2d3ddaf7da231e79bff773a421526458128ca84cf4aaf5f06bad31e20e06cde5

Analysis

max time kernel
125s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231020-es
resource tags

arch:x64arch:x86image:win10v2004-20231020-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
06-11-2023 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adventure Time/setup.exe
Size

621KB
MD5

1a7bb86336a129b039087cce0cfbbfef
SHA1

ceefd22ae179752abe0137870afb55ff481f27b0
SHA256

b8072d28e9f8892f7c9cb63f19cd1c3c741872542e0359920ae857ecbb3b8804
SHA512

f792b9f629f674036b3fae0c4c5d6eb2c41949a6ae48b81a733b6ecd87cdb42875547323e713b711a040dfafd27a2df96834be80aa2cd7ba419294ac66e28451
SSDEEP

12288:iSxG0h888888888888W88888888888wXpp2XgFEDm4RqOP/8O0ISBL/0ntZBIVlm:JxGnXpp4gQR1HA/0tMfm9aI

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1500	setup.tmp
4996	AdventureTime.exe

Loads dropped DLL 3 IoCs

pid	Process
4996	AdventureTime.exe
4996	AdventureTime.exe
4996	AdventureTime.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-RL9N8.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-S2098.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-T318V.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-9IG5D.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-4JC7F.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-BABBE.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-QGGIN.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\executable\fmod_event.dll	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-NTH2P.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-1N30K.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-8PV8V.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-2V4IU.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-0IONJ.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-QH5TO.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-C2LKD.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-CRFP5.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-5FQP0.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-BNBE9.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-7APB6.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-Q292N.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-KTVIB.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-BDC37.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-2PDUE.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-BM12V.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-22CE2.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-21DAC.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-ES497.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-2FQQP.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-J70AP.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-R13RU.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-KS438.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-VMCPQ.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-CBLHR.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-REEJ8.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-5ULHO.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-GC9MM.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-65HDS.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-U4VP7.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-CM3SR.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-J49DO.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-P96E6.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\executable\libpadfilter.dll	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-UEIL4.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-TP01J.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-LU8PE.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-2IBKJ.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-DKGM1.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-O524C.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-LS9UJ.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-MOAT9.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-Q0HL9.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-LAHFH.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-IG2J9.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-77QH6.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-TSF9B.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-L4HJ6.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-NDF0R.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-0TJ1Q.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-PL2VT.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-TJB5G.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-503LG.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-03QJB.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-LOVEP.tmp	setup.tmp
File created	C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-0DM8A.tmp	setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1500	setup.tmp
1500	setup.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1500	setup.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 1500	1208	setup.exe	91
PID 1208 wrote to memory of 1500	1208	setup.exe	91
PID 1208 wrote to memory of 1500	1208	setup.exe	91

C:\Users\Admin\AppData\Local\Temp\adventure Time\setup.exe
"C:\Users\Admin\AppData\Local\Temp\adventure Time\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\is-7CFDT.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-7CFDT.tmp\setup.tmp" /SL5="$E0226,118784,0,C:\Users\Admin\AppData\Local\Temp\adventure Time\setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:1500

C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\executable\AdventureTime.exe
"C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\executable\AdventureTime.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\data\is-65HDS.tmp

Filesize
4B

MD5
f1d3ff8443297732862df21dc4e57262

SHA1
9069ca78e7450a285173431b3e52c5c25299e473

SHA256
df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119

SHA512
ec2d57691d9b2d40182ac565032054b7d784ba96b18bcb5be0bb4e70e3fb041eff582c8af66ee50256539f2181d7f9e53627c0189da7e75a4d5ef10ea93b20b3

Download Submit
C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\executable\AdventureTime.exe

Filesize
7.4MB

MD5
f59b58795e81c0de149f3cbc6a52e682

SHA1
fa716820e5200c7049857c1f556faba12eadab35

SHA256
021c980e49169ef87ec90ed1f75a548344ab8baa15f528f8ae99419d2571b57f

SHA512
a63b8198bc032d638683269dce1a71c4edbffc458beb63275a603b58f9150fb23c28b1216db41158dee5ad007abb279b0049a94ca966b1bc3bd0e7fbd3193d62

Download Submit
C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\executable\AdventureTime.exe

Filesize
7.4MB

MD5
f59b58795e81c0de149f3cbc6a52e682

SHA1
fa716820e5200c7049857c1f556faba12eadab35

SHA256
021c980e49169ef87ec90ed1f75a548344ab8baa15f528f8ae99419d2571b57f

SHA512
a63b8198bc032d638683269dce1a71c4edbffc458beb63275a603b58f9150fb23c28b1216db41158dee5ad007abb279b0049a94ca966b1bc3bd0e7fbd3193d62

Download Submit
C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\executable\AdventureTime.exe

Filesize
7.4MB

MD5
f59b58795e81c0de149f3cbc6a52e682

SHA1
fa716820e5200c7049857c1f556faba12eadab35

SHA256
021c980e49169ef87ec90ed1f75a548344ab8baa15f528f8ae99419d2571b57f

SHA512
a63b8198bc032d638683269dce1a71c4edbffc458beb63275a603b58f9150fb23c28b1216db41158dee5ad007abb279b0049a94ca966b1bc3bd0e7fbd3193d62

Download Submit
C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\executable\fmod_event.dll

Filesize
407KB

MD5
09cc59bb3f17fe183ea551a2dfedaa1d

SHA1
9e1b0569a8adc020c23cc240eee30ea1205515bc

SHA256
de4590b6d4d0480351b1b438fd71cfd73b746bc8dbf24876150290570b1c3d73

SHA512
6d59ca04d9ca4993508fdeb7b11b2878f8f52d2a388e4e399910cb5d6907574d96ec235f85ea990bdfd7354a0d9175c882573c54c6c7a9213103f6b490fe468c

Download Submit
C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\executable\fmod_event.dll

Filesize
407KB

MD5
09cc59bb3f17fe183ea551a2dfedaa1d

SHA1
9e1b0569a8adc020c23cc240eee30ea1205515bc

SHA256
de4590b6d4d0480351b1b438fd71cfd73b746bc8dbf24876150290570b1c3d73

SHA512
6d59ca04d9ca4993508fdeb7b11b2878f8f52d2a388e4e399910cb5d6907574d96ec235f85ea990bdfd7354a0d9175c882573c54c6c7a9213103f6b490fe468c

Download Submit
C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\executable\fmodex.dll

Filesize
1.2MB

MD5
0d128559e37f0dbf8eb8bfe12d34635e

SHA1
e23342abf403129519d6f8b89cdc651cd2706ed7

SHA256
c11a046af3252fa99106f7123280ad01983c5992fa6c1a521c76b1126d7eb81f

SHA512
f74d1348438b319292312099762ec9d5f095c4b4f7f2a79cadd35ef9683be93ee8fb20f908beae615a1ea3371eae5d6c6cdf40c759520cd55460186a408a47e9

Download Submit
C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\executable\fmodex.dll

Filesize
1.2MB

MD5
0d128559e37f0dbf8eb8bfe12d34635e

SHA1
e23342abf403129519d6f8b89cdc651cd2706ed7

SHA256
c11a046af3252fa99106f7123280ad01983c5992fa6c1a521c76b1126d7eb81f

SHA512
f74d1348438b319292312099762ec9d5f095c4b4f7f2a79cadd35ef9683be93ee8fb20f908beae615a1ea3371eae5d6c6cdf40c759520cd55460186a408a47e9

Download Submit
C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\executable\steam_api.dll

Filesize
103KB

MD5
cf096fb00135f5350aa466b3ea3d3b9f

SHA1
b54e2da07cfba56a1c0ecba06412e619a39e10d5

SHA256
61846524e09e81eeed65629cf3d65668773c377efefb236088d366c9068aee63

SHA512
42b49e6cdac134df8626689b5a593d44895d854d89eaee58fd3be2e09d4fc827996ac25d87c6b19afd7a633f78fdefaeaaeb236a4592f1c48f400b778a11da61

Download Submit
C:\Program Files (x86)\Adventure Time Explore the Dungeon Because I DON’T KNOW!\executable\steam_api.dll

Filesize
103KB

MD5
cf096fb00135f5350aa466b3ea3d3b9f

SHA1
b54e2da07cfba56a1c0ecba06412e619a39e10d5

SHA256
61846524e09e81eeed65629cf3d65668773c377efefb236088d366c9068aee63

SHA512
42b49e6cdac134df8626689b5a593d44895d854d89eaee58fd3be2e09d4fc827996ac25d87c6b19afd7a633f78fdefaeaaeb236a4592f1c48f400b778a11da61

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7CFDT.tmp\setup.tmp

Filesize
1.1MB

MD5
63b15124be653dbe589c7981da9d397c

SHA1
af8874bdf2ad726f5420e8132c10becc2bbcd93c

SHA256
61674b90891ca099d5fee62bf063a948a80863530ab6a31e7f9e06f0e5bc7599

SHA512
339b284b5dd7386dcfa86c8fdcf239a0e97cc168229ea9a66fc0c6b26771401fa7f27c2c6a435a836a43ea9c7e634a3e47ec77e0d27985794bbb4416dfc97ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7CFDT.tmp\setup.tmp

Filesize
1.1MB

MD5
63b15124be653dbe589c7981da9d397c

SHA1
af8874bdf2ad726f5420e8132c10becc2bbcd93c

SHA256
61674b90891ca099d5fee62bf063a948a80863530ab6a31e7f9e06f0e5bc7599

SHA512
339b284b5dd7386dcfa86c8fdcf239a0e97cc168229ea9a66fc0c6b26771401fa7f27c2c6a435a836a43ea9c7e634a3e47ec77e0d27985794bbb4416dfc97ac8

Download Submit
memory/1208-1-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1208-915-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1208-12-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1500-7-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1500-14-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1500-914-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/1500-810-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/1500-13-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/1500-32-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download