83bb53e349637193490e6ec307517cb283663286d9727a0d7245e814cddc96ef

Resubmissions

11/02/2023, 17:52

230211-wft3jaea37 7

Analysis

max time kernel
140s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
11/02/2023, 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

2.2MB
MD5

cf69f597119942da6a258c31b5f7a983
SHA1

2ab3e818da8d189c58df0240ee2dc9e29d77fc13
SHA256

83bb53e349637193490e6ec307517cb283663286d9727a0d7245e814cddc96ef
SHA512

26f7408db882572dc5ebd99831be5ed2ef7f11c98a3b6e5bd50e9010ac1a4fd1a33fdc1c793debe002ffa9a8380200ec62aa00bc8b1ee9cea3f7884efa6b0f0c
SSDEEP

49152:Ks3oKxeBZHq9M5FJnNBZzUt6GEkmD1OvwvM1Udurc8g+m5:3lcq2JnpzUVrEMSf+m5

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2728	setup.tmp
2816	unins000.exe
3628	_iu14D2N.tmp

Loads dropped DLL 6 IoCs

pid	Process
2728	setup.tmp
2728	setup.tmp
2728	setup.tmp
2728	setup.tmp
2728	setup.tmp
2728	setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2728	setup.tmp
2728	setup.tmp

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2728	setup.tmp
2728	setup.tmp
3628	_iu14D2N.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2728	1224	setup.exe	82
PID 1224 wrote to memory of 2728	1224	setup.exe	82
PID 1224 wrote to memory of 2728	1224	setup.exe	82
PID 2728 wrote to memory of 2816	2728	setup.tmp	85
PID 2728 wrote to memory of 2816	2728	setup.tmp	85
PID 2728 wrote to memory of 2816	2728	setup.tmp	85
PID 2816 wrote to memory of 3628	2816	unins000.exe	86
PID 2816 wrote to memory of 3628	2816	unins000.exe	86
PID 2816 wrote to memory of 3628	2816	unins000.exe	86

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\is-7P6P8.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-7P6P8.tmp\setup.tmp" /SL5="$10210,1769881,529920,C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Games\Dead Cells\unins000.exe
    "C:\Games\Dead Cells\unins000.exe" /VERYSILENT /NODELSAVE
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
      "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Games\Dead Cells\unins000.exe" /FIRSTPHASEWND=$B0278 /VERYSILENT /NODELSAVE
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      PID:3628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Games\Dead Cells\unins000.dat

Filesize
26KB

MD5
502efe0ebd8a7f9b6586ca6b145d7c06

SHA1
d5f6fddc4d39bb3dbf62f0eaa70887820e0c5e87

SHA256
6a073f390ee1a4d7ec9851cdbd6ea4b6e2fd332ab34055a8c82a0e0d3325a8e0

SHA512
d124ae20125bd7d2a95ade81487a0664219d86032ed0efdf287f6ce98d68e8a9894bd15ffb1091ac4f3156c95ed7390f32f2186fabd385ff9d2ca577a207eaac

Download Submit
C:\Games\Dead Cells\unins000.exe

Filesize
1.5MB

MD5
b13e2e2bc16000a3e5af9fa83db36609

SHA1
7710cedf529fa7158ebfcdbacb6e606f3f1ccbc6

SHA256
025b1f0615ef77d088afd72b72161afb701c8866eb6e62f6c54bba832f0c2441

SHA512
f76617c37bab9e072cd7e044e3357e809fd2aa94ea5eb913b441463f6d16953ce6d20c38022757645e6109eadbae1ec2695f0b3a45c29d7ead376e2d6dd83eaa

Download Submit
C:\Games\Dead Cells\unins000.exe

Filesize
1.5MB

MD5
b13e2e2bc16000a3e5af9fa83db36609

SHA1
7710cedf529fa7158ebfcdbacb6e606f3f1ccbc6

SHA256
025b1f0615ef77d088afd72b72161afb701c8866eb6e62f6c54bba832f0c2441

SHA512
f76617c37bab9e072cd7e044e3357e809fd2aa94ea5eb913b441463f6d16953ce6d20c38022757645e6109eadbae1ec2695f0b3a45c29d7ead376e2d6dd83eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp

Filesize
1.5MB

MD5
b13e2e2bc16000a3e5af9fa83db36609

SHA1
7710cedf529fa7158ebfcdbacb6e606f3f1ccbc6

SHA256
025b1f0615ef77d088afd72b72161afb701c8866eb6e62f6c54bba832f0c2441

SHA512
f76617c37bab9e072cd7e044e3357e809fd2aa94ea5eb913b441463f6d16953ce6d20c38022757645e6109eadbae1ec2695f0b3a45c29d7ead376e2d6dd83eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp

Filesize
1.5MB

MD5
b13e2e2bc16000a3e5af9fa83db36609

SHA1
7710cedf529fa7158ebfcdbacb6e606f3f1ccbc6

SHA256
025b1f0615ef77d088afd72b72161afb701c8866eb6e62f6c54bba832f0c2441

SHA512
f76617c37bab9e072cd7e044e3357e809fd2aa94ea5eb913b441463f6d16953ce6d20c38022757645e6109eadbae1ec2695f0b3a45c29d7ead376e2d6dd83eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7P6P8.tmp\setup.tmp

Filesize
1.5MB

MD5
1b49325a47ff45907b8d77911f367cb7

SHA1
a6f151259279ba11ac5055886a69689e3b0d2745

SHA256
310a4efeff875a5b547ef8f9297b778e540fa0488f5e8f7424750845625a5aa9

SHA512
227585f750265b0a7d23491cc1828c156b2b4cd6934af8ed23bc1340e409364adc1a43ccbeb1f2943ed85234f24a8adf638c8a7c0897cefc24df97eb08ecafdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7P6P8.tmp\setup.tmp

Filesize
1.5MB

MD5
1b49325a47ff45907b8d77911f367cb7

SHA1
a6f151259279ba11ac5055886a69689e3b0d2745

SHA256
310a4efeff875a5b547ef8f9297b778e540fa0488f5e8f7424750845625a5aa9

SHA512
227585f750265b0a7d23491cc1828c156b2b4cd6934af8ed23bc1340e409364adc1a43ccbeb1f2943ed85234f24a8adf638c8a7c0897cefc24df97eb08ecafdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7THDV.tmp\ISDone.dll

Filesize
452KB

MD5
4feafa8b5e8cdb349125c8af0ac43974

SHA1
7f17e5e1b088fc73690888b215962fbcd395c9bd

SHA256
bb8a0245dcc5c10a1c7181bad509b65959855009a8105863ef14f2bb5b38ac71

SHA512
d63984ee385b4f1eba8e590d6de4f082fb0121689295ec6e496539209459152465f6db09e6d8f92eec996a89fc40432077cbfa807beb2de7f375154fef6554bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7THDV.tmp\ISDone.dll

Filesize
452KB

MD5
4feafa8b5e8cdb349125c8af0ac43974

SHA1
7f17e5e1b088fc73690888b215962fbcd395c9bd

SHA256
bb8a0245dcc5c10a1c7181bad509b65959855009a8105863ef14f2bb5b38ac71

SHA512
d63984ee385b4f1eba8e590d6de4f082fb0121689295ec6e496539209459152465f6db09e6d8f92eec996a89fc40432077cbfa807beb2de7f375154fef6554bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7THDV.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7THDV.tmp\callbackctrl.dll

Filesize
4KB

MD5
f07e819ba2e46a897cfabf816d7557b2

SHA1
8d5fd0a741dd3fd84650e40dd3928ae1f15323cc

SHA256
68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d

SHA512
7ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7THDV.tmp\callbackctrl.dll

Filesize
4KB

MD5
f07e819ba2e46a897cfabf816d7557b2

SHA1
8d5fd0a741dd3fd84650e40dd3928ae1f15323cc

SHA256
68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d

SHA512
7ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7THDV.tmp\wintb.dll

Filesize
16KB

MD5
9436df49e08c83bad8ddc906478c2041

SHA1
a4fa6bdd2fe146fda2e78fdbab355797f53b7dce

SHA256
1910537aa95684142250ca0c7426a0b5f082e39f6fbdbdba649aecb179541435

SHA512
f9dc6602ab46d709efdaf937dcb8ae517caeb2bb1f06488c937be794fd9ea87f907101ae5c7f394c7656a6059dc18472f4a6747dcc8cc6a1e4f0518f920cc9bf

Download Submit
memory/1224-132-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1224-138-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1224-137-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1224-153-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2728-142-0x0000000003360000-0x00000000033D7000-memory.dmp

Filesize
476KB

Download