ca1112dd9429ddc74739928b688751fc28af4f368d18ebec8952858f4fa4377c

General

Target

setup.exe
Size

1.6MB
MD5

f5ab8982b731672950aa6ed2a729bcc0
SHA1

70f6a918c6dfbb9ae2b17c54266a6a3823ed92bf
SHA256

ca1112dd9429ddc74739928b688751fc28af4f368d18ebec8952858f4fa4377c
SHA512

e7943889c63bc5ab6eff6b6fc0ae409057ceb1897fc15e66da32cc54262d07cd11f95231e9d9a8ba29cecfb244f966b1693eb45bfb5d718de19bf48a15b8f1e4
SSDEEP

24576:bxGx3HTnsmCxZglmdy1YO9BFjpJwU3KvnkW9aNS/XlaRrSne6SieClSGJgu:UR/CTumdy1x1pu9a2XeDYSxu

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3060	setup.tmp
2888	unins000.exe
2724	_iu14D2N.tmp

Loads dropped DLL 9 IoCs

pid	Process
2896	setup.exe
3060	setup.tmp
3060	setup.tmp
3060	setup.tmp
3060	setup.tmp
3060	setup.tmp
2888	unins000.exe
2724	_iu14D2N.tmp
2724	_iu14D2N.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Need for Speed Most Wanted 2012\unins000.dat	setup.tmp
File created	C:\Program Files (x86)\Need for Speed Most Wanted 2012\is-RVQM9.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\Need for Speed Most Wanted 2012\unins000.dat	setup.tmp
File opened for modification	C:\Program Files (x86)\Need for Speed Most Wanted 2012\unins000.dat	_iu14D2N.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3060	setup.tmp
3060	setup.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3060	setup.tmp
2724	_iu14D2N.tmp

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 3060	2896	setup.exe	28
PID 2896 wrote to memory of 3060	2896	setup.exe	28
PID 2896 wrote to memory of 3060	2896	setup.exe	28
PID 2896 wrote to memory of 3060	2896	setup.exe	28
PID 2896 wrote to memory of 3060	2896	setup.exe	28
PID 2896 wrote to memory of 3060	2896	setup.exe	28
PID 2896 wrote to memory of 3060	2896	setup.exe	28
PID 3060 wrote to memory of 2888	3060	setup.tmp	29
PID 3060 wrote to memory of 2888	3060	setup.tmp	29
PID 3060 wrote to memory of 2888	3060	setup.tmp	29
PID 3060 wrote to memory of 2888	3060	setup.tmp	29
PID 3060 wrote to memory of 2888	3060	setup.tmp	29
PID 3060 wrote to memory of 2888	3060	setup.tmp	29
PID 3060 wrote to memory of 2888	3060	setup.tmp	29
PID 2888 wrote to memory of 2724	2888	unins000.exe	30
PID 2888 wrote to memory of 2724	2888	unins000.exe	30
PID 2888 wrote to memory of 2724	2888	unins000.exe	30
PID 2888 wrote to memory of 2724	2888	unins000.exe	30
PID 2888 wrote to memory of 2724	2888	unins000.exe	30
PID 2888 wrote to memory of 2724	2888	unins000.exe	30
PID 2888 wrote to memory of 2724	2888	unins000.exe	30

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\is-RTQH1.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RTQH1.tmp\setup.tmp" /SL5="$3012E,1013670,238592,C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Program Files (x86)\Need for Speed Most Wanted 2012\unins000.exe
    "C:\Program Files (x86)\Need for Speed Most Wanted 2012\unins000.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
      "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files (x86)\Need for Speed Most Wanted 2012\unins000.exe" /FIRSTPHASEWND=$301E8 /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of FindShellTrayWindow
      PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Need for Speed Most Wanted 2012\unins000.dat

Filesize
17KB

MD5
e8055439f2452961e418843f98ffbe1c

SHA1
9f6242d6fd97dd0f86ff5e5c6389aaeab30dc196

SHA256
3bee9574f8f6dce9ae499374763af3aec2018ba1ac251fe68dfe16742fecce57

SHA512
e21a165c45e63b87c32fab974262268d8f3d6bf803c19efb87d041580657cc8f0b77d01ce5b79c1c1dd89fbec568acfb793a41a02eee284042fb955b23bbdf34

Download Submit
\Program Files (x86)\Need for Speed Most Wanted 2012\unins000.exe

Filesize
1.3MB

MD5
8b57bc03f77ef92739cb2ad69f5ac6e3

SHA1
931dfb6ff9e94bbad2b3602145503c3b4c9e3b6a

SHA256
decac3efbe156cfa4e444c5ab633bbe2fb7af26cde65010ad93e367c740a5731

SHA512
d80aae6fd1e2527ce04f2f57bef304157af1afb85b6174ca859333b60f66da2801139c763bff39765993a5e53b3d38e1d9606579ed0ff22d680089fd49136c00

Download Submit
\Users\Admin\AppData\Local\Temp\is-RTQH1.tmp\setup.tmp

Filesize
1.2MB

MD5
5ec23bf3d9330c95170222e5773050dc

SHA1
9619d7fcf5e16ce717b7e3b112e37f7f067acfd5

SHA256
4a404c6b81dfc861a67e061057468ec61f71b0a2026ce8a34040d7fb51a03358

SHA512
171fc9b55dee9a22b1df46631b7e5fb611a56b8dc30a9ef6791df25a6d4698df6f1d00e45fb4b8c76f18ef58001374f96e5322565f2c5ec7064dd5d01412eebb

Download Submit
\Users\Admin\AppData\Local\Temp\is-STROH.tmp\ISDone.dll

Filesize
453KB

MD5
34b88e02562a274b786f3e2a2caa4697

SHA1
8e9b2217a223cb197537bf0d4e288f9152a2609d

SHA256
367e83cd3122c3ea8518bf080ae161d350a63a3eda13ab901997aa72b6217ac8

SHA512
2bdc4c145ee94224a9750fb81b1f7b3a968d525b3e8dad06ad9fbed2bfd4aab54425a0326a3a3e221863dd767a38898027b7912543bd178ef028995bae24deaa

Download Submit
\Users\Admin\AppData\Local\Temp\is-STROH.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-STROH.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2724-71-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2888-68-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2896-24-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2896-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2896-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2896-88-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3060-26-0x0000000002040000-0x00000000020B7000-memory.dmp

Filesize
476KB

Download
memory/3060-25-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/3060-44-0x0000000002040000-0x00000000020B7000-memory.dmp

Filesize
476KB

Download
memory/3060-43-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/3060-20-0x0000000002040000-0x00000000020B7000-memory.dmp

Filesize
476KB

Download
memory/3060-8-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/3060-87-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing