f88893cf74fecf8cb8a79a76c3ee11cd5e3dd51ea9e68a2f7962df61c33aaace

Resubmissions

15-03-2024 13:46

240315-q28vxsca83 7

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
15-03-2024 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup_SE.exe
Size

5.2MB
MD5

fe6a250db845e9d2b0f1a952327d3c55
SHA1

41514117299e33d043e854a900085b7a6799cbe3
SHA256

f88893cf74fecf8cb8a79a76c3ee11cd5e3dd51ea9e68a2f7962df61c33aaace
SHA512

4e89841a162ea6fe5bd272d3115070ebbaf45896a57fbca9ed71eea9511d5e6abb9f70b3ea16b66d836a2bf13a73af80b97f721b148e4c2067df9b037eb8e68f
SSDEEP

98304:AX9GKVeltUhSPeYg92zL/S9bb6hur3YCjT19VlZfRIQ:SHI3RGC2bb66rHZL

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2220	Setup_SE.tmp
2856	unins000.exe
2992	_iu14D2N.tmp

Loads dropped DLL 9 IoCs

pid	Process
2204	Setup_SE.exe
2220	Setup_SE.tmp
2220	Setup_SE.tmp
2220	Setup_SE.tmp
2220	Setup_SE.tmp
2220	Setup_SE.tmp
2856	unins000.exe
2992	_iu14D2N.tmp
2992	_iu14D2N.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2220	Setup_SE.tmp
2220	Setup_SE.tmp

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2220	Setup_SE.tmp
2220	Setup_SE.tmp
2992	_iu14D2N.tmp

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2220	2204	Setup_SE.exe	28
PID 2204 wrote to memory of 2220	2204	Setup_SE.exe	28
PID 2204 wrote to memory of 2220	2204	Setup_SE.exe	28
PID 2204 wrote to memory of 2220	2204	Setup_SE.exe	28
PID 2204 wrote to memory of 2220	2204	Setup_SE.exe	28
PID 2204 wrote to memory of 2220	2204	Setup_SE.exe	28
PID 2204 wrote to memory of 2220	2204	Setup_SE.exe	28
PID 2220 wrote to memory of 2856	2220	Setup_SE.tmp	30
PID 2220 wrote to memory of 2856	2220	Setup_SE.tmp	30
PID 2220 wrote to memory of 2856	2220	Setup_SE.tmp	30
PID 2220 wrote to memory of 2856	2220	Setup_SE.tmp	30
PID 2220 wrote to memory of 2856	2220	Setup_SE.tmp	30
PID 2220 wrote to memory of 2856	2220	Setup_SE.tmp	30
PID 2220 wrote to memory of 2856	2220	Setup_SE.tmp	30
PID 2856 wrote to memory of 2992	2856	unins000.exe	31
PID 2856 wrote to memory of 2992	2856	unins000.exe	31
PID 2856 wrote to memory of 2992	2856	unins000.exe	31
PID 2856 wrote to memory of 2992	2856	unins000.exe	31
PID 2856 wrote to memory of 2992	2856	unins000.exe	31
PID 2856 wrote to memory of 2992	2856	unins000.exe	31
PID 2856 wrote to memory of 2992	2856	unins000.exe	31

C:\Users\Admin\AppData\Local\Temp\Setup_SE.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_SE.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\is-U6QNK.tmp\Setup_SE.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-U6QNK.tmp\Setup_SE.tmp" /SL5="$4010A,4800482,287232,C:\Users\Admin\AppData\Local\Temp\Setup_SE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2220
- - F:\Games\The Elder Scrolls V - Skyrim\Uninstall\unins000.exe
    "F:\Games\The Elder Scrolls V - Skyrim\Uninstall\unins000.exe" /Silent
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
      "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="F:\Games\The Elder Scrolls V - Skyrim\Uninstall\unins000.exe" /FIRSTPHASEWND=$401F2 /Silent
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-F24S8.tmp\CLS.ini

Filesize
457B

MD5
2196a9e75bb5a097db805af5570ef74a

SHA1
a379d19d05aee7314da4c69ff6a611f5ee621ca2

SHA256
6132b49e9beb704fa6b3dfeb162176a222f9250df55b8a80be0421dfefa1bd10

SHA512
3f321583fd8fde014d64e803d2cdf6e992585448f946e700092487f879f6325ed67e6c098182b1bef99487b2de82e61a74613803cb6975f30362824300b08364

Download Submit
C:\Users\Admin\Documents\My Games\Skyrim Special Edition\Skyrim.ini

Filesize
11B

MD5
ec3584f3db838942ec3669db02dc908e

SHA1
8dceb96874d5c6425ebb81bfee587244c89416da

SHA256
77c7c10b4c860d5ddf4e057e713383e61e9f21bcf0ec4cfbbc16193f2e28f340

SHA512
35253883bb627a49918e7415a6ba6b765c86b516504d03a1f4fd05f80902f352a7a40e2a67a6d1b99a14b9b79dab82f3ac7a67c512ccf6701256c13d0096855e

Download Submit
F:\Games\The Elder Scrolls V - Skyrim\2.ico

Filesize
146KB

MD5
f0b47f005c151ffdf9a7998091ec8006

SHA1
ce56a13460dc2e1dff4521579fb5e85810df62a1

SHA256
e867b0f97f17ed122c55f0d289844c1665b4889a7aedf4eca667cd79b0288b20

SHA512
22d630e9e4f37c250b3fad27f0c7ffa1c1a76afdd75f4f842bfa48ad41fa69abf0ec174841cb4b8595200fe71fb269e41bcc6344a38894ed8ca1b0611bea4d96

Download Submit
F:\Games\The Elder Scrolls V - Skyrim\Skyrim_Default.ini

Filesize
324B

MD5
44b6e5054189d586f74f7ce26ef69530

SHA1
432599eb892411a879ee8bf840bf570af1e229bb

SHA256
548d7f4e018f7e96fe9de18318dcaf343eb258561f8c37d7088a4392390f6107

SHA512
48981397372f4fcc6de9e8072dd2169bd58eec807561e14a542efa06fa484908b27fd6704cc34210192ff2155d4bed798cd52b8e5b3f80aa933c55936d0b4c36

Download Submit
F:\Games\The Elder Scrolls V - Skyrim\Uninstall\unins000.dat

Filesize
91KB

MD5
2e26666a914ca5676c340f2ed11d17e1

SHA1
9328e9400bd78bce5c55de4aa7a244690fb82eed

SHA256
5e1873f990918ac52612a3c9e72055dad72ce4f3aa077c93f38d9b9865e29212

SHA512
ded8bd2b96c53d78ba61bccb5d7e4d508d116cfaf3332605cebcbef8bc2b9cc4bc9b73095e2336c5a1a012353bb86f9865d50ac11f778096436e63edf8205cdf

Download Submit
F:\Games\The Elder Scrolls V - Skyrim\Uninstall\unins000.exe

Filesize
1.6MB

MD5
eb3bc48dbf7d88f3995f8964464974da

SHA1
443d287216be6b56a7410a65729bdd21a0ea9744

SHA256
dd0eb3e9c6cc911dc8c7d396682528578a0af01f23c2458253e4c631078f0c95

SHA512
9f320f7a56a3a74fb51ab144405d55da93b73229996d5320fc85282365fb407cb6e8feed427166df032141bd5209799969bc56480513f1883ae9a899d840f269

Download Submit
\Users\Admin\AppData\Local\Temp\is-F24S8.tmp\ISDone.dll

Filesize
452KB

MD5
4feafa8b5e8cdb349125c8af0ac43974

SHA1
7f17e5e1b088fc73690888b215962fbcd395c9bd

SHA256
bb8a0245dcc5c10a1c7181bad509b65959855009a8105863ef14f2bb5b38ac71

SHA512
d63984ee385b4f1eba8e590d6de4f082fb0121689295ec6e496539209459152465f6db09e6d8f92eec996a89fc40432077cbfa807beb2de7f375154fef6554bc

Download Submit
\Users\Admin\AppData\Local\Temp\is-F24S8.tmp\WinTB.dll

Filesize
3KB

MD5
348f5c9651b979191373eba950d0edc3

SHA1
7c2af0023c6d07bfcee4fe9bb0d82c58c3259b49

SHA256
6922915886745d1b59320dee9a87311aadd57f924ffb73cac1d27573e75bcecc

SHA512
57712ca55e65f66974492ba4e209b8e97bc559978a510e48bac521441d3123aef812cbb71990c5baa0446818a6cda7902d5b9b601af7ffc2c8c9ecae98b15082

Download Submit
\Users\Admin\AppData\Local\Temp\is-F24S8.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-F24S8.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
\Users\Admin\AppData\Local\Temp\is-U6QNK.tmp\Setup_SE.tmp

Filesize
1.6MB

MD5
db8975469c6cb751b5b86da8e4542bdb

SHA1
1864ab79ae9bff8d9eb3d9a4ba1c16348eb6f9fe

SHA256
6adf3b6e6272466729c396f0149ed82061dbeb2b65c0870f8f5f030cc45bee4f

SHA512
a790d6af5040887b0734f2edb2a40a9b51bd7c39765f7d21cc7043046d01f58ebdec48d254fda268d856221ff6bdfd833e9b2b4934b2abac6e9e74083ca482c6

Download Submit
memory/2204-32-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2204-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2204-147-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2220-39-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2220-22-0x0000000003230000-0x00000000032A7000-memory.dmp

Filesize
476KB

Download
memory/2220-37-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2220-77-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2220-78-0x0000000003230000-0x00000000032A7000-memory.dmp

Filesize
476KB

Download
memory/2220-35-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/2220-34-0x0000000003230000-0x00000000032A7000-memory.dmp

Filesize
476KB

Download
memory/2220-7-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2220-146-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2220-33-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2220-41-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2220-16-0x0000000002080000-0x00000000020BC000-memory.dmp

Filesize
240KB

Download
memory/2856-112-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2856-96-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2992-115-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2992-101-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download