88917ec382489537aebf61b161974e11cb6db887b3890fa537f099b9d7817dba

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
05/05/2024, 00:54 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

小刘CF最新自蔚刷枪软件.exe
Size

1004KB
MD5

4b5b0c130a18ed2de236d5bf28f54a35
SHA1

b4df6a5eef56d5e1b46e60af1b4367b0e258589d
SHA256

6d7278ca62699a346eb51a7673e9caa258cd52f8c6505b1c6af7cee6f4fe47a7
SHA512

9e9a7540db6c17d92f2dd200b1dc99d4e636d13e9a7c54fb0895ebd25dfd53f77fb2d2f5d74be9199fe1599cb18e2af3aa5610818d4c959510d2203a1ee8c0b0
SSDEEP

12288:Tra/Egk3mJKigWuk1N32CEWl2R5nWFpPoShkynMTjXI62:T/gemcigWu2NGCEWltbXkzzI62

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00090000000141e6-4.dat	acprotect

Loads dropped DLL 3 IoCs

pid	Process
836	小刘CF最新自蔚刷枪软件.exe
836	小刘CF最新自蔚刷枪软件.exe
836	小刘CF最新自蔚刷枪软件.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000141e6-4.dat	upx
behavioral1/memory/836-6-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/836-10-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ESPI11.dll	小刘CF最新自蔚刷枪软件.exe
File opened for modification	C:\Windows\SysWOW64\ESPI11.dll	小刘CF最新自蔚刷枪软件.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
836	小刘CF最新自蔚刷枪软件.exe
836	小刘CF最新自蔚刷枪软件.exe
836	小刘CF最新自蔚刷枪软件.exe

C:\Users\Admin\AppData\Local\Temp\小刘CF最新自蔚刷枪软件.exe
"C:\Users\Admin\AppData\Local\Temp\小刘CF最新自蔚刷枪软件.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:836

Network

DNS

iframe.ip138.com

小刘CF最新自蔚刷枪软件.exe

Remote address:

8.8.8.8:53

Request

iframe.ip138.com

IN A

Response

iframe.ip138.com

IN CNAME

waf.ip138.com

waf.ip138.com

IN A

59.57.13.133

waf.ip138.com

IN A

59.57.13.182

waf.ip138.com

IN A

59.57.14.11

waf.ip138.com

IN A

110.81.155.137

waf.ip138.com

IN A

110.81.155.138

59.57.13.133:80

iframe.ip138.com

小刘CF最新自蔚刷枪软件.exe

152 B
3
59.57.13.182:80

iframe.ip138.com

小刘CF最新自蔚刷枪软件.exe

152 B
3
59.57.14.11:80

iframe.ip138.com

小刘CF最新自蔚刷枪软件.exe

152 B
3

8.8.8.8:53

iframe.ip138.com

dns

小刘CF最新自蔚刷枪软件.exe

62 B
160 B
1
1

DNS Request

iframe.ip138.com

DNS Response

59.57.13.133

59.57.13.182

59.57.14.11

110.81.155.137

110.81.155.138

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ESPI11.dll

Filesize
120KB

MD5
b4c2caaa15d4e505ad2858ab15eafb58

SHA1
a1c30a4d016f1c6bd3bf50e36767af8af166d59b

SHA256
93e03eadd330242f2394c15cd32857194e5b80f6300835ef77f8558ca70a2ef1

SHA512
09b5903a579685522a521cec3b6026ab0d7b9cff3099f032254dbd2b48fbbdd9a7411c0765049784c64f520d41916e681cae206a736b4fab1868f449e84b4bf2

Download Submit
\Users\Admin\AppData\Local\Temp\jedata.dll

Filesize
86KB

MD5
114054313070472cd1a6d7d28f7c5002

SHA1
9a044986e6101df1a126035da7326a50c3fe9a23

SHA256
e15d9e1b772fed3db19e67b8d54533d1a2d46a37f8b12702a5892c6b886e9db1

SHA512
a2ff8481e89698dae4a1c83404105093472e384d7a3debbd7014e010543e08efc8ebb3f67c8a4ce09029e6b2a8fb7779bb402aae7c9987e61389cd8a72c73522

Download Submit
memory/836-6-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/836-10-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/836-9-0x0000000010009000-0x000000001000A000-memory.dmp

Filesize
4KB

Download
memory/836-14-0x00000000023F0000-0x0000000002411000-memory.dmp

Filesize
132KB

Download