24b5578098c1de410c64b317710b803c764616f1216f7dad85b1acffb7b9568c

Analysis

max time kernel
91s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

2.0MB
MD5

a1e13d3ec0d3300bf14542c180da4ed3
SHA1

5eb87eda959629a1098155a91fad87c37db29504
SHA256

24b5578098c1de410c64b317710b803c764616f1216f7dad85b1acffb7b9568c
SHA512

9c5b5de2fe31f551a457feba76ca3863065cbff0fda549f2896726fe881f945407678b605b3af6ac973fa2408c63d1dcee71699d990eb031f5bd9d55d45ef316
SSDEEP

49152:48lW/poKxe7XmFxajEXouJDZEup637/bpJa9DjGq:vWhlw2F+9nc637/QjGq

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2940	setup.tmp
2632	unins000.exe
448	_iu14D2N.tmp

Loads dropped DLL 6 IoCs

pid	Process
2940	setup.tmp
2940	setup.tmp
2940	setup.tmp
2940	setup.tmp
2940	setup.tmp
2940	setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2940	setup.tmp
2940	setup.tmp

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2940	setup.tmp
2940	setup.tmp
448	_iu14D2N.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 2940	4508	setup.exe	84
PID 4508 wrote to memory of 2940	4508	setup.exe	84
PID 4508 wrote to memory of 2940	4508	setup.exe	84
PID 2940 wrote to memory of 2632	2940	setup.tmp	93
PID 2940 wrote to memory of 2632	2940	setup.tmp	93
PID 2940 wrote to memory of 2632	2940	setup.tmp	93
PID 2632 wrote to memory of 448	2632	unins000.exe	94
PID 2632 wrote to memory of 448	2632	unins000.exe	94
PID 2632 wrote to memory of 448	2632	unins000.exe	94

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Users\Admin\AppData\Local\Temp\is-75EFF.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-75EFF.tmp\setup.tmp" /SL5="$70118,1442669,489472,C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Games\Medal of Honor Airborne\unins000.exe
    "C:\Games\Medal of Honor Airborne\unins000.exe" /VERYSILENT /NODELSAVE
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
      "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Games\Medal of Honor Airborne\unins000.exe" /FIRSTPHASEWND=$17004C /VERYSILENT /NODELSAVE
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Games\Medal of Honor Airborne\unins000.dat

Filesize
26KB

MD5
794b313abc26e201205ee013f6d9a086

SHA1
d6ea3ceb7e1b10ddd058ff964bbc5e84ba725301

SHA256
1f0e69a93e9ae1591acb10ddb91dcfb56acf6f5219c98f48255bf9767bb61e1f

SHA512
486ca1339abbe9ce0f21d3b98ac103fb21091599afb96d9b846a431a805b8b395102acc70c22a5f33e02a6196c0dd4325633e34be06ba109bb2d9dff8476c0eb

Download Submit
C:\Games\Medal of Honor Airborne\unins000.exe

Filesize
1.1MB

MD5
bf73195ff24eb6fdc160d26319906a22

SHA1
9662cc355b0d8abb5e6f95c96da9ab6fb4bf7c4b

SHA256
8d8150b4f6dee806243fd1b1ce436a7d050638f61c026eb8c2607aa2dcc1d17f

SHA512
0970a7e8b52f1cf11f2c640cb2b78593aebd6e99010187cf3fd4898b1cd18489271489f24ccf79a23a0d22e0e8809473f56c8fe861f975aeff56483f9fe1bd52

Download Submit
C:\Games\Medal of Honor Airborne\unins000.exe

Filesize
870KB

MD5
01353a9744b7d3d241ad68e9f8dd0bc1

SHA1
42275df8d0378e31acce1a22c3975f9d01540867

SHA256
db985ad827eeed4da4c103470b38d58140c0a67790ca3c3a1080e74f3cf8bb01

SHA512
9833330a2246b7370b5517cbc2128784e14f19287ef9cd584295cb5ef8cc57f386d4ef8ab23d5566023e10860803fc4d2be138cd9dffc02c5b12d33df68fcc80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp

Filesize
553KB

MD5
d46161da15d10e7e74327df682e40f7e

SHA1
13d38b71ef357c687f29f1c0c61be2b4284e0a12

SHA256
db0cb8570de2e882e422c505bc613d1d0fe0c14359eac8d6d701fcf04363f21f

SHA512
a31edbe6c2340322ee2393b5f336a88ccdcfcc302428eac472dfb4ccce0aa8f24cc959ae448f473222f324980c4110b7953eb05386c7cd0195990aa60dfa25e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp

Filesize
540KB

MD5
cf630f449fe0cf4f8c147ff033c1369e

SHA1
14b84911d3b2d540bf02a9e6dbd7deb1fdf80bba

SHA256
76fc000c3390bf6e7920c88f31a8dd7a9df034f7a7364dee9d20092cab28aba7

SHA512
de987af783bc3654b0e522197981e289e0081ac14743ba98e44b1986a70a0804774fa331fc8fe47005df6f6febe2df7a7349ecb44e85c3d60facaf38014e03ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp

Filesize
459KB

MD5
964c17a32ff8218ba9758abad27adab8

SHA1
308684b0752189aea568014869021c94e41c6b7e

SHA256
6c9599ee6bffda012f457a52473c65f18ac84e05feaf23630c454003268890cd

SHA512
2861570cec385ec3a7922aeb64b2f219a6981c433eb3a389a6de7486c2e5a834f58a0421b90a5220a311abaa6a786dc29aafc2cde04a9a87fa80b405e862653a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-75EFF.tmp\setup.tmp

Filesize
1.0MB

MD5
08fae7db07e034d51a62ffbf65df6fc5

SHA1
99f394f3af83c78f5e5be3215ed7ad79798c3aad

SHA256
23204fbaa5bc6a2ac790c2d57a2764a0ff76fdd2f1d60167bd6d526dd50d9bb4

SHA512
86fd9099b8eb0c900f3086e5e17f707de354ee72a3c73f08c62fe5ac59630e6b894cfe6f0059c5cdaa762ab8636f6a4e79cdd6f18ccdc6460c811a9a68ebcf4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-75EFF.tmp\setup.tmp

Filesize
1.2MB

MD5
b8eb62ab4b1d4347416611a3e4a93b83

SHA1
7c034b3e915d79c11feb2725fe1646ae53c33beb

SHA256
0a911a13589b0062b8b4dbcb173a808a11cb2b17a0d0d19c89319bb1797a6149

SHA512
3ab9b7596414ea28c094088d92d36587bf00cbfe7c5c2c005c32dd66f96fc4a6a1d70c134c619de183fa076cac66f11a7f018bdedeaa40d037bb3cd2ce350496

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EVH44.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O7APF.tmp\ISDone.dll

Filesize
453KB

MD5
34b88e02562a274b786f3e2a2caa4697

SHA1
8e9b2217a223cb197537bf0d4e288f9152a2609d

SHA256
367e83cd3122c3ea8518bf080ae161d350a63a3eda13ab901997aa72b6217ac8

SHA512
2bdc4c145ee94224a9750fb81b1f7b3a968d525b3e8dad06ad9fbed2bfd4aab54425a0326a3a3e221863dd767a38898027b7912543bd178ef028995bae24deaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O7APF.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O7APF.tmp\callbackctrl.dll

Filesize
4KB

MD5
f07e819ba2e46a897cfabf816d7557b2

SHA1
8d5fd0a741dd3fd84650e40dd3928ae1f15323cc

SHA256
68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d

SHA512
7ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O7APF.tmp\wintb.dll

Filesize
16KB

MD5
9436df49e08c83bad8ddc906478c2041

SHA1
a4fa6bdd2fe146fda2e78fdbab355797f53b7dce

SHA256
1910537aa95684142250ca0c7426a0b5f082e39f6fbdbdba649aecb179541435

SHA512
f9dc6602ab46d709efdaf937dcb8ae517caeb2bb1f06488c937be794fd9ea87f907101ae5c7f394c7656a6059dc18472f4a6747dcc8cc6a1e4f0518f920cc9bf

Download Submit
memory/448-81-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/448-88-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2632-85-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2632-76-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/2940-66-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/2940-91-0x00000000033C0000-0x0000000003437000-memory.dmp

Filesize
476KB

Download
memory/2940-65-0x000000006B080000-0x000000006B08D000-memory.dmp

Filesize
52KB

Download
memory/2940-64-0x00000000033C0000-0x0000000003437000-memory.dmp

Filesize
476KB

Download
memory/2940-63-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2940-27-0x00000000033C0000-0x0000000003437000-memory.dmp

Filesize
476KB

Download
memory/2940-26-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2940-115-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2940-20-0x00000000033C0000-0x0000000003437000-memory.dmp

Filesize
476KB

Download
memory/2940-7-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/2940-92-0x000000006B080000-0x000000006B08D000-memory.dmp

Filesize
52KB

Download
memory/2940-90-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4508-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4508-2-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4508-0-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4508-116-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download