a45ab1b5ea9dc10286fcba7b397d9aa5320a68de991c8839bb829f5c7dcfce79

Analysis

max time kernel
151s
max time network
83s
platform
windows7_x64
resource
win7-20221111-es
resource tags

arch:x64arch:x86image:win7-20221111-eslocale:es-esos:windows7-x64systemwindows
submitted
05-01-2023 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HP1_Setup[1].exe
Size

255.6MB
MD5

0ebfe95e8c7fe061a51de599cc7519b8
SHA1

8eab8fc090e3a4711ab817b7a05b3b6ba2074619
SHA256

a45ab1b5ea9dc10286fcba7b397d9aa5320a68de991c8839bb829f5c7dcfce79
SHA512

f394357f397d2a041bcbcae7e7de4a36ab8537ff7ab25dbae9849df90676c275d4f1fbf258c198f94a1e6173f7a560fc25319c32dcf3369b863e6a96aea92737
SSDEEP

6291456:0daalosqwk7jrmPKY+kzcUCqeODA/F/OoQdSwHFiHj:3ays47FLkbOODAF2liHj

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
908	HP1_Setup[1].tmp

Loads dropped DLL 4 IoCs

pid	Process
1976	HP1_Setup[1].exe
908	HP1_Setup[1].tmp
908	HP1_Setup[1].tmp
908	HP1_Setup[1].tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Maps\is-UJKHQ.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Music\is-L8FU1.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Maps\is-RUDTR.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Music\is-4E6TU.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Save\is-URKIP.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Sounds\is-OF7M0.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Textures\is-81FG2.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Sounds\is-IPF8T.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\System\is-FHJC8.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Music\is-7MEDV.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Music\is-KMG66.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Music\is-1M560.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Save\is-LDAJJ.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Sounds\is-ST2F1.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Sounds\is-MSOUO.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\System\is-3QGEG.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\System\is-LET5J.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Textures\is-ABGE1.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Maps\is-7FOKI.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Music\is-ALCP9.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Music\is-T411V.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Music\is-4IJ02.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Sounds\is-EA8J8.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Maps\is-4NR9U.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Save\is-0F7FO.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\System\is-N815P.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\System\is-EG9V1.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Textures\is-3USM2.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Music\is-55C3S.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Music\is-63UTI.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Sounds\is-HT4KF.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\System\is-9BP5A.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\System\is-P10QP.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Save\is-DLE8L.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Sounds\is-BJ3EC.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Support\is-TMTOE.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\System\is-CQV7O.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Maps\is-J49UO.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\System\is-SF8IG.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\System\is-P7A2T.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Music\is-RQJPD.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Music\is-3C2NI.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Music\is-R7NT2.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Music\is-PGQ5C.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\System\is-0G078.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Textures\is-AS4FN.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Textures\is-K67O7.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Textures\is-PTGIL.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Music\is-SP9UF.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Music\is-APKJO.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Music\is-GIOCC.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Sounds\is-HJMC7.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\System\is-JBL7A.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\System\is-HM5BD.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Textures\is-IIQRU.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Textures\is-M2EP1.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Help\is-QQOU1.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Maps\is-OCFU0.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Music\is-9QBQO.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Save\is-TSR9T.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Save\is-5BGQU.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Textures\is-9ND69.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Help\is-A5K19.tmp	HP1_Setup[1].tmp
File created	C:\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\Music\is-GV83B.tmp	HP1_Setup[1].tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
676	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	624	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	624	AUDIODG.EXE
Token: 33	624	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	624	AUDIODG.EXE
Token: SeDebugPrivilege	676	taskmgr.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
504	SndVol.exe
504	SndVol.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
504	SndVol.exe
504	SndVol.exe
504	SndVol.exe
504	SndVol.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe
676	taskmgr.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 908	1976	HP1_Setup[1].exe	28
PID 1976 wrote to memory of 908	1976	HP1_Setup[1].exe	28
PID 1976 wrote to memory of 908	1976	HP1_Setup[1].exe	28
PID 1976 wrote to memory of 908	1976	HP1_Setup[1].exe	28
PID 1976 wrote to memory of 908	1976	HP1_Setup[1].exe	28
PID 1976 wrote to memory of 908	1976	HP1_Setup[1].exe	28
PID 1976 wrote to memory of 908	1976	HP1_Setup[1].exe	28

C:\Users\Admin\AppData\Local\Temp\HP1_Setup[1].exe
"C:\Users\Admin\AppData\Local\Temp\HP1_Setup[1].exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\is-0CHKV.tmp\HP1_Setup[1].tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0CHKV.tmp\HP1_Setup[1].tmp" /SL5="$B0030,267604656,163328,C:\Users\Admin\AppData\Local\Temp\HP1_Setup[1].exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:908

C:\Windows\system32\SndVol.exe
SndVol.exe -f 45876369 31701
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:504

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1ac
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:384

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" SYSTEM
1⤵
PID:1996

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:384

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-0CHKV.tmp\HP1_Setup[1].tmp

Filesize
773KB

MD5
cfa982aca74af097dea703eeeb89169f

SHA1
d9ec4f3494489a916cf52d49c401de3f977d7a32

SHA256
878ab0998b0ee0eae16a670e095e04439926a5ed5995dfd7d070c9d42bbbf951

SHA512
be3be5d6126c333fcdf47d25ad728c864a41f738e2913bf637bfc0e8d0d3f867321f2e022395254a09b50ff7f9dc0510d47b858ff5d5bbab0f1854550f87a811

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0CHKV.tmp\HP1_Setup[1].tmp

Filesize
773KB

MD5
cfa982aca74af097dea703eeeb89169f

SHA1
d9ec4f3494489a916cf52d49c401de3f977d7a32

SHA256
878ab0998b0ee0eae16a670e095e04439926a5ed5995dfd7d070c9d42bbbf951

SHA512
be3be5d6126c333fcdf47d25ad728c864a41f738e2913bf637bfc0e8d0d3f867321f2e022395254a09b50ff7f9dc0510d47b858ff5d5bbab0f1854550f87a811

Download Submit
\Program Files (x86)\EA Games\Harry Potter y la Piedra Filosofal\unins000.exe

Filesize
784KB

MD5
64f8d5e39422cabb277306f165a37ba1

SHA1
db97da8cf96375e0a2147566b5cadb170e49da0d

SHA256
12370e98a69278eadea5dee330c5d9d6c05caa5c8f39d8e44e43501e5a2e7fc1

SHA512
2e77c15bb57bbb520e28c851594cbb7dca42ab7fe3e2d68d886d8a1b893908655441cc3d5ce6608e76003bad9273d76f565a8aba794ef36ba9bef4f84161d9ca

Download Submit
\Users\Admin\AppData\Local\Temp\is-0CHKV.tmp\HP1_Setup[1].tmp

Filesize
773KB

MD5
cfa982aca74af097dea703eeeb89169f

SHA1
d9ec4f3494489a916cf52d49c401de3f977d7a32

SHA256
878ab0998b0ee0eae16a670e095e04439926a5ed5995dfd7d070c9d42bbbf951

SHA512
be3be5d6126c333fcdf47d25ad728c864a41f738e2913bf637bfc0e8d0d3f867321f2e022395254a09b50ff7f9dc0510d47b858ff5d5bbab0f1854550f87a811

Download Submit
\Users\Admin\AppData\Local\Temp\is-CKAO3.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-CKAO3.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/384-69-0x0000000072591000-0x0000000072593000-memory.dmp

Filesize
8KB

Download
memory/504-65-0x000007FEFBA01000-0x000007FEFBA03000-memory.dmp

Filesize
8KB

Download
memory/676-71-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/676-72-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/908-58-0x0000000000000000-mapping.dmp

Download
memory/1976-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1976-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/1976-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download