7cea668e88130102c3bfbb870ef5c624fda3339a98b02402983c761d1397c0b9

Analysis

max time kernel
139s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-02-2024 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hamsterballsetup.exe
Size

6.5MB
MD5

a52c341f23be100b9f5029711093e8cf
SHA1

d9318c917c71e119c1505521dea88833a61905c6
SHA256

7cea668e88130102c3bfbb870ef5c624fda3339a98b02402983c761d1397c0b9
SHA512

dcaf10f8985b0f81d27c93831a58297b7232f77e57ef0040805aaf7ec159fad979e2f1a619ff6df0a500158e998ad2e9f76eadea9c3dedd14111a96e70855e74
SSDEEP

196608:oxBMD4dMv8L8MQLVfu7XTzw5lZXQ8EGyn5Iqwqz:oxKD4dL8MQs7XTzw5laBGynSE

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1012	Hamsterball.exe

Loads dropped DLL 13 IoCs

pid	Process
2312	hamsterballsetup.exe
2312	hamsterballsetup.exe
2312	hamsterballsetup.exe
2312	hamsterballsetup.exe
2312	hamsterballsetup.exe
1012	Hamsterball.exe
1012	Hamsterball.exe
1012	Hamsterball.exe
1012	Hamsterball.exe
940	WerFault.exe
940	WerFault.exe
940	WerFault.exe
940	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	\??\c:\program files\raptisoft\Hamsterball\Textures\gold-Icon.png	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Textures\orangebrick.png	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Textures\tourney-tower.png	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Meshes\Mouse.MESH	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Sounds\bubble1.ogg	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Textures\silver-icon.png	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Textures\ToobCurvedArrow.png	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Meshes\8Ball.MESH	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Fonts\ShowcardGothic72\Data1.png	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Textures\BlueChecker.bmp	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Sounds\SpeedCylinder.ogg	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Textures\ArrowCurve1-Mip3.png	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Meshes\Sawblade.MESH	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Textures\brightgreenbrick.png	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Levels\PopupSign.MESHWORLD	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Sounds\Vac-o-sux.ogg	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Textures\BlueBlot2.png	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Textures\OrangeCheckerFlag.png	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Levels\Level9-TrapDoor.MESHWORLD	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Fonts\ShowcardGothic14\Data0.png	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Textures\TitleText-Left.png	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Textures\Dizzies.png	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Levels\Level7-Wobbly6.MESHWORLD	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Textures\ArrowCurve1-Mip1.png	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Textures\Burst.png	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Textures\Burst.png	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Textures\Dust-Mip1.png	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Textures\TarSplotch.png	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Textures\Arrow2-Mip4.png	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Textures\Arrow2-Mip4.png	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Meshes\Hamster.MESH	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Textures\GreenChecker.bmp	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Textures\Practice-Level9.png	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Levels\Level7-Wobbly4.MESHWORLD	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Sounds\popup.ogg	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Textures\Silver-Small.png	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Textures\BrightGreenChecker.bmp	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Textures\Hamster-Mip3.jpg	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Textures\WhiteCheckerFlag.png	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Sounds\DawgSmash.ogg	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Textures\sawface2.png	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Textures\YellowRing.png	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Textures\FunBall.png	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Levels\Level10.MESHWORLD	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Levels\Level4.MESHWORLD	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Sounds\Whistle.ogg	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Textures\Unlock.png	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Textures\Tourney-Wobbly.png	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\RaceData.xml	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Textures\Arrow3-Mip1.png	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Textures\BallBurner.png	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Textures\goal-round.png	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Textures\HamsterBall-Mip1.png	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Sounds\ting.ogg	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Sounds\Collide.ogg	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Sounds\Grow.ogg	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Sounds\BallBreakSmall.ogg	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Textures\Arrow3-Mip1.png	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Textures\Glare.png	hamsterballsetup.exe
File created	\??\c:\program files\raptisoft\Hamsterball\Textures\Practice-Level2.png	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Textures\Ranks\15.jpg	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Levels\Level4-Trapdoor2.MESHWORLD	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Sounds\BallBreakSmall.ogg	hamsterballsetup.exe
File opened for modification	\??\c:\program files\raptisoft\Hamsterball\Textures\RedChecker.bmp	hamsterballsetup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rsoftinfo.dat	hamsterballsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
940	1012	WerFault.exe	30

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\orig_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.orig	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\orig_auto_file\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\orig_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.orig\ = "orig_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\orig_auto_file\shell\edit	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\orig_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\orig_auto_file\shell\edit\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\orig_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\orig_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\orig_auto_file\shell\open	rundll32.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3032	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2312	hamsterballsetup.exe
2312	hamsterballsetup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2136	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1012	Hamsterball.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1012	Hamsterball.exe
1012	Hamsterball.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 1012	2312	hamsterballsetup.exe	30
PID 2312 wrote to memory of 1012	2312	hamsterballsetup.exe	30
PID 2312 wrote to memory of 1012	2312	hamsterballsetup.exe	30
PID 2312 wrote to memory of 1012	2312	hamsterballsetup.exe	30
PID 2312 wrote to memory of 1012	2312	hamsterballsetup.exe	30
PID 2312 wrote to memory of 1012	2312	hamsterballsetup.exe	30
PID 2312 wrote to memory of 1012	2312	hamsterballsetup.exe	30
PID 1012 wrote to memory of 940	1012	Hamsterball.exe	31
PID 1012 wrote to memory of 940	1012	Hamsterball.exe	31
PID 1012 wrote to memory of 940	1012	Hamsterball.exe	31
PID 1012 wrote to memory of 940	1012	Hamsterball.exe	31
PID 1012 wrote to memory of 940	1012	Hamsterball.exe	31
PID 1012 wrote to memory of 940	1012	Hamsterball.exe	31
PID 1012 wrote to memory of 940	1012	Hamsterball.exe	31
PID 2136 wrote to memory of 3032	2136	rundll32.exe	41
PID 2136 wrote to memory of 3032	2136	rundll32.exe	41
PID 2136 wrote to memory of 3032	2136	rundll32.exe	41

C:\Users\Admin\AppData\Local\Temp\hamsterballsetup.exe
"C:\Users\Admin\AppData\Local\Temp\hamsterballsetup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2312
- C:\program files\raptisoft\Hamsterball\Hamsterball.exe
  "C:\program files\raptisoft\Hamsterball\Hamsterball.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 744
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:940

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2452

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\196451693\zmstage.exe.orig
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\196451693\zmstage.exe.orig
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\raptisoft\Hamsterball\DATA\HS.CFG

Filesize
1KB

MD5
7095258d70dd813649b966882de290c1

SHA1
1af7ab63c03c05500660eb324970880a15f8f01e

SHA256
ac6bfd4fc92bc79ef2ac2d4d8c7062b7fc2a717fe74726d990b3231dbe7dcd34

SHA512
f8523ef0c67697bb1af86b7aeefbbc1fc35717eb60ae960d0dc79fae1fbfe29a5f54f7fb58506d6c597309765ad9b639390667ef0918506a795121b97297c2cf

Download Submit
C:\Program Files\raptisoft\Hamsterball\Meshes\DawgShoe2.MESH

Filesize
10KB

MD5
1a5fccfc479e1080e5dcbe59b2edcd3a

SHA1
4ca6539f6034fc30917c700d8c293c8476454e0c

SHA256
fd7f81dc99504dd9579e6096c158c3526a34d4e125665c4e5cb4e35d6fe38b7f

SHA512
37758b3015492497cb58f6445f91dec7cb99f386d99e1a2d00ede744b79560e12ff07b16c91973bc93a724de416f588e421dd6c28cfb6ad5eebd9a6f5bdcd2dc

Download Submit
C:\Program Files\raptisoft\Hamsterball\Readme.txt

Filesize
21KB

MD5
8695c9b16cfcc3991b7738b09cc07c5b

SHA1
a2270fda5ba52445cf9e87a6558250fe4dcd2d70

SHA256
ad67cec9eba76af34baa36e8e11fe8a8ae8bb398d3955b16a9162ae32a95d7c5

SHA512
50fd49660c6486ec98c7306feba0b8afacf78a71c653d95d0c9c5ff2f2ac190d6d14198f7a5d3ac340d50cf0174fc4b46c6a507d0128ebab22418dd278dc33a1

Download Submit
C:\Program Files\raptisoft\Hamsterball\license.txt

Filesize
7KB

MD5
4a46e570251c70cdb18443afe4f93933

SHA1
772f38d7969975b1b7a4bcee9ac40273f8bf1d62

SHA256
dbcea76997bb9f7e0d6140980b972db90e5915c445e22f51b5cb5d14d8a60960

SHA512
ab110b476ca2689b93e470f685641894c72d1b5568595367d8e82246e11eaf4168b9361f3bf50d537ad790f772d27ab5030dc3f10384cc67ae9045bfe3639f38

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Raptisoft\Hamsterball\Visit Raptisoft.com.url

Filesize
114B

MD5
fb6e22c9e435a0df5e8ecdaedc6fad6e

SHA1
fe236c47e88f31441733e0ae54aa94e2c7737371

SHA256
d1ddf20d210e27b135fb149e77ffe27fc19dbbab7c937b347a5fe62a0a40a692

SHA512
0630dcd29e4ec399977ca03deaebf4181865b76958263c2c2c480739fff590234297aaad613145fa5f127d121b9abecbd1bddc4158bd28ec5143d985d93931ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\popcfg2\files.cab

Filesize
378KB

MD5
5568b70fc5f84b2ac5e3c8daf67f2c36

SHA1
152d17d9a7edc89fe084b5114d9162f810e97cef

SHA256
1362a4da81516ac86f39481be59d8e3052e1e1d3179e58dc09afedd6be4ddd20

SHA512
5a4c396ada69ee2e82a0924b8c611010b0ce986c415621209cc43b99bbdf961497d4d9ed69f1592ddddd6481bbb38be1ee67c192d6dd123dc6b87f042cc003a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\popcfg2\props.xml

Filesize
3KB

MD5
7c29b81983a9f366acf3988807e54a06

SHA1
b3f227f90138f43616a548d217a0797349e864e0

SHA256
88f75ce0b3f5db1e19f2e54fb4f6c530fc0bb910944ac51b61cd06904b0fc455

SHA512
727fb740b57ac99952e93aedda7e3f936517f8d96ccac31976db674bee2a27c0248643cc5beab0c6e464d82b33431da8462b81f4ccf0dfa2fef977d4b738688f

Download Submit
\Program Files\raptisoft\Hamsterball\Hamsterball.exe

Filesize
1.2MB

MD5
fae6479e1fe64af57c3c9f9923df7d11

SHA1
b9ac84bcf650814f3773484e9f1475cbf3dcf3d1

SHA256
6ec5ee7fa29fa5957965cfb3019231711963b0f62dc1b6c2b48e658afef71e79

SHA512
193c61b00e5563a9214b6f887813bc188c19007a36a2f7e3dd23027b1b7b486cb38b402b7980e4139afdf03d62c295a6c398000ce482302844dc430ff60c5707

Download Submit
\Program Files\raptisoft\Hamsterball\Hamsterball.exe

Filesize
1.3MB

MD5
2b9fb97e043f60844fa00b741e498ede

SHA1
b38a4c6baaecd9f916a62652321db0c8f2ac6819

SHA256
a6ed22916bdd144b3334550b66af82dd344081332d67afdd2e9ba2f43e738516

SHA512
734659dd7950c19f01437aca63afeaf852849976a6acb12d042f2e8e420f035488a80444c10e8600066c3bc667f7ef7c4f2a70b47f25277481e1964314dec93b

Download Submit
\Program Files\raptisoft\Hamsterball\Hamsterball.exe

Filesize
185KB

MD5
cc4e71fbf055f21208efb2808e837e06

SHA1
c4af16bac748caecda5e54873ce4e3cf9eba0f0a

SHA256
12cdb4a5d219a0303769e42f22b5f8ddc5402f9d1edfcc7d112ca7d39fd2048f

SHA512
fb7e1b410253fed31ef17d2373a1608bc0b3ba3dd39b14dafd364f3d28204fd40bb556c2b7fa51e3c1da8f0f35a4e4d90f0aa90db5951d4b5d87d14d8e1f6291

Download Submit
\Program Files\raptisoft\Hamsterball\PopUninstall.exe

Filesize
140KB

MD5
151a07ad1b9dee1aade94b77869e1bda

SHA1
ea6fb603a0b433f6933c0a9bd3177fad8edab27d

SHA256
e68fc6c19bc605b8a932674fd85edb7b06f80316295f6d8e13da6b92cf2264c5

SHA512
0a1c6d49c07b566d51ebd0bb0e33134801059ee263a59c5e9c79215de73cf8d5687195d4107e2091b17d21397fe5e8c43779a97d5604332a6d513aa3413c03e1

Download Submit
\Program Files\raptisoft\Hamsterball\bass.dll

Filesize
106KB

MD5
99c2d4bce27b70a26b9c6f68691f6777

SHA1
82386b2d2668175e9e61aeff4908a30352ced716

SHA256
d0d43cbde1edea42062afd34ecfcd1a3632417d92e69cb72d6a37afce145497c

SHA512
8e8523cf7b6ae04fbd48063160fe73d5b55c985000dda3ab6690d6539c9f6657583f77a90861750b3d89c7f50b1b751c4a7f5aeed7424f7ad4534cd707acaaf0

Download Submit
memory/1012-1267-0x0000000010000000-0x0000000010054000-memory.dmp

Filesize
336KB

Download
memory/1012-1272-0x0000000010000000-0x0000000010054000-memory.dmp

Filesize
336KB

Download
memory/1012-1278-0x0000000010000000-0x0000000010054000-memory.dmp

Filesize
336KB

Download
memory/1012-1279-0x0000000010000000-0x0000000010054000-memory.dmp

Filesize
336KB

Download