Overview

overview

8

Static

static

1

URLScan

urlscan

1

https://www.mediafir...

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2023, 08:58

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    https://www.mediafire.com/file/kfmz1fvfna133z5/GrowtopiaInstaller.exe/file

Score
8/10
discovery

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 4 IoCs
    installer
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 60 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.mediafire.com/file/kfmz1fvfna133z5/GrowtopiaInstaller.exe/file
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1612 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1448
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5AN3FZ97\GrowtopiaInstaller.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5AN3FZ97\GrowtopiaInstaller.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:5028
      • C:\Users\Admin\AppData\Local\Growtopia\vc_redist.x64.exe
        C:\Users\Admin\AppData\Local\Growtopia\vc_redist.x64.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3188
        • C:\Users\Admin\AppData\Local\Growtopia\vc_redist.x64.exe
          "C:\Users\Admin\AppData\Local\Growtopia\vc_redist.x64.exe" -burn.unelevated BurnPipe.{56320F11-D846-49FC-8CA0-59BB02100A55} {AC89772D-3366-4FEA-BEE9-D2C3EF8D3CDD} 3188
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:3740

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          471B

          MD5

          bd71617256882953841a8337a4dd5d5c

          SHA1

          d9b47492fafc72a5fbca10c56229fe6a2757331a

          SHA256

          8f2693e8b656256ad2faa63c3421eb6f1a4e278d2e2e3cc97d5acd5642f97ba2

          SHA512

          2d40d636e04523d2095e6896f24a911c523d581b93d486af41275b3b6dc94e05bf5e4de8e2c8479886e4c3f2ff87215fd25c028846ba5a868258875dcca3fa2b

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          434B

          MD5

          31fbe61bb80976c8e30fc5e5b960d8b9

          SHA1

          a3039e1ed4d41c3c2433c1eb4218527cec744ab8

          SHA256

          94f4acd6a85024769200c7d52afb34f8d679acf4d2b6372b963866410c977f3b

          SHA512

          b81f61f156e10ce4fd3d20351b51f042987c77a3b80418a68e57f1407468386aa873f2ad0da0ee0b8ea97b724532682d86f71478999849efebcbade78f78ece0

          Download Submit

        • C:\Users\Admin\AppData\Local\Growtopia\vc_redist.x64.exe
          Filesize

          13.9MB

          MD5

          27b141aacc2777a82bb3fa9f6e5e5c1c

          SHA1

          3155cb0f146b927fcc30647c1a904cd162548c8c

          SHA256

          5eea714e1f22f1875c1cb7b1738b0c0b1f02aec5ecb95f0fdb1c5171c6cd93a3

          SHA512

          7789eabb6dd4a159bb899d2e6d6df70addb3df239bda6f9ead8c1d2a2ac2062fce3a495814b48a3c2bec12f13800ad0703e2c61c35158b0912011b914f098011

          Download Submit

        • C:\Users\Admin\AppData\Local\Growtopia\vc_redist.x64.exe
          Filesize

          13.9MB

          MD5

          27b141aacc2777a82bb3fa9f6e5e5c1c

          SHA1

          3155cb0f146b927fcc30647c1a904cd162548c8c

          SHA256

          5eea714e1f22f1875c1cb7b1738b0c0b1f02aec5ecb95f0fdb1c5171c6cd93a3

          SHA512

          7789eabb6dd4a159bb899d2e6d6df70addb3df239bda6f9ead8c1d2a2ac2062fce3a495814b48a3c2bec12f13800ad0703e2c61c35158b0912011b914f098011

          Download Submit

        • C:\Users\Admin\AppData\Local\Growtopia\vc_redist.x64.exe
          Filesize

          13.9MB

          MD5

          27b141aacc2777a82bb3fa9f6e5e5c1c

          SHA1

          3155cb0f146b927fcc30647c1a904cd162548c8c

          SHA256

          5eea714e1f22f1875c1cb7b1738b0c0b1f02aec5ecb95f0fdb1c5171c6cd93a3

          SHA512

          7789eabb6dd4a159bb899d2e6d6df70addb3df239bda6f9ead8c1d2a2ac2062fce3a495814b48a3c2bec12f13800ad0703e2c61c35158b0912011b914f098011

