fd04e88c7b8a79cf0116e974f385c7ab688a31909b0a571418e06fb390587eaa

Analysis

max time kernel
152s
max time network
134s
platform
windows7_x64
resource
win7-20230831-de
resource tags

arch:x64arch:x86image:win7-20230831-delocale:de-deos:windows7-x64systemwindows
submitted
21/09/2023, 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_rimworld_1.4.3641_rev629_(64bit)_(62467).exe
Size

195.6MB
MD5

ab3dee37a39f8b2cfdc52b9115c17617
SHA1

5fd1e67492347a1528dc709381bb69a18a50ec85
SHA256

fd04e88c7b8a79cf0116e974f385c7ab688a31909b0a571418e06fb390587eaa
SHA512

88fc3b80706a202619dfd7517dada310a14650cc50d217de0e82309e1d888c3c7eebca4445bd999c0d64b86ab6d2760357fdfb55fbda52f5887b95f3709649d7
SSDEEP

6291456:/SMRLUhEYUaju1oheFPDIVEMF1SCwnrAd:/RRIgaju15PDIVEMF1UnrAd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2076	setup_rimworld_1.4.3641_rev629_(64bit)_(62467).tmp

Loads dropped DLL 5 IoCs

pid	Process
1716	setup_rimworld_1.4.3641_rev629_(64bit)_(62467).exe
2076	setup_rimworld_1.4.3641_rev629_(64bit)_(62467).tmp
2076	setup_rimworld_1.4.3641_rev629_(64bit)_(62467).tmp
2076	setup_rimworld_1.4.3641_rev629_(64bit)_(62467).tmp
2076	setup_rimworld_1.4.3641_rev629_(64bit)_(62467).tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2076	1716	setup_rimworld_1.4.3641_rev629_(64bit)_(62467).exe	30
PID 1716 wrote to memory of 2076	1716	setup_rimworld_1.4.3641_rev629_(64bit)_(62467).exe	30
PID 1716 wrote to memory of 2076	1716	setup_rimworld_1.4.3641_rev629_(64bit)_(62467).exe	30
PID 1716 wrote to memory of 2076	1716	setup_rimworld_1.4.3641_rev629_(64bit)_(62467).exe	30
PID 1716 wrote to memory of 2076	1716	setup_rimworld_1.4.3641_rev629_(64bit)_(62467).exe	30
PID 1716 wrote to memory of 2076	1716	setup_rimworld_1.4.3641_rev629_(64bit)_(62467).exe	30
PID 1716 wrote to memory of 2076	1716	setup_rimworld_1.4.3641_rev629_(64bit)_(62467).exe	30

C:\Users\Admin\AppData\Local\Temp\setup_rimworld_1.4.3641_rev629_(64bit)_(62467).exe
"C:\Users\Admin\AppData\Local\Temp\setup_rimworld_1.4.3641_rev629_(64bit)_(62467).exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\is-4UQNK.tmp\setup_rimworld_1.4.3641_rev629_(64bit)_(62467).tmp
  "C:\Users\Admin\AppData\Local\Temp\is-4UQNK.tmp\setup_rimworld_1.4.3641_rev629_(64bit)_(62467).tmp" /SL5="$7012E,204457012,192512,C:\Users\Admin\AppData\Local\Temp\setup_rimworld_1.4.3641_rev629_(64bit)_(62467).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2076

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-4UQNK.tmp\setup_rimworld_1.4.3641_rev629_(64bit)_(62467).tmp

Filesize
1.3MB

MD5
6d6a3de8ef3a9708cbdef41cade828ff

SHA1
3b621f1e50f3517e2b044eee4e11888d951e6282

SHA256
cf03a97aa4cbfac73cd509f75aea4752ae3b39f740d7f9b0d253ccd0a99941d4

SHA512
18ebfca00de223a1cba49868bfa01b9d233be9b4276762edc4b5bf781a9d14d12ef4b4ad1e1ea4a548d7af189fec39b8b2c34315fd7906ddbfd380dadc6abefa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PNTPG.tmp\1134577161_german.jpg

Filesize
192KB

MD5
f51be1c68ee6cff6e332979c6b66c484

SHA1
da897642aeb11979dc2648c5034e75ab14f0ac1b

SHA256
5bb52b41866a1b66b3956bdf1d258eb96595f31440fd2c2f769b1b13cf985902

SHA512
668c506dbfd4f0c7a259ead0cb668fce070b02849b2cfcfb84454614ed6ec8347a46d59add5052ba7fc10b50b91700639009ed4b1a9e6b3717d493909109cb8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PNTPG.tmp\1207665683_german.jpg

Filesize
170KB

MD5
c5ff3ad305ef7cf6b2c4da15ae512469

SHA1
493e0ae84babb3a5e22d8c42cb2a8e964c2ae261

SHA256
39d8fe232fddd410b2292208c766011e2643519aeb4a0753f1c660e57da20e19

SHA512
143987995e7d4fc6a3dba4dc81bbd57bffb471eb8df91a6535075e27b3199d071b770e2124bbadcddc46614d0520955dcf4a7744914c9c4c3d98730446c5cfd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PNTPG.tmp\1432297044_german.jpg

Filesize
227KB

MD5
f4a17703e01be4650dee411528692129

SHA1
ab75ceb2b6abf1b6e0746e57acef4207445ed72e

SHA256
076bef901722ed7c8fb831a426f6f10eeb137ea1c4e6554f53e7c11b67649f15

SHA512
644d8ece33e3f2752d9cd06ec83f9145674f547e9cd3cd661a33d8217375917bfff9393fe0cfabcf50835d5412e28763a772562f955dcddb91227599c69371ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PNTPG.tmp\1452777713_german.jpg

Filesize
208KB

MD5
11594158555adf28b11e819843adac53

SHA1
5ff87d09e3a970b68052f15a90348bdb2149f321

SHA256
4b07e2c68580920c285e88eff933a94851e4ede480fe7006d79fe2cc55f7db99

SHA512
72483f13fcc8e7986f699e529dd444b144f17182bab72133f2aa22a62c3b203d7c67dec5b417a6d3e79dbe6987bc0288d535228ece7582645ebb7d7e381776a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PNTPG.tmp\BigOK.png

Filesize
3KB

MD5
5b43a5d975a53f4fc1da67ce9f7784c1

SHA1
8543fa1e471030049942252b23cb22e0880c3af5

SHA256
59d8bb3e87a89ef523c0495addce38d69560af42aaa82f56dd41b12e6612c13a

SHA512
5dd5c4e9859a555a4a32da76f5231b44f7556274c6501da530b2cdd570bcb4675f710bee708322a40ed3ef9280c0d652b4e7ef0e9eaf128c08534f59291917f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PNTPG.tmp\EULAAccepted.png

Filesize
2KB

MD5
461dfeb75927bdb39f9db5348612a611

SHA1
b7893b1fff6801e37ee7337d876962a09184941e

SHA256
0de278f5ca6d8570d9bda592268a14a28b87d3631fea2d25721947397aaab79c

SHA512
68528cf45c81c2c024a672f42c2cd6d4f72c015b443f103ca21deb8ee2bec4f4027490e7f33b5338a87537b5bf7f255f2828aed149f622155ec89cc81687651b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PNTPG.tmp\EULAShow.png

Filesize
1KB

MD5
c596bc9111edc702bbbb29b70984254f

SHA1
d4712c7b91ff4f8994e7907d31357c42eb47c738

SHA256
6112851daea2aaa7174e8cfac4a0f61c968bc090342503804c476eff47cc2462

SHA512
db50d0a39ec644873a03d64552fff1776cc94f016e8dfc8918e65aee94f7529a6de4637567b5e65c4ea988f3775785c4b52c2d96fe8dbc52b1e21ff59c737c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PNTPG.tmp\background.jpg

Filesize
431KB

MD5
1cb22f1828cc3675fa7ea50c337afd42

SHA1
40470dc53908a87104b07ab132ded11b7ef3af58

SHA256
c3a6533ff22363e547e7dcdf4b7049aec22fc528eb7ee3f28a39c524aa2dba89

SHA512
168066518b9a36eb05d639ef5460b9237f472a36c2fe89de6ee873f271eff4fcd536729e313781b431233b3c8f55b592ecb1dc22cb647f7758714015739b36f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PNTPG.tmp\btn_md5.png

Filesize
8KB

MD5
3befe9739354ee24a0b1ea8df05ce274

SHA1
ab0bda986a8c46aa19f57b75a2b7b22445a3c625

SHA256
b0193ab375f604fa4a25cabdea8f713babde1c07ab562ffc5679352c8e01db47

SHA512
ac016a59e0bfc9b22c376ae5d498c5660893a983d932b2bd502dabe032883c69e79ea8d93c2db49f95415c3cdb068e9f7d1d85527a4f9e68e065a989852d09dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PNTPG.tmp\error.png

Filesize
726B

MD5
df10adc25b673e74e19971c17bee5a98

SHA1
ee16fb1cf9491f5e611282f0574b27d76fede412

SHA256
142b16dc6239421691fa6e619d1a61e61176d89fa018a88b46893c29a57aad8b

SHA512
dc3de10e0321966cbbfb2e57b3b41da6f26dff0c7233a47469da58775b5c471e6b5181e4d4ffc81ef8b83dbcad74ccc1aad7678518f99c9185a441d2a23e010f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PNTPG.tmp\ok.png

Filesize
1KB

MD5
103c1368e60806b1b7995a0894eacf87

SHA1
971392527f6e4b655044773132505c901a6b5469

SHA256
0d37d4421a39ca8852eb6760b8e914302bdc6cfcc7b170dc1b6c9bb9be148b7e

SHA512
652177e94438aff102f2ed873b26f0985ebed134763852b49b1ca2698463c1dbeb85152f19c8e18d397229ec5cb2cd1d17c61d454ab7c425a2cab540adc8228a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PNTPG.tmp\slideshow.ini

Filesize
547B

MD5
c3734c3c23ebc66daf741e2ded582f3e

SHA1
a85fddcbd3ca8ca4e2a4a43f3fadece3355f234e

SHA256
10786537492cf738b832b1a0ea06fa63ef37bd2737d0de727757c236a626b125

SHA512
6d42299896415fa0ab4c0bf0f8d9ca385165dd9a27e8c7373a3796086f045b0d6ee4f9303b4c37509e340e201bedacf9663f6b1f2572bb402912f568225fb7e5

Download Submit
\Users\Admin\AppData\Local\Temp\is-4UQNK.tmp\setup_rimworld_1.4.3641_rev629_(64bit)_(62467).tmp

Filesize
1.3MB

MD5
6d6a3de8ef3a9708cbdef41cade828ff

SHA1
3b621f1e50f3517e2b044eee4e11888d951e6282

SHA256
cf03a97aa4cbfac73cd509f75aea4752ae3b39f740d7f9b0d253ccd0a99941d4

SHA512
18ebfca00de223a1cba49868bfa01b9d233be9b4276762edc4b5bf781a9d14d12ef4b4ad1e1ea4a548d7af189fec39b8b2c34315fd7906ddbfd380dadc6abefa

Download Submit
\Users\Admin\AppData\Local\Temp\is-PNTPG.tmp\botva2.dll

Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
\Users\Admin\AppData\Local\Temp\is-PNTPG.tmp\crcdll.dll

Filesize
69KB

MD5
1d51fac9e2384eeb674199cfd5281d7d

SHA1
861dfdc121357d605d0cc3793266713788109eb2

SHA256
23e90ce5a1f2d634a7bf5d5d0522fafeea6df9e536e16f5ce91035d5197128ec

SHA512
921b00adfe43b883200960e8d0958d4e6b97f6d5cfc096ee277766a3e44cc7805a20877a4edf8bd4d9102bb71a20ac218a9a512f4f76bd751d3ef14f4e0a6eda

Download Submit
\Users\Admin\AppData\Local\Temp\is-PNTPG.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-PNTPG.tmp\uninstall.dll

Filesize
691KB

MD5
7db706c324cc9b6fda497d081eed6e26

SHA1
ca97392e573af0cf61bfa3301801a85f2beea44c

SHA256
cc685dbcf798549ad1a51c1dde45462e2a451ec59f48ee91219182a3871cd5b0

SHA512
8edf1494d57d5e708faaff4170f21f435658be897a6fe0acf243ced0701a7fd574b3c973c5bc5e8d92815e966c98977e69ac1e3083ab00c11b072115527ffa19

Download Submit
memory/1716-1-0x00000000012B0000-0x00000000012E9000-memory.dmp

Filesize
228KB

Download
memory/1716-157-0x00000000012B0000-0x00000000012E9000-memory.dmp

Filesize
228KB

Download
memory/2076-156-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2076-8-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2076-16-0x00000000034E0000-0x0000000003597000-memory.dmp

Filesize
732KB

Download
memory/2076-59-0x0000000000D90000-0x0000000000D9E000-memory.dmp

Filesize
56KB

Download
memory/2076-12-0x0000000000D10000-0x0000000000D25000-memory.dmp

Filesize
84KB

Download
memory/2076-159-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2076-160-0x0000000000E00000-0x0000000000F52000-memory.dmp

Filesize
1.3MB

Download
memory/2076-161-0x0000000000D10000-0x0000000000D25000-memory.dmp

Filesize
84KB

Download
memory/2076-162-0x00000000034E0000-0x0000000003597000-memory.dmp

Filesize
732KB

Download
memory/2076-163-0x0000000000D90000-0x0000000000D9E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads