2e35fb77767d8fca6608da30ee098fca15bbcb10881635e151ecbf7abe3c75cf

Analysis

max time kernel
101s
max time network
66s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/06/2023, 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Astroneer update 1.27.264 - 1.27.301.exe
Size

23.0MB
MD5

85ca50919065ea21c607688a649c3148
SHA1

bb7ad44c2f4443524cfe5297475a002c23785a56
SHA256

2e35fb77767d8fca6608da30ee098fca15bbcb10881635e151ecbf7abe3c75cf
SHA512

b4406d4797439d58b7d805cc6cc805e2ef53364632b565315d1ec7e15c945ebe6ae4b8c35fadf460425796f2fe2dd8613a28ac4331602c1c241235b1b622a71b
SSDEEP

393216:agdN9jm+v+4l/ifmKDny+SMSdwsgqiO8bSntT1shkJbRIMXBOpi7MdPWT/Ty:agr9fv+4EfmKrVpqihbeVbR/0pAMdOC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1652	Astroneer update 1.27.264 - 1.27.301.tmp
1772	hpatchz.exe
896	RapidCRC.exe

Loads dropped DLL 8 IoCs

pid	Process
1376	Astroneer update 1.27.264 - 1.27.301.exe
1652	Astroneer update 1.27.264 - 1.27.301.tmp
1652	Astroneer update 1.27.264 - 1.27.301.tmp
1652	Astroneer update 1.27.264 - 1.27.301.tmp
1648	cmd.exe
1652	Astroneer update 1.27.264 - 1.27.301.tmp
1208	Process not Found
1208	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1652	Astroneer update 1.27.264 - 1.27.301.tmp
1652	Astroneer update 1.27.264 - 1.27.301.tmp

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	996	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	996	AUDIODG.EXE
Token: 33	996	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	996	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1652	Astroneer update 1.27.264 - 1.27.301.tmp
896	RapidCRC.exe
896	RapidCRC.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1652	1376	Astroneer update 1.27.264 - 1.27.301.exe	27
PID 1376 wrote to memory of 1652	1376	Astroneer update 1.27.264 - 1.27.301.exe	27
PID 1376 wrote to memory of 1652	1376	Astroneer update 1.27.264 - 1.27.301.exe	27
PID 1376 wrote to memory of 1652	1376	Astroneer update 1.27.264 - 1.27.301.exe	27
PID 1376 wrote to memory of 1652	1376	Astroneer update 1.27.264 - 1.27.301.exe	27
PID 1376 wrote to memory of 1652	1376	Astroneer update 1.27.264 - 1.27.301.exe	27
PID 1376 wrote to memory of 1652	1376	Astroneer update 1.27.264 - 1.27.301.exe	27
PID 1652 wrote to memory of 1648	1652	Astroneer update 1.27.264 - 1.27.301.tmp	28
PID 1652 wrote to memory of 1648	1652	Astroneer update 1.27.264 - 1.27.301.tmp	28
PID 1652 wrote to memory of 1648	1652	Astroneer update 1.27.264 - 1.27.301.tmp	28
PID 1652 wrote to memory of 1648	1652	Astroneer update 1.27.264 - 1.27.301.tmp	28
PID 1648 wrote to memory of 1772	1648	cmd.exe	30
PID 1648 wrote to memory of 1772	1648	cmd.exe	30
PID 1648 wrote to memory of 1772	1648	cmd.exe	30
PID 1648 wrote to memory of 1772	1648	cmd.exe	30
PID 1652 wrote to memory of 896	1652	Astroneer update 1.27.264 - 1.27.301.tmp	31
PID 1652 wrote to memory of 896	1652	Astroneer update 1.27.264 - 1.27.301.tmp	31
PID 1652 wrote to memory of 896	1652	Astroneer update 1.27.264 - 1.27.301.tmp	31
PID 1652 wrote to memory of 896	1652	Astroneer update 1.27.264 - 1.27.301.tmp	31

C:\Users\Admin\AppData\Local\Temp\Astroneer update 1.27.264 - 1.27.301.exe
"C:\Users\Admin\AppData\Local\Temp\Astroneer update 1.27.264 - 1.27.301.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\is-IM7N2.tmp\Astroneer update 1.27.264 - 1.27.301.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-IM7N2.tmp\Astroneer update 1.27.264 - 1.27.301.tmp" /SL5="$90122,23522064,484352,C:\Users\Admin\AppData\Local\Temp\Astroneer update 1.27.264 - 1.27.301.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Games\Astroneer\batch.bat""
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Games\Astroneer\hpatchz.exe
      hpatchz.exe "Astro\Content\Paks\Astro-WindowsNoEditor.pak.tmp" "Astro\Content\Paks\Astro-WindowsNoEditor.pak.patch" "Astro\Content\Paks\Astro-WindowsNoEditor.pak"
      4⤵
      Executes dropped EXE
      PID:1772
- - C:\Games\Astroneer\RapidCRC.exe
    "C:\Games\Astroneer\RapidCRC.exe" v1.27.301.blake3
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:896

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1664

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Games\Astroneer\Astro\Binaries\Win64\Astro-Win64-Shipping.exe

Filesize
76.3MB

MD5
8b422bf04bd7b7c174f5c5c64ceb96b7

SHA1
3ea42671e7f9646c8e9380433056ef7afcbe0d35

SHA256
f27f3c061061598748c5bca5bf3dac6887794ca55487faed13f1e5b9e800a68e

SHA512
27e5746e73ed41bd3e1d493bdade65cbb6809d53ff2fcacfb320d0bf6e6a23052db3266c0b416e436626a08d78b530ba7743ea5767c64d685c9e65e0345938b1

Download Submit
C:\Games\Astroneer\Astro\Content\Paks\Astro-WindowsNoEditor.pak.patch

Filesize
3.8MB

MD5
0f9f284682bf88456ee7a01449de39e2

SHA1
b465ce7e6ddb7705d9f33047b2e5ec3cad5634fd

SHA256
4063aa794ed92020105b2316ba4433b0efcbf1d7af7a7733fb3b5b5de02080d3

SHA512
8733291191facbbd04fdd5e98fd26648fa086d750194e8c7c23f1f45d4b62408c33d04a7a9db7195d3f802cbbdd7873eca6b2916a215a3ca05160c992875500b

Download Submit
C:\Games\Astroneer\Astro\Content\Paks\Astrooptional-WindowsNoEditor.pak

Filesize
38KB

MD5
043616a7caca09a0c445d2f999047ac2

SHA1
70863d8d9b0a7b7542ce632ec48f89a0a9c5a952

SHA256
1ae05ad64c0cc34e534e34253b04b3a5cebf919128b3c0781d89e3e6dbd285fa

SHA512
93036a7651f6f9d58cec040bacd6b1228c557d94f94d6573329ed14c4e723c8767e9306eb60074ab5f33028b25efcc08ebf257e07ba88decd3e635f6d24666d7

Download Submit
C:\Games\Astroneer\Manifest_DebugFiles_Win64.txt

Filesize
1KB

MD5
68eb353ec6d9fc48b885654cf2d087ae

SHA1
2eda817fb45e593ec65b9f72d613af15b48879ac

SHA256
e723b2783169a469d20b0348aea22dbc01b86efcb19f7d0a7910333bcc4fb22a

SHA512
125feaf429824e0abaf95def57b3d1f232001be7de9842d1c2464423c97fc429ea7079586baaf9efa31fa7688f1fd58f40f0b75988066701460d12ed462d49a5

