f7192526dbe47540e5b2d3b58a511bc65b8a08f76a31c95adc40921f25f8acf3

Analysis

max time kernel
40s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
12/02/2023, 02:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Papers.Please.v1.2.76/setup_papers_please_1.2.76_(54232).exe
Size

40.8MB
MD5

354d10586bd68448685e925e48810bed
SHA1

ddfbe39b92b2277f989e7597af91379d7ec2ef7e
SHA256

412de5f617c9115d8199d78ef93e34a9b46e021b81902feb9eef14a4b2c035f0
SHA512

6f4f17b5dc51b8448184ba21af9b7dda7f7c91f5c4eef609ae6699b8bead4019fdb6280bf83853cd1db98b1a621c8dfaad4bf2fb13305ba726b66aa046bdb469
SSDEEP

786432:pBaa+1a5dqYwSYjm9x+hvRprsSLQWvVyPf/Wj8LT3y53RZYvv/w/go1PIGvUaQvL:ma+1QqYHYSerDHuf/c8LTuT+iNu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2008	setup_papers_please_1.2.76_(54232).tmp

Loads dropped DLL 5 IoCs

pid	Process
1108	setup_papers_please_1.2.76_(54232).exe
2008	setup_papers_please_1.2.76_(54232).tmp
2008	setup_papers_please_1.2.76_(54232).tmp
2008	setup_papers_please_1.2.76_(54232).tmp
2008	setup_papers_please_1.2.76_(54232).tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 2008	1108	setup_papers_please_1.2.76_(54232).exe	27
PID 1108 wrote to memory of 2008	1108	setup_papers_please_1.2.76_(54232).exe	27
PID 1108 wrote to memory of 2008	1108	setup_papers_please_1.2.76_(54232).exe	27
PID 1108 wrote to memory of 2008	1108	setup_papers_please_1.2.76_(54232).exe	27
PID 1108 wrote to memory of 2008	1108	setup_papers_please_1.2.76_(54232).exe	27
PID 1108 wrote to memory of 2008	1108	setup_papers_please_1.2.76_(54232).exe	27
PID 1108 wrote to memory of 2008	1108	setup_papers_please_1.2.76_(54232).exe	27

C:\Users\Admin\AppData\Local\Temp\Papers.Please.v1.2.76\setup_papers_please_1.2.76_(54232).exe
"C:\Users\Admin\AppData\Local\Temp\Papers.Please.v1.2.76\setup_papers_please_1.2.76_(54232).exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\is-S8BOQ.tmp\setup_papers_please_1.2.76_(54232).tmp
  "C:\Users\Admin\AppData\Local\Temp\is-S8BOQ.tmp\setup_papers_please_1.2.76_(54232).tmp" /SL5="$90124,42151039,192512,C:\Users\Admin\AppData\Local\Temp\Papers.Please.v1.2.76\setup_papers_please_1.2.76_(54232).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-S8BOQ.tmp\setup_papers_please_1.2.76_(54232).tmp

Filesize
1.3MB

MD5
584b93c043e09f22f0f94d90220b90d2

SHA1
0cc5a8f9c7f6924dc1198001db3218953ac0ad99

SHA256
ca4b29bc6469a8a733431e071a360dcca48cf5d4886f455514161c9c62c44256

SHA512
2039520e5b8d71984e3203d63472d2ee3d1be2d9294f3add58804f0f55fe361c7de2a82855f3a3f18c9920198eb31a9471a2987c69961c0caef74b7671114736

Download Submit
\Users\Admin\AppData\Local\Temp\is-GR3IU.tmp\botva2.dll

Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
\Users\Admin\AppData\Local\Temp\is-GR3IU.tmp\crcdll.dll

Filesize
69KB

MD5
1d51fac9e2384eeb674199cfd5281d7d

SHA1
861dfdc121357d605d0cc3793266713788109eb2

SHA256
23e90ce5a1f2d634a7bf5d5d0522fafeea6df9e536e16f5ce91035d5197128ec

SHA512
921b00adfe43b883200960e8d0958d4e6b97f6d5cfc096ee277766a3e44cc7805a20877a4edf8bd4d9102bb71a20ac218a9a512f4f76bd751d3ef14f4e0a6eda

Download Submit
\Users\Admin\AppData\Local\Temp\is-GR3IU.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-GR3IU.tmp\uninstall.dll

Filesize
691KB

MD5
7db706c324cc9b6fda497d081eed6e26

SHA1
ca97392e573af0cf61bfa3301801a85f2beea44c

SHA256
cc685dbcf798549ad1a51c1dde45462e2a451ec59f48ee91219182a3871cd5b0

SHA512
8edf1494d57d5e708faaff4170f21f435658be897a6fe0acf243ced0701a7fd574b3c973c5bc5e8d92815e966c98977e69ac1e3083ab00c11b072115527ffa19

Download Submit
\Users\Admin\AppData\Local\Temp\is-S8BOQ.tmp\setup_papers_please_1.2.76_(54232).tmp

Filesize
1.3MB

MD5
584b93c043e09f22f0f94d90220b90d2

SHA1
0cc5a8f9c7f6924dc1198001db3218953ac0ad99

SHA256
ca4b29bc6469a8a733431e071a360dcca48cf5d4886f455514161c9c62c44256

SHA512
2039520e5b8d71984e3203d63472d2ee3d1be2d9294f3add58804f0f55fe361c7de2a82855f3a3f18c9920198eb31a9471a2987c69961c0caef74b7671114736

Download Submit
memory/1108-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1108-55-0x0000000000F50000-0x0000000000F89000-memory.dmp

Filesize
228KB

Download
memory/1108-61-0x0000000000F50000-0x0000000000F89000-memory.dmp

Filesize
228KB

Download
memory/2008-63-0x00000000020C0000-0x00000000020D5000-memory.dmp

Filesize
84KB

Download
memory/2008-68-0x00000000020F0000-0x00000000020FE000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads