7e91f09bc83a25007caf1338e87a39ac6116dde653b2326abf479089eb2d8ed3

Analysis

max time kernel
65s
max time network
71s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
12/12/2023, 15:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

1.5MB
MD5

98fd9df65b347689f7b9b500ccef1e4f
SHA1

c1d7bdbc6616d659364213aef124b71f26ad241c
SHA256

7e91f09bc83a25007caf1338e87a39ac6116dde653b2326abf479089eb2d8ed3
SHA512

fef905ba6e7ce512ee3cdcfd61bb787ad778b752eb4218d16ca5a3d4ab44f25bd364195f83d715b2b29dc6936de8dc3b69b6984d741891329eab54da0ac7331f
SSDEEP

24576:sMjh/JxOSFHdbA5JDtoyHaBIX2GG8kHQBiF3vwQsFwhpZY7Qp1y/PnqTyI:PdOS/oDto4aK7Jro9ovFw+7Q/qqGI

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation	_iu14D2N.tmp

Executes dropped EXE 3 IoCs

pid	Process
3024	setup.tmp
3544	unins000.exe
3556	_iu14D2N.tmp

Loads dropped DLL 6 IoCs

pid	Process
3024	setup.tmp
3024	setup.tmp
3024	setup.tmp
3024	setup.tmp
3024	setup.tmp
3024	setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_iu14D2N.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3024	setup.tmp
3024	setup.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3024	setup.tmp
3556	_iu14D2N.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 3024	4992	setup.exe	87
PID 4992 wrote to memory of 3024	4992	setup.exe	87
PID 4992 wrote to memory of 3024	4992	setup.exe	87
PID 3024 wrote to memory of 3544	3024	setup.tmp	108
PID 3024 wrote to memory of 3544	3024	setup.tmp	108
PID 3024 wrote to memory of 3544	3024	setup.tmp	108
PID 3544 wrote to memory of 3556	3544	unins000.exe	109
PID 3544 wrote to memory of 3556	3544	unins000.exe	109
PID 3544 wrote to memory of 3556	3544	unins000.exe	109

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Local\Temp\is-O67QE.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-O67QE.tmp\setup.tmp" /SL5="$501DC,1047734,152064,C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Lethal Company\unins000.exe
    "C:\Lethal Company\unins000.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3544
  - - C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
      "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Lethal Company\unins000.exe" /FIRSTPHASEWND=$701C4 /VERYSILENT
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Lethal Company\FreeTP.Org.url

Filesize
45B

MD5
69a62507139452e5b5f1826996482a8e

SHA1
3ff9b7aa788ebfcebe743120692944b4eae7e274

SHA256
c7b1e51a4b8c5eccc5bc4f47d1fe0dd3bdff13afb34aed209754d7300025b00c

SHA512
ee2447d7a0c2c86cddfe24b362632a941025064c15d5263616f8499f3eb20d91911751ad3d96c7d8ce7f4b9cda202b4e4925afbf30fc23b57efb8783c5c5c627

Download Submit
C:\Lethal Company\ReadMe - Как играть по сети.url

Filesize
55B

MD5
35ce730f728fc1f32e14384abcf625e5

SHA1
cb9e92dcd4e2ae573fc18ca87204d0cd579cf9fd

SHA256
27a8bb6957b834a5a17f7ca9c8ac49896d0621f4fcee796d838cbb787e58a840

SHA512
f28b07d3bdb95e56bdae312537ebf113c7f741f1ee6fbda3221b3ebb99d2f93b7ac36375556ab7dfaf2e58f0005559937e85adb533e5220c290c1c24506b3337

Download Submit
C:\Lethal Company\favicon.ico

Filesize
15KB

MD5
b32f6c0c2f5f52faa59069d1c17844b3

SHA1
0906b72a709a2070c14ad20d2feb0fac864a830a

SHA256
0344024fa74bd58cabd5083066b79ff2fa9efee380f5c1fb456f07e1c86646c8

SHA512
5d7f26c43dd1f53e38d0127c3468929b8d6ca9bd4555a29bee2c891cfb97c143949a0e5d9763273b24fb71fe40bd91b783c26ad0d7616d4e2c59648f2b9e493c

Download Submit
C:\Lethal Company\unins000.dat

Filesize
53KB

MD5
6277918b0b8c64ed1f0db75ced0d4e76

SHA1
cd43373f7242f3c8194045286382074263d1e047

SHA256
b3a26bb7623886f8fe6734138a4b57c4e07bddb0033548f24e603f927edd8f9b

SHA512
503597f07c7aa1566f5a4f6a7a086d146a3f96cb19f21142b0ba5c220b33b639bf573009a25624214511ffeaac8ccb3188b20f58c8848382a3bad86d4377a308

Download Submit
C:\Lethal Company\unins000.exe

Filesize
1.5MB

MD5
ca457125ee4c32f4a8e2a464f029a83c

SHA1
c32a343142dcc34f8a95343852aaf1a97fd41368

SHA256
c1188f3fd2be52d23d9669cf9dabc56ba3c4e93dc7c6d20ffe07a6ccb3156f69

SHA512
4d6076377ed881c92aa0242892e31c109b5bb60ec5f06a5707d18967b9ed544314a0b228e553fa779025841b1c1fa0029c8fc47b727a72403535d137af399dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-32ESK.tmp\CallbackCtrl.dll

Filesize
4KB

MD5
f07e819ba2e46a897cfabf816d7557b2

SHA1
8d5fd0a741dd3fd84650e40dd3928ae1f15323cc

SHA256
68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d

SHA512
7ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-32ESK.tmp\ISDone.dll

Filesize
446KB

MD5
dce6d68da86f44ba0cb70fa7718e2e84

SHA1
58cd39196abfc70b5b9bcc964f41a21024a61480

SHA256
b9bdc4a0309aa47613a7b5a680c55839aa7ba28e28f96e6b9316d4d5fe1dbe9d

SHA512
bd2f559640b63a46e15a2af90719c10e53e1c30020685163ed6b3bb669197d20d5dd76c7fd1052cf0841e3e1fdbd5a365a4bdb519d2f8fcad9122e77d923e8d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-32ESK.tmp\b2p.dll

Filesize
22KB

MD5
ab35386487b343e3e82dbd2671ff9dab

SHA1
03591d07aea3309b631a7d3a6e20a92653e199b8

SHA256
c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2

SHA512
b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-32ESK.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DVR0T.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O67QE.tmp\setup.tmp

Filesize
1.4MB

MD5
7300211c571951be86be6c6f8cdfc09d

SHA1
5464e16689003406513c7677b3d970f673551d18

SHA256
e77c3184d90f6e7a1276bb8389aba06296be97deb2e8a3433ca9a537538696da

SHA512
9c340edcd63c87565a9de26892d2e83647798583cc942bf608b54e86b8fd36bc2ad64421241b88f0a0682e7c006a5af712e62d3231ca5a81264d8b1a1905ebb4

Download Submit
C:\Users\Admin\Desktop\Lethal Company.lnk

Filesize
1KB

MD5
7dbf902fcc9403bd52eb3b12b171d4c9

SHA1
13c88a18b9bff2ef54b1ae94d880e5c4b8fd8e41

SHA256
57c36acb0c3aedd6219fe9fbdee26d62e48ba518347de870796fb1453c66874f

SHA512
d86cab9bbe388c677e3ade996798102c0297388629b38d59f2bb9f6706e3db0a9bd1544f21b2fcae14fc3de76c7756854e1be030f5d5c1501520ae5f2b4928f2

Download Submit
C:\Users\Admin\Desktop\Игры по сети.lnk

Filesize
1KB

MD5
69f37f61ecbe480f6c13e1e784fcf01e

SHA1
ddde61e13494bea00240e4cb445f034dd7631f4d

SHA256
38358c601f482277a185201b560e0ea96e1aa7f63f8347d714dce975ad19c75e

SHA512
c35e48f290385fbc2ba4a7e68b95ecd92b51af1f921214f77883f31787a8a7249c402b0dd02594acb0278d2879c06a56f9d0f0456532c0c883194f6f0022b60d

Download Submit
memory/3024-41-0x0000000073CA0000-0x0000000073CB1000-memory.dmp

Filesize
68KB

Download
memory/3024-21-0x0000000003370000-0x00000000033E6000-memory.dmp

Filesize
472KB

Download
memory/3024-36-0x0000000003500000-0x0000000003502000-memory.dmp

Filesize
8KB

Download
memory/3024-35-0x0000000003510000-0x000000000351F000-memory.dmp

Filesize
60KB

Download
memory/3024-37-0x00000000065A0000-0x00000000065A1000-memory.dmp

Filesize
4KB

Download
memory/3024-39-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/3024-40-0x0000000003370000-0x00000000033E6000-memory.dmp

Filesize
472KB

Download
memory/3024-108-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/3024-42-0x0000000003510000-0x000000000351F000-memory.dmp

Filesize
60KB

Download
memory/3024-44-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/3024-43-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/3024-54-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/3024-55-0x0000000003370000-0x00000000033E6000-memory.dmp

Filesize
472KB

Download
memory/3024-57-0x0000000003510000-0x000000000351F000-memory.dmp

Filesize
60KB

Download
memory/3024-32-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/3024-5-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/3024-17-0x0000000003370000-0x00000000033E6000-memory.dmp

Filesize
472KB

Download
memory/3024-20-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/3024-29-0x0000000003510000-0x000000000351F000-memory.dmp

Filesize
60KB

Download
memory/3024-34-0x0000000073CA0000-0x0000000073CB1000-memory.dmp

Filesize
68KB

Download
memory/3544-77-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/3544-94-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/3556-82-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/3556-97-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/4992-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4992-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4992-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4992-110-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download