Analysis

  • max time kernel: 76s
  • max time network: 51s
  • platform: windows11-21h2_x64
  • resource: win11-20240508-en
  • resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted: 02-07-2024 20:35

General

  • Target: HITMAN 3 v3.10 Plus 11 Trainer.exe
  • Size: 1.2MB
  • MD5: f257a0e7008656f9e2fa44a8a14f8d0d
  • SHA1: 3469c35ce974b4c7f0531af5116266393779d903
  • SHA256: 0e99e5e385e731404a25342a226633594e160f2081bbe4c84a756186ea08a9e8
  • SHA512: e9d9dbadd01ebfcf4ea40d49cbacaab4ac43faaa21c7c0a173032e1382eab52bcf18bc2d26c5618cdd4d7d3642581d5d08a48330551f51617e388ac88e5622ee
  • SSDEEP: 24576:vqbohPJKzB1hZXTAZqAovlj6U7wbJ7yDStJQ:bJAXZXcZYvXwV7XJ

Score: 4/10

Malware Config

Signatures

  • Drops file in Windows directory (4 IoCs)
  • Modifies registry class (1 IoC)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\HITMAN 3 v3.10 Plus 11 Trainer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\HITMAN 3 v3.10 Plus 11 Trainer.exe"
    PID: 1700
    • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    PID: 2112
  • C:\Windows\System32\oobe\UserOOBEBroker.exe
    Command line: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
    PID: 4276
    • Drops file in Windows directory
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
    Command line: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
    PID: 2464
  • C:\Windows\system32\AUDIODG.EXE
    Command line: C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004C8
    PID: 4964
    • Suspicious use of AdjustPrivilegeToken
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
    Command line: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
    PID: 4860
  • C:\Windows\system32\OpenWith.exe
    Command line: C:\Windows\system32\OpenWith.exe -Embedding
    PID: 1060
    • Suspicious use of SetWindowsHookEx
  • C:\Windows\system32\OpenWith.exe
    Command line: C:\Windows\system32\OpenWith.exe -Embedding
    PID: 4560
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
  • C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 3984
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    PID: 1160
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Matrix


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-7-2.2036.2464.1.odl
    Filesize: 706B
    MD5: 88188263159a4d9251367df1a0d96e18
    SHA1: 394ec68c50bbeb248e9c00070a8832c4c896ba46
    SHA256: cf8f97909f87a1a47427746bcba4a38405ed66f1397a8f6ad219a7e4d42155d0
    SHA512: b998464c3e932ae99f7a43ab47e9b44134fc2d455677a922ffe2f787b5859944b61366dcb9fd0af1c5d3c9ef6c01cced1c290baeda8bdf3b021de8541f07becb
  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
    Filesize: 10KB
    MD5: e9aa12ff0be6d995ed86f8cf88678158
    SHA1: e5ee38fc2ebef0fcbc3059dee29b39f7daf21931
    SHA256: f35cd8ef03ac924a59943c5dfffc31ab67a8b5aff272e9f47ff776aabc7ee561
    SHA512: 95a67acd2a4784b87d73910c1f1f590937c9d9b901e98448556a37eb8137ae5f458f1c673d65a46cf7d6b90bee5fe6b102ce3eeac9e819062cd9c5c2418bcbfc
  • memory/1700-0-0x00007FF8E5AD3000-0x00007FF8E5AD5000-memory.dmp
    Filesize: 8KB
  • memory/1700-1-0x000001E195860000-0x000001E195892000-memory.dmp
    Filesize: 200KB
  • memory/1700-2-0x00007FF8E5AD0000-0x00007FF8E6592000-memory.dmp
    Filesize: 10.8MB
  • memory/1700-3-0x00007FF8E5AD0000-0x00007FF8E6592000-memory.dmp
    Filesize: 10.8MB
  • memory/1700-4-0x00007FF8E5AD0000-0x00007FF8E6592000-memory.dmp
    Filesize: 10.8MB