f88893cf74fecf8cb8a79a76c3ee11cd5e3dd51ea9e68a2f7962df61c33aaace

Resubmissions

15-03-2024 13:46

240315-q28vxsca83 7

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup_SE.exe
Size

5.2MB
MD5

fe6a250db845e9d2b0f1a952327d3c55
SHA1

41514117299e33d043e854a900085b7a6799cbe3
SHA256

f88893cf74fecf8cb8a79a76c3ee11cd5e3dd51ea9e68a2f7962df61c33aaace
SHA512

4e89841a162ea6fe5bd272d3115070ebbaf45896a57fbca9ed71eea9511d5e6abb9f70b3ea16b66d836a2bf13a73af80b97f721b148e4c2067df9b037eb8e68f
SSDEEP

98304:AX9GKVeltUhSPeYg92zL/S9bb6hur3YCjT19VlZfRIQ:SHI3RGC2bb66rHZL

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2508	Setup_SE.tmp
744	unins000.exe
3996	_iu14D2N.tmp

Loads dropped DLL 6 IoCs

pid	Process
2508	Setup_SE.tmp
2508	Setup_SE.tmp
2508	Setup_SE.tmp
2508	Setup_SE.tmp
2508	Setup_SE.tmp
2508	Setup_SE.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2508	Setup_SE.tmp
2508	Setup_SE.tmp

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2508	Setup_SE.tmp
2508	Setup_SE.tmp
3996	_iu14D2N.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2508	2640	Setup_SE.exe	89
PID 2640 wrote to memory of 2508	2640	Setup_SE.exe	89
PID 2640 wrote to memory of 2508	2640	Setup_SE.exe	89
PID 2508 wrote to memory of 744	2508	Setup_SE.tmp	106
PID 2508 wrote to memory of 744	2508	Setup_SE.tmp	106
PID 2508 wrote to memory of 744	2508	Setup_SE.tmp	106
PID 744 wrote to memory of 3996	744	unins000.exe	107
PID 744 wrote to memory of 3996	744	unins000.exe	107
PID 744 wrote to memory of 3996	744	unins000.exe	107

C:\Users\Admin\AppData\Local\Temp\Setup_SE.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_SE.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\is-A7AEQ.tmp\Setup_SE.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-A7AEQ.tmp\Setup_SE.tmp" /SL5="$401C8,4800482,287232,C:\Users\Admin\AppData\Local\Temp\Setup_SE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2508
- - F:\Games\The Elder Scrolls V - Skyrim\Uninstall\unins000.exe
    "F:\Games\The Elder Scrolls V - Skyrim\Uninstall\unins000.exe" /Silent
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:744
  - - C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
      "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="F:\Games\The Elder Scrolls V - Skyrim\Uninstall\unins000.exe" /FIRSTPHASEWND=$901F4 /Silent
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp

Filesize
1.6MB

MD5
eb3bc48dbf7d88f3995f8964464974da

SHA1
443d287216be6b56a7410a65729bdd21a0ea9744

SHA256
dd0eb3e9c6cc911dc8c7d396682528578a0af01f23c2458253e4c631078f0c95

SHA512
9f320f7a56a3a74fb51ab144405d55da93b73229996d5320fc85282365fb407cb6e8feed427166df032141bd5209799969bc56480513f1883ae9a899d840f269

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6PBAL.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A7AEQ.tmp\Setup_SE.tmp

Filesize
1.6MB

MD5
db8975469c6cb751b5b86da8e4542bdb

SHA1
1864ab79ae9bff8d9eb3d9a4ba1c16348eb6f9fe

SHA256
6adf3b6e6272466729c396f0149ed82061dbeb2b65c0870f8f5f030cc45bee4f

SHA512
a790d6af5040887b0734f2edb2a40a9b51bd7c39765f7d21cc7043046d01f58ebdec48d254fda268d856221ff6bdfd833e9b2b4934b2abac6e9e74083ca482c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B7G8J.tmp\ISDone.dll

Filesize
452KB

MD5
4feafa8b5e8cdb349125c8af0ac43974

SHA1
7f17e5e1b088fc73690888b215962fbcd395c9bd

SHA256
bb8a0245dcc5c10a1c7181bad509b65959855009a8105863ef14f2bb5b38ac71

SHA512
d63984ee385b4f1eba8e590d6de4f082fb0121689295ec6e496539209459152465f6db09e6d8f92eec996a89fc40432077cbfa807beb2de7f375154fef6554bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B7G8J.tmp\WinTB.dll

Filesize
3KB

MD5
348f5c9651b979191373eba950d0edc3

SHA1
7c2af0023c6d07bfcee4fe9bb0d82c58c3259b49

SHA256
6922915886745d1b59320dee9a87311aadd57f924ffb73cac1d27573e75bcecc

SHA512
57712ca55e65f66974492ba4e209b8e97bc559978a510e48bac521441d3123aef812cbb71990c5baa0446818a6cda7902d5b9b601af7ffc2c8c9ecae98b15082

