bafa6f7eb2530b544908fc67fb6f0acd91f2be1457925fb1398db890554092ea

Analysis

max time kernel
121s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02/02/2023, 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RetroArch-Win64-setup.exe
Size

202.4MB
MD5

dc68a2de80a241d21218ad2f6b07144c
SHA1

40f5afddb53653965f7701f6113177b7ecef951f
SHA256

bafa6f7eb2530b544908fc67fb6f0acd91f2be1457925fb1398db890554092ea
SHA512

5ff9a322addfa45603881e60b014605d81972f95382a312b1b19019aa115e6c11ec386f92f69d824766f66f4722f1effcf3c3fd329e3e56ef0b6e2223d39104d
SSDEEP

6291456:gt7W33EBSdsCQt481FqRnhfHq7kzgXBNvklD:g8nGlRRUhfHqwCMZ

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 7 IoCs

pid	Process
268	RetroArch-Win64-setup.exe
268	RetroArch-Win64-setup.exe
268	RetroArch-Win64-setup.exe
268	RetroArch-Win64-setup.exe
268	RetroArch-Win64-setup.exe
268	RetroArch-Win64-setup.exe
268	RetroArch-Win64-setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x0001000000027b96-61.dat	nsis_installer_2

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1988	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1988	AUDIODG.EXE
Token: 33	1988	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1988	AUDIODG.EXE

C:\Users\Admin\AppData\Local\Temp\RetroArch-Win64-setup.exe
"C:\Users\Admin\AppData\Local\Temp\RetroArch-Win64-setup.exe"
1⤵
- Loads dropped DLL
PID:268

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\RetroArch-Win64\retroarch.exe

Filesize
15.6MB

MD5
49bf10664dd40609d625e58e16e43e04

SHA1
f9c44ed334ac556b1826960fe516bf474c49b57e

SHA256
09712da987f0172ed45768201c79e8b27df80705797f4affe543fad92e26995a

SHA512
cc2431615f267c114d7f37ab150a755139f0233e114e743694e3aa391f063827907fee5b86a37a297e1330415df052bc4402f7e63adc1c6434b93be19fae7c02

Download Submit
\RetroArch-Win64\retroarch.exe

Filesize
14.9MB

MD5
2e3e385d4c4c1bd2d705d04cdfa4b385

SHA1
e951efcf514a359adcbf6889f7106956ba94ed2b

SHA256
188b63af5b4150a43e44b8d491a3c6d8181d4f268b7498b9b6e94a635ad5128b

SHA512
6ad47c7ced735ded6b8b4dac21c5b32041b9b1ca969bbf5052354b6b4842bbfd7b95944380e0622ca9e9906fbbe4617e2e397577b3dbc5d493e97ccb937b59e4

Download Submit
\RetroArch-Win64\retroarch.exe

Filesize
2.6MB

MD5
eb859dc93f27a7b3c7d3f53d338f9270

SHA1
3d7860ac99373439efe6c4c9db6426d500983d06

SHA256
3cae95d24f351e4292799ca4d28f2250f989ebb9c78b3a67500f0e683a5b33f9

SHA512
dfaee452fa81a23d2502b868e3923673f7b3c75a5bb500d1af87c0a6df433d2f789abc0873944482d463e453608a797b53a40ac0630a2f6d439b1fb12d899309

Download Submit
\RetroArch-Win64\retroarch.exe

Filesize
2.3MB

MD5
0f173d2e78a24ec3ea712b66b0d5a4ee

SHA1
616429ab12845ad709d8d4694419f94cbdb98f5f

SHA256
4fe45ca56189c00b18860f749e5c480da9cbf19cebe41659b59d114f7044fc09

SHA512
67c175ffcfdfa5ed0a575d42f64c01658203da9dde425e35793718954e55404aa115f7672a8d83c8ead3f51792632dae9afea4cb7017910664a72238addf02ca

Download Submit
\RetroArch-Win64\retroarch.exe

Filesize
2.3MB

MD5
0f173d2e78a24ec3ea712b66b0d5a4ee

SHA1
616429ab12845ad709d8d4694419f94cbdb98f5f

SHA256
4fe45ca56189c00b18860f749e5c480da9cbf19cebe41659b59d114f7044fc09

SHA512
67c175ffcfdfa5ed0a575d42f64c01658203da9dde425e35793718954e55404aa115f7672a8d83c8ead3f51792632dae9afea4cb7017910664a72238addf02ca

Download Submit
\RetroArch-Win64\retroarch.exe

Filesize
2.3MB

MD5
18504c74d15b68846cb1c424198bf4ac

SHA1
506b64d0e7e8765b89de467da29a883aa45469c3

SHA256
78457796e16e77d4d5a298e78f10a7e4088929af19ad42a008898c5b8db40bc1

SHA512
25758b657cad96d2617073e954ed95cd2aa6d6210f157a028caffe7dada5459ba22209b5eb56268b110931eb42b3b7578b55a20dab4623ea119e63c0feaa1bf1

Download Submit
\RetroArch-Win64\uninstall.exe

Filesize
512KB

MD5
f3c92a701b9a5db70e519e0f85836ca5

SHA1
8eba17559f14defd895689a7256b5e75bf7cf472

SHA256
d68b3e416f5691f8049d1a6d82c5b9747fa454581e5f4663a9af4108b815fc67

SHA512
74a26abe2d0f7797da3f09d6e2effdd4e5a09ed421e7cebd90bd6035d3e62aeb82271157dca914d28108c61c94344629313b2efd2c793d90df13e0cb9fe12ca2

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4E42.tmp\StartMenu.dll

Filesize
9KB

MD5
c01df0ef605f284813f15da8779d79ff

SHA1
d44d9ad01584053d857e033dc14f4e5886bb412e

SHA256
c6388b3742bc1591415dc789959c0ed7141cb3a5826e2de0c9f4c964b21ce64a

SHA512
b7db647c307fb507e453cbca252d67a9f9e9c3fd42b1684d6e9f5f7826ae7c677c0a81f2301a9187d07084c5980ba4ea7491bf6c2b1ae3b161af3e197fa42b70

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4E42.tmp\System.dll

Filesize
23KB

MD5
8643641707ff1e4a3e1dfda207b2db72

SHA1
f6d766caa9cafa533a04dd00e34741d276325e13

SHA256
d1b94797529c414b9d058c17dbd10c989eef59b1fa14eea7f61790d7cfa7fd25

SHA512
cc8e07395419027914a6d4b3842ac7d4f14e3ec8be319bfe5c81f70bcf757f8c35f0aaeb985c240b6ecc71fc3e71b9f697ccda6e71f84ac4930adf5eac801181

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4E42.tmp\System.dll

Filesize
23KB

MD5
8643641707ff1e4a3e1dfda207b2db72

SHA1
f6d766caa9cafa533a04dd00e34741d276325e13

SHA256
d1b94797529c414b9d058c17dbd10c989eef59b1fa14eea7f61790d7cfa7fd25

SHA512
cc8e07395419027914a6d4b3842ac7d4f14e3ec8be319bfe5c81f70bcf757f8c35f0aaeb985c240b6ecc71fc3e71b9f697ccda6e71f84ac4930adf5eac801181

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4E42.tmp\nsDialogs.dll

Filesize
11KB

MD5
79a0bde19e949a8d90df271ca6e79cd2

SHA1
946ad18a59c57a11356dd9841bec29903247bb98

SHA256
8353f495064aaf30b32b02f5d935c21f86758f5a99d8ee5e8bf8077b907fad90

SHA512
2a65a48f5dd453723146babca8d047e112ab023a589c57fcf5441962f2846a262c2ad25a2985dba4f2246cdc21d973cbf5e426d4b75dd49a083635400f908a3e

Download Submit
memory/268-54-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download