6012a045f413abdf7e8f1c70848448ff307a3e1854a2313d7d4998f8ebc96f5d

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
29-06-2023 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Buff Achievement Tracker - Installer.exe
Size

2.0MB
MD5

e9d1d646b6376de5c6f6b50d6576b500
SHA1

0e89df9bcf7451019152febe5b2af6d3ea5dc3cf
SHA256

6012a045f413abdf7e8f1c70848448ff307a3e1854a2313d7d4998f8ebc96f5d
SHA512

a2784682ec031a015c83f5d463358482c1b898ee6a616e40a24c73051e8c68caa2bbc1172213393bec4405bafc67989a04cbb58cd19235e8366d2c52e9ffa178
SSDEEP

49152:FT/vxE87vxpsrFpIvxrpLCvsMcOiX8isGAYkjyRUcL:FT/ZPN+TIvvLCvslsiHzDC

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	SetupUtility.exe

Executes dropped EXE 4 IoCs

pid	Process
1544	ndp48-web.exe
1888	Setup.exe
1520	SetupUtility.exe
1796	SetupUtility.exe

Loads dropped DLL 14 IoCs

pid	Process
840	Buff Achievement Tracker - Installer.exe
840	Buff Achievement Tracker - Installer.exe
840	Buff Achievement Tracker - Installer.exe
840	Buff Achievement Tracker - Installer.exe
840	Buff Achievement Tracker - Installer.exe
840	Buff Achievement Tracker - Installer.exe
840	Buff Achievement Tracker - Installer.exe
1544	ndp48-web.exe
1888	Setup.exe
1888	Setup.exe
1888	Setup.exe
1888	Setup.exe
1888	Setup.exe
1888	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Buff Achievement Tracker - Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Buff Achievement Tracker - Installer.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 1544	840	Buff Achievement Tracker - Installer.exe	28
PID 840 wrote to memory of 1544	840	Buff Achievement Tracker - Installer.exe	28
PID 840 wrote to memory of 1544	840	Buff Achievement Tracker - Installer.exe	28
PID 840 wrote to memory of 1544	840	Buff Achievement Tracker - Installer.exe	28
PID 840 wrote to memory of 1544	840	Buff Achievement Tracker - Installer.exe	28
PID 840 wrote to memory of 1544	840	Buff Achievement Tracker - Installer.exe	28
PID 840 wrote to memory of 1544	840	Buff Achievement Tracker - Installer.exe	28
PID 1544 wrote to memory of 1888	1544	ndp48-web.exe	29
PID 1544 wrote to memory of 1888	1544	ndp48-web.exe	29
PID 1544 wrote to memory of 1888	1544	ndp48-web.exe	29
PID 1544 wrote to memory of 1888	1544	ndp48-web.exe	29
PID 1544 wrote to memory of 1888	1544	ndp48-web.exe	29
PID 1544 wrote to memory of 1888	1544	ndp48-web.exe	29
PID 1544 wrote to memory of 1888	1544	ndp48-web.exe	29

C:\Users\Admin\AppData\Local\Temp\Buff Achievement Tracker - Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Buff Achievement Tracker - Installer.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Local\Temp\nst6F0A.tmp\ndp48-web.exe
  "C:\Users\Admin\AppData\Local\Temp\nst6F0A.tmp\ndp48-web.exe" /norestart
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\2db1dfefde68f4b8421ca6336dba\Setup.exe
    C:\2db1dfefde68f4b8421ca6336dba\\Setup.exe /norestart /x86 /x64 /web
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:1888
  - - C:\2db1dfefde68f4b8421ca6336dba\SetupUtility.exe
      SetupUtility.exe /aupause
      4⤵
      Drops file in Windows directory
      Executes dropped EXE
      PID:1520
  - - C:\2db1dfefde68f4b8421ca6336dba\SetupUtility.exe
      SetupUtility.exe /screboot
      4⤵
      Executes dropped EXE
      PID:1796
  - - C:\2db1dfefde68f4b8421ca6336dba\TMP80AD.tmp.exe
      TMP80AD.tmp.exe /Q /X:C:\2db1dfefde68f4b8421ca6336dba\TMP80AD.tmp.exe.tmp
      4⤵
      PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2db1dfefde68f4b8421ca6336dba\Setup.exe

Filesize
119KB

MD5
057ce4fb9c8e829af369afbc5c4dfd41

SHA1
094f9d5f107939250f03253cf6bb3a93ae5b2a10

SHA256
60dd7d10b3f88f1b17e39464bb2d7ca77c9267b846d90cf5728a518a117bd21b

SHA512
cae4df73a5b28863c14a5207fbbe4e0630e71215aa1271fe61117523cc32b8b82cd1ba63f698907fbfeb36d4007bb0f463828025957505cfcbb200f4ed5d3a52

Download Submit
C:\2db1dfefde68f4b8421ca6336dba\SetupUtility.exe

Filesize
304KB

MD5
2a20ff4988db90ae0632d898916950ca

SHA1
f822b12f4efb31a99ec4df9a4d9c9806c55648fa

SHA256
289e23983692bdbd58ab0cb3b1668b5158d90a9937721185a75247a44d0c3243

SHA512
02003b403ec2375b9ee004978d522c91666f4aa642288ead9963ff0e5701d2ab8efa9b3854f13dca8d85cf7b6b2890b000148a24d3565c9e4399b27936b691b0

Download Submit
C:\2db1dfefde68f4b8421ca6336dba\SetupUtility.exe

Filesize
304KB

MD5
2a20ff4988db90ae0632d898916950ca

SHA1
f822b12f4efb31a99ec4df9a4d9c9806c55648fa

SHA256
289e23983692bdbd58ab0cb3b1668b5158d90a9937721185a75247a44d0c3243

SHA512
02003b403ec2375b9ee004978d522c91666f4aa642288ead9963ff0e5701d2ab8efa9b3854f13dca8d85cf7b6b2890b000148a24d3565c9e4399b27936b691b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt

Filesize
3KB

MD5
bdcc919b748a2c9da0c6eee7044a14be

SHA1
a979d48e116a92ff01bdb7524c8753af65605291

SHA256
04e5b42790caff6a78332c8f87874cc1173cfaefa3cd6c7818f0e9a2fd3e4a9c

SHA512
f4641505b669ae1d900ee3e844d9821933d983e1e9e53f232a631c6059f85a050e1a9fd94edaa5fd30f5c3955aa13a51f8e42e1aec07d741ab07c1ecb5f1688e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst6F0A.tmp\INetC.dll

Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst6F0A.tmp\ndp48-web.exe

Filesize
1.4MB

MD5
34a5c76979563918b953e66e0d39c7ef

SHA1
4181398aa1fd5190155ac3a388434e5f7ea0b667

SHA256
0bba3094588c4bfec301939985222a20b340bf03431563dec8b2b4478b06fffa

SHA512
642721c60d52051c7f3434d8710fe3406a7cfe10b2b39e90ea847719ed1697d7c614f2df44ad50412b1df8c98dd78fdc57ca1d047d28c81ac158092e5fb18040

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst6F0A.tmp\ndp48-web.exe

Filesize
1.4MB

MD5
34a5c76979563918b953e66e0d39c7ef

SHA1
4181398aa1fd5190155ac3a388434e5f7ea0b667

SHA256
0bba3094588c4bfec301939985222a20b340bf03431563dec8b2b4478b06fffa

SHA512
642721c60d52051c7f3434d8710fe3406a7cfe10b2b39e90ea847719ed1697d7c614f2df44ad50412b1df8c98dd78fdc57ca1d047d28c81ac158092e5fb18040

Download Submit
\2db1dfefde68f4b8421ca6336dba\1033\SetupResources.dll

Filesize
23KB

MD5
3f975e8bb4cd4adb9b5d21b2da436ab6

SHA1
e017dd66cbd964228b3b9b84b14c892709fe3915

SHA256
ab1d462944fdcb4ad2e6a4d37257f2fe2063744bb4e3de55b4126dfb65d383fc

SHA512
f99359f9118409fe7cbdc4390a48f2f661d7e1622b08af75080e036400e1a3dae118d92848e54a24168eb8b27e69d51a920bb26511c466868afb42257b3ea048

Download Submit
\2db1dfefde68f4b8421ca6336dba\Setup.exe

Filesize
119KB

MD5
057ce4fb9c8e829af369afbc5c4dfd41

SHA1
094f9d5f107939250f03253cf6bb3a93ae5b2a10

SHA256
60dd7d10b3f88f1b17e39464bb2d7ca77c9267b846d90cf5728a518a117bd21b

SHA512
cae4df73a5b28863c14a5207fbbe4e0630e71215aa1271fe61117523cc32b8b82cd1ba63f698907fbfeb36d4007bb0f463828025957505cfcbb200f4ed5d3a52

Download Submit
\2db1dfefde68f4b8421ca6336dba\SetupEngine.dll

Filesize
893KB

MD5
f9618535477ddfef9fe8b531a44be1a3

SHA1
c137a4c7994032a6410ef0a7e6f0f3c5acb68e03

SHA256
236bf2b5cf6014b8ee22484afe172ace512cc99dba85080b082d47e9e189ea5c

SHA512
b85ae1a9cc334e9352c51aa94b2c74c6c067957e0e6021f7309a1c194fc64c0c50bb5efeaef7030e8689d75a22798f74cf719366a2fdcce26e23692510bfe064

Download Submit
\2db1dfefde68f4b8421ca6336dba\SetupUi.dll

Filesize
336KB

MD5
6f51e9b469f95edb9156c74b4b0f4e1b

SHA1
5224c3de0fa4895297898f76ed5647ef40d924f8

SHA256
9fd4639955338928731a8ab6e131175949a179931b8c9d4fcadd2367d749b826

SHA512
920f6525852a3a3636722fa8a36112d5402b22b7d93469443eba2b782ef27d25532a8b6a922dad2a60709c24e74527f639e2744bfd30635dda80ab364376a32e

Download Submit
\2db1dfefde68f4b8421ca6336dba\SetupUtility.exe

Filesize
304KB

MD5
2a20ff4988db90ae0632d898916950ca

SHA1
f822b12f4efb31a99ec4df9a4d9c9806c55648fa

SHA256
289e23983692bdbd58ab0cb3b1668b5158d90a9937721185a75247a44d0c3243

SHA512
02003b403ec2375b9ee004978d522c91666f4aa642288ead9963ff0e5701d2ab8efa9b3854f13dca8d85cf7b6b2890b000148a24d3565c9e4399b27936b691b0

Download Submit
\2db1dfefde68f4b8421ca6336dba\SetupUtility.exe

Filesize
304KB

MD5
2a20ff4988db90ae0632d898916950ca

SHA1
f822b12f4efb31a99ec4df9a4d9c9806c55648fa

SHA256
289e23983692bdbd58ab0cb3b1668b5158d90a9937721185a75247a44d0c3243

SHA512
02003b403ec2375b9ee004978d522c91666f4aa642288ead9963ff0e5701d2ab8efa9b3854f13dca8d85cf7b6b2890b000148a24d3565c9e4399b27936b691b0

Download Submit
\2db1dfefde68f4b8421ca6336dba\sqmapi.dll

Filesize
223KB

MD5
0c0e41efeec8e4e78b43d7812857269a

SHA1
846033946013f959e29cd27ff3f0eaa17cb9e33f

SHA256
048d51885874d62952e150d69489bcfb643a5131ce8b70a49f10dfb34832702c

SHA512
e11da01852a92833c1632e121a2f2b6588b58f4f2166339a28dd02dad6af231a2260a7e5fc92e415d05aa65b71e8bbda065e82a2db49bb94b6cf2fe82b646c28

Download Submit
\Users\Admin\AppData\Local\Temp\nst6F0A.tmp\INetC.dll

Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
\Users\Admin\AppData\Local\Temp\nst6F0A.tmp\INetC.dll

Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
\Users\Admin\AppData\Local\Temp\nst6F0A.tmp\System.dll

Filesize
11KB

MD5
7399323923e3946fe9140132ac388132

SHA1
728257d06c452449b1241769b459f091aabcffc5

SHA256
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

SHA512
d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

Download Submit
\Users\Admin\AppData\Local\Temp\nst6F0A.tmp\UserInfo.dll

Filesize
4KB

MD5
9301577ff4d229347fe33259b43ef3b2

SHA1
5e39eb4f99920005a4b2303c8089d77f589c133d

SHA256
090c4bc8dc534e97b3877bd5115eb58b3e181495f29f231479f540bab5c01edc

SHA512
77dc7a1dedaeb1fb2ccefaba0a526b8d40ea64b9b37af53c056b9428159b67d552e5e3861cbffc2149ec646fdfe9ce94f4fdca51703f79c93e5f45c085e52c79

Download Submit
\Users\Admin\AppData\Local\Temp\nst6F0A.tmp\ndp48-web.exe

Filesize
1.4MB

MD5
34a5c76979563918b953e66e0d39c7ef

SHA1
4181398aa1fd5190155ac3a388434e5f7ea0b667

SHA256
0bba3094588c4bfec301939985222a20b340bf03431563dec8b2b4478b06fffa

SHA512
642721c60d52051c7f3434d8710fe3406a7cfe10b2b39e90ea847719ed1697d7c614f2df44ad50412b1df8c98dd78fdc57ca1d047d28c81ac158092e5fb18040

Download Submit
\Users\Admin\AppData\Local\Temp\nst6F0A.tmp\uac.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nst6F0A.tmp\utils.dll

Filesize
55KB

MD5
aad3f2ecc74ddf65e84dcb62cf6a77cd

SHA1
1e153e0f4d7258cae75847dba32d0321864cf089

SHA256
1cc004fcce92824fa27565b31299b532733c976671ac6cf5dbd1e0465c0e47e8

SHA512
8e44b86c92c890d303448e25f091f1864946126343ee4665440de0dbeed1c89ff05e4f3f47d530781aa4db4a0d805b41899b57706b8eddfc95cfa64c073c26e2

Download Submit
memory/1888-460-0x00000000734F0000-0x0000000073623000-memory.dmp

Filesize
1.2MB

Download
memory/1888-447-0x00000000734F0000-0x0000000073623000-memory.dmp

Filesize
1.2MB

Download
memory/1888-425-0x00000000734F0000-0x0000000073623000-memory.dmp

Filesize
1.2MB

Download
memory/1888-505-0x0000000002710000-0x0000000002745000-memory.dmp

Filesize
212KB

Download
memory/1888-504-0x0000000002710000-0x000000000275D000-memory.dmp

Filesize
308KB

Download
memory/1888-541-0x00000000734F0000-0x0000000073623000-memory.dmp

Filesize
1.2MB

Download
memory/1888-557-0x00000000734F0000-0x0000000073623000-memory.dmp

Filesize
1.2MB

Download