ae97f04d201983bd8e0b815a55161a3b5ce5cae025ad8e1365ba2180aebccf04

Analysis

max time kernel
34s
max time network
4s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2023, 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

1.6MB
MD5

b256c4c1dfe3dcda4aeb098580dd7d5f
SHA1

bcd82ca4d2865f3cf43f06b74fb655e6954c56d8
SHA256

ae97f04d201983bd8e0b815a55161a3b5ce5cae025ad8e1365ba2180aebccf04
SHA512

9036713f80714cf418a819c7ae3a208516ea1974fca80b615804dd658d65305f0ab43786391abdfaef5a0eeac28e499186a517e11686496b81f9af6c0da5eba9
SSDEEP

24576:PxGUmMn4xnsmCxZglmdy1YO9BFNP5NvxUsg9ZVSdOimeklkYaGWnG6:4Ujs/CTumdy1x7a9DjpaGal

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4852	setup.tmp
5072	unins000.exe
3108	_iu14D2N.tmp

Loads dropped DLL 3 IoCs

pid	Process
4852	setup.tmp
4852	setup.tmp
4852	setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Grand Theft Auto III\is-13LVI.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\Grand Theft Auto III\unins000.dat	setup.tmp
File opened for modification	C:\Program Files (x86)\Grand Theft Auto III\unins000.dat	_iu14D2N.tmp
File created	C:\Program Files (x86)\Grand Theft Auto III\unins000.dat	setup.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4852	setup.tmp
4852	setup.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4852	setup.tmp
3108	_iu14D2N.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 4852	1988	setup.exe	81
PID 1988 wrote to memory of 4852	1988	setup.exe	81
PID 1988 wrote to memory of 4852	1988	setup.exe	81
PID 4852 wrote to memory of 5072	4852	setup.tmp	82
PID 4852 wrote to memory of 5072	4852	setup.tmp	82
PID 4852 wrote to memory of 5072	4852	setup.tmp	82
PID 5072 wrote to memory of 3108	5072	unins000.exe	83
PID 5072 wrote to memory of 3108	5072	unins000.exe	83
PID 5072 wrote to memory of 3108	5072	unins000.exe	83

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\is-23NJ3.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-23NJ3.tmp\setup.tmp" /SL5="$4020C,1041943,489472,C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Program Files (x86)\Grand Theft Auto III\unins000.exe
    "C:\Program Files (x86)\Grand Theft Auto III\unins000.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
      "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files (x86)\Grand Theft Auto III\unins000.exe" /FIRSTPHASEWND=$F004E /VERYSILENT
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of FindShellTrayWindow
      PID:3108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Grand Theft Auto III\unins000.dat

Filesize
17KB

MD5
b55ea8e83411dcf2c601a79603e5fd01

SHA1
a5295356f34042e8ab62a61019350abf181f09ba

SHA256
a15d068aee3ea5cb8b3d78896126c7277b824c9b2607996705030464e58d5f04

SHA512
9674f618be37e38b3172c9ec4524abcdc9035c3392bcb60a9c47d90de871f204a6d5e6b5e383eea9217706045b1f82964e7f8574e12af5c62b608f8d4e75b752

Download Submit
C:\Program Files (x86)\Grand Theft Auto III\unins000.exe

Filesize
1.5MB

MD5
7f1551bdbce41ff7c4cb92e91c8d16eb

SHA1
e8ff32f4aa9a7fa06e877209d89f7538d97e6fbc

SHA256
42d2a3ab2aee19101af2ecacddc4a10e276d850a5ecd5a1d31f69aee947579a9

SHA512
fc3744dd301a5b1f215bd9b14ba97e560e829a3112259b6814b02c00a0d5caf8e979ddd911bcf23cfbd5f23b9221903078a671f70b545f97fee45236e0619094

Download Submit
C:\Program Files (x86)\Grand Theft Auto III\unins000.exe

Filesize
1.5MB

MD5
7f1551bdbce41ff7c4cb92e91c8d16eb

SHA1
e8ff32f4aa9a7fa06e877209d89f7538d97e6fbc

SHA256
42d2a3ab2aee19101af2ecacddc4a10e276d850a5ecd5a1d31f69aee947579a9

SHA512
fc3744dd301a5b1f215bd9b14ba97e560e829a3112259b6814b02c00a0d5caf8e979ddd911bcf23cfbd5f23b9221903078a671f70b545f97fee45236e0619094

Download Submit
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp

Filesize
1.5MB

MD5
7f1551bdbce41ff7c4cb92e91c8d16eb

SHA1
e8ff32f4aa9a7fa06e877209d89f7538d97e6fbc

SHA256
42d2a3ab2aee19101af2ecacddc4a10e276d850a5ecd5a1d31f69aee947579a9

SHA512
fc3744dd301a5b1f215bd9b14ba97e560e829a3112259b6814b02c00a0d5caf8e979ddd911bcf23cfbd5f23b9221903078a671f70b545f97fee45236e0619094

Download Submit
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp

Filesize
1.5MB

MD5
7f1551bdbce41ff7c4cb92e91c8d16eb

SHA1
e8ff32f4aa9a7fa06e877209d89f7538d97e6fbc

SHA256
42d2a3ab2aee19101af2ecacddc4a10e276d850a5ecd5a1d31f69aee947579a9

SHA512
fc3744dd301a5b1f215bd9b14ba97e560e829a3112259b6814b02c00a0d5caf8e979ddd911bcf23cfbd5f23b9221903078a671f70b545f97fee45236e0619094

Download Submit
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp

Filesize
1.5MB

MD5
7f1551bdbce41ff7c4cb92e91c8d16eb

SHA1
e8ff32f4aa9a7fa06e877209d89f7538d97e6fbc

SHA256
42d2a3ab2aee19101af2ecacddc4a10e276d850a5ecd5a1d31f69aee947579a9

SHA512
fc3744dd301a5b1f215bd9b14ba97e560e829a3112259b6814b02c00a0d5caf8e979ddd911bcf23cfbd5f23b9221903078a671f70b545f97fee45236e0619094

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-23NJ3.tmp\setup.tmp

Filesize
1.5MB

MD5
c940debd7153593544749dc4ac27a0e5

SHA1
90cf88f01e99b392cb1e8b84a281643a0eb41126

SHA256
ab6de9ec5970612e48a9f5ac426083b8962c435fbf26bce42e73bf20025dfe8c

SHA512
7300c8faed4fdb5f85db4d4f4f659ddaee100ac87d3743a195a8cf1871b26e61d523c5a6171f418ecce61d03940a6b6196f30b942b5abcbb3458adaede7833a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-23NJ3.tmp\setup.tmp

Filesize
1.5MB

MD5
c940debd7153593544749dc4ac27a0e5

SHA1
90cf88f01e99b392cb1e8b84a281643a0eb41126

SHA256
ab6de9ec5970612e48a9f5ac426083b8962c435fbf26bce42e73bf20025dfe8c

SHA512
7300c8faed4fdb5f85db4d4f4f659ddaee100ac87d3743a195a8cf1871b26e61d523c5a6171f418ecce61d03940a6b6196f30b942b5abcbb3458adaede7833a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-686A4.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D4A2V.tmp\ISDone.dll

Filesize
453KB

MD5
34b88e02562a274b786f3e2a2caa4697

SHA1
8e9b2217a223cb197537bf0d4e288f9152a2609d

SHA256
367e83cd3122c3ea8518bf080ae161d350a63a3eda13ab901997aa72b6217ac8

SHA512
2bdc4c145ee94224a9750fb81b1f7b3a968d525b3e8dad06ad9fbed2bfd4aab54425a0326a3a3e221863dd767a38898027b7912543bd178ef028995bae24deaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D4A2V.tmp\ISDone.dll

Filesize
453KB

MD5
34b88e02562a274b786f3e2a2caa4697

SHA1
8e9b2217a223cb197537bf0d4e288f9152a2609d

SHA256
367e83cd3122c3ea8518bf080ae161d350a63a3eda13ab901997aa72b6217ac8

SHA512
2bdc4c145ee94224a9750fb81b1f7b3a968d525b3e8dad06ad9fbed2bfd4aab54425a0326a3a3e221863dd767a38898027b7912543bd178ef028995bae24deaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D4A2V.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/1988-157-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1988-133-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1988-209-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3108-190-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/3108-193-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4852-152-0x0000000003370000-0x00000000033E7000-memory.dmp

Filesize
476KB

Download
memory/4852-162-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4852-160-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/4852-159-0x0000000003370000-0x00000000033E7000-memory.dmp

Filesize
476KB

Download
memory/4852-158-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4852-195-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4852-196-0x0000000003370000-0x00000000033E7000-memory.dmp

Filesize
476KB

Download
memory/4852-208-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4852-139-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/5072-189-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download