8a2aa039efe073d1ec1bd83879caeadb1f0a67d730aa974cea46c1f947341db3

Analysis

max time kernel
17s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
13-07-2024 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hitman 3 FOV Changer V3.40.exe
Size

6.0MB
MD5

82f379e97d7499f5dcc35984aef0d7b3
SHA1

f656819e5539b122a13f5a1d1aa631ed4824b833
SHA256

8a2aa039efe073d1ec1bd83879caeadb1f0a67d730aa974cea46c1f947341db3
SHA512

11ee3336584135a75ff59f9fd192270e3df46a6e733e1051f5b5a1338f8fe9a565ae0173cb67630c6d6866d5991465403fc9ae7ae0f5049f7111c5cd2207203b
SSDEEP

98304:Eui3mEOMOytH4T7qP7zyq27v8sVCRUas70J8HwKTx1sjPWFTj6D3LMfY7/RZWXKI:EukJtH4TmjzMHCRUas70JiVqEyDww7p6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2756	Hitman 3 FOV Changer V3.40.exe
2564	Hitman 3 FOV Changer V3.40.exe

Loads dropped DLL 3 IoCs

pid	Process
3012	Hitman 3 FOV Changer V3.40.exe
2756	Hitman 3 FOV Changer V3.40.exe
2564	Hitman 3 FOV Changer V3.40.exe

Drops file in System32 directory 52 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\RPCRT4.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\hhctrl.ocx	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\explorerframe.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\msvcrt.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\MSCTF.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\CRYPTBASE.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\shfolder.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\SETUPAPI.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\shell32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\dwmapi.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\NSI.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\USER32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\wsock32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\imagehlp.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\psapi.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\KERNELBASE.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\CLBCatQ.DLL	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\oleaut32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\opengl32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\SYSTEM32\ntdll.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\DUI70.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\ws2_32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\LPK.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\SHLWAPI.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\DEVOBJ.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\iertutil.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\version.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\GLU32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\uxtheme.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\normaliz.DLL	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\CFGMGR32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\DCIMAN32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\SYSTEM32\sechost.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\propsys.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\msimg32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\imm32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\wininet.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\api-ms-win-core-synch-l1-2-0.DLL	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\DUser.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\profapi.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\kernel32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\comdlg32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\USP10.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\GDI32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\advapi32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\DDRAW.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\ole32.dll	Hitman 3 FOV Changer V3.40.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll	Hitman 3 FOV Changer V3.40.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2564	Hitman 3 FOV Changer V3.40.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	Hitman 3 FOV Changer V3.40.exe
Token: SeTcbPrivilege	2564	Hitman 3 FOV Changer V3.40.exe
Token: SeTcbPrivilege	2564	Hitman 3 FOV Changer V3.40.exe
Token: SeLoadDriverPrivilege	2564	Hitman 3 FOV Changer V3.40.exe
Token: SeCreateGlobalPrivilege	2564	Hitman 3 FOV Changer V3.40.exe
Token: SeLockMemoryPrivilege	2564	Hitman 3 FOV Changer V3.40.exe
Token: 33	2564	Hitman 3 FOV Changer V3.40.exe
Token: SeSecurityPrivilege	2564	Hitman 3 FOV Changer V3.40.exe
Token: SeTakeOwnershipPrivilege	2564	Hitman 3 FOV Changer V3.40.exe
Token: SeManageVolumePrivilege	2564	Hitman 3 FOV Changer V3.40.exe
Token: SeBackupPrivilege	2564	Hitman 3 FOV Changer V3.40.exe
Token: SeCreatePagefilePrivilege	2564	Hitman 3 FOV Changer V3.40.exe
Token: SeShutdownPrivilege	2564	Hitman 3 FOV Changer V3.40.exe
Token: SeRestorePrivilege	2564	Hitman 3 FOV Changer V3.40.exe
Token: 33	2564	Hitman 3 FOV Changer V3.40.exe
Token: SeIncBasePriorityPrivilege	2564	Hitman 3 FOV Changer V3.40.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2564	Hitman 3 FOV Changer V3.40.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2756	3012	Hitman 3 FOV Changer V3.40.exe	30
PID 3012 wrote to memory of 2756	3012	Hitman 3 FOV Changer V3.40.exe	30
PID 3012 wrote to memory of 2756	3012	Hitman 3 FOV Changer V3.40.exe	30
PID 3012 wrote to memory of 2756	3012	Hitman 3 FOV Changer V3.40.exe	30
PID 2756 wrote to memory of 2564	2756	Hitman 3 FOV Changer V3.40.exe	31
PID 2756 wrote to memory of 2564	2756	Hitman 3 FOV Changer V3.40.exe	31
PID 2756 wrote to memory of 2564	2756	Hitman 3 FOV Changer V3.40.exe	31
PID 2756 wrote to memory of 2564	2756	Hitman 3 FOV Changer V3.40.exe	31

C:\Users\Admin\AppData\Local\Temp\Hitman 3 FOV Changer V3.40.exe
"C:\Users\Admin\AppData\Local\Temp\Hitman 3 FOV Changer V3.40.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\cetrainers\CET20E9.tmp\Hitman 3 FOV Changer V3.40.exe
  "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET20E9.tmp\Hitman 3 FOV Changer V3.40.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\cetrainers\CET20E9.tmp\extracted\Hitman 3 FOV Changer V3.40.exe
    "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET20E9.tmp\extracted\Hitman 3 FOV Changer V3.40.exe" "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET20E9.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET20E9.tmp\CET_Archive.dat

Filesize
5.7MB

MD5
de031880f45bc6aed9c85f799ea8ad84

SHA1
715a76a007c826cf193226f679ecaf198db13d83

SHA256
177a42f4504789ea8df9e5247e48ce48fe73f7412b921a4873e3b3bff1ac7b6b

SHA512
da24f663318bae15ec3ab5def9e523cbb37a9742e92c50ae5c222083073b67e3d94d7991decd5cf8b5b1e7eaa66a011949666189019ae9f7f9a93b65f1778637

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET20E9.tmp\extracted\CET_TRAINER.CETRAINER

Filesize
217KB

MD5
9fe243ecbad2d5c95a3c8ca7c61f0db0

SHA1
34728aa46c981127b16fdd7f061445e38598c019

SHA256
a6ba0522c86b2a5086ada9f2b766a4977abb8f845addc503888a8361dbaf3d65

SHA512
3fdceb87ed1bc1ac99a3cd90502ffdd0ff10f82444108dca375d1b46e29b0aa24200d750181b60d7911c2a9ba99770fae66798133dc15687f42731991316a65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET20E9.tmp\extracted\Hitman 3 FOV Changer V3.40.exe

Filesize
14.2MB

MD5
f8c759f9a0b69169b84422cb2da1b984

SHA1
49794299a7a03c6139777552b73064653aa92800

SHA256
45c371ddc8aa5d89bbe5ac7219db10cecfd0036450cc90512777eb561fa48ace

SHA512
953215a6f7726d68b2310cde8f0130eecab82e0a2a5dfecee5adbd2a4d5cf0f4e83aa77c13ff2f3365ec8b48147a57e7be69ba627a2d2ba8e79d4bd6b62b366f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET20E9.tmp\extracted\defines.lua

Filesize
11KB

MD5
33077a49abdbfff3eb149d5c27929444

SHA1
ed3ffc77432b5b55851b9e7a1c2bb47b74b12e90

SHA256
9cae73a9cb1146308669974d685f1f8dff5d0ab1aa650fbce862da67775516f4

SHA512
bfe6c4a759fde521f0e792233abee011c877f3e9a91422bf2dfc6b96f3df9c6b612a7fed5d22b1fa96a7488633d82841425e63e0f48e43ff3a532a83204282ff

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CET20E9.tmp\Hitman 3 FOV Changer V3.40.exe

Filesize
189KB

MD5
a65c29111a4cf5a7fdd5a9d79f77bcab

SHA1
c0c59b1f792c975558c33a3b7cf0d94adc636660

SHA256
dab3003436b6861ae220cc5fdcb97970fc05afdf114c2f91e46eed627ce3d6af

SHA512
b37ef3351e8f46f7183550254acce99b54e0199fc37a02cca78b471dc2d8b697769afdaf7e6cfe89422cfed65a8dcc6d158ef52aba5b0ac9350ea05607fefd7f

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CET20E9.tmp\extracted\lua53-64.dll

Filesize
515KB

MD5
13100b2466570bf52c48725199c4e3c6

SHA1
166cc1d388de4d292d4cd9331ef65ee3a158a31e

SHA256
002dcb8ae68f51d54927b05e4726601640c6ddd6a063cc306640a7245b655f57

SHA512
5e916722673d431417400836e9555148b433a4f9a15e06076ec3eb1c0ba986915c4f4d6940e7f88dcbb2f9599458e14d692bcaaa56dc1e2253005ab295d8589d

Download Submit
memory/2564-19-0x0000000008D20000-0x0000000008D21000-memory.dmp

Filesize
4KB

Download