92c2987eb7f67ab9085cd3675d5e7324d2e51d3d6a4f69d6c1cf9d6fe9c6f669

Resubmissions

19-02-2023 00:19

230219-al7d6aea56 10

19-02-2023 00:13

230219-ah77aadd5x 7

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2023 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[NEW] Hogwarts Legacy by Empress.zip
Size

33.3MB
MD5

97063fcaee93d46a4d0feb60483fbc38
SHA1

e12275f8f8f8050b22724c651e6ca9d1f7fc411c
SHA256

92c2987eb7f67ab9085cd3675d5e7324d2e51d3d6a4f69d6c1cf9d6fe9c6f669
SHA512

6ff3d4ff6ab3f2213ba6f962dbc1916bc100a9000336e24602026989fda96c7c472b2af8c33100f6c63b2433789d6b105e47595ce868f0a49ce8dc16006e1ca0
SSDEEP

786432:JE8Cti21i5bvj510RE5Fu4syo3TF7dnNZ/0sjJMuMwa4liCbuXzhVgrD:JE8CtioovV10RErtPq7qs9DMX4l9buj0

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
820	Hogwarts Legacy by Empress.exe
2436	setupov16.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	Hogwarts Legacy by Empress.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Hogwarts Legacy by Empress.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3488	7zG.exe
Token: 35	3488	7zG.exe
Token: SeSecurityPrivilege	3488	7zG.exe
Token: SeSecurityPrivilege	3488	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3488	7zG.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
820	Hogwarts Legacy by Empress.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 2436	820	Hogwarts Legacy by Empress.exe	94
PID 820 wrote to memory of 2436	820	Hogwarts Legacy by Empress.exe	94
PID 820 wrote to memory of 2436	820	Hogwarts Legacy by Empress.exe	94

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress.zip"
1⤵
PID:4024

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2528

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\" -spe -an -ai#7zMap16775:144:7zEvent15476
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3488

C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe
"C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:820
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe
  2⤵
  - Executes dropped EXE
  PID:2436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe

Filesize
271.7MB

MD5
afc107122f9018050f0a1201e6d096a2

SHA1
97a56e7492d86791e8d880fb3c530f0812c04244

SHA256
3cc08755e17790f6152c50cf98ae474e49011e2407fd3f327ac3919d1b503f14

SHA512
417cc8614bd4f4d9d450d6a497b0e69cb98b21c3b4a95bb46b8fa08983be6842c9ac1c7af48b23734d42fc5cdaa21c4e0fe335dcb5918b7905ebe51eae8f6f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe

Filesize
269.4MB

MD5
c359e5992933c1dc5f1db0b6d184943f

SHA1
9d7df943d7fd78a084964aee286c34a161969716

SHA256
5dfc76016f7fdba467510831bd1cfe636f433f23ed1bf357118d7f3e071712a5

SHA512
6bd2360692a9a0c1715853b0e579a7af2fb9217b12f1986ecb9989c23509db5e13fe2f83bc2b549df58dec7ef7a94f86b197fc270fd20d1ecb478d30e078b5c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe

Filesize
715.8MB

MD5
6697e2951a46bee77fcbd59321c8fc06

SHA1
c8966259d2aa9c216f173f566f3962531b405f10

SHA256
1d3193d3f4806b993f8bf3874f0bfbacfedd860a82ed8b6ab26a9a0d30338a7d

SHA512
fe2be9aeb203bcc81c205e833a1ed9a698cf6edc82053431a34e8d84f2447e9bcaddda11ff4a5b93df7a45ffcd2a6c4f483907f30326d6ce43faf9ee2ffdb1c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe

Filesize
715.8MB

MD5
6697e2951a46bee77fcbd59321c8fc06

SHA1
c8966259d2aa9c216f173f566f3962531b405f10

SHA256
1d3193d3f4806b993f8bf3874f0bfbacfedd860a82ed8b6ab26a9a0d30338a7d

SHA512
fe2be9aeb203bcc81c205e833a1ed9a698cf6edc82053431a34e8d84f2447e9bcaddda11ff4a5b93df7a45ffcd2a6c4f483907f30326d6ce43faf9ee2ffdb1c1

Download Submit