07a4c72903c22343938a9f3151b2e5a7f272eba8c3c79c2a36c0b1347473b438

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

2.3MB
MD5

36cb2865742f095aba20bfeb868f8e1f
SHA1

41418696704ac3028e34b5e8bdc8ea7e97800da6
SHA256

07a4c72903c22343938a9f3151b2e5a7f272eba8c3c79c2a36c0b1347473b438
SHA512

5746f34052e28f46471b9c632e731878f9d4076eb1a958acbe3eb2d900f5e56a33214cd4dd0dcd7ae010ee49efff99ae8daf27ca25e2889a5a0a4aa9877c815d
SSDEEP

49152:HqUsn4CcPKJXjvC+cp9w+/KvxQtFPsaXPI0Mrp:KUIxcPAX7C+m/KQtjPI0Ml

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2948	setup.tmp
2456	unins000.exe
2472	_iu14D2N.tmp

Loads dropped DLL 11 IoCs

pid	Process
1720	setup.exe
2948	setup.tmp
2948	setup.tmp
2948	setup.tmp
2948	setup.tmp
2948	setup.tmp
2948	setup.tmp
2948	setup.tmp
2456	unins000.exe
2472	_iu14D2N.tmp
2472	_iu14D2N.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2948	setup.tmp
2948	setup.tmp

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2948	setup.tmp
2948	setup.tmp
2472	_iu14D2N.tmp

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2948	1720	setup.exe	28
PID 1720 wrote to memory of 2948	1720	setup.exe	28
PID 1720 wrote to memory of 2948	1720	setup.exe	28
PID 1720 wrote to memory of 2948	1720	setup.exe	28
PID 1720 wrote to memory of 2948	1720	setup.exe	28
PID 1720 wrote to memory of 2948	1720	setup.exe	28
PID 1720 wrote to memory of 2948	1720	setup.exe	28
PID 2948 wrote to memory of 2456	2948	setup.tmp	29
PID 2948 wrote to memory of 2456	2948	setup.tmp	29
PID 2948 wrote to memory of 2456	2948	setup.tmp	29
PID 2948 wrote to memory of 2456	2948	setup.tmp	29
PID 2948 wrote to memory of 2456	2948	setup.tmp	29
PID 2948 wrote to memory of 2456	2948	setup.tmp	29
PID 2948 wrote to memory of 2456	2948	setup.tmp	29
PID 2456 wrote to memory of 2472	2456	unins000.exe	30
PID 2456 wrote to memory of 2472	2456	unins000.exe	30
PID 2456 wrote to memory of 2472	2456	unins000.exe	30
PID 2456 wrote to memory of 2472	2456	unins000.exe	30
PID 2456 wrote to memory of 2472	2456	unins000.exe	30
PID 2456 wrote to memory of 2472	2456	unins000.exe	30
PID 2456 wrote to memory of 2472	2456	unins000.exe	30

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\is-34KFO.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-34KFO.tmp\setup.tmp" /SL5="$500F8,1797722,677376,C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Games\House Party\unins000.exe
    "C:\Games\House Party\unins000.exe" /VERYSILENT /NODELSAVE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
      "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Games\House Party\unins000.exe" /FIRSTPHASEWND=$301FA /VERYSILENT /NODELSAVE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Games\House Party\unins000.dat

Filesize
23KB

MD5
9e5ccdb6019ea6df87b4eecb88d7ef23

SHA1
fcee46e31621cf2dc9ffe628687adcec506bb29e

SHA256
76265bc335972e54421819a8068f79d0922d3fb767e145a2702aefc1f8f56ae1

SHA512
9ea0dff7700fece6439ae2f19814e75bf11da2b01bbaae0c7cb1110d59aa2c4610f58c9c959af9f13aac93b53f31775e241e599217ba5327df83d57832d01eb6

Download Submit
C:\Games\House Party\unins000.exe

Filesize
909KB

MD5
c307fb46bbbdf5d5093cbaffbac4c584

SHA1
927aa80c3090dab175968c355111ca78ea47c35f

SHA256
85f81bb0834a57c3ca8b160e11fb21479ee78181e2ad7d0922b2ee3bb38c46d1

SHA512
7f563d720ec992ef3171bdc16d75d883f4e63bc3db4b050b21bef0f2927ea717d7351e7ae7e6e6c458457e0fd0ee283553d066057af96834045b5549e6ea1e6d

Download Submit
C:\Games\House Party\unins000.exe

Filesize
849KB

MD5
9d70303c6e78be1cbcdba846c3252696

SHA1
c27de5531da0645f46289096fcb6fdc6c844e449

SHA256
49f9c5c9ec63d2d4e4e22008a57bf69353c8dae971320858e23796bbba4ab0a8

SHA512
7a5667a136661daa28a78634e210ed21c908ba2072bfd0c5139080e6b8aed596e22fd113a2c53920d899bb7eb0197b4daba04c5db57f22dfff90b8756a2c1997

Download Submit
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp

Filesize
964KB

MD5
e1767f72b1d900700e7ad349702a2070

SHA1
177581af1c1c5578e296565e88632e396e4df03a

SHA256
2fc060e1542e1d9314c8ee5052f83f703f1aba7ee9dd15c44f1a6ee7b44dc36f

SHA512
36bcdc520014c841d99c079fa4de064aa2623b12b2b6fb891ff69758b8f6986f7ca780c3384f9d1780c713d66022660cc334ce872b73ed362a1f3b07fb7be343

Download Submit
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp

Filesize
788KB

MD5
48718aa6a207757d729884b8937f2cd8

SHA1
536a06d7cd025349331acf16cdb91d7c37135e3e

SHA256
29ed81d2a4e1db89b5768c33dff810aa2ae71700fafe9b58abc1cdc13e3cb9be

SHA512
edac852a680547759c5316b8c1f2105d99768f52fd137f603c7810a5fc24038bee4a782f7333300df4eae8919bfe2fb1102622aa0feecbb3a875d4d3620c6b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp

Filesize
779KB

MD5
111c146ac299a1dcf2b61b54e996a3fa

SHA1
7c1105d05586ce484c7178a564bde43aa891ada0

SHA256
7ade198fcacf06fda29957e31d393572ac0d2017af37e24d3e9122b08b27f228

SHA512
650b6e916593e5b8f5b4b43432281f02ecbd689438a7c66535d62e678dedb606bf58df7d6b4e55d72daf7242d2b7f84123e96db6f3735f8a4904c6cd31acbf1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-34KFO.tmp\setup.tmp

Filesize
1.7MB

MD5
396948c5280f871a33884f67cae59080

SHA1
1719c7a22cf994970cb3e1af1d0be60223a2393a

SHA256
7c5620b745d52b426c2caa9ca2f2058a88ef0a5c1316b7eb0f9e32d102dac63b

SHA512
ac8f81aafdd92bb9871c3f056f31fb84481d04debd8b74e7d06a7f57e519bfa60b30b17ef4ba3cbb75b6e74f8863cc63c300611b9a35ca74ceb547b69c0b4fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-34KFO.tmp\setup.tmp

Filesize
422KB

MD5
7ed493fb1a39207bcfba16e7919ea5dc

SHA1
58e5d05384debdf41046f12fc5af7f0fdb04e5ed

SHA256
ad0cc73b0bffaa0adeb4ae91484b9f3a0a23d6dd05a8fc9953990403b9e72ec1

SHA512
f4c16add919539266a39e76b2ce1bf8f01c95e9b45e33bace2825e7942bd26e0797005d13026d7a37bd5ee3e7eef0b88f1dff416cdcd8623e43f1a6db0814677

Download Submit
\Games\House Party\unins000.exe

Filesize
960KB

MD5
5bb6b645f9146e9bf1eb9ea4d68b1fda

SHA1
1dfe381ef3c139e7efc7a0b53323f2acc7fb9fa5

SHA256
20faec88d4a32511a9d751d5c57bad39acc21f835c99c343ac1d325c9d9b89d7

SHA512
59b066f59f671e265e7986a65aa9d357184b65ccbf3a6e0cf49b56f41f2737fc5d0fc7765fde93b75a8a0a38d637998cbf52da4cafdb6d578c0ffaea2e5c3ae6

Download Submit
\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp

Filesize
844KB

MD5
9a673e99a53be1befdc5b09baf9a085c

SHA1
88a0d1b8bdf4c4076087d0c0230940050405ddd1

SHA256
531e4c0e0dd85094f5b4efcc81fceff79374b39b2ef074573fe5026394c9c7e5

SHA512
c362a31569833f4a17dab1964ceff236c3082828871a88a35eb26aeb474b0e113c6e8d0ae4bc5c2a88f12e0abf1144a7756cc849b277ae68842993f66f3f3026

Download Submit
\Users\Admin\AppData\Local\Temp\is-34KFO.tmp\setup.tmp

Filesize
706KB

MD5
8a192add7107b987d6126ed7ce7d7931

SHA1
500df86ff142a0c72a143db3a16264c409a35264

SHA256
ff1ab9d6640289d0ed872ee3edaca5801893e3180ccfa86ff5b797734a796217

SHA512
67ce080caa44b9f91ce16725c1cc477ea2030dc4ac2ca69c9a14393bfd1b0004a5f818e7ef25045e41cdee4a62a2183b01298be9ad6523bc955988da0ebf57ee

Download Submit
\Users\Admin\AppData\Local\Temp\is-ECS0K.tmp\ISDone.dll

Filesize
452KB

MD5
4feafa8b5e8cdb349125c8af0ac43974

SHA1
7f17e5e1b088fc73690888b215962fbcd395c9bd

SHA256
bb8a0245dcc5c10a1c7181bad509b65959855009a8105863ef14f2bb5b38ac71

SHA512
d63984ee385b4f1eba8e590d6de4f082fb0121689295ec6e496539209459152465f6db09e6d8f92eec996a89fc40432077cbfa807beb2de7f375154fef6554bc

Download Submit
\Users\Admin\AppData\Local\Temp\is-ECS0K.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-ECS0K.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-ECS0K.tmp\callbackctrl.dll

Filesize
4KB

MD5
f07e819ba2e46a897cfabf816d7557b2

SHA1
8d5fd0a741dd3fd84650e40dd3928ae1f15323cc

SHA256
68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d

SHA512
7ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af

Download Submit
\Users\Admin\AppData\Local\Temp\is-ECS0K.tmp\wintb.dll

Filesize
16KB

MD5
9436df49e08c83bad8ddc906478c2041

SHA1
a4fa6bdd2fe146fda2e78fdbab355797f53b7dce

SHA256
1910537aa95684142250ca0c7426a0b5f082e39f6fbdbdba649aecb179541435

SHA512
f9dc6602ab46d709efdaf937dcb8ae517caeb2bb1f06488c937be794fd9ea87f907101ae5c7f394c7656a6059dc18472f4a6747dcc8cc6a1e4f0518f920cc9bf

Download Submit
memory/1720-109-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1720-36-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1720-1-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2456-81-0x0000000000400000-0x00000000005B3000-memory.dmp

Filesize
1.7MB

Download
memory/2456-68-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2472-84-0x0000000000400000-0x00000000005B3000-memory.dmp

Filesize
1.7MB

Download
memory/2472-76-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2948-38-0x0000000002070000-0x00000000020E7000-memory.dmp

Filesize
476KB

Download
memory/2948-8-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2948-20-0x0000000002070000-0x00000000020E7000-memory.dmp

Filesize
476KB

Download
memory/2948-39-0x000000006B080000-0x000000006B08D000-memory.dmp

Filesize
52KB

Download
memory/2948-108-0x0000000000400000-0x00000000005B3000-memory.dmp

Filesize
1.7MB

Download
memory/2948-37-0x0000000000400000-0x00000000005B3000-memory.dmp

Filesize
1.7MB

Download