8a2aa039efe073d1ec1bd83879caeadb1f0a67d730aa974cea46c1f947341db3

Analysis

max time kernel
26s
max time network
6s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hitman 3 FOV Changer V3.40.exe
Size

6.0MB
MD5

82f379e97d7499f5dcc35984aef0d7b3
SHA1

f656819e5539b122a13f5a1d1aa631ed4824b833
SHA256

8a2aa039efe073d1ec1bd83879caeadb1f0a67d730aa974cea46c1f947341db3
SHA512

11ee3336584135a75ff59f9fd192270e3df46a6e733e1051f5b5a1338f8fe9a565ae0173cb67630c6d6866d5991465403fc9ae7ae0f5049f7111c5cd2207203b
SSDEEP

98304:Eui3mEOMOytH4T7qP7zyq27v8sVCRUas70J8HwKTx1sjPWFTj6D3LMfY7/RZWXKI:EukJtH4TmjzMHCRUas70JiVqEyDww7p6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4752	Hitman 3 FOV Changer V3.40.exe
4520	Hitman 3 FOV Changer V3.40.exe

Loads dropped DLL 1 IoCs

pid	Process
4520	Hitman 3 FOV Changer V3.40.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\KERNEL32.DLL	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\System32\win32u.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\SYSTEM32\version.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\SYSTEM32\wininet.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\System32\bcryptPrimitives.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\SYSTEM32\Wldp.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\SYSTEM32\PROPSYS.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\System32\oleaut32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\System32\combase.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\System32\RPCRT4.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\System32\advapi32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\System32\ole32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\System32\imm32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\SYSTEM32\kernel.appcore.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\System32\sechost.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\System32\shell32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\System32\ws2_32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\SYSTEM32\windows.storage.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\SYSTEM32\profapi.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\uxtheme.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\System32\msvcp_win.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\System32\shcore.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\System32\psapi.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\System32\MSCTF.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\SYSTEM32\ntdll.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\System32\imagehlp.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\SYSTEM32\opengl32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\SYSTEM32\msimg32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\System32\clbcatq.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\System32\KERNELBASE.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\System32\user32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\System32\GDI32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\System32\gdi32full.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\System32\msvcrt.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\System32\shlwapi.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\SYSTEM32\hhctrl.ocx	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\SYSTEM32\GLU32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\shfolder.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\SYSTEM32\apphelp.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\System32\ucrtbase.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\System32\comdlg32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\SYSTEM32\wsock32.dll	Hitman 3 FOV Changer V3.40.exe
File opened for modification	C:\Windows\system32\explorerframe.dll	Hitman 3 FOV Changer V3.40.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll	Hitman 3 FOV Changer V3.40.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4520	Hitman 3 FOV Changer V3.40.exe
4520	Hitman 3 FOV Changer V3.40.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4520	Hitman 3 FOV Changer V3.40.exe
Token: SeTcbPrivilege	4520	Hitman 3 FOV Changer V3.40.exe
Token: SeTcbPrivilege	4520	Hitman 3 FOV Changer V3.40.exe
Token: SeLoadDriverPrivilege	4520	Hitman 3 FOV Changer V3.40.exe
Token: SeCreateGlobalPrivilege	4520	Hitman 3 FOV Changer V3.40.exe
Token: SeLockMemoryPrivilege	4520	Hitman 3 FOV Changer V3.40.exe
Token: 33	4520	Hitman 3 FOV Changer V3.40.exe
Token: SeSecurityPrivilege	4520	Hitman 3 FOV Changer V3.40.exe
Token: SeTakeOwnershipPrivilege	4520	Hitman 3 FOV Changer V3.40.exe
Token: SeManageVolumePrivilege	4520	Hitman 3 FOV Changer V3.40.exe
Token: SeBackupPrivilege	4520	Hitman 3 FOV Changer V3.40.exe
Token: SeCreatePagefilePrivilege	4520	Hitman 3 FOV Changer V3.40.exe
Token: SeShutdownPrivilege	4520	Hitman 3 FOV Changer V3.40.exe
Token: SeRestorePrivilege	4520	Hitman 3 FOV Changer V3.40.exe
Token: 33	4520	Hitman 3 FOV Changer V3.40.exe
Token: SeIncBasePriorityPrivilege	4520	Hitman 3 FOV Changer V3.40.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4520	Hitman 3 FOV Changer V3.40.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 4752	1044	Hitman 3 FOV Changer V3.40.exe	85
PID 1044 wrote to memory of 4752	1044	Hitman 3 FOV Changer V3.40.exe	85
PID 1044 wrote to memory of 4752	1044	Hitman 3 FOV Changer V3.40.exe	85
PID 4752 wrote to memory of 4520	4752	Hitman 3 FOV Changer V3.40.exe	86
PID 4752 wrote to memory of 4520	4752	Hitman 3 FOV Changer V3.40.exe	86

C:\Users\Admin\AppData\Local\Temp\Hitman 3 FOV Changer V3.40.exe
"C:\Users\Admin\AppData\Local\Temp\Hitman 3 FOV Changer V3.40.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\cetrainers\CET9589.tmp\Hitman 3 FOV Changer V3.40.exe
  "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET9589.tmp\Hitman 3 FOV Changer V3.40.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Users\Admin\AppData\Local\Temp\cetrainers\CET9589.tmp\extracted\Hitman 3 FOV Changer V3.40.exe
    "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET9589.tmp\extracted\Hitman 3 FOV Changer V3.40.exe" "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET9589.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:4520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET9589.tmp\CET_Archive.dat

Filesize
5.7MB

MD5
de031880f45bc6aed9c85f799ea8ad84

SHA1
715a76a007c826cf193226f679ecaf198db13d83

SHA256
177a42f4504789ea8df9e5247e48ce48fe73f7412b921a4873e3b3bff1ac7b6b

SHA512
da24f663318bae15ec3ab5def9e523cbb37a9742e92c50ae5c222083073b67e3d94d7991decd5cf8b5b1e7eaa66a011949666189019ae9f7f9a93b65f1778637

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET9589.tmp\Hitman 3 FOV Changer V3.40.exe

Filesize
189KB

MD5
a65c29111a4cf5a7fdd5a9d79f77bcab

SHA1
c0c59b1f792c975558c33a3b7cf0d94adc636660

SHA256
dab3003436b6861ae220cc5fdcb97970fc05afdf114c2f91e46eed627ce3d6af

SHA512
b37ef3351e8f46f7183550254acce99b54e0199fc37a02cca78b471dc2d8b697769afdaf7e6cfe89422cfed65a8dcc6d158ef52aba5b0ac9350ea05607fefd7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET9589.tmp\extracted\CET_TRAINER.CETRAINER

Filesize
217KB

MD5
9fe243ecbad2d5c95a3c8ca7c61f0db0

SHA1
34728aa46c981127b16fdd7f061445e38598c019

SHA256
a6ba0522c86b2a5086ada9f2b766a4977abb8f845addc503888a8361dbaf3d65

SHA512
3fdceb87ed1bc1ac99a3cd90502ffdd0ff10f82444108dca375d1b46e29b0aa24200d750181b60d7911c2a9ba99770fae66798133dc15687f42731991316a65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET9589.tmp\extracted\Hitman 3 FOV Changer V3.40.exe

Filesize
14.2MB

MD5
f8c759f9a0b69169b84422cb2da1b984

SHA1
49794299a7a03c6139777552b73064653aa92800

SHA256
45c371ddc8aa5d89bbe5ac7219db10cecfd0036450cc90512777eb561fa48ace

SHA512
953215a6f7726d68b2310cde8f0130eecab82e0a2a5dfecee5adbd2a4d5cf0f4e83aa77c13ff2f3365ec8b48147a57e7be69ba627a2d2ba8e79d4bd6b62b366f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET9589.tmp\extracted\defines.lua

Filesize
11KB

MD5
33077a49abdbfff3eb149d5c27929444

SHA1
ed3ffc77432b5b55851b9e7a1c2bb47b74b12e90

SHA256
9cae73a9cb1146308669974d685f1f8dff5d0ab1aa650fbce862da67775516f4

SHA512
bfe6c4a759fde521f0e792233abee011c877f3e9a91422bf2dfc6b96f3df9c6b612a7fed5d22b1fa96a7488633d82841425e63e0f48e43ff3a532a83204282ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET9589.tmp\extracted\lua53-64.dll

Filesize
515KB

MD5
13100b2466570bf52c48725199c4e3c6

SHA1
166cc1d388de4d292d4cd9331ef65ee3a158a31e

SHA256
002dcb8ae68f51d54927b05e4726601640c6ddd6a063cc306640a7245b655f57

SHA512
5e916722673d431417400836e9555148b433a4f9a15e06076ec3eb1c0ba986915c4f4d6940e7f88dcbb2f9599458e14d692bcaaa56dc1e2253005ab295d8589d

Download Submit