2e41aaa2ae216cc9005fb22030d76a9628f7de3b63c569e094a6810054afeef3

Analysis

max time kernel
145s
max time network
144s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/01/2024, 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Buckshot-Roulette-v1.1-Fixed_setup.exe
Size

266.0MB
MD5

090ef0d0fb449abf3d84691e0804388b
SHA1

9ea5e6aa77e3779af0aa12efa2c2363f142bc237
SHA256

2e41aaa2ae216cc9005fb22030d76a9628f7de3b63c569e094a6810054afeef3
SHA512

2d38d67d3b0ad11f424447334120fee71132100fa341c70e166ac62d6970a5340965f6344b51295a4c48122731ecd2decbcc54bf231300dbe2454ee8f552fd23
SSDEEP

6291456:5OhT5Z6w+9NRbObLKbQcEWybDVeoG9FxZSU+uJtgHXZyNohw/6PQz:5OAwSfObeQHdbRG9PwwUHUNQwCS

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1140	Buckshot-Roulette-v1.1-Fixed_setup.tmp
2836	Buckshot Roulette.exe

Loads dropped DLL 7 IoCs

pid	Process
904	Buckshot-Roulette-v1.1-Fixed_setup.exe
1140	Buckshot-Roulette-v1.1-Fixed_setup.tmp
1140	Buckshot-Roulette-v1.1-Fixed_setup.tmp
1140	Buckshot-Roulette-v1.1-Fixed_setup.tmp
1140	Buckshot-Roulette-v1.1-Fixed_setup.tmp
1220	Process not Found
1220	Process not Found

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WrpYGF74DrEm.ini	Buckshot-Roulette-v1.1-Fixed_setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	226	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	201	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	224	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1140	Buckshot-Roulette-v1.1-Fixed_setup.tmp
1140	Buckshot-Roulette-v1.1-Fixed_setup.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1140	Buckshot-Roulette-v1.1-Fixed_setup.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2836	Buckshot Roulette.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 1140	904	Buckshot-Roulette-v1.1-Fixed_setup.exe	36
PID 904 wrote to memory of 1140	904	Buckshot-Roulette-v1.1-Fixed_setup.exe	36
PID 904 wrote to memory of 1140	904	Buckshot-Roulette-v1.1-Fixed_setup.exe	36
PID 904 wrote to memory of 1140	904	Buckshot-Roulette-v1.1-Fixed_setup.exe	36
PID 904 wrote to memory of 1140	904	Buckshot-Roulette-v1.1-Fixed_setup.exe	36
PID 904 wrote to memory of 1140	904	Buckshot-Roulette-v1.1-Fixed_setup.exe	36
PID 904 wrote to memory of 1140	904	Buckshot-Roulette-v1.1-Fixed_setup.exe	36
PID 2812 wrote to memory of 2736	2812	setup.exe	54
PID 2812 wrote to memory of 2736	2812	setup.exe	54
PID 2812 wrote to memory of 2736	2812	setup.exe	54

C:\Users\Admin\AppData\Local\Temp\Buckshot-Roulette-v1.1-Fixed_setup.exe
"C:\Users\Admin\AppData\Local\Temp\Buckshot-Roulette-v1.1-Fixed_setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904
- C:\Users\Admin\AppData\Local\Temp\is-E14BB.tmp\Buckshot-Roulette-v1.1-Fixed_setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-E14BB.tmp\Buckshot-Roulette-v1.1-Fixed_setup.tmp" /SL5="$5018C,277965535,981504,C:\Users\Admin\AppData\Local\Temp\Buckshot-Roulette-v1.1-Fixed_setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:1140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3952 --field-trial-handle=1248,i,16366547989528638412,11524157582344918863,131072 /prefetch:8
1⤵
PID:1096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --mojo-platform-channel-handle=3624 --field-trial-handle=1248,i,16366547989528638412,11524157582344918863,131072 /prefetch:1
1⤵
PID:1412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3644 --field-trial-handle=1248,i,16366547989528638412,11524157582344918863,131072 /prefetch:1
1⤵
PID:760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --mojo-platform-channel-handle=3648 --field-trial-handle=1248,i,16366547989528638412,11524157582344918863,131072 /prefetch:1
1⤵
PID:276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4128 --field-trial-handle=1248,i,16366547989528638412,11524157582344918863,131072 /prefetch:1
1⤵
PID:2552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=2484 --field-trial-handle=1248,i,16366547989528638412,11524157582344918863,131072 /prefetch:1
1⤵
PID:2432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=3828 --field-trial-handle=1248,i,16366547989528638412,11524157582344918863,131072 /prefetch:1
1⤵
PID:2284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=3552 --field-trial-handle=1248,i,16366547989528638412,11524157582344918863,131072 /prefetch:1
1⤵
PID:2600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=3948 --field-trial-handle=1248,i,16366547989528638412,11524157582344918863,131072 /prefetch:1
1⤵
PID:2992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=2472 --field-trial-handle=1248,i,16366547989528638412,11524157582344918863,131072 /prefetch:1
1⤵
PID:2000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3136 --field-trial-handle=1248,i,16366547989528638412,11524157582344918863,131072 /prefetch:8
1⤵
PID:2944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1980 --field-trial-handle=1248,i,16366547989528638412,11524157582344918863,131072 /prefetch:8
1⤵
PID:2300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4304 --field-trial-handle=1248,i,16366547989528638412,11524157582344918863,131072 /prefetch:8
1⤵
PID:2548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=4232 --field-trial-handle=1248,i,16366547989528638412,11524157582344918863,131072 /prefetch:1
1⤵
PID:2676

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
1⤵
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13f897688,0x13f897698,0x13f8976a8
  2⤵
  PID:2736

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2384

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" SYSTEM
1⤵
PID:1740

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2832

C:\Games\Buckshot Roulette v1.1 Fixed\Buckshot Roulette.exe
"C:\Games\Buckshot Roulette v1.1 Fixed\Buckshot Roulette.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Games\Buckshot Roulette v1.1 Fixed\Buckshot Roulette.exe

Filesize
15.8MB

MD5
a3f2bab800587dee10f6e53b3edc80ae

SHA1
303efa3581bb5b118f4e7f3b05253e4f75cd9770

SHA256
8462e911aaf944387fe24ea6d6f2d2c540a89396da044d58154da0abe936d363

SHA512
5fedcf87ee0e0b989f24b70a6e203bccf88ebb0cbe88ced57b30e2097382ab759ad7c38092560e302bcace411c1f3a1a5b28f3ec941fb40b6e367d5ab9441467

Download Submit
C:\Games\Buckshot Roulette v1.1 Fixed\Buckshot Roulette.exe

Filesize
7.9MB

MD5
08de1f9dce868fbbc4af9f2460ed5e3d

SHA1
bfaee7cbdefb8ab288b55a8efbbcfee3d4054f5f

SHA256
4a7cb0455ba813de58eccf36736a383ce21483de2c79dc199cb73be3ad3979bb

SHA512
bd73917a263110b43ebe1b413082db714b30b915da14d53a02b61b0bab07a1c9a722f242e2ffb1f3bad3b721d3ad38fbbf56e043dd517c762ff35f122d63049a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-89G54.tmp\360ts-en.png

Filesize
10KB

MD5
0ceb435954c8c4cc7000d8baf85eef84

SHA1
b6782dbd6bbc8bb662004dd56874d19e164417c5

SHA256
f0a992920b230f70672d7fd8cc8d3064aad516ae5ff6fc0245b39cdc9829945e

SHA512
3d858e367509cb453bbfae2db7990775bbef5a309d0bbf1f35cf170043eac2fa9a46d2358302bb6627118cfbae96737865aa440b151431d9fc6ac56f07087284

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-89G54.tmp\InvisibleButton.png

Filesize
106B

MD5
2a92c5347fd3690183856aa7b5f710f3

SHA1
c810d0425f71afa75e2bb67aeb0311905c66db33

SHA256
fb6c82c72a40910c3e2e488c68f38b701a9e784bde39738f537a224861adc31c

SHA512
3dd281cb9f93af92acf2c9b9faddb8b4dd7007013a3a808ea239f9ff1d4104bd25b253a2cde638632808a2ec2b90d391fa0f164ca89bf792fa38fc9d2fff3f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-89G54.tmp\NextRP.bmp

Filesize
2KB

MD5
10236e50e1b3c07ccfb8c50d8cf14748

SHA1
2307263e906306bca5524d6f72209659cf9e9fe6

SHA256
8a4c1abe773e2e0cbd2746351d583708c7ca6ccf4ac00d5122fa039345d5e615

SHA512
e58ed770c31eec2428b6bd0035efd1e96df02d8ddc70453c457d5cb3cbb533d53f46b6c4fa3df6595dbc749b256ef55a4c9678a15c899c0d8c6cc88ec96083be

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-89G54.tmp\links-logo.bmp

Filesize
2KB

MD5
67703a819b0e504a3b30fd30af44c2bf

SHA1
5b9b927a6c67556af954701ac8eebaf5b7ff856e

SHA256
6038e3cedd880a22708ca4ca53e1ddc09335c956dd0e08fb72a433ea2e44686b

SHA512
2493ff325f34f0ed71d1bd06b7ee043db02fe4251734b53031441e98275dbe769a6cc539618ab260e24caafc0ad524da64f74b5102ca0ac4b071cc0839e0ef3b

Download Submit
\Games\Buckshot Roulette v1.1 Fixed\Buckshot Roulette.exe

Filesize
22.3MB

MD5
9a8ca5655aa03c8ad45d3170b45cf02b

SHA1
c83209f8d2e2c6d57fcec99b232c10805640d6db

SHA256
5eadb776316035c20ef5a0fadb2f99d9c44f35ff928158531fd9b9f69705895b

SHA512
9cfd48ded1c718e7e14d32c4b941ac27ceb1de4768a2269833d261bcec6ae7fdfdf52f70a445352a692aa86dbc2d5a631f3aa27a26ff32034486f60a8ca5d71f

Download Submit
\Games\Buckshot Roulette v1.1 Fixed\Buckshot Roulette.exe

Filesize
9.6MB

MD5
d542c4d26c132ce26344c45b2a3204a4

SHA1
4078552d5b5f810e313ecc3f0dfe663e9bd360c7

SHA256
f505144cf5f23ae4ceae1bc9a070fa90862427eaf48f602fd075b9ec93095468

SHA512
bbb086c8286d8d281629c2ea8c0ea43482b8782aece04a1e6b6ef76dd5f9518ca0893c4e2890782392367a718012f00b386c128c7c37a9dd5347e54e020f2aec

Download Submit
\Users\Admin\AppData\Local\Temp\is-89G54.tmp\CallbackCtrl.dll

Filesize
4KB

MD5
f07e819ba2e46a897cfabf816d7557b2

SHA1
8d5fd0a741dd3fd84650e40dd3928ae1f15323cc

SHA256
68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d

SHA512
7ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af

Download Submit
\Users\Admin\AppData\Local\Temp\is-89G54.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
\Users\Admin\AppData\Local\Temp\is-89G54.tmp\botva2.dll

Filesize
41KB

MD5
ef899fa243c07b7b82b3a45f6ec36771

SHA1
4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

SHA256
da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

SHA512
3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

Download Submit
\Users\Admin\AppData\Local\Temp\is-89G54.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
\Users\Admin\AppData\Local\Temp\is-E14BB.tmp\Buckshot-Roulette-v1.1-Fixed_setup.tmp

Filesize
3.2MB

MD5
93e3220ffb1530831d194f0fdded241e

SHA1
b29e1298733ea25b659524aae711f8425fc10c47

SHA256
2141150df2ef00fab25cee0b7701bf2182e3cc566d8473651d47c61780e41762

SHA512
1e15ae779d034d5424a57c363b15ca17831b8dafd6ac4d6c445e456f88eaa5f49ef9f8214b7b7c37bb0384dc37cd139acc4d4baf9071a010da529b8ab5ef5554

Download Submit
memory/904-158-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/904-1-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/904-9-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/1140-92-0x0000000003440000-0x000000000344F000-memory.dmp

Filesize
60KB

Download
memory/1140-91-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/1140-127-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/1140-128-0x0000000003440000-0x000000000344F000-memory.dmp

Filesize
60KB

Download
memory/1140-131-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/1140-10-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/1140-141-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/1140-157-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/1140-11-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1140-38-0x0000000003440000-0x000000000344F000-memory.dmp

Filesize
60KB

Download
memory/1140-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1140-34-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/2836-163-0x000000013FD40000-0x000000014406E000-memory.dmp

Filesize
67.2MB

Download