8f83ffe5c62c39f0c1bb58a5651f02ad9e57f1e75c860c8dececc0bd6c430d5b

Analysis

max time kernel
100s
max time network
92s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
11/01/2024, 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

38.9MB
MD5

f6e422650e6550f8fb790f5daede5df9
SHA1

9a095c15b281c94bd3e55d660880baa8bbcd9258
SHA256

8f83ffe5c62c39f0c1bb58a5651f02ad9e57f1e75c860c8dececc0bd6c430d5b
SHA512

3c59fd4f88a3cba736e1d294a6e371a6c84d88a4e742cfb31d9686a1bda07ff02ab222e54ab76193c30e7425196d4f1cf6458e3e12f1a0b6612ad094236925a6
SSDEEP

786432:XFuya1no7JdLXWvsP/5TXViq2Ibx/IzUGAFW05uSgu8x5HsZ1SrWLUgjW:XFuBno7JdLmCxDVigdwNMJuSX8kZ1Sr5

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1088	setup.tmp
1428	unins000.exe
4816	_iu14D2N.tmp

Loads dropped DLL 6 IoCs

pid	Process
1088	setup.tmp
1088	setup.tmp
1088	setup.tmp
1088	setup.tmp
1088	setup.tmp
1088	setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	setup.tmp
File opened (read-only)	\??\K:	setup.tmp
File opened (read-only)	\??\N:	setup.tmp
File opened (read-only)	\??\O:	setup.tmp
File opened (read-only)	\??\U:	setup.tmp
File opened (read-only)	\??\E:	setup.tmp
File opened (read-only)	\??\L:	setup.tmp
File opened (read-only)	\??\P:	setup.tmp
File opened (read-only)	\??\R:	setup.tmp
File opened (read-only)	\??\W:	setup.tmp
File opened (read-only)	\??\Z:	setup.tmp
File opened (read-only)	\??\A:	setup.tmp
File opened (read-only)	\??\Q:	setup.tmp
File opened (read-only)	\??\V:	setup.tmp
File opened (read-only)	\??\X:	setup.tmp
File opened (read-only)	\??\Y:	setup.tmp
File opened (read-only)	\??\G:	setup.tmp
File opened (read-only)	\??\H:	setup.tmp
File opened (read-only)	\??\I:	setup.tmp
File opened (read-only)	\??\J:	setup.tmp
File opened (read-only)	\??\M:	setup.tmp
File opened (read-only)	\??\S:	setup.tmp
File opened (read-only)	\??\T:	setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1088	setup.tmp
1088	setup.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1088	setup.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1088	setup.tmp
1088	setup.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 1088	4552	setup.exe	80
PID 4552 wrote to memory of 1088	4552	setup.exe	80
PID 4552 wrote to memory of 1088	4552	setup.exe	80
PID 1088 wrote to memory of 1428	1088	setup.tmp	82
PID 1088 wrote to memory of 1428	1088	setup.tmp	82
PID 1088 wrote to memory of 1428	1088	setup.tmp	82
PID 1428 wrote to memory of 4816	1428	unins000.exe	83
PID 1428 wrote to memory of 4816	1428	unins000.exe	83
PID 1428 wrote to memory of 4816	1428	unins000.exe	83

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Users\Admin\AppData\Local\Temp\is-A4G37.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-A4G37.tmp\setup.tmp" /SL5="$40216,40165843,489472,C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Games\Bully Scholarship Edition\unins000.exe
    "C:\Games\Bully Scholarship Edition\unins000.exe" /VERYSILENT /NODELSAVE
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
      "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Games\Bully Scholarship Edition\unins000.exe" /FIRSTPHASEWND=$700D8 /VERYSILENT /NODELSAVE
      4⤵
      Executes dropped EXE
      PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Games\Bully Scholarship Edition\unins000.dat

Filesize
25KB

MD5
5168410cd16be57f749a9517fd6364a8

SHA1
4f68b129dc88991578e4e57016d75b6af073f87d

SHA256
ea144a24a530021ebc78185f8bea2709316a69c2ff3cb8d97b936657cd6e21ce

SHA512
0a69cc19531ae704b5df7495051ab1aba302937c75039321f1d3b611524b9b56c4c6e59da03da5a9b4b44a6adb4c76226880c5e0c0e8a42b852b72dfa537fa78

Download Submit
C:\Games\Bully Scholarship Edition\unins000.exe

Filesize
182KB

MD5
70f1923b55e2feae68ad26f25b597aab

SHA1
f0faf9ed940bcb4834325b9458dd59587b4ef424

SHA256
b46d5f9d6ec94db1ab0d859d4423260073d5ee3b7052964faf22340ad7791925

SHA512
ee797a55b2faa5f7553997dd3d82a857ac695cf5105a82ce4d9905acb6e641a0550a1fa14b5690fb243f6582c1f07bea825b2f3d5e737704046aec12a2f678ee

Download Submit
C:\Games\Bully Scholarship Edition\unins000.exe

Filesize
162KB

MD5
219f28c88ccc3410f62413230e9a37b0

SHA1
91de652e6129c8e3094839a24732dd35f597a3fc

SHA256
67eb19a0cafc21fd2a3d4405c8f7958e0c467718d994a33c3127d6371b438b25

SHA512
cc1e42252d2184094336c0a4447e8cffd1ee89af515bf6c5e314694802f492fe2de49d9ff596c8e9396835c721ceeb99fe2bc730f5ea852d5b50346d6b8b6d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp

Filesize
55KB

MD5
6b7b22914196213b94e85b9e6733d4b7

SHA1
5a3ce5872fdb06745dc220c62a4b18c45fc1b7d3

SHA256
b66d433f43c86b2a1b5f3e1e1e6180783e8a68996dbaafe6c75da127ed8c24e5

SHA512
98fbd6b232ed0f874131a392a4922fa8a353c2491bd07566c6f8bedb2530f756bcc8d672fa2a80235f6107690176954f4942d9f86a70570ddf81a8ec3b2e4d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp

Filesize
69KB

MD5
ee6bee720149561c9bb55dbadad07960

SHA1
bc19b84298c5365c19c46ab2a6b85e98cd4be2be

SHA256
4ab7b0fee089871f8a88f40ea14626bf2af69bade5cd2da30c0f41aee30053ae

SHA512
198ae8b9d90eb256ea9ec4ff9b19df0dfe174f3962ad320d3387e1e4b5d3879f089f02599a21b75d8b50f70a2d339dfbe5f0d680f819235b5294e4abac91e702

Download Submit
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp

Filesize
153KB

MD5
bd2e9860883df0cfd2827b7683fe58da

SHA1
6f7e3c1d18d2625d7663e049a5660fec30729b1e

SHA256
88c8102fb7048c8329c8662006a132f85126c87f4d98398677c144408eef4818

SHA512
3f2a266dbe264f709aa32dbfefd2e7b5d12b5d1b4942930ad762fc51779acc691a8cfdf19b9bbb7f3da390032fc845b09851baa340ae9749c20b9c21f170160a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A4G37.tmp\setup.tmp

Filesize
1.5MB

MD5
8f81204cf42818df5d22eae7f9832b32

SHA1
78fcb717d45c64ee3639c2d900301862cc36f437

SHA256
107ba41e5baaae4754575dde013265248ea27376c7cd4da4807366efc29880f4

SHA512
f360e571602a61a83151dda4e76c8cf518c990c1cd4f44ca6a176646271ebe0edc5f31e0562feefdbbdfaffb91a03fbfa9635e0ad8c70e8eabf9466f80f2b9cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BPMDF.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SQP6O.tmp\ISDone.dll

Filesize
453KB

MD5
34b88e02562a274b786f3e2a2caa4697

SHA1
8e9b2217a223cb197537bf0d4e288f9152a2609d

SHA256
367e83cd3122c3ea8518bf080ae161d350a63a3eda13ab901997aa72b6217ac8

SHA512
2bdc4c145ee94224a9750fb81b1f7b3a968d525b3e8dad06ad9fbed2bfd4aab54425a0326a3a3e221863dd767a38898027b7912543bd178ef028995bae24deaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SQP6O.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SQP6O.tmp\callbackctrl.dll

Filesize
4KB

MD5
f07e819ba2e46a897cfabf816d7557b2

SHA1
8d5fd0a741dd3fd84650e40dd3928ae1f15323cc

SHA256
68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d

SHA512
7ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SQP6O.tmp\wintb.dll

Filesize
16KB

MD5
9436df49e08c83bad8ddc906478c2041

SHA1
a4fa6bdd2fe146fda2e78fdbab355797f53b7dce

SHA256
1910537aa95684142250ca0c7426a0b5f082e39f6fbdbdba649aecb179541435

SHA512
f9dc6602ab46d709efdaf937dcb8ae517caeb2bb1f06488c937be794fd9ea87f907101ae5c7f394c7656a6059dc18472f4a6747dcc8cc6a1e4f0518f920cc9bf

Download Submit
memory/1088-44-0x0000000002DB0000-0x0000000002E27000-memory.dmp

Filesize
476KB

Download
memory/1088-47-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1088-50-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1088-52-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1088-53-0x0000000002DB0000-0x0000000002E27000-memory.dmp

Filesize
476KB

Download
memory/1088-56-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1088-60-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1088-64-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1088-66-0x000000006B080000-0x000000006B08D000-memory.dmp

Filesize
52KB

Download
memory/1088-84-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1088-85-0x0000000002DB0000-0x0000000002E27000-memory.dmp

Filesize
476KB

Download
memory/1088-86-0x000000006B080000-0x000000006B08D000-memory.dmp

Filesize
52KB

Download
memory/1088-88-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1088-92-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1088-93-0x0000000002DB0000-0x0000000002E27000-memory.dmp

Filesize
476KB

Download
memory/1088-49-0x000000006B080000-0x000000006B08D000-memory.dmp

Filesize
52KB

Download
memory/1088-43-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1088-143-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1088-118-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1088-45-0x000000006B080000-0x000000006B08D000-memory.dmp

Filesize
52KB

Download
memory/1088-119-0x0000000002DB0000-0x0000000002E27000-memory.dmp

Filesize
476KB

Download
memory/1088-120-0x000000006B080000-0x000000006B08D000-memory.dmp

Filesize
52KB

Download
memory/1088-6-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1088-19-0x0000000002DB0000-0x0000000002E27000-memory.dmp

Filesize
476KB

Download
memory/1428-114-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1428-107-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/4552-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4552-0-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4552-144-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4816-117-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4816-111-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download