f7192526dbe47540e5b2d3b58a511bc65b8a08f76a31c95adc40921f25f8acf3

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2023 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Papers.Please.v1.2.76/setup_papers_please_1.2.76_(54232).exe
Size

40.8MB
MD5

354d10586bd68448685e925e48810bed
SHA1

ddfbe39b92b2277f989e7597af91379d7ec2ef7e
SHA256

412de5f617c9115d8199d78ef93e34a9b46e021b81902feb9eef14a4b2c035f0
SHA512

6f4f17b5dc51b8448184ba21af9b7dda7f7c91f5c4eef609ae6699b8bead4019fdb6280bf83853cd1db98b1a621c8dfaad4bf2fb13305ba726b66aa046bdb469
SSDEEP

786432:pBaa+1a5dqYwSYjm9x+hvRprsSLQWvVyPf/Wj8LT3y53RZYvv/w/go1PIGvUaQvL:ma+1QqYHYSerDHuf/c8LTuT+iNu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

setup_papers_please_1.2.76_(54232).tmp

pid process

2284 setup_papers_please_1.2.76_(54232).tmp

Loads dropped DLL 6 IoCs

Processes:

setup_papers_please_1.2.76_(54232).tmp

pid	process
2284	setup_papers_please_1.2.76_(54232).tmp
2284	setup_papers_please_1.2.76_(54232).tmp
2284	setup_papers_please_1.2.76_(54232).tmp
2284	setup_papers_please_1.2.76_(54232).tmp
2284	setup_papers_please_1.2.76_(54232).tmp
2284	setup_papers_please_1.2.76_(54232).tmp

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

setup_papers_please_1.2.76_(54232).exe

description	pid	process	target process
PID 1664 wrote to memory of 2284	1664	setup_papers_please_1.2.76_(54232).exe	setup_papers_please_1.2.76_(54232).tmp
PID 1664 wrote to memory of 2284	1664	setup_papers_please_1.2.76_(54232).exe	setup_papers_please_1.2.76_(54232).tmp
PID 1664 wrote to memory of 2284	1664	setup_papers_please_1.2.76_(54232).exe	setup_papers_please_1.2.76_(54232).tmp

C:\Users\Admin\AppData\Local\Temp\Papers.Please.v1.2.76\setup_papers_please_1.2.76_(54232).exe
"C:\Users\Admin\AppData\Local\Temp\Papers.Please.v1.2.76\setup_papers_please_1.2.76_(54232).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\is-896IN.tmp\setup_papers_please_1.2.76_(54232).tmp
"C:\Users\Admin\AppData\Local\Temp\is-896IN.tmp\setup_papers_please_1.2.76_(54232).tmp" /SL5="$70066,42151039,192512,C:\Users\Admin\AppData\Local\Temp\Papers.Please.v1.2.76\setup_papers_please_1.2.76_(54232).exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-896IN.tmp\setup_papers_please_1.2.76_(54232).tmp
Filesize
1.3MB

MD5
584b93c043e09f22f0f94d90220b90d2

SHA1
0cc5a8f9c7f6924dc1198001db3218953ac0ad99

SHA256
ca4b29bc6469a8a733431e071a360dcca48cf5d4886f455514161c9c62c44256

SHA512
2039520e5b8d71984e3203d63472d2ee3d1be2d9294f3add58804f0f55fe361c7de2a82855f3a3f18c9920198eb31a9471a2987c69961c0caef74b7671114736

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TQOIT.tmp\1134577161_english.jpg
Filesize
192KB

MD5
339f7594a4b849625de4e6f1ed00a0a5

SHA1
57627516ac4931938e1680a6ac8b5bce7ac5feeb

SHA256
d85be7db9614ff25af54ef04b92703aea750e2092e2d648b7d14af8bff80cb2f

SHA512
514c83d7222770cc7d6c0cf8cdc70e3f75ac8f8839efa2ff11c6ef7c5f3831479365a02b74c773c7ef1d8ea0dc70dfcfcd4ffb0e813668fee52988e1c850aaac