Download Submit
C:\Games\Astroneer\Manifest_NonUFSFiles_Win64.txt

Filesize
2KB

MD5
79e02e8dc51ba832b93b16efd51c2ef1

SHA1
b8540fdeedcd1ba2dccd5a637a336be998f1791e

SHA256
7a1a850574200255ee0fc3019fb93897c63c6c978aba851941964cffd8e60dcd

SHA512
c5431da32b916d09725b2d6f7d7a3ca3eee3008658fb48905fb640080b577f3460ffc81ee0417447b772b557d278f5aaabcadde1074aad173cc2cc742d6eef36

Download Submit
C:\Games\Astroneer\RapidCRC.exe

Filesize
1.0MB

MD5
9093193b7babba1091648086fc60b29f

SHA1
4631ac47245679270948ea989b4dfaf3b91604f8

SHA256
8f86efd6e5e88e7ec48aa10370db79f6dad6c37ed740e614b5cc42e83b692fb9

SHA512
d7d55a228bf1b0a38b8264082ff78c8e38cbce8acb973edc8a620d43300e77282908aaf61bbf6936ffb5ecfc4ff70d5bc09daa78ddb989d92221bd7cd0fa8915

Download Submit
C:\Games\Astroneer\batch.bat

Filesize
426B

MD5
32b89d8a7debc87da1783e0f125df502

SHA1
9b4eb5c4f9af1da668d77a00433cde9df76b6b73

SHA256
ebbda062d26087d627cfdde94a2e4f457a5b6aff97c226c6470f0a39e5fa30a9

SHA512
6e2d5d481845059d4db0a31b41cff90bba0b6e66f86c5dac42c5939976d74530ed8a8121fdd6ac1752f85210bbdc0619899b1a54084b21f4b2944aa1ee362c62

Download Submit
C:\Games\Astroneer\build.version

Filesize
35B

MD5
40e3dfbc5b2874f31b5937630b191a6b

SHA1
ac665832dc6e7b109de76b651b0bab3080d8e46f

SHA256
7027585c50d1f5188836c0d93f9c1a42233d928ae626fe0c134ea9209ac4ce9d

SHA512
98c8ae6c7c9cbc335e015df5bb9a0c886f93c33636f777efe90b25e4b077aacaa38b25a56544b6ba01c60c3b7710700e273d134b87004e465a17252775ec64ca

Download Submit
C:\Games\Astroneer\hpatchz.exe

Filesize
358KB

MD5
f53343818956e1df482c01ebd16f1f37

SHA1
9701d00e6ba0cfac1b15fd0adfdb33b0369cb552

SHA256
42985002d1e4b453f11113628a6adca74416a820562914a54fd8f4788602acf6

SHA512
982d2dece92c53a17895146c1ed6c97344d3ba431a0a4e2ae0af60c5a4c2a8f372ee8af9331829e3704756a3e07ad9ffd3bb161261bfcb900071ee5c6f9da205

Download Submit
C:\Games\Astroneer\hpatchz.exe

Filesize
358KB

MD5
f53343818956e1df482c01ebd16f1f37

SHA1
9701d00e6ba0cfac1b15fd0adfdb33b0369cb552

SHA256
42985002d1e4b453f11113628a6adca74416a820562914a54fd8f4788602acf6

SHA512
982d2dece92c53a17895146c1ed6c97344d3ba431a0a4e2ae0af60c5a4c2a8f372ee8af9331829e3704756a3e07ad9ffd3bb161261bfcb900071ee5c6f9da205

Download Submit
C:\Games\Astroneer\v1.27.301.blake3

Filesize
5KB

MD5
6583270008baa454226cabeb79036b0b

SHA1
e9d486bec4ef7c1e115f2890e7d339f6b53f28cd

SHA256
adfd8500e8b8aef41c0043e0958e5e27f216b4f1fdf053d6441d88a100b8750c

SHA512
53ac5d4f32e8fd84097921c370a531743d7d436a50c6cf199aed70933c37f3e4c00e0359f8f536b90399b75f39ea667edbd04d2dc12c24d441905414f0f6ab8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IM7N2.tmp\Astroneer update 1.27.264 - 1.27.301.tmp

Filesize
1.5MB

MD5
99ceff86b552f5cc803fdfe41bc6dc5c

SHA1
beefcc27d38ba3e935c964d3d53bcf92abf87ee6

SHA256
eaed0c08e82923c5585e450a978365f83265cf983a5521e108294be4d2b75a70

SHA512
a78668e05762126547076c5b7758c09daf66628c2f18a0e88a92a3cdffd7520097d1fe15a7d59a1ca945f0e6dd4a0211877eb638fc71632176703eb9bb6740c8

Download Submit
\Games\Astroneer\RapidCRC.exe

Filesize
1.0MB

MD5
9093193b7babba1091648086fc60b29f

SHA1
4631ac47245679270948ea989b4dfaf3b91604f8

SHA256
8f86efd6e5e88e7ec48aa10370db79f6dad6c37ed740e614b5cc42e83b692fb9

SHA512
d7d55a228bf1b0a38b8264082ff78c8e38cbce8acb973edc8a620d43300e77282908aaf61bbf6936ffb5ecfc4ff70d5bc09daa78ddb989d92221bd7cd0fa8915

Download Submit
\Games\Astroneer\RapidCRC.exe

Filesize
1.0MB

MD5
9093193b7babba1091648086fc60b29f

SHA1
4631ac47245679270948ea989b4dfaf3b91604f8

SHA256
8f86efd6e5e88e7ec48aa10370db79f6dad6c37ed740e614b5cc42e83b692fb9

SHA512
d7d55a228bf1b0a38b8264082ff78c8e38cbce8acb973edc8a620d43300e77282908aaf61bbf6936ffb5ecfc4ff70d5bc09daa78ddb989d92221bd7cd0fa8915

Download Submit
\Games\Astroneer\RapidCRC.exe

Filesize
1.0MB

MD5
9093193b7babba1091648086fc60b29f

SHA1
4631ac47245679270948ea989b4dfaf3b91604f8

SHA256
8f86efd6e5e88e7ec48aa10370db79f6dad6c37ed740e614b5cc42e83b692fb9

SHA512
d7d55a228bf1b0a38b8264082ff78c8e38cbce8acb973edc8a620d43300e77282908aaf61bbf6936ffb5ecfc4ff70d5bc09daa78ddb989d92221bd7cd0fa8915

Download Submit
\Games\Astroneer\hpatchz.exe

Filesize
358KB

MD5
f53343818956e1df482c01ebd16f1f37

SHA1
9701d00e6ba0cfac1b15fd0adfdb33b0369cb552

SHA256
42985002d1e4b453f11113628a6adca74416a820562914a54fd8f4788602acf6

SHA512
982d2dece92c53a17895146c1ed6c97344d3ba431a0a4e2ae0af60c5a4c2a8f372ee8af9331829e3704756a3e07ad9ffd3bb161261bfcb900071ee5c6f9da205

Download Submit
\Users\Admin\AppData\Local\Temp\is-IM7N2.tmp\Astroneer update 1.27.264 - 1.27.301.tmp

Filesize
1.5MB

MD5
99ceff86b552f5cc803fdfe41bc6dc5c

SHA1
beefcc27d38ba3e935c964d3d53bcf92abf87ee6

SHA256
eaed0c08e82923c5585e450a978365f83265cf983a5521e108294be4d2b75a70

SHA512
a78668e05762126547076c5b7758c09daf66628c2f18a0e88a92a3cdffd7520097d1fe15a7d59a1ca945f0e6dd4a0211877eb638fc71632176703eb9bb6740c8

Download Submit
\Users\Admin\AppData\Local\Temp\is-TASR9.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-TASR9.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-TASR9.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1376-71-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1376-54-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1376-128-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1652-61-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1652-121-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1652-126-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1652-73-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1652-72-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1652-109-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download