6fdfebc76195793c43ae7439ba54b9022346dfda713c3b7bcf8b5371d62e1779

General

Target

Harry.Potter.and.the.Sorcerers.Stone/Harry Potter/System/HP.exe
Size

136KB
MD5

7523f60d502b93a5ace911a32d0d0ef7
SHA1

9aad58812940d27c7cd96d2920c726cc2d2fdde9
SHA256

0c274cb13c49893fd56dac30fb87177ab3fa178762a9271572a75063da251417
SHA512

46ec53d86816c3ea532cd69f4f8e22e2a233f0f1e97e6b15c97eb1aadbe4c9d39e60a1e3d7faccad677318695476a317613a56475323e37ed8e962d37099e4fc
SSDEEP

1536:KHJ0mjPWMlPO+t+/U1gJKy0tCxfNxLKCNasI6Dxv9aGS0941vCgJMN:7A7lPiU1mSMxf34sIwxv9aGVuCgG

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
5	1984	rundll32.exe
7	1984	rundll32.exe
10	2532	rundll32.exe
11	2532	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\OOBGameInstalled = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\ServiceLocation	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\ServiceLocation	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1972	HP.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1972	HP.exe
2120	HP.exe
1972	HP.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1984	1972	HP.exe	28
PID 1972 wrote to memory of 1984	1972	HP.exe	28
PID 1972 wrote to memory of 1984	1972	HP.exe	28
PID 1972 wrote to memory of 1984	1972	HP.exe	28
PID 1972 wrote to memory of 1984	1972	HP.exe	28
PID 1972 wrote to memory of 1984	1972	HP.exe	28
PID 1972 wrote to memory of 1984	1972	HP.exe	28
PID 1972 wrote to memory of 2120	1972	HP.exe	29
PID 1972 wrote to memory of 2120	1972	HP.exe	29
PID 1972 wrote to memory of 2120	1972	HP.exe	29
PID 1972 wrote to memory of 2120	1972	HP.exe	29
PID 1972 wrote to memory of 2120	1972	HP.exe	29
PID 1972 wrote to memory of 2120	1972	HP.exe	29
PID 1972 wrote to memory of 2120	1972	HP.exe	29
PID 2120 wrote to memory of 2532	2120	HP.exe	30
PID 2120 wrote to memory of 2532	2120	HP.exe	30
PID 2120 wrote to memory of 2532	2120	HP.exe	30
PID 2120 wrote to memory of 2532	2120	HP.exe	30
PID 2120 wrote to memory of 2532	2120	HP.exe	30
PID 2120 wrote to memory of 2532	2120	HP.exe	30
PID 2120 wrote to memory of 2532	2120	HP.exe	30

C:\Users\Admin\AppData\Local\Temp\Harry.Potter.and.the.Sorcerers.Stone\Harry Potter\System\HP.exe
"C:\Users\Admin\AppData\Local\Temp\Harry.Potter.and.the.Sorcerers.Stone\Harry Potter\System\HP.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {f46b9fd7-537c-4dab-82f3-b2217985e494};C:\Users\Admin\AppData\Local\Temp\Harry.Potter.and.the.Sorcerers.Stone\Harry Potter\System\HP.exe;1972
  2⤵
  - Blocklisted process makes network request
  - Modifies registry class
  PID:1984
- C:\Users\Admin\AppData\Local\Temp\Harry.Potter.and.the.Sorcerers.Stone\Harry Potter\System\HP.exe
  "C:\Users\Admin\AppData\Local\Temp\Harry.Potter.and.the.Sorcerers.Stone\Harry Potter\System\HP.exe" testrendev=D3DDrv.D3DRenderDevice log=Detected.log
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {f46b9fd7-537c-4dab-82f3-b2217985e494};C:\Users\Admin\AppData\Local\Temp\Harry.Potter.and.the.Sorcerers.Stone\Harry Potter\System\HP.exe;2120
    3⤵
    - Blocklisted process makes network request
    - Modifies registry class
    PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\Harry Potter\HP.ini

Filesize
10KB

MD5
41e8d38c4e901d54e3e55bf320cdd4b7

SHA1
a6355c97be4ec2f4dd81f2ec4ac8f226d3da2180

SHA256
712619c3b8b992b6cee07ef16a2acffb616eff7818017f9a2fcd92bf087b9891

SHA512
61c828b23472a2c3fae54406fc199a954380bcf7e9597233e12f502d85bbfb16daa2f94e9cef6884f1f1dbcac698e4d5d48b7473026725daec47c1f32adde521

Download Submit
C:\Users\Admin\Documents\Harry Potter\HP.ini

Filesize
10KB

MD5
b9e0deba81e255e9719c333a953f86ca

SHA1
911e735773b00b6ffc80a7584d0c4e3a94e64d65

SHA256
f4e93a0e2a3e7821456d9a53f61c4b72aa7f89a5c8f7e48e4ea70b10b3091759

SHA512
a70b761ada2bced2215837e123c0754c37de997591536d6255a1129279bd40aeea2f98161558a73a32aa3b6f00480aecf275944f8ad0ae1c568459a34af84ac1

Download Submit
C:\Users\Admin\Documents\Harry Potter\User.ini

Filesize
4KB

MD5
a4f6d3fb15fe2d5e580c0770f1444e26

SHA1
5aa4c4572b2845fdaec2473dba4905fbaea07165

SHA256
954f30b3a6e8d9ac701656c8714d0761f13f969a8ce8542c7259e0b70b3b1548

SHA512
84078bc20102ca5c89ea0b5bf46a9a4b334118a0d2f009a51abe5584bcf0513615a3eb11872ac325d7c2fbc01974abb3f908856f5c609e40fa433f6afb9e5386

Download Submit
memory/1972-14-0x0000000010900000-0x0000000010972000-memory.dmp

Filesize
456KB

Download
memory/1972-32-0x0000000009710000-0x0000000009796000-memory.dmp

Filesize
536KB

Download
memory/1972-0-0x0000000010900000-0x0000000010972000-memory.dmp

Filesize
456KB

Download
memory/1972-18-0x00000000039D0000-0x0000000003A42000-memory.dmp

Filesize
456KB

Download
memory/1972-44-0x0000000010900000-0x0000000010972000-memory.dmp

Filesize
456KB

Download
memory/1972-4-0x0000000010900000-0x0000000010972000-memory.dmp

Filesize
456KB

Download
memory/1972-43-0x0000000010900000-0x0000000010972000-memory.dmp

Filesize
456KB

Download
memory/1972-42-0x0000000010900000-0x0000000010972000-memory.dmp

Filesize
456KB

Download
memory/1972-28-0x00000000054B0000-0x00000000054CC000-memory.dmp

Filesize
112KB

Download
memory/1972-13-0x00000000039D0000-0x0000000003A42000-memory.dmp

Filesize
456KB

Download
memory/1972-36-0x0000000010900000-0x0000000010972000-memory.dmp

Filesize
456KB

Download
memory/1972-37-0x0000000010900000-0x0000000010972000-memory.dmp

Filesize
456KB

Download
memory/1972-38-0x0000000010900000-0x0000000010972000-memory.dmp

Filesize
456KB

Download
memory/1972-39-0x0000000010900000-0x0000000010972000-memory.dmp

Filesize
456KB

Download
memory/1972-40-0x0000000010900000-0x0000000010972000-memory.dmp

Filesize
456KB

Download
memory/1972-41-0x0000000010900000-0x0000000010972000-memory.dmp

Filesize
456KB

Download
memory/1984-3-0x0000000010900000-0x0000000010910000-memory.dmp

Filesize
64KB

Download
memory/1984-6-0x0000000010900000-0x0000000010910000-memory.dmp

Filesize
64KB

Download
memory/2120-26-0x0000000010900000-0x0000000010972000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing