b072cd5dfe9bcdb08250fac0647e5040ca03ebfde85bc0083c7766d1cf9930c5

Analysis

max time kernel
141s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19-03-2023 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Papers Please De SmoggyBox7636/Papers Please -Survarium100/setup.exe
Size

828KB
MD5

051be444bb912b68b005a03d165e5328
SHA1

17d41f81d8bea23d43aab6830b852dd441a8e0ce
SHA256

6148ded4c2efae5064b48b331fbc4684421afeeb89bce849ebeace952c46572b
SHA512

d78a268e6e2db9b8c9d394dac1072bd001064e8c301a750fedf1a2e17df23bd4f1431de92c39e50e31dcd9bb0e1eba637d6b89d61ab7e68861767c43c91016c3
SSDEEP

12288:sjxolfRJjrQ94OQ/Z2/QPy22ScjY6YCnJUsQOA0q6HRHazuaWtQLH5/yl:sjKVbr44tRXa22SEY6YCqHOEVJp8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

setup.tmp

pid process

1112 setup.tmp
Loads dropped DLL 4 IoCs

Processes:

setup.exesetup.tmp

pid process

1264 setup.exe
1112 setup.tmp
1112 setup.tmp
1112 setup.tmp
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

setup.tmp

pid process

1112 setup.tmp

pid	process
1112	setup.tmp

pid	process
1264	setup.exe
1112	setup.tmp
1112	setup.tmp
1112	setup.tmp

pid	process
1112	setup.tmp

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

setup.exe

description	pid	process	target process
PID 1264 wrote to memory of 1112	1264	setup.exe	setup.tmp
PID 1264 wrote to memory of 1112	1264	setup.exe	setup.tmp
PID 1264 wrote to memory of 1112	1264	setup.exe	setup.tmp
PID 1264 wrote to memory of 1112	1264	setup.exe	setup.tmp
PID 1264 wrote to memory of 1112	1264	setup.exe	setup.tmp
PID 1264 wrote to memory of 1112	1264	setup.exe	setup.tmp
PID 1264 wrote to memory of 1112	1264	setup.exe	setup.tmp

C:\Users\Admin\AppData\Local\Temp\Papers Please De SmoggyBox7636\Papers Please -Survarium100\setup.exe
"C:\Users\Admin\AppData\Local\Temp\Papers Please De SmoggyBox7636\Papers Please -Survarium100\setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\is-G75CN.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-G75CN.tmp\setup.tmp" /SL5="$70126,436752,83968,C:\Users\Admin\AppData\Local\Temp\Papers Please De SmoggyBox7636\Papers Please -Survarium100\setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1112

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-G75CN.tmp\setup.tmp
Filesize
923KB

MD5
6efab7ad87ecb5df6601a10c63b62a2c

SHA1
cd739a9ac81aedb8b88c8b9f03da10a2632cdddd

SHA256
97a772425f76e192adc79efb571cecdbf132066db6f6e8316bfb6c6ac4364b1b

SHA512
0341eeea4150e067a2e841d6bb8b587aec88c209f20f5730c1a502b2263c7ba0c95e6c63f91b3718d8bed88ea010e66b8102d44d9b3b0e8e51c9632897aba16b

Download Submit
\Users\Admin\AppData\Local\Temp\is-G75CN.tmp\setup.tmp
Filesize
923KB

MD5
6efab7ad87ecb5df6601a10c63b62a2c

SHA1
cd739a9ac81aedb8b88c8b9f03da10a2632cdddd

SHA256
97a772425f76e192adc79efb571cecdbf132066db6f6e8316bfb6c6ac4364b1b

SHA512
0341eeea4150e067a2e841d6bb8b587aec88c209f20f5730c1a502b2263c7ba0c95e6c63f91b3718d8bed88ea010e66b8102d44d9b3b0e8e51c9632897aba16b

Download Submit
\Users\Admin\AppData\Local\Temp\is-NMPML.tmp\ISDone.dll
Filesize
452KB

MD5
4feafa8b5e8cdb349125c8af0ac43974

SHA1
7f17e5e1b088fc73690888b215962fbcd395c9bd

SHA256
bb8a0245dcc5c10a1c7181bad509b65959855009a8105863ef14f2bb5b38ac71

SHA512
d63984ee385b4f1eba8e590d6de4f082fb0121689295ec6e496539209459152465f6db09e6d8f92eec996a89fc40432077cbfa807beb2de7f375154fef6554bc

Download Submit
\Users\Admin\AppData\Local\Temp\is-NMPML.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-NMPML.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1112-70-0x00000000020C0000-0x0000000002137000-memory.dmp

Filesize
476KB

Download
memory/1112-72-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1112-74-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1112-75-0x00000000020C0000-0x0000000002137000-memory.dmp

Filesize
476KB

Download
memory/1264-54-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1264-73-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads