7e93d0ead93a686218b7c671bf099ef42f09f536083bd0b2f0fa6423a39fc19b

Analysis

max time kernel
147s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-03-2024 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RTP100/Setup.exe
Size

571KB
MD5

f3a1050bac829eebf38a553db08c02e1
SHA1

8a6a2a4e825b1b9de88791c03d7404e181fb0241
SHA256

3b178f718655dab3c444857b5e6fd755dc611de72dc229de486b3e06d8548fd2
SHA512

9e52b8e46192f72eb06971ee06bad397304db7714df4fd0b8397e2bd9d23c1aacdb10667ec1dfeb3b03b600875656f2a60e3b8582ccb6e86aefcae4a38a895f7
SSDEEP

12288:Z3Mjhv8888888888888W88888888888H09+kjn3bVNyRvh6QoqJh5+B+98LApiag:dMjhQ09+miWQpJh5n98LAoa58h5j

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2912	Setup.tmp

Loads dropped DLL 3 IoCs

pid	Process
2852	Setup.exe
2912	Setup.tmp
2912	Setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-CPDME.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlers\is-HV2BI.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Parallaxes\is-TEBPK.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\BGM\is-OEBFJ.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-O6B51.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-LJT0F.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-HLS8O.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlers\is-I8HQ1.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Faces\is-Q780R.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\BGS\is-JCAD0.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\ME\is-PK6BN.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Animations\is-2P2KO.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-8FP28.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Animations\is-PKI9C.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Characters\is-GM5DI.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Parallaxes\is-GCLVI.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Fonts\VLGothic\is-CJJCL.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Animations\is-2CE4M.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-8MV79.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-FR37U.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-2G1F6.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Animations\is-BNF5B.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Titles2\is-FMMS8.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Animations\is-24H5L.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlers\is-I1CK7.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-S8CQN.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-CDEPT.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Animations\is-TTC9U.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Animations\is-6A02D.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlebacks1\is-8FJHG.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-7H1R3.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-JAAQN.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Animations\is-2C7TJ.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlebacks1\is-9531K.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Tilesets\is-ELSOM.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-CPA8N.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-PB2TE.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-2P7SP.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Characters\is-BTGUQ.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\System\is-GPE1E.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-SGPQG.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlers\is-17LNM.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Animations\is-90GK5.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Characters\is-MCUG2.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-8SUO8.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-S8BG7.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Parallaxes\is-SDPMM.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Titles1\is-SJMM2.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-HGRM2.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlebacks2\is-8K3UD.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-GA3N6.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Animations\is-QMDF3.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Animations\is-UVQHD.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Animations\is-9UQSO.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlebacks1\is-JT4A9.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Characters\is-2Q4DN.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-BGMJ1.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlebacks2\is-BHE7O.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlers\is-8LNJQ.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Titles1\is-5BCHG.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\BGM\is-ASHKF.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\BGM\is-A37A1.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-M61PK.tmp	Setup.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Animations\is-BNVTK.tmp	Setup.tmp

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1712	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2912	Setup.tmp
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe
1712	taskmgr.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2912	2852	Setup.exe	28
PID 2852 wrote to memory of 2912	2852	Setup.exe	28
PID 2852 wrote to memory of 2912	2852	Setup.exe	28
PID 2852 wrote to memory of 2912	2852	Setup.exe	28
PID 2852 wrote to memory of 2912	2852	Setup.exe	28
PID 2852 wrote to memory of 2912	2852	Setup.exe	28
PID 2852 wrote to memory of 2912	2852	Setup.exe	28

C:\Users\Admin\AppData\Local\Temp\RTP100\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RTP100\Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Temp\is-ACFBT.tmp\Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-ACFBT.tmp\Setup.tmp" /SL5="$40150,140800,0,C:\Users\Admin\AppData\Local\Temp\RTP100\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  PID:2912

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1712

C:\Program Files\Windows Defender\MSASCui.exe
"C:\Program Files\Windows Defender\MSASCui.exe"
1⤵
PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-ACFBT.tmp\Setup.tmp

Filesize
728KB

MD5
c0ca038078c7935ba005b25f745aa894

SHA1
a1ab41b3894eb7ed3adbbee70310ded78bcb6931

SHA256
c5cbb03d06cb0632b154a28c654eb1917f9bce863cf980720241d1117a285f91

SHA512
3d801d74b3eb088be696e52c22e5d664aeb3d22ffb4f83a38aed4de91e968e38b881e4ef5847efe58a82d88b988aa4d9a18f6d2f683a920600962e921cfb3f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ACFBT.tmp\Setup.tmp

Filesize
1.1MB

MD5
394289faec0a43faea574588cb367018

SHA1
b02982a816782c3c16ad5a321dce0a79cab124a2

SHA256
89c8d27247ff86f189ebba01e27c47daa184a04c5f002130f9d336ca80d71202

SHA512
e99977ed9b3ea6607d347fe3e339cff40e70166db6a93443046cb7e0bc2a6f7c598503a55030f7d9ae0e8ede8b706bb4bd682bbdadf215641247b96bae0d09f4

Download Submit
\Users\Admin\AppData\Local\Temp\is-PD725.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1712-1588-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1712-1589-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1712-1590-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2740-1591-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2852-2-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2852-92-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2852-1587-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2852-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2912-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2912-93-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2912-1582-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2912-1583-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2912-1586-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download