ed8b75e3154e7767dd9cddae858a21cbadc76dc8e83a0c7d3e7bc34bca636c60

General

Target

Setup_MultiMinecraft_Deluxe_v3.3.2.exe
Size

60.9MB
Sample

230324-v754fagc72
MD5

2882ed8a193f0626b73ba15c4f1154d6
SHA1

904b78c79b999b38fe0d21aad18b0c68584198d0
SHA256

ed8b75e3154e7767dd9cddae858a21cbadc76dc8e83a0c7d3e7bc34bca636c60
SHA512

2868b376da214e9c6fa250bcadc37df31f8060cbbd4bcb0462e93aa0253b29dd1c4026c1ae67897b4285731cae9618047501bd39a43e984376947316980a9179
SSDEEP

1572864:3QcIIb7jQKtw8bFpKsExBKHKiabK9X+Eer50ukw3:3Pz3QKtw8b4xBSKiiB0uR

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\MC\MultiMinecraft\System.Configuration.dll

Ransom Note

MZ��@�� !�L�!This program cannot be run in DOS mode. $��PE��L�V��S��" ��$��BC�� `��7`� ��<��`��B�O��`��.��>�� H��.text��#�� $�� `.rsrc��`��&��@��@.reloc��,��@��B��$C��H��(#�� @}��A��BSJB��v4.0.30319��l��X[��#~��[��@0��#Strings��#US��#GUID��l��#Blob��Wߴ# ��3��N��m��1��B��$��U��@��O��*��,((�#��#!� �� <*�/�� J#- ��--� ��s((�%.��((��"((�%(( �]�� " ��-��(( �z�eh'�h'��/��/��h'��h'��+�/ �z��(�. ��z��*��\��'��` ��a�/ m%� a��a�G�%��F%��%��8�%��a��%��X�/��/�,*�/��a�� a��m%�.a�~a��a�M a�j a�� %��%�h�/�a��)��F%�)��*�%��+��)��3��=��Y��E��$��H��K��| ��O��-��U��-��~��--��Q��>-��#8��0=��=�� G�� =��/�� U�� ` ��"��Y��'��m��*��,��"��<!�� u��G!��I��/��Q��c��f��p��S(=��|��=��|!�M��|�� !�l��d=��4 �� &� ��P� �� $� ��1>!� ��!�� ~!�� ] `� ��Y-� ��#8� ��*� ��S$8� ��#8� ��$� � �� -P� ��^+� �"��$� �*�e � �/��P� �7��@+� �C��=� �J��$�$�J�� $�M��$�O!��$�_��=�$�d��#�(�d��>!�+�f�� +�r��+�u��&�+�{ �t>!Y�+�~��&�+��P�+��$�+��G �+��\!��+��+��+��$�+��L �+��$�+��( �+��:$8�+��#`+��!$8�+��f#h+��$�+�� +��8#8�-��-��#8�-��C��-��-��"��-�(��/��-�)��+,��-�+��?/��-�6� '��-�8��"��-�;��j��-�?��/��-�C��2�C��2�C��e��2�C��V�/�V� ,�V�D�V�� V�/�V�D�V��"�V�#��V�T �V�} �V��V��V�C �V�3�V��V��.�V�'�V�N�V��V��V��V��V�C �V�y�V��V�y*�V�.�V�/��V��*�V��V�� V��V��V� �V��V�;��)��=��Q� P ��.% ��Q ��t* ��R ��s&�S ��Z,�T ��)�U ��v,�V ��)�W ��6��X ��Y �� Z ��.�[ ��. ��\ ��;)�] ��* ��^ ��_*!�_ ��-''�` ��,�a ��0�b �� 6�c ��=�d �� B �e ��^H�f �� d&P�g ��kV�h ��*+a�i ��+h�j ��+o�k ��=�l �� m ��v�n ��E|�o ��*��p ��q ��K��r ��s ��-��t �� /��u ��-�v ��w ��4%��x ��.% ��y ��z ��*��{ ��| �� } ��I��~ ��8� � ��|�#�� V�'�� *�� .% �+�� d&P+�� *�+�� &�+�� +�� +�� _*!,�� -�� 8�-�� +o0�� 2�� 2�� ))2��) �2�� =2��s=3��4�� 5�� 5��6�� .% �7�� .%�7�� 9�� :�� .% �;�� .%�;�� <�� <�� <�� .% �<�� N <�� W �<�� =�� -�=��t* >��@��"E��l'F��e*-G��J,"H��I��`3J��=L��-9M��-?N�� FP�� OS��YW��`Z�� ^��"_�� '`��D&h`��%&pb�� hd�� d�� od��1"d��3e��"g��@xh��T�k��"o��'p��'�q��t��|t��|v��d-=x��-�y��C�{��R�~��j ��f�� .% �� ,�� ,�� t* �� "�� l'�� e*-�� J,"�� `3�� =�� -9�� -?�� F�� O�� Y�� `�� "�� '�� D&h�� %&p�� h�� o�� 1"�� @x�� T�� 3�� "�� "�� '�� '�� |�� |�� d-=�� -�� C�� R�� j �� f�� "��5"��I"��T�� =��'�� [�� .% �� .% �� &�� &�� (�� -�� (�� x(�� ?%�� ?% �� ?%(�� 4"1�� HN":�� h"1�� H�":�� D�� H�I�� .% �� .%�� x �� O�� T�� .% �� .%Z�� 7�� J�� ]�� s�� .�� . �� -''�� ,�� kV��!��_*!��!�� +,��!�� !�� !�� !�� ,��!�� `��!��!�� %h�� !��G!�� !��Gm��!��t�!��Gz !��!��$*�!��'!��$*�!��)�!��.�!�� !��)+�!��+h !��*�!��+� ��+��.�!��!�� '�!��"!�� t!�� O!��.%�!��u$�!��.%� !��.% �!!��.%�"!��.%�#!��.%�$!��.%�%!��.%�&!��.%�!'!��.%�#(!��.%�&)!��@��(*!��*+!��"�*,!��*-!��5 ,*.!��)�*/!��!�*0!�� +1!��!,2!�� -3!��.4!��.% �/5!��.%�/6!��H �07!�� 08!�� 09!��|�1:!��1;!��.% �1<!��1=!��.% �2>!��K�2?!��3@!�� %h4A!��! �4B!��_'"4C!�� +,5D!�� 5E!�� ,�5F!�� 5G!��7H!��9I!��."9J!��,�:K!��,�:L!��);M!��.% �;N!��4%�;O!��&";P!��&';Q!�� -;R!��2<S!��Y7=T!��:<=U!��C>V!��K?W!��rQ@X!��r\BY!��.%hEZ!��nF[!��.%sF\!��G]!��/nG^!��zG_!��*zH`!��Ia!��Jb!��Kc!��.%�Kd!��.%�Me!��.%�Pf!��.%�Tg!��.%�Zh!��ai!��aj!��N ak!��al!��am!��.an!��ao!��#ap!��Jaq!��ar!��*#�as!��u$�at!��4%�au!��.%�av!��bw!��bx!��by!��;(�cz!��G(�c{!��d|!��/�d}!��e~!��e!��.f�!��.�f�!��4%�g�!�� +,g�!�� g�!�� ,�g�!��g�!�� i�!�� %hk�!��k�!��_'"l�!��K�m�!��"n�!��! �o�!��.% �o�!��@��o�!��q�!��r�!��K�s�!��! �u�!��+,u�!�� u�!��(*�w�!��(*x�!�� %hy�!��. y�!��) z�!��z�!��)+�{�!��.% �|�!��.% �|�!��|�!��u|�!�� |�!��|�!��E�}�!��}�!��N �}�!��W �}�!��(�~�!��x(�~�!��+�~�!��@��!�� !�� !��K ��!��! ��!��+,��!�� " ��!��(* ��!��(* ��!�� %h��!��. ��!��) ��!��!��)+��!��.% �� !,��!��4%��!��.% ��!��.%��!��.%+ ��!��d&P��!��!�� !��!��!��B��!��k��!��|��!��4%��!��d&P��!��.% ��!��2 ��!�� 9 ��!��A ��!��H ��!��Gz��!��KO ��!��O ��!��)+��!��!��+��!��.��!��! ��!��4%��!��.% ��!��*��!��d&P��!��&V ��!��-��!��C��!�� =��!��.% ��!��.% ��!��d&P��!��!�� !��_*!��!��I��!��8��!��!��!��.% ��!�� !�� !��\ ��!��.% ��,c ��,c ��!��.% ��!��,c ��!��,c ��!��!��\ ��!��.% ��!��d&j ��!��+��!��!��!��3��!��!,��!��N ��!��u$��!��)��!��.% ��!��.% ��!��.%��!��H ��!��K ��!��a ��!�� "�� "�� "�� "��Vp �"��"��.% ��"��.%��"��"�� "��.% �� "��d&P�"��"�� "��_*!�"��I��"��8��"��"��"��.% ��"��"��"��.% ��"��4%��"��.%v �"��.%| �"��.%� �"��"��"��.% ��"��"��,�"��+�� "��!,�!"��.+��""��C�#"��T��$"��4%��%"��d&P�&"��.% ��'"��t�("�� )"��)� �*"��K� �+"��K��,"��-"��! ��."��+��/"��.��0"��4%��1"��d&P�2"��.% ��3"��.%��4"��t* ��5"��=.��6"��7"��8"��.%� �9"��.%� �:"��.%� �;"��<"��="��>"��.% ��?"�� @"�� A"��!� �B"��.� �C"��C�D"��T��E"��4%��F"��d&P�G"��.% ��H"�� I"�� J"��)� �K"��K� �L"�� M"��N"��! ��O"��+��P"��.��Q"��4%��R"��d&P�S"��.% ��T"��.%��U"��V"��W"��X"��Y"��Z"��.% ��["��.% ��\"��]"��^"��_"��`"��a"�� b"��c"��.d"��e"��f"��3�g"��!,h"��N i"��u$�j"��*#�k"��l"��.% �m"��@��n"�� o"�� p"�� %hq"��.% �

Targets

- Target
  
  Setup_MultiMinecraft_Deluxe_v3.3.2.exe
- Size
  
  60.9MB
- MD5
  
  2882ed8a193f0626b73ba15c4f1154d6
- SHA1
  
  904b78c79b999b38fe0d21aad18b0c68584198d0
- SHA256
  
  ed8b75e3154e7767dd9cddae858a21cbadc76dc8e83a0c7d3e7bc34bca636c60
- SHA512
  
  2868b376da214e9c6fa250bcadc37df31f8060cbbd4bcb0462e93aa0253b29dd1c4026c1ae67897b4285731cae9618047501bd39a43e984376947316980a9179
- SSDEEP
  
  1572864:3QcIIb7jQKtw8bFpKsExBKHKiabK9X+Eer50ukw3:3Pz3QKtw8b4xBSKiiB0uR
Score

10^/10

adware discovery persistence ransomware stealer
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
  persistence
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Drops file in System32 directory
behavioral1