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5AN3FZ97\GrowtopiaInstaller.exe
          Filesize

          226.9MB

          MD5

          a3661ab3bfc991df508da9b77375dafb

          SHA1

          6ae0b9a440a8b8365f275299f1e3e8942be9c19c

          SHA256

          9ee67780827e04fecf7c31813ac2917b48079e192a91e841645a308244645268

          SHA512

          989983584d1bcaa952249e46298bd56c73eea07a1519c95d323c85f58ca6343ef83656ac51b1d912bcd8087dd6917ecf327b776fcf1fa6be5ac08c2a3e3cdd83

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5AN3FZ97\GrowtopiaInstaller.exe.lryokh9.partial
          Filesize

          226.9MB

          MD5

          a3661ab3bfc991df508da9b77375dafb

          SHA1

          6ae0b9a440a8b8365f275299f1e3e8942be9c19c

          SHA256

          9ee67780827e04fecf7c31813ac2917b48079e192a91e841645a308244645268

          SHA512

          989983584d1bcaa952249e46298bd56c73eea07a1519c95d323c85f58ca6343ef83656ac51b1d912bcd8087dd6917ecf327b776fcf1fa6be5ac08c2a3e3cdd83

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S64KWKX9\suggestions[1].en-US
          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nsbEF62.tmp\InstallOptions.dll
          Filesize

          14KB

          MD5

          3e277798b9d8f48806fbb5ebfd4990db

          SHA1

          d1ab343c5792bc99599ec7acba506e8ba7e05969

          SHA256

          fe19353288a08a5d2640a9c022424a1d20e4909a351f2114423e087313a40d7c

          SHA512

          84c9d4e2e6872277bffb0e10b292c8c384d475ad163fd0a47ca924a3c79077dfde880f535a171660f73265792554129161d079a10057d44e28e2d57ebc477e92

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nsbEF62.tmp\System.dll
          Filesize

          11KB

          MD5

          3f176d1ee13b0d7d6bd92e1c7a0b9bae

          SHA1

          fe582246792774c2c9dd15639ffa0aca90d6fd0b

          SHA256

          fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

          SHA512

          0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nsbEF62.tmp\System.dll
          Filesize

          11KB

          MD5

          3f176d1ee13b0d7d6bd92e1c7a0b9bae

          SHA1

          fe582246792774c2c9dd15639ffa0aca90d6fd0b

          SHA256

          fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

          SHA512

          0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nsbEF62.tmp\ioSpecial.ini
          Filesize

          565B

          MD5

          5a803dfb48998d559bcf5cc2dd5ab1e0

          SHA1

          fc6f56c6f1eb9a04f134648ee3577c90de73978c

          SHA256

          1afeae1722d27a932aa2d99745f86c30a542c5e1423580c926f734402ded2921

          SHA512

          30a9bcb0d6304296c1c8d8d2531a2de9db4a94ddab038ca51d4c72081893def39955e1d782fd3f3a5d9df7f79c61b30dd292bd4e9092358e1e0e3361e871ac04

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\{e46eca4f-393b-40df-9f49-076faf788d83}\.ba1\logo.png
          Filesize

          1KB

          MD5

          d6bd210f227442b3362493d046cea233

          SHA1

          ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

          SHA256

          335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

          SHA512

          464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\{e46eca4f-393b-40df-9f49-076faf788d83}\.ba1\wixstdba.dll
          Filesize

          118KB

          MD5

          4d20a950a3571d11236482754b4a8e76

          SHA1

          e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c

          SHA256

          a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b

          SHA512

          8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2

          Download Submit