6ed10daf58abe8c00ac68bc835b5c08f12434233f01c5eede125bef5757bdbdd

Analysis

max time kernel
82s
max time network
83s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2023, 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SpaceShootersSetup.exe
Size

27.0MB
MD5

ff8ccfeaf187a2ea046c9feddc74b7ce
SHA1

799b75821c1b629b1130a41fdf7fcd15086d0d7b
SHA256

6ed10daf58abe8c00ac68bc835b5c08f12434233f01c5eede125bef5757bdbdd
SHA512

30488df29254bc0849acff854370a8b55c6e2d27e30c59b08b13fcaaee5b6fc2e139c2d54da0457cc94572afb9ab2375564d32faf930c63d334aff4685579e21
SSDEEP

786432:gCDYa2DTB3XRuwis8VwAuE1yaki6i8EQ3Ls:gn5RZis8qAuQyRiQg

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
1780	4880	WerFault.exe	84
1376	4520	WerFault.exe	101
4920	4968	WerFault.exe	105
4912	1892	WerFault.exe	108
3184	2224	WerFault.exe	113
4080	2780	WerFault.exe	116

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	taskmgr.exe
Token: SeSystemProfilePrivilege	2328	taskmgr.exe
Token: SeCreateGlobalPrivilege	2328	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4520	SpaceShootersSetup.exe
4968	SpaceShootersSetup.exe
1892	SpaceShootersSetup.exe
2476	SpaceShootersSetup.exe
3752	SpaceShootersSetup.exe
2224	SpaceShootersSetup.exe
2780	SpaceShootersSetup.exe

C:\Users\Admin\AppData\Local\Temp\SpaceShootersSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SpaceShootersSetup.exe"
1⤵
PID:4880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 808
  2⤵
  - Program crash
  PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4880 -ip 4880
1⤵
PID:992

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2328

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2220

C:\Users\Admin\Desktop\SpaceShootersSetup.exe
"C:\Users\Admin\Desktop\SpaceShootersSetup.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 828
  2⤵
  - Program crash
  PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4520 -ip 4520
1⤵
PID:1300

C:\Users\Admin\Desktop\SpaceShootersSetup.exe
"C:\Users\Admin\Desktop\SpaceShootersSetup.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 824
  2⤵
  - Program crash
  PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4968 -ip 4968
1⤵
PID:2808

C:\Users\Admin\Desktop\SpaceShootersSetup.exe
"C:\Users\Admin\Desktop\SpaceShootersSetup.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 824
  2⤵
  - Program crash
  PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1892 -ip 1892
1⤵
PID:1988

C:\Users\Admin\Desktop\SpaceShootersSetup.exe
"C:\Users\Admin\Desktop\SpaceShootersSetup.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2476

C:\Users\Admin\Desktop\SpaceShootersSetup.exe
"C:\Users\Admin\Desktop\SpaceShootersSetup.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3752

C:\Users\Admin\Desktop\SpaceShootersSetup.exe
"C:\Users\Admin\Desktop\SpaceShootersSetup.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 824
  2⤵
  - Program crash
  PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2224 -ip 2224
1⤵
PID:3764

C:\Users\Admin\Desktop\SpaceShootersSetup.exe
"C:\Users\Admin\Desktop\SpaceShootersSetup.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 824
  2⤵
  - Program crash
  PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2780 -ip 2780
1⤵
PID:4348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IF{1E272922-FDAA-4764-98DA-F2D9CB0B4444}\Deutsch.ifl

Filesize
3KB

MD5
981077ef92410cbf204c59e5465de5dd

SHA1
ad253930fd3a5edd8a81dc473f89132ff2243699

SHA256
a792f4f5edee0e158798b75b82f6ac720e51957498450161b04ee812101f801c

SHA512
3f1e30cd667a658f3a2f1388efbd712b57cc5b028de431fd995d8ff376734a8e7ec62a686502761c03214eded30b0ab445d0762b58e5d24663cd25ef8749725c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IF{1E272922-FDAA-4764-98DA-F2D9CB0B4444}\English.ifl

Filesize
2KB

MD5
2922d0c758d9c3c10cbdc59f91979d0c

SHA1
feb69bdf58d06cca776db63036811af0764ca013

SHA256
20f6d12eac29bd6ddc6a99dd276c5e200fac25c976ab4293195b58ec164c253f

SHA512
d15e888bae4e23ce5d61becc3c47d9b5f61fbbe4612cf90677314570fe1df1f4fde6c519b789ad46cc50d19c2b3701bc9bd968e85bb618fb7127950d4ae92695

Download Submit
C:\Users\Admin\AppData\Local\Temp\IF{1E272922-FDAA-4764-98DA-F2D9CB0B4444}\languages.dat

Filesize
18B

MD5
a3ae2c67104c86a3197586c115a96136

SHA1
925e56044b3b98947ae208b22d8011b78613c56d

SHA256
8422463648619e4c5205304db50282cab2dba418f25b3ae32d14648293a0c019

SHA512
beb890e6cb8209e78db5d4ffe86aaf342efdb29ec912f9b55de2c3f20d309880d9daf013c9e7c25d7e612e51f416d572b68f547d5ba7eede3c2861357dd4dab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IF{1E272922-FDAA-4764-98DA-F2D9CB0B4444}\licence.rtf

Filesize
118B

MD5
4dba5fbd2236ac8da7f465446b57c2ba

SHA1
1e75f578a073419f57789324b41b04e1bf43ea04

SHA256
ce8cdae2f53ae589c97048a4d9f504136485cde920c5579f7329a9405abfc02d

SHA512
3ca76ad19933342d9b5ac22e5edb68637f3b93b6cda8568849dec912f1539e6f33cd5a0aa5ba579bd4e54e1fe879c5b9f1280abeb3d5bccfd9b74367d3f00cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IF{69A0EE51-7824-4593-A7B1-3438D4AFC54A}\wizardImage.dat

Filesize
79KB

MD5
70f09446f7972f8b37c81ee04bfaa181

SHA1
43b57ba58b0f63974ac499d7d4f515e80d5d17ad

SHA256
d0a75f242e61977eedf63e337b2df34591b0f05a349b9a0956dde2d1c1e27e53

SHA512
f5571df5192064fc633f73f946dee884624bd22c343f6240b930d537e45c474f3931d156289a31bf8972de70536077ed630516a8810769a2f1a04566c2be6e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IF{A727F6BD-A40A-43DE-ADEA-D4B7A51B5E2D}\OS.dat

Filesize
194B

MD5
6290f382a10b4fc5ae26f7d5d986cbd4

SHA1
dc7339847cb92ba3a9d5b653a8ea2166a50a5233

SHA256
bf05cd83699f1afea3f5c5e041353b189404698683841ff2a4cb166e600237d1

SHA512
c78e4aa46819a71fc956f45985c43099dad38b0959f846b0c3fcad558dfd7231bdf3cb29487efac681a312f5302aecbcd4ab48a1e51df5d6a7fb042064834b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IF{A727F6BD-A40A-43DE-ADEA-D4B7A51B5E2D}\SC.dat

Filesize
837B

MD5
cbd3ef5b9ba4934bcfca790b82e6f2e9

SHA1
49984b0476df9f8181f5d32b8d63908750accdff

SHA256
2cb35ee08a368126afd4b904d1c703ce1a33bbbeb79f39df7c493388366ff858

SHA512
97ae3adb2eed048963be6b3a4d47d8628b6bbf0426513e67b2e278d1651330eea240f99d010a0ba14b802f56d8888219293d87fe3f391e76fb4329fa2f8257ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IF{A727F6BD-A40A-43DE-ADEA-D4B7A51B5E2D}\headerImage.dat

Filesize
8KB

MD5
22cfd03cf970e9d8ab21c6e51a412de5

SHA1
750de9dafbdcd76be709982f594642d4ddcbc422

SHA256
c313a1302b8b59b818bf158d33fdcf8f2b90bec7a320702c8643f2c2b03fab1e

SHA512
907809aee43c9c1ed6239f2ed02ea857463d1439f2b1d2bb7229615f7b0ac6b8dc43a51628b5aaa9e51538f0ebe71b8eb769a04ed04c0d6d73487fecef6d38b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IF{A727F6BD-A40A-43DE-ADEA-D4B7A51B5E2D}\setupConfiguration.archive

Filesize
91KB

MD5
0d69c98bcfe9be1b8ea861d99c5af0ef

SHA1
cc9f8ad462a34b50d60391d309b52c3f12712ba5

SHA256
13f6cdf77a580459081c1948c3a9bef6a6fd75f07bd39ab99780f9f0a37e7889

SHA512
06bca8b924b28bca8a2422f4802ef849914a87b1dce176fef0cffd98c42e71a6365d80616ad64dc4a0deb45d71c8004da9e73cb7464e01e7d0f34d1dad2f0672

Download Submit
memory/2328-156-0x0000024F323A0000-0x0000024F323A1000-memory.dmp

Filesize
4KB

Download
memory/2328-160-0x0000024F323A0000-0x0000024F323A1000-memory.dmp

Filesize
4KB

Download
memory/2328-161-0x0000024F323A0000-0x0000024F323A1000-memory.dmp

Filesize
4KB

Download
memory/2328-158-0x0000024F323A0000-0x0000024F323A1000-memory.dmp

Filesize
4KB

Download
memory/2328-159-0x0000024F323A0000-0x0000024F323A1000-memory.dmp

Filesize
4KB

Download
memory/2328-157-0x0000024F323A0000-0x0000024F323A1000-memory.dmp

Filesize
4KB

Download
memory/2328-149-0x0000024F323A0000-0x0000024F323A1000-memory.dmp

Filesize
4KB

Download
memory/2328-155-0x0000024F323A0000-0x0000024F323A1000-memory.dmp

Filesize
4KB

Download
memory/2328-151-0x0000024F323A0000-0x0000024F323A1000-memory.dmp

Filesize
4KB

Download
memory/2328-150-0x0000024F323A0000-0x0000024F323A1000-memory.dmp

Filesize
4KB

Download