9e8e0209026eef6a93f9dcf563d0dd257a3b5091c8ab2d7d6c54076a7b9a327f

General

Target

[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.exe
Size

1.3MB
MD5

a5c41e111db7548895c5ea16f7436954
SHA1

e3f24bedb3069f9609390c6134e7135e3a1f1b9b
SHA256

9e8e0209026eef6a93f9dcf563d0dd257a3b5091c8ab2d7d6c54076a7b9a327f
SHA512

b7edc5cfb31c1ecd919bd2b77cb08af6f905cf22b5281a9325e53f77bc578dd18cb4aa14b380eb53257f180eb25792deafbc54bc6dd65b95d8e8ceb27b01500e
SSDEEP

24576:+MjhP0Km1aFnFhlMxb8jlJrh+EoPuMvI138ab5dayy5:9h058TlMxb47h+DNI75X2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4268	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp

Loads dropped DLL 5 IoCs

pid	Process
4268	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
4268	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
4268	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
4268	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
4268	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
File opened (read-only)	\??\L:	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
File opened (read-only)	\??\T:	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
File opened (read-only)	\??\Y:	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
File opened (read-only)	\??\W:	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
File opened (read-only)	\??\X:	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
File opened (read-only)	\??\B:	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
File opened (read-only)	\??\H:	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
File opened (read-only)	\??\I:	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
File opened (read-only)	\??\Q:	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
File opened (read-only)	\??\S:	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
File opened (read-only)	\??\Z:	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
File opened (read-only)	\??\J:	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
File opened (read-only)	\??\K:	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
File opened (read-only)	\??\M:	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
File opened (read-only)	\??\U:	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
File opened (read-only)	\??\V:	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
File opened (read-only)	\??\R:	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
File opened (read-only)	\??\E:	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
File opened (read-only)	\??\G:	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
File opened (read-only)	\??\N:	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
File opened (read-only)	\??\O:	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
File opened (read-only)	\??\P:	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4268	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 4268	1352	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.exe	72
PID 1352 wrote to memory of 4268	1352	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.exe	72
PID 1352 wrote to memory of 4268	1352	[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.exe	72

C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.exe
"C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\is-H9MCQ.tmp\[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-H9MCQ.tmp\[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp" /SL5="$80236,813944,190464,C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-0PMF3.tmp\CheckBox.png

Filesize
7KB

MD5
abd301b0263b0e0cebdd71e4855ac7d3

SHA1
1e8480c3f3b47a5daa7cb1183b6a7a49998cda6e

SHA256
aff003e75bbf410ed2f7ca8728afe01ab4a517536647ad20109d00c4adf570d5

SHA512
b5abb188bd23d7fc2e3253a5639cc3eba6d21774dba55b43395cf84ddb49fe707ad54dc0a7f157e6b0804c1662d9c4cb4bef2787aafb194ea73fbebd1a63bb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0PMF3.tmp\WizardImage.jpg

Filesize
62KB

MD5
b91658597f15d7f689c86f5a2e7824bd

SHA1
00da609aa0b39140b767a3bc2644433d64edbd71

SHA256
b3cda6ab45ad5aa6a0a5f700d2c8987b3c1c1ebda63165d9bd5a566b24dcbd84

SHA512
00b287fb14b947edf4b16d52243e9a992595d8894e83d8590473103d1b54a4670b323db13c4f78234617c44f905baf517e68fcceaad313f3ea7cd44cf036daea

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0PMF3.tmp\button.png

Filesize
12KB

MD5
51af4120d6d22b1126cc87a5143740ef

SHA1
1cb4e91e765537a72c9628056d29fbd6a7ce515c

SHA256
c74fed62141f7e666379a0b00d5b39c86975332cf08151cbe8cab88eff2c393c

SHA512
2595be954684ca34bc9284337524a5191c72fbea46b59555a5113ed8404a1e7ab6c2aa0f5a975f832cccdd8934ff1140c679ecd940f31cc14b4c3a362a225cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H9MCQ.tmp\[FreeTP.Org]Borderlands-3-Multiplayer-Fix-Online-LAN.tmp

Filesize
1.5MB

MD5
17fac68c3018078e9bedc9d58d02423b

SHA1
e434edc315f792d2835e8d507218890df3eea64c

SHA256
c87bd5d9698eb981ee384baa08305e7b94769e0cf3c1bbc97d11aab096013417

SHA512
bd0f62b2e4e828d2ddda98bdb337fbfc3b6c859781c499deec3130b3922fc0e71d695418881fab5bafb8da44dce6b10141f873fb94fa579d1a847468f4fb8d7f

Download Submit
\Users\Admin\AppData\Local\Temp\is-0PMF3.tmp\botva2.dll

Filesize
32KB

MD5
295832fa6400cb3407cfe84b06785531

SHA1
7068910c2e0ea7f4535c770517e29d9c2d2ee77b

SHA256
13e372c4d843603096f33603915c3f25d0e0d4475001c33ce5263bfcd1760784

SHA512
50516f9761efd14641f65bd773cfdd50c4ab0de977e094ba9227796dc319d9330321c7914243fc7dc04b5716752395f8dac8ccdfdb98ba7e5f5c1172408ce57b

Download Submit
\Users\Admin\AppData\Local\Temp\is-0PMF3.tmp\get_hw_caps.dll

Filesize
76KB

MD5
2e35d2894df3b691dbd8e0d4f4c84efc

SHA1
d0fc14963e397d185e9f2d7dea1d07bc6308d5b9

SHA256
869079ba362cbc560d673db290248ec2aa075a74f22a82d90621f1118f8e1c4d

SHA512
29ba662ab2e77aef0547ff76213a1b6ef52be27a446923790a27cf8b69377621048387dbb9f22001b6d15837dddada84c7350614ec9622258319658822705f90

Download Submit
\Users\Admin\AppData\Local\Temp\is-0PMF3.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
memory/1352-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1352-112-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4268-113-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/4268-122-0x0000000005050000-0x0000000005150000-memory.dmp

Filesize
1024KB

Download
memory/4268-35-0x0000000003420000-0x000000000342D000-memory.dmp

Filesize
52KB

Download
memory/4268-6-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4268-114-0x0000000003420000-0x000000000342D000-memory.dmp

Filesize
52KB

Download
memory/4268-115-0x0000000004EA0000-0x0000000004EB5000-memory.dmp

Filesize
84KB

Download
memory/4268-116-0x0000000005050000-0x0000000005150000-memory.dmp

Filesize
1024KB

Download
memory/4268-119-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/4268-121-0x0000000004EA0000-0x0000000004EB5000-memory.dmp

Filesize
84KB

Download
memory/4268-78-0x0000000004EA0000-0x0000000004EB5000-memory.dmp

Filesize
84KB

Download
memory/4268-123-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4268-125-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/4268-129-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/4268-132-0x0000000005050000-0x0000000005150000-memory.dmp

Filesize
1024KB

Download
memory/4268-133-0x0000000005050000-0x0000000005150000-memory.dmp

Filesize
1024KB

Download
memory/4268-135-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/4268-143-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/4268-147-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads