a4483fc2d8cc6f8dc08b9251895bbaa3177e485c6e2318bb1f603694ebecafea

General

Target

Palworld 0.1.3.0 Hotfix to 0.1.4.0.exe
Size

146.0MB
MD5

61ac8392c96af5f5bad9085a16ae52c8
SHA1

69eb81d0796b434d18e8781fac88ca384560a7e3
SHA256

d36f8acca0cdc116dd026dc674091f710f8ddf3a246bf4d1a8e4f69db924c8bb
SHA512

1bdb8245106337c79f51a1708db65822ce1f4ee776fb8cdaf00605e1e107a22b23d11965c98b5bbafa68aed501d2b7cdace83f650ffb19b749d573bf2eaee6f9
SSDEEP

3145728:UojCLiaWvhBPdI6/TE2f0kCjhHDdwV6eRIgNRz6E9zfByir8adJR9YD:CrWDPdNbT0pjhH5wVd7Rz/9lyi9JwD

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4752	Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp

Loads dropped DLL 8 IoCs

pid	Process
4752	Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp
4752	Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp
4752	Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp
4752	Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp
4752	Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp
4752	Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp
4752	Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp
4752	Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4752	Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4880	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4880	AUDIODG.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 4752	1108	Palworld 0.1.3.0 Hotfix to 0.1.4.0.exe	83
PID 1108 wrote to memory of 4752	1108	Palworld 0.1.3.0 Hotfix to 0.1.4.0.exe	83
PID 1108 wrote to memory of 4752	1108	Palworld 0.1.3.0 Hotfix to 0.1.4.0.exe	83

C:\Users\Admin\AppData\Local\Temp\Palworld 0.1.3.0 Hotfix to 0.1.4.0.exe
"C:\Users\Admin\AppData\Local\Temp\Palworld 0.1.3.0 Hotfix to 0.1.4.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\is-GKLQO.tmp\Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GKLQO.tmp\Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp" /SL5="$A0208,152626678,176128,C:\Users\Admin\AppData\Local\Temp\Palworld 0.1.3.0 Hotfix to 0.1.4.0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4752

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c8 0x3f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-GKLQO.tmp\Palworld 0.1.3.0 Hotfix to 0.1.4.0.tmp

Filesize
1.2MB

MD5
5cdd44fdc8fb3fc334357c753483fb79

SHA1
884867ca9a35f2132bd29aad209cf4eb29a79abc

SHA256
648ac396838721a39226ab390bce79ab899092c86a72f268e8bf1a0ca5959696

SHA512
35bdad8f629f2c59f19fbec60e906514a737a84bd3668f9cf17720479e98cdaa4eb7232ed05542b46b6fa06342a7f7431cb9acc94c9128960d2aaecf4fb087eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HDHDV.tmp\BASS.dll

Filesize
109KB

MD5
36946ab0740fa086bfc8b8a86260eee9

SHA1
57e154464dd247f14ec90de065d7be685dcc1293

SHA256
9ac13f9bc5564fd8a1eab5f7c945dce1c27940dd63a913108eac64481ddde6af

SHA512
51a090119c36f19c8b008d52f1faf76ee1d511e151df777c577cf91da84300a8474d7e17004e3f374434b2d16eb1da3cfaee853e47528f9a1f6fb8bab71ed3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HDHDV.tmp\English.ini

Filesize
20KB

MD5
4fb66af3052a25731d1f9c96bd17a654

SHA1
d6c4fcdb1e5bd644365c52445a91075d4278b81a

SHA256
c15e8ce6fe9cbf5ff30d3002619a55774f8c6198678cf6da26c6768f2a56b6fa

SHA512
4e0ad7aece3b227d658bcaf401195803e5acfbed8e44ae2bc810ff862aacc264fc231585a5833ad587c17c30ea76ba9defed4c6108755462643bccaa28d94832

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HDHDV.tmp\crc32c.dll

Filesize
30KB

MD5
bfca8a245fc3a7fe7a3561aaf687cbba

SHA1
1b4dd6544baf59632198f6c00e48f741325abcff

SHA256
f82e3de7d8d9a400e9d54348909a9ffa64a609d1644161ee40f7ae53c79215ff

SHA512
90c924813a59015475717ce7b0271d503a3e3f365f25a62765e16d612c220b29ab7d665575be206758878f4927a420bf186acfc0cad1472ed4c9a12a44fd835c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HDHDV.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HDHDV.tmp\isproc.dll

Filesize
16KB

MD5
4bafb0739c5fcd96be991f2a3cc9ac2f

SHA1
9372b03e4515660f732bf6338c4d7e183a78d2ee

SHA256
7f74f1c445bf5e9456aae6fae695a8ca60e1d0eb5a2f44ac2cf0239a71f1a8a1

SHA512
095946b16020d52beb25b4037775af8bbf6a7f15b56e260a1bf90af5ccadc11cbcb78c80540f087597a2df6bf5d6b2c8358249aed121ef68e96a302a9fb2ec55

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HDHDV.tmp\wintb.dll

Filesize
16KB

MD5
9436df49e08c83bad8ddc906478c2041

SHA1
a4fa6bdd2fe146fda2e78fdbab355797f53b7dce

SHA256
1910537aa95684142250ca0c7426a0b5f082e39f6fbdbdba649aecb179541435

SHA512
f9dc6602ab46d709efdaf937dcb8ae517caeb2bb1f06488c937be794fd9ea87f907101ae5c7f394c7656a6059dc18472f4a6747dcc8cc6a1e4f0518f920cc9bf

Download Submit
memory/1108-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1108-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4752-27-0x00000000025F0000-0x0000000002601000-memory.dmp

Filesize
68KB

Download
memory/4752-19-0x00000000025F0000-0x0000000002608000-memory.dmp

Filesize
96KB

Download
memory/4752-20-0x0000000073D90000-0x0000000073DE0000-memory.dmp

Filesize
320KB

Download
memory/4752-14-0x00000000025D0000-0x00000000025E5000-memory.dmp

Filesize
84KB

Download
memory/4752-5-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/4752-56-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/4752-60-0x0000000002530000-0x000000000253A000-memory.dmp

Filesize
40KB

Download
memory/4752-59-0x00000000025F0000-0x0000000002601000-memory.dmp

Filesize
68KB

Download
memory/4752-58-0x00000000025D0000-0x00000000025E5000-memory.dmp

Filesize
84KB

Download
memory/4752-57-0x000000006B080000-0x000000006B08D000-memory.dmp

Filesize
52KB

Download
memory/4752-67-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/4752-68-0x00000000025F0000-0x0000000002608000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing