1daac4c6aa30ce62ec58b47f3c7c51ffb2741d66f29504801959f85c04f85f50

Analysis

max time kernel
54s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23/03/2023, 10:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

5.3MB
MD5

25f6141aa0c8662b9137c5c1bdd775a2
SHA1

47b41c75ab75259cdd6b9b433255530ac1178a7c
SHA256

1daac4c6aa30ce62ec58b47f3c7c51ffb2741d66f29504801959f85c04f85f50
SHA512

5e8cb4040020e30c9f3945e43e2ffb768f004792661c6c2f5ecb8424a4f5e0428ce22ff5f08fad26104d4086fcf10aa4b0b4ce74812fa97c664f185f3c116cb3
SSDEEP

98304:MPMQeEc7GUFJD08CKwcw0jQdK1XkXMU36LLK9NQLXEXtYW:M0pzFd5JPjHXBWAXCtZ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1336	setup.tmp
532	BlackOps3.exe
1668	BlackOps3.exe

Loads dropped DLL 8 IoCs

pid	Process
1616	setup.exe
1336	setup.tmp
1336	setup.tmp
1336	setup.tmp
1336	setup.tmp
1336	setup.tmp
1336	setup.tmp
1336	setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Call of Duty Black Ops III\unins000.dat	setup.tmp
File opened for modification	C:\Program Files\Call of Duty Black Ops III\BlackOps3.exe	setup.tmp
File created	C:\Program Files\Call of Duty Black Ops III\unins000.dat	setup.tmp
File created	C:\Program Files\Call of Duty Black Ops III\is-U20AH.tmp	setup.tmp
File created	C:\Program Files\Call of Duty Black Ops III\is-SJR9D.tmp	setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1336	setup.tmp
1336	setup.tmp

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	760	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	760	AUDIODG.EXE
Token: 33	760	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	760	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1336	setup.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1336	setup.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 1336	1616	setup.exe	27
PID 1616 wrote to memory of 1336	1616	setup.exe	27
PID 1616 wrote to memory of 1336	1616	setup.exe	27
PID 1616 wrote to memory of 1336	1616	setup.exe	27
PID 1616 wrote to memory of 1336	1616	setup.exe	27
PID 1616 wrote to memory of 1336	1616	setup.exe	27
PID 1616 wrote to memory of 1336	1616	setup.exe	27

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Users\Admin\AppData\Local\Temp\is-HKCB8.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HKCB8.tmp\setup.tmp" /SL5="$70120,5115314,484864,C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1336

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2dc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Program Files\Call of Duty Black Ops III\BlackOps3.exe
"C:\Program Files\Call of Duty Black Ops III\BlackOps3.exe"
1⤵
- Executes dropped EXE
PID:532

C:\Program Files\Call of Duty Black Ops III\BlackOps3.exe
"C:\Program Files\Call of Duty Black Ops III\BlackOps3.exe"
1⤵
- Executes dropped EXE
PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Call of Duty Black Ops III\BlackOps3.exe

Filesize
365KB

MD5
9dc8a18c637a9e9b9edb31890c3bfd31

SHA1
f9aae7d04b6ceb542cf9c8ddac96448820ff0d41

SHA256
7c7db703e1ff519dba7299bc0d827b4ee87f2a0230e12cbe89158e7cf243c9a6

SHA512
216d83a9e0bab59a54e2e03f8d9033e48c0ef0ab0c4bc1c02717e647273d84355eca0d42b52ec75ac22b8e6f73484bfaa72e37924e6906ac0e61121e70b7bd74

Download Submit
C:\Program Files\Call of Duty Black Ops III\BlackOps3.exe

Filesize
365KB

MD5
9dc8a18c637a9e9b9edb31890c3bfd31

SHA1
f9aae7d04b6ceb542cf9c8ddac96448820ff0d41

SHA256
7c7db703e1ff519dba7299bc0d827b4ee87f2a0230e12cbe89158e7cf243c9a6

SHA512
216d83a9e0bab59a54e2e03f8d9033e48c0ef0ab0c4bc1c02717e647273d84355eca0d42b52ec75ac22b8e6f73484bfaa72e37924e6906ac0e61121e70b7bd74

Download Submit
C:\Program Files\Call of Duty Black Ops III\BlackOps3.exe

Filesize
365KB

MD5
9dc8a18c637a9e9b9edb31890c3bfd31

SHA1
f9aae7d04b6ceb542cf9c8ddac96448820ff0d41

SHA256
7c7db703e1ff519dba7299bc0d827b4ee87f2a0230e12cbe89158e7cf243c9a6

SHA512
216d83a9e0bab59a54e2e03f8d9033e48c0ef0ab0c4bc1c02717e647273d84355eca0d42b52ec75ac22b8e6f73484bfaa72e37924e6906ac0e61121e70b7bd74

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HKCB8.tmp\setup.tmp

Filesize
1.5MB

MD5
fe527c164cce7b2b50e29ee70cef7055

SHA1
11b120bdcf52347bae186d2e7c25c1939bdeea8d

SHA256
74ea2c9bf6f54ac4eb7d271bcc20cc006408091b0c0354197bbde9c6140eb7b4

SHA512
f39ced01268ba4285c4d1e12c4c43a04cf98e0e7fd25f07d7aed2cd6d65f1eaeadf892cc89cb7afc2ed97a2f0d5944cfcd2b072c6998e570d433066bbebb0d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HKCB8.tmp\setup.tmp

Filesize
1.5MB

MD5
fe527c164cce7b2b50e29ee70cef7055

SHA1
11b120bdcf52347bae186d2e7c25c1939bdeea8d

SHA256
74ea2c9bf6f54ac4eb7d271bcc20cc006408091b0c0354197bbde9c6140eb7b4

SHA512
f39ced01268ba4285c4d1e12c4c43a04cf98e0e7fd25f07d7aed2cd6d65f1eaeadf892cc89cb7afc2ed97a2f0d5944cfcd2b072c6998e570d433066bbebb0d24

Download Submit
\Program Files\Call of Duty Black Ops III\BlackOps3.exe

Filesize
365KB

MD5
9dc8a18c637a9e9b9edb31890c3bfd31

SHA1
f9aae7d04b6ceb542cf9c8ddac96448820ff0d41

SHA256
7c7db703e1ff519dba7299bc0d827b4ee87f2a0230e12cbe89158e7cf243c9a6

SHA512
216d83a9e0bab59a54e2e03f8d9033e48c0ef0ab0c4bc1c02717e647273d84355eca0d42b52ec75ac22b8e6f73484bfaa72e37924e6906ac0e61121e70b7bd74

Download Submit
\Program Files\Call of Duty Black Ops III\BlackOps3.exe

Filesize
365KB

MD5
9dc8a18c637a9e9b9edb31890c3bfd31

SHA1
f9aae7d04b6ceb542cf9c8ddac96448820ff0d41

SHA256
7c7db703e1ff519dba7299bc0d827b4ee87f2a0230e12cbe89158e7cf243c9a6

SHA512
216d83a9e0bab59a54e2e03f8d9033e48c0ef0ab0c4bc1c02717e647273d84355eca0d42b52ec75ac22b8e6f73484bfaa72e37924e6906ac0e61121e70b7bd74

Download Submit
\Users\Admin\AppData\Local\Temp\is-HKCB8.tmp\setup.tmp

Filesize
1.5MB

MD5
fe527c164cce7b2b50e29ee70cef7055

SHA1
11b120bdcf52347bae186d2e7c25c1939bdeea8d

SHA256
74ea2c9bf6f54ac4eb7d271bcc20cc006408091b0c0354197bbde9c6140eb7b4

SHA512
f39ced01268ba4285c4d1e12c4c43a04cf98e0e7fd25f07d7aed2cd6d65f1eaeadf892cc89cb7afc2ed97a2f0d5944cfcd2b072c6998e570d433066bbebb0d24

Download Submit
\Users\Admin\AppData\Local\Temp\is-KAVR7.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-KAVR7.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-KAVR7.tmp\bassmusic.dll

Filesize
103KB

MD5
8005750ec63eb5292884ad6183ae2e77

SHA1
c83e31655e271cd9ef5bff62b10f8d51eb3ebf29

SHA256
df9f56c4da160101567b0526845228ee481ee7d2f98391696fa27fe41f8acf15

SHA512
febbc6374e9a5c7c9029ccbff2c0ecf448d76927c8d720a4eae513b345d2a3f6de8cf774ae40dcd335af59537666e83ce994ec0adc8b9e8ab4575415e3c3e206

Download Submit
\Users\Admin\AppData\Local\Temp\is-KAVR7.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-KAVR7.tmp\innoextractor.dll

Filesize
299KB

MD5
d6c79afef36773206e479e0b1a7cf059

SHA1
5faa19aa1629e401915001a3392e3d916be38578

SHA256
5b08aff352a39b7e10efdaa99efb27e02c2fe16b6e5c2e4c14b84a64eee86d6b

SHA512
4016292d81779f635baf6f5756b6f07474a0265d3845a02937d30422427e11e5b27b8494689ebd6242c07f50642d2b2d3589f43d97b3b121927fb99bb1c2c5e2

Download Submit
memory/532-114-0x0000000000CD0000-0x0000000000D32000-memory.dmp

Filesize
392KB

Download
memory/1336-84-0x0000000061080000-0x000000006110B000-memory.dmp

Filesize
556KB

Download
memory/1336-110-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/1336-82-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/1336-69-0x0000000002DA0000-0x0000000002DB5000-memory.dmp

Filesize
84KB

Download
memory/1336-83-0x0000000002DA0000-0x0000000002DB5000-memory.dmp

Filesize
84KB

Download
memory/1336-100-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1336-101-0x0000000011000000-0x000000001104C000-memory.dmp

Filesize
304KB

Download
memory/1336-85-0x0000000011000000-0x000000001104C000-memory.dmp

Filesize
304KB

Download
memory/1336-77-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1336-78-0x0000000011000000-0x000000001104C000-memory.dmp

Filesize
304KB

Download
memory/1616-81-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1616-111-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1616-54-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1668-116-0x0000000000120000-0x0000000000182000-memory.dmp

Filesize
392KB

Download