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B7G8J.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\Documents\My Games\Skyrim Special Edition\Skyrim.ini

Filesize
11B

MD5
ec3584f3db838942ec3669db02dc908e

SHA1
8dceb96874d5c6425ebb81bfee587244c89416da

SHA256
77c7c10b4c860d5ddf4e057e713383e61e9f21bcf0ec4cfbbc16193f2e28f340

SHA512
35253883bb627a49918e7415a6ba6b765c86b516504d03a1f4fd05f80902f352a7a40e2a67a6d1b99a14b9b79dab82f3ac7a67c512ccf6701256c13d0096855e

Download Submit
F:\Games\The Elder Scrolls V - Skyrim\2.ico

Filesize
146KB

MD5
f0b47f005c151ffdf9a7998091ec8006

SHA1
ce56a13460dc2e1dff4521579fb5e85810df62a1

SHA256
e867b0f97f17ed122c55f0d289844c1665b4889a7aedf4eca667cd79b0288b20

SHA512
22d630e9e4f37c250b3fad27f0c7ffa1c1a76afdd75f4f842bfa48ad41fa69abf0ec174841cb4b8595200fe71fb269e41bcc6344a38894ed8ca1b0611bea4d96

Download Submit
F:\Games\The Elder Scrolls V - Skyrim\Skyrim_Default.ini

Filesize
324B

MD5
44b6e5054189d586f74f7ce26ef69530

SHA1
432599eb892411a879ee8bf840bf570af1e229bb

SHA256
548d7f4e018f7e96fe9de18318dcaf343eb258561f8c37d7088a4392390f6107

SHA512
48981397372f4fcc6de9e8072dd2169bd58eec807561e14a542efa06fa484908b27fd6704cc34210192ff2155d4bed798cd52b8e5b3f80aa933c55936d0b4c36

Download Submit
F:\Games\The Elder Scrolls V - Skyrim\Uninstall\unins000.dat

Filesize
91KB

MD5
6cfb4293c6fd8b62f2d1c1f27d0d4bb5

SHA1
31e4c3353065de489c1c3c2e69a9bb41e61ea3e4

SHA256
3283b3501b626858f68edd48ce967ca6a4ae0a48f6a24203e6a3b8e829ce6284

SHA512
3960432c808131edf3bf48c7b88c5823236b72ff6169a6a86b524525bd87d56f7357e2bae21e5e8652336f881cc3a564f40188a3818496fb6b7e96e960230cb3

Download Submit
F:\Games\The Elder Scrolls V - Skyrim\Uninstall\unins000.exe

Filesize
1.5MB

MD5
723636bf74688eb896628205e39df3fd

SHA1
c144490f132b495c343db21bc7f995e5417d7e72

SHA256
727edabead3b18c7df23671f4d15875f95e8c08b2520fbc96ea49fab02d76102

SHA512
a4be4b15f77b541b3857cb3068d6d7cc3ee26c83428172524b4dab13fc6449d5de37c869a3f52f4c3a09b9392b6562767fa57ff35aa6828cea43d1dcf911cf6a

Download Submit
F:\Games\The Elder Scrolls V - Skyrim\Uninstall\unins000.exe

Filesize
743KB

MD5
e6fcc7a6fca4f7bc5cb3114107f42089

SHA1
8d00a28deb29faa5367b03e5d766afd5cdb4ec68

SHA256
597d95315167c1eeca102091ad0c3ac18392307737c183562359249e93805970

SHA512
87a41b2b50000fd6b732e8d82b24cdf9e0916e9cf610f7e0ca6500a31326052d29cd7033644536cbac4b7d1ba38a2bcdacaf47a66369fefa249b8bbd66492da4

Download Submit
memory/744-109-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/744-124-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2508-96-0x0000000003400000-0x0000000003477000-memory.dmp

Filesize
476KB

Download
memory/2508-39-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2508-161-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2508-59-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2508-57-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2508-47-0x0000000003400000-0x0000000003477000-memory.dmp

Filesize
476KB

Download
memory/2508-44-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2508-40-0x0000000003400000-0x0000000003477000-memory.dmp

Filesize
476KB

Download
memory/2508-129-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2508-95-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2508-130-0x0000000003400000-0x0000000003477000-memory.dmp

Filesize
476KB

Download
memory/2508-24-0x0000000003400000-0x0000000003477000-memory.dmp

Filesize
476KB

Download
memory/2508-15-0x0000000003390000-0x00000000033CC000-memory.dmp

Filesize
240KB

Download
memory/2508-6-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2640-38-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2640-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2640-162-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3996-127-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3996-116-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download