analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Core Spoofer 4.0.exe

Full analysis: https://app.any.run/tasks/9a33c46e-cd59-4ac1-9a10-4e18dd58b95a
Verdict: Malicious activity
Analysis date: July 12, 2020, 10:54:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: MS-DOS executable
MD5:

4CBF802B651C90B4D4DA245A7D0DC2A3

SHA1:

BEFAB523AF7AEFF0BA3F59F80380AAAD82CC0B3D

SHA256:

D42AD0C64669BCD0D3849E4C8152F16C0E95142064E6B12F7CDE03E68D59DEFA

SSDEEP:

6144:CN7ldgF8QwkAuh3Cr9Gn9tlRBWNNvRWuO4afqYDei60hFRC95ec2B4Vfa:Cpg1Auh3S9GnTlRBWXSf76C/gQFaS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Runs app for hidden code execution

      • Core Spoofer 4.0.exe (PID: 2452)
    • Changes settings of System certificates

      • Core Spoofer 4.0.exe (PID: 2452)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • Core Spoofer 4.0.exe (PID: 2452)
    • Creates files in the Windows directory

      • Core Spoofer 4.0.exe (PID: 2452)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 748)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 748)
    • Adds / modifies Windows certificates

      • Core Spoofer 4.0.exe (PID: 2452)
  • INFO

    • Reads settings of System Certificates

      • Core Spoofer 4.0.exe (PID: 2452)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | DOS Executable Generic (100)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:05:22 03:11:06+02:00
PEType: PE32
LinkerVersion: 48
CodeSize: 22528
InitializedDataSize: 58368
UninitializedDataSize: -
EntryPoint: 0x29000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Ayeee 2.0 is litty
CompanyName: -
FileDescription: FimxiSpoofa
FileVersion: 1.0.0.0
InternalName: Core Spoofer.exe
LegalCopyright: Copyright © 2020
LegalTrademarks: -
OriginalFileName: Core Spoofer.exe
ProductName: FimxiSpoofa
ProductVersion: 1.0.0.0
AssemblyVersion: 2.0.0.0

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date: 22-May-2020 01:11:06
Comments: Ayeee 2.0 is litty
CompanyName: -
FileDescription: FimxiSpoofa
FileVersion: 1.0.0.0
InternalName: Core Spoofer.exe
LegalCopyright: Copyright © 2020
LegalTrademarks: -
OriginalFilename: Core Spoofer.exe
ProductName: FimxiSpoofa
ProductVersion: 1.0.0.0
Assembly Version: 2.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x4E54
Pages in file: 0xF585
Relocations: 0xA65B
Size of header: 0xB7FF
Min extra paragraphs: 0x35CF
Max extra paragraphs: 0xC042
Initial SS value: 0x6341
Initial SP value: 0x306F
Checksum: 0x9CA3
Initial IP value: 0x0D9D
Initial CS value: 0xFDDF
Overlay number: 0x431D
OEM identifier: 0xC4D9
OEM information: 0xE2FE
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 22-May-2020 01:11:06
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
0x00029000
0x00018000
0x00017CA2
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.99641
.rsrc
0x0001A000
0x0000E280
0x0000E280
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.34208

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.00025
3361
UNKNOWN
UNKNOWN
RT_MANIFEST
32512
2.01924
20
UNKNOWN
UNKNOWN
RT_GROUP_ICON
55899
7.2508
288
UNKNOWN
UNKNOWN
RT_RCDATA

Imports

advapi32.dll
comctl32.dll
kernel32.dll
mscoree.dll
shell32.dll
user32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
68
Monitored processes
30
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start core spoofer 4.0.exe no specs core spoofer 4.0.exe cmd.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1704"C:\Users\admin\AppData\Local\Temp\Core Spoofer 4.0.exe" C:\Users\admin\AppData\Local\Temp\Core Spoofer 4.0.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
FimxiSpoofa
Exit code:
3221226540
Version:
1.0.0.0
2452"C:\Users\admin\AppData\Local\Temp\Core Spoofer 4.0.exe" C:\Users\admin\AppData\Local\Temp\Core Spoofer 4.0.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
FimxiSpoofa
Version:
1.0.0.0
748"cmd.exe"C:\Windows\system32\cmd.exeCore Spoofer 4.0.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2016taskkill /f /im UnrealCEFSubProcess.exeC:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2824taskkill /f /im CEFProcess.exeC:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3632taskkill /f /im EasyAntiCheat.exeC:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1944taskkill /f /im BEService.exeC:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4028taskkill /f /im BEServices.exeC:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3356taskkill /f /im BattleEye.exeC:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2360taskkill /f /im epicgameslauncher.exeC:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 276
Read events
80
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
9
Unknown types
0

Dropped files

PID
Process
Filename
Type
2452Core Spoofer 4.0.exeC:\Windows\IME\cleaner1.battext
MD5:781C8C9D8911CE253CE99A18EDA95A19
SHA256:5F0DE2628B655B8E56940025EE91CD7918B98AE68F8B92D5C06E078637AED7DC
2452Core Spoofer 4.0.exeC:\Windows\IME\cleaner7.battext
MD5:554809A8C20A23915E136E652FE67161
SHA256:04548DA10E1CF28D9313CCC66D3B2246667F977BE3042020B7851F056604D2BF
2452Core Spoofer 4.0.exeC:\Windows\IME\cleaner9.battext
MD5:5ECE210F821F5758D07E4DF80D705371
SHA256:A84A3017627C6031CE914B2F56D07DF072A7BDC361B6F7239B6D1D5F36B48FD9
2452Core Spoofer 4.0.exeC:\Windows\IME\cleaner3.battext
MD5:B5D3A0A160CE927F3AA86AD5EE31AF0B
SHA256:FFE0AB3CA8BBE6128EA5A34E20AA254D547BA2D8D062B55F72CEE90B5AC664BB
2452Core Spoofer 4.0.exeC:\Windows\IME\cleaner8.battext
MD5:741E75C6BBE74B8C88DE30CE209F6F3D
SHA256:3FEC761C17FC0C32EFA6F34B1D36A0C29785DF794962F0474C1DAF8FDD6D12CD
2452Core Spoofer 4.0.exeC:\Windows\IME\cleaner5.battext
MD5:8EF27DECCF2184FACDBBC034916426A8
SHA256:38A16BD4225365FFCC2F60A6685F317A6341ACB57677A6980F8E392FF2A37FD5
2452Core Spoofer 4.0.exeC:\Windows\IME\cleaner6.battext
MD5:4A5F56628C636234D71308056427C174
SHA256:FEB5C3FE082309F32BF3A50AE262E337EB1856DB5F317C4EADD5E8631E881DF8
2452Core Spoofer 4.0.exeC:\Windows\IME\cleaner2.battext
MD5:D4309967513EE17FA9A1EC8654C0BF88
SHA256:55DFFBC897E2B03A22084E9A5D7802A58B314CDF1BC780B92806738C3FDDDBBD
2452Core Spoofer 4.0.exeC:\Windows\IME\cleaner4.battext
MD5:76805F01CC8B36688162F3FF615B3854
SHA256:44A9F3AE95338AE20C9215E69EBAD57E8EFACE197B2B3F522257246974EC0B2D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2452
Core Spoofer 4.0.exe
162.159.129.233:443
cdn.discordapp.com
Cloudflare Inc
shared

DNS requests

Domain
IP
Reputation
cdn.discordapp.com
  • 162.159.129.233
  • 162.159.130.233
  • 162.159.135.233
  • 162.159.134.233
  • 162.159.133.233
shared
desktop.ini
unknown

Threats

No threats detected
No debug info