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TQOIT.tmp\1449651388_english.jpg
Filesize
175KB

MD5
ae8c0b7dd3bf13bc6409ae912036ce7b

SHA1
86242f1b6bd60f90c6aaeede756ff07dc3c02492

SHA256
fb01ffdf0743e3ae4d3e1a4c80d6f4c487330926deff4f4c78aadf0636f331d7

SHA512
7085eaba6d999ee3850303e5b5b410030106e504a7decc05ca7352a7082c9c391a0dd6c609fe6552985870edaa2772cf12ff203b7e32a9702bfc4f845774c0c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TQOIT.tmp\BigOK.png
Filesize
3KB

MD5
5b43a5d975a53f4fc1da67ce9f7784c1

SHA1
8543fa1e471030049942252b23cb22e0880c3af5

SHA256
59d8bb3e87a89ef523c0495addce38d69560af42aaa82f56dd41b12e6612c13a

SHA512
5dd5c4e9859a555a4a32da76f5231b44f7556274c6501da530b2cdd570bcb4675f710bee708322a40ed3ef9280c0d652b4e7ef0e9eaf128c08534f59291917f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TQOIT.tmp\EULAAccepted.png
Filesize
2KB

MD5
461dfeb75927bdb39f9db5348612a611

SHA1
b7893b1fff6801e37ee7337d876962a09184941e

SHA256
0de278f5ca6d8570d9bda592268a14a28b87d3631fea2d25721947397aaab79c

SHA512
68528cf45c81c2c024a672f42c2cd6d4f72c015b443f103ca21deb8ee2bec4f4027490e7f33b5338a87537b5bf7f255f2828aed149f622155ec89cc81687651b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TQOIT.tmp\EULAShow.png
Filesize
1KB

MD5
c596bc9111edc702bbbb29b70984254f

SHA1
d4712c7b91ff4f8994e7907d31357c42eb47c738

SHA256
6112851daea2aaa7174e8cfac4a0f61c968bc090342503804c476eff47cc2462

SHA512
db50d0a39ec644873a03d64552fff1776cc94f016e8dfc8918e65aee94f7529a6de4637567b5e65c4ea988f3775785c4b52c2d96fe8dbc52b1e21ff59c737c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TQOIT.tmp\background.jpg
Filesize
416KB

MD5
500498a437a2fc611721405ba1f67746

SHA1
a13af882cf40884f62d8ef2fa97c5c321db7e3fd

SHA256
c25063204ea2bf9311c6e77720d4a69bf11999fb719e78012c1ffa5a4cd3ca22

SHA512
4e495d484dfbd18489b0cd7f55320ae34b41eb5441a6f8149adea17d167c88b2429237b1a0f59fd883b659c7b3e8d2dbf706077c70a741aa4669351c7938e6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TQOIT.tmp\botva2.dll
Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TQOIT.tmp\botva2.dll
Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TQOIT.tmp\btn_md5.png
Filesize
8KB

MD5
3befe9739354ee24a0b1ea8df05ce274

SHA1
ab0bda986a8c46aa19f57b75a2b7b22445a3c625

SHA256
b0193ab375f604fa4a25cabdea8f713babde1c07ab562ffc5679352c8e01db47

SHA512
ac016a59e0bfc9b22c376ae5d498c5660893a983d932b2bd502dabe032883c69e79ea8d93c2db49f95415c3cdb068e9f7d1d85527a4f9e68e065a989852d09dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TQOIT.tmp\crcdll.dll
Filesize
69KB

MD5
1d51fac9e2384eeb674199cfd5281d7d

SHA1
861dfdc121357d605d0cc3793266713788109eb2

SHA256
23e90ce5a1f2d634a7bf5d5d0522fafeea6df9e536e16f5ce91035d5197128ec

SHA512
921b00adfe43b883200960e8d0958d4e6b97f6d5cfc096ee277766a3e44cc7805a20877a4edf8bd4d9102bb71a20ac218a9a512f4f76bd751d3ef14f4e0a6eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TQOIT.tmp\error.png
Filesize
726B

MD5
df10adc25b673e74e19971c17bee5a98

SHA1
ee16fb1cf9491f5e611282f0574b27d76fede412

SHA256
142b16dc6239421691fa6e619d1a61e61176d89fa018a88b46893c29a57aad8b

SHA512
dc3de10e0321966cbbfb2e57b3b41da6f26dff0c7233a47469da58775b5c471e6b5181e4d4ffc81ef8b83dbcad74ccc1aad7678518f99c9185a441d2a23e010f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TQOIT.tmp\innocallback.dll
Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TQOIT.tmp\ok.png
Filesize
1KB

MD5
103c1368e60806b1b7995a0894eacf87

SHA1
971392527f6e4b655044773132505c901a6b5469

SHA256
0d37d4421a39ca8852eb6760b8e914302bdc6cfcc7b170dc1b6c9bb9be148b7e

SHA512
652177e94438aff102f2ed873b26f0985ebed134763852b49b1ca2698463c1dbeb85152f19c8e18d397229ec5cb2cd1d17c61d454ab7c425a2cab540adc8228a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TQOIT.tmp\slideshow.ini
Filesize
279B

MD5
ad0ed70c79608288af8c69914e68c90d

SHA1
87334e310ba0bc5d05b7dffdf6ed258a8b56a4d8

SHA256
67cb7a731cb50a9e45cd684cdae147aee6a34842aea936cca1f9fcde266dc5a7

SHA512
c5606f19e3eabc128e8991821e9cc925d3e0f09dbda16ec9653349ed7d412d1b895634ba0d16396f57c28c478457d8c9aa62704da24f96c7434254da39ba8dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TQOIT.tmp\uninstall.dll
Filesize
691KB

MD5
7db706c324cc9b6fda497d081eed6e26

SHA1
ca97392e573af0cf61bfa3301801a85f2beea44c

SHA256
cc685dbcf798549ad1a51c1dde45462e2a451ec59f48ee91219182a3871cd5b0

SHA512
8edf1494d57d5e708faaff4170f21f435658be897a6fe0acf243ced0701a7fd574b3c973c5bc5e8d92815e966c98977e69ac1e3083ab00c11b072115527ffa19

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TQOIT.tmp\uninstall.dll
Filesize
691KB

MD5
7db706c324cc9b6fda497d081eed6e26

SHA1
ca97392e573af0cf61bfa3301801a85f2beea44c

SHA256
cc685dbcf798549ad1a51c1dde45462e2a451ec59f48ee91219182a3871cd5b0

SHA512
8edf1494d57d5e708faaff4170f21f435658be897a6fe0acf243ced0701a7fd574b3c973c5bc5e8d92815e966c98977e69ac1e3083ab00c11b072115527ffa19

Download Submit
memory/1664-269-0x0000000000060000-0x0000000000099000-memory.dmp

Filesize
228KB

Download
memory/1664-133-0x0000000000060000-0x0000000000099000-memory.dmp

Filesize
228KB

Download
memory/2284-147-0x0000000003690000-0x0000000003747000-memory.dmp

Filesize
732KB

Download
memory/2284-138-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/2284-268-0x0000000003750000-0x0000000003751000-memory.dmp

Filesize
4KB

Download
memory/2284-192-0x00000000056E0000-0x00000000056EE000-memory.dmp

Filesize
56KB

Download
memory/2284-270-0x0000000000B00000-0x0000000000C52000-memory.dmp

Filesize
1.3MB

Download
memory/2284-271-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2284-273-0x00000000056E0000-0x00000000056EE000-memory.dmp

Filesize
56KB

Download
memory/2284-272-0x0000000003690000-0x0000000003747000-memory.dmp

Filesize
732KB

Download
memory/2284-274-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/2284-282-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2284-284-0x00000000056E0000-0x00000000056EE000-memory.dmp

Filesize
56KB

Download