0e8eaf1fcc21cb8c8f1fe6ca2bfecca4f77c972d2e3abf56a2a25c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MF1UI.tmp\[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp

Filesize
434KB

MD5
131773cba3aeef4bb0a90b9e1494a5aa

SHA1
e3402001e5463ff633dfc66ec52f4ccf0aa67322

SHA256
9764fa57bfae209b9df57c4a0726fc982986788f05e5ac2c445bfe43ab0a842b

SHA512
84f0ed13a41a62dcde89fd138f62ff936195fcb7d3409b39f922d14738ab86810d7a09890d2e1d6fc5cb1e78a21e7c230cabbcc1360dfcb4fc633fc2ed8216aa

Download Submit
\Users\Admin\AppData\Local\Temp\is-KVQE7.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-KVQE7.tmp\botva2.dll

Filesize
32KB

MD5
295832fa6400cb3407cfe84b06785531

SHA1
7068910c2e0ea7f4535c770517e29d9c2d2ee77b

SHA256
13e372c4d843603096f33603915c3f25d0e0d4475001c33ce5263bfcd1760784

SHA512
50516f9761efd14641f65bd773cfdd50c4ab0de977e094ba9227796dc319d9330321c7914243fc7dc04b5716752395f8dac8ccdfdb98ba7e5f5c1172408ce57b

Download Submit
\Users\Admin\AppData\Local\Temp\is-KVQE7.tmp\get_hw_caps.dll

Filesize
76KB

MD5
2e35d2894df3b691dbd8e0d4f4c84efc

SHA1
d0fc14963e397d185e9f2d7dea1d07bc6308d5b9

SHA256
869079ba362cbc560d673db290248ec2aa075a74f22a82d90621f1118f8e1c4d

SHA512
29ba662ab2e77aef0547ff76213a1b6ef52be27a446923790a27cf8b69377621048387dbb9f22001b6d15837dddada84c7350614ec9622258319658822705f90

Download Submit
\Users\Admin\AppData\Local\Temp\is-KVQE7.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-MF1UI.tmp\[FreeTP.Org]Cuphead-Multiplayer-Fix-Online.tmp

Filesize
467KB

MD5
967cae7bcc9534b702330207ffbe75ef

SHA1
6fd7ef37c0438478a272f0d070dc454b4fb83c1b

SHA256
53ae9696cf6cc8fe0aa01a5a648a8ce3307b28a79a019c6a609db5c56fd70f18

SHA512
e00500cbfceaef32cf376182175c644c532991fca556c689d16dd8403e9c580863ee94eee00726b1c3e332da681d5062467ebf82a7a40e95b4701b00fbb32ec2

Download Submit
memory/2392-113-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2392-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2392-161-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2392-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2516-115-0x00000000005B0000-0x00000000005BD000-memory.dmp

Filesize
52KB

Download
memory/2516-122-0x0000000007990000-0x0000000007A90000-memory.dmp

Filesize
1024KB

Download
memory/2516-123-0x0000000007990000-0x0000000007A90000-memory.dmp

Filesize
1024KB

Download
memory/2516-126-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2516-128-0x0000000007940000-0x0000000007955000-memory.dmp

Filesize
84KB

Download
memory/2516-121-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2516-120-0x0000000007940000-0x0000000007955000-memory.dmp

Filesize
84KB

Download
memory/2516-119-0x00000000005B0000-0x00000000005BD000-memory.dmp

Filesize
52KB

Download
memory/2516-118-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2516-116-0x0000000007940000-0x0000000007955000-memory.dmp

Filesize
84KB

Download
memory/2516-114-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2516-111-0x0000000007990000-0x0000000007A90000-memory.dmp

Filesize
1024KB

Download
memory/2516-77-0x0000000007940000-0x0000000007955000-memory.dmp

Filesize
84KB

Download
memory/2516-37-0x00000000005B0000-0x00000000005BD000-memory.dmp

Filesize
52KB

Download
memory/2516-160-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2516-8-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads