73db1eca7ae24d70cf90bd1b9543b2acf4f74c6a3f8315a427daaad0758aa90d

General

Target

Undertale/Undertale Setup.exe
Size

117.7MB
MD5

78d20884005dd7b4f01487270ca8414a
SHA1

c61ccab304edb844257abf20bf4af01129402a32
SHA256

be571d8d78f5a13bd804ea289be2a0224a29dd37893312668c62c5f347606e67
SHA512

870308d9c893dbd5e18e0abee87b65b4b73f268e7108bf7914c54504d8220864b75485ad550487a8c13fb649b20b467d3c7f01b50f420c92cb8ddbc74ae2b2e3
SSDEEP

3145728:/dbuLhfkuy+v6k8c5hP6oA2+tnS+FTi/5ZnWwY4Gf6YB5qZeHEJf:/ELhfkNm6eUC+QYiBZnWb4GfJBKeq

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Undertale Setup.tmp

pid process

1364 Undertale Setup.tmp
Loads dropped DLL 3 IoCs

Processes:

Undertale Setup.exeUndertale Setup.tmp

pid process

1380 Undertale Setup.exe
1364 Undertale Setup.tmp
1364 Undertale Setup.tmp

pid	process
1364	Undertale Setup.tmp

pid	process
1380	Undertale Setup.exe
1364	Undertale Setup.tmp
1364	Undertale Setup.tmp

Drops file in Program Files directory 64 IoCs

Processes:

Undertale Setup.tmp

description	ioc	process
File created	C:\Program Files (x86)\Undertale\is-EC17Q.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-PLG5M.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-LBGJ2.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-RGJLA.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-N40L7.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-9P4C0.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-SAAB2.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-375IA.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-DA0JG.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-PC18J.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-HUO92.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-51AM0.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-QFMIN.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-T39MV.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-N4TSK.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-DQUPG.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-ML3BH.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-TVTNI.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-6CKBV.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-U0F9K.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-PGQQ9.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-4EG5D.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-LLCS7.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-RACRI.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-CPRQI.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-LIJO7.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-7TNHF.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-66VJP.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-VBMB2.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-P8NKP.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-C9K3E.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-D9VUM.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-Q4NBG.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-UURQ1.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-RCDOD.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-2OGPH.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-KMKRU.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-1L754.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-RNGSK.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-4C631.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\unins000.dat	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-U8MHK.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-DK743.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-NP39E.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-084DU.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-M7PO0.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-C2TS2.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-VINBD.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-L0O0H.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-DK2CG.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-HLC3I.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-14VS1.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-CH6BL.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-PQOJO.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-JAG76.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-C1OQT.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-GJGAQ.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-E9VI1.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-VMQVS.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-QLUGA.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-V5OH8.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-QQQ92.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-CF5JK.tmp	Undertale Setup.tmp
File created	C:\Program Files (x86)\Undertale\is-JRCGV.tmp	Undertale Setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Undertale Setup.exe

description	pid	process	target process
PID 1380 wrote to memory of 1364	1380	Undertale Setup.exe	Undertale Setup.tmp
PID 1380 wrote to memory of 1364	1380	Undertale Setup.exe	Undertale Setup.tmp
PID 1380 wrote to memory of 1364	1380	Undertale Setup.exe	Undertale Setup.tmp
PID 1380 wrote to memory of 1364	1380	Undertale Setup.exe	Undertale Setup.tmp
PID 1380 wrote to memory of 1364	1380	Undertale Setup.exe	Undertale Setup.tmp
PID 1380 wrote to memory of 1364	1380	Undertale Setup.exe	Undertale Setup.tmp
PID 1380 wrote to memory of 1364	1380	Undertale Setup.exe	Undertale Setup.tmp

C:\Users\Admin\AppData\Local\Temp\Undertale\Undertale Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Undertale\Undertale Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Local\Temp\is-QBAJH.tmp\Undertale Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QBAJH.tmp\Undertale Setup.tmp" /SL5="$70126,122986545,156672,C:\Users\Admin\AppData\Local\Temp\Undertale\Undertale Setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:1364

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Undertale\is-7A3SL.tmp
Filesize
3.6MB

MD5
93d87952773a2bb59a8667d0bc06c2c0

SHA1
480c87f42e8ecbcde1104f4a61de5dee6a9cb3c5

SHA256
9ec41f5094544c938fc075f5506c089d0c1e11fb93afba79a196981bef81d19b

SHA512
d9fce47e5c037e4954437c95abea6959e39c91d0bcd596f1c3267e5c09e5a0defade4c63617609b5386879bcae06e3c60e909fcf2476e250bc960eea0c2d1c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QBAJH.tmp\Undertale Setup.tmp
Filesize
770KB

MD5
c16e0a69c8488637d4d61957a7a99fe2

SHA1
66de164a6b8365aba6220f96df28153c542ca5cc

SHA256
a120ee95eb39faba843f3f7afd8c9507c93a665ba12c1c9853c6e8c5aac4c5b1

SHA512
5fc87953210e62beabbf5f98398a408254192bd1ed87bbf288351ddccead248077a1c0d213b721878abf090d0c50a6e49e5cafd79226f676c5b9da588e287e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QBAJH.tmp\Undertale Setup.tmp
Filesize
770KB

MD5
c16e0a69c8488637d4d61957a7a99fe2

SHA1
66de164a6b8365aba6220f96df28153c542ca5cc

SHA256
a120ee95eb39faba843f3f7afd8c9507c93a665ba12c1c9853c6e8c5aac4c5b1

SHA512
5fc87953210e62beabbf5f98398a408254192bd1ed87bbf288351ddccead248077a1c0d213b721878abf090d0c50a6e49e5cafd79226f676c5b9da588e287e2d

Download Submit
\Users\Admin\AppData\Local\Temp\is-EFTGJ.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-EFTGJ.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-QBAJH.tmp\Undertale Setup.tmp
Filesize
770KB

MD5
c16e0a69c8488637d4d61957a7a99fe2

SHA1
66de164a6b8365aba6220f96df28153c542ca5cc

SHA256
a120ee95eb39faba843f3f7afd8c9507c93a665ba12c1c9853c6e8c5aac4c5b1

SHA512
5fc87953210e62beabbf5f98398a408254192bd1ed87bbf288351ddccead248077a1c0d213b721878abf090d0c50a6e49e5cafd79226f676c5b9da588e287e2d

Download Submit
memory/1364-71-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1364-75-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1364-77-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1364-89-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1364-385-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1364-69-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1364-546-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1364-778-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1380-70-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1380-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1380-779-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing