44d8ac4ce219133aae20906eab843d4d8ef67589b3b34b0e11dc65d80fd8c5bb

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
07-06-2024 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

6.4MB
MD5

986c1d0d2956252e861cb2efbf5bfe0f
SHA1

eae61e066dec2b39bcc4f5a2ec41bf908d7a3f31
SHA256

44d8ac4ce219133aae20906eab843d4d8ef67589b3b34b0e11dc65d80fd8c5bb
SHA512

cc21afc3f120728eeb03d014f7db6a407671f96b09fb77a1cc08232dd11e3470c5a72fdd2d8528644d5e152509f1bd0ea837b2bd14505e7a27af2f7ac1c42fb0
SSDEEP

196608:ifpF7axXA+VdwZyCAKgkBAKf6AqZJjxx2Ww:axSDKfAAGNbWWw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2352	Setup.tmp

Loads dropped DLL 5 IoCs

pid	Process
2148	Setup.exe
2352	Setup.tmp
2352	Setup.tmp
2352	Setup.tmp
2352	Setup.tmp

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DODI-Repacks\Hollow Knight\Uninstall\botva2.dll	Setup.tmp
File created	C:\Program Files (x86)\DODI-Repacks\Hollow Knight\Uninstall\dark.png	Setup.tmp
File created	C:\Program Files (x86)\DODI-Repacks\Hollow Knight\Uninstall\light.png	Setup.tmp
File created	C:\Program Files (x86)\DODI-Repacks\Hollow Knight\Uninstall\Setup1.jpg	Setup.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2352	Setup.tmp
2352	Setup.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2352	Setup.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2352	Setup.tmp
2352	Setup.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2352	2148	Setup.exe	28
PID 2148 wrote to memory of 2352	2148	Setup.exe	28
PID 2148 wrote to memory of 2352	2148	Setup.exe	28
PID 2148 wrote to memory of 2352	2148	Setup.exe	28
PID 2148 wrote to memory of 2352	2148	Setup.exe	28
PID 2148 wrote to memory of 2352	2148	Setup.exe	28
PID 2148 wrote to memory of 2352	2148	Setup.exe	28

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\is-CHIRU.tmp\Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-CHIRU.tmp\Setup.tmp" /SL5="$70016,6154834,227840,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-NO2HG.tmp\Autorun1.jpg

Filesize
86KB

MD5
0a225baf4293bbc4f94f1238afa84b9c

SHA1
c73859222ef6faf9765dffd20276379430192d4e

SHA256
d8b3c2fef7181c663cf1b66d3a5fc3074f9cca0bb454a6f4325a2e1c4a97e8c9

SHA512
7e793984aa00eef57c1859ea04663c32dcc39792b1b897e159063f97d9b4791345a484eaf7fa7ba51b2da22d75b587e7834911f592b896e3ccc31d6400cd8f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NO2HG.tmp\Dark.png

Filesize
65KB

MD5
185d31c702a861fd7026c693513eb3fb

SHA1
4857cba77bce860ee34df70d2ed06ac51958b53f

SHA256
56e1b926b344ef760fea6a4fd862e066ea5295f7e5671fc7c0d1f1bc148e2009

SHA512
9cabac5d73a9dada0d809fdfbbb552c105d0de975a545fef70322b8c86b001691af6e2dc58e980343342a953bed12d91553dc253928cd6357836b6aaf5efb8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NO2HG.tmp\Exit.png

Filesize
9KB

MD5
91f97aa4b051e7b2991e5456d2c8655b

SHA1
901dd406613f3e97d8d6141bb061b242a3b5fb4f

SHA256
0ff3fbfbb177d5ffc8b577f821a91f9d39f13f5f548f9570c12cb85ccef526e3

SHA512
b664f7aff75308d416c9e479bbd9a9b840816d41fb1dc218187c01636e443c4c7976a635459f626f971961c89d0b8e3c91bb0d61940e487a36179437fb0aa296

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NO2HG.tmp\Install.png

Filesize
22KB

MD5
3a104b9ff4b59bba6dc3b30114c5b31b

SHA1
3a03ebe2b3ff5d4bac88355c82a86da3bb30cfde

SHA256
1a72008c2393b330c3a9e05bcba070e538d9d5078767adc49a86a05473226ced

SHA512
8d4d985d5003b2b7739c9f5549b8ea143adcfa78188fea45de49a73f82dd1e88709ef35a62bdcfdf360a1d3face0cb40fb8ff782d15f5081127dd6121a7e0289

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NO2HG.tmp\Lockscreen.jpg

Filesize
142KB

MD5
845b8ef88ffb349e9d79ad1c841200a7

SHA1
3448bce076396c8c94e98a22dd82081dac0acd5f

SHA256
7f1373f3f21708cfa57414fc02dc3425019a08a809ae0c40a828c257a7f62076

SHA512
83301f37dbbe916aa7ff574c0a48bcd2269f4f5694f2dcf302f79362d52f9f7ccd5c7a538685c251c087bfbe52a997b740959ad91d5ce2eb4e1b3c6bc7206be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NO2HG.tmp\Lockscreen_overlay.png

Filesize
77KB

MD5
f5f4fe2b811e5a07ae1184579cf36557

SHA1
9ae1594e259f1aa06734c8653796596113f2d08b

SHA256
d66bbf3a8d5f5890c3dbc95e77068abb10f3db4ebd0c71ae5dbf15d99174889c

SHA512
eded97ed79f84916e5727f83e170f3999478df537bebe39767c49a3bedf4c86cd5bc3dcfd5d767559b9333ce9e06bddeceb96469e5a70eaae47145a838438f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NO2HG.tmp\Setup1.jpg

Filesize
86KB

MD5
0e3a7ab52051a8d21b46a9eb3633671f

SHA1
824cc0b81a1f8bfe36d244eb8f45fa09a5f5612d

SHA256
e5f2e94d13a9008dfc22d1403632ff380f4102eab54768cc38cd7bf2c862d3d1

SHA512
ba2b9f54c102276ca2e7c32e4d4ca8abb6bbb69b6358c6ef728d72d545e1a4447c691c810dca36e2640dda2858b761562fce4dd93a8d47b1298cb2275fa1a42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NO2HG.tmp\Tile1_Background.jpg

Filesize
142KB

MD5
958e54799b66f6d96ae418e382c286d8

SHA1
9db4e8b810f826764244dce47c46d0693e3f5b99

SHA256
54217f19fa737754030cd21301647dc5f762994eea1ee872a3d7e38552720081

SHA512
78685cd7f13049c3d91f181944373cbbd3d42711d41782a3281c7b4ace47196df9e8e1346c1a10b6ee536d06febfafa1e808862b9bbc5a74c6eb305e4dfa17d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NO2HG.tmp\Tile1_Icon1.png

Filesize
12KB

MD5
688231d073c8260004d860b29726e589

SHA1
33ef340a8671fe0b74cab319e7c3f2a197eb6c3e

SHA256
81ddf630398427b4d81e15b6feb595669d06923a5e95954cb36a442d7f0e26c3

SHA512
94aa5fbede7d9da05b8216c2cf451e927edbcc0f8808f89fb3ce612870e849836d2df477c9630358b92bead596d2a900fe1879b3c99fdd630a4c8cecbf5f6a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NO2HG.tmp\Uninstall.png

Filesize
9KB

MD5
1dbec7e15bb3fe912ea362c7f5305cb8

SHA1
8ee2dca3f834cd7809dd50681bb432fa17f982f6

SHA256
43bfe50a575e87237abe4f65eee18b23e667c0a6c9fa1fd6fc2176948edfa527

SHA512
dc46536df17a17410a4aa2b6afaee9a620612e23498d009e766411bf2d17c87da0ac3b3f5a950375c34f4355f6b2924dfdc99c52102e1e702fd55f29333fc55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NO2HG.tmp\logo.png

Filesize
253B

MD5
5b97ed539eefa61a38c5d8bd75ba431e

SHA1
fddf8d18f7c9db64c85f5d7570fc3dbaac03bfe6

SHA256
b0034f812ff8f9a71d5e2b21ed1630ace13fe24d70cf558573a4204fb7ed96d3

SHA512
9ae322311d28d09e46c92b1ed4bf91c2f11e7d22dc6c2c16498c5e6e960d0e3062169876da4fddb3ef2cca5384b22f213c4380ec85d83ff4d29717e59bb31f08

Download Submit
\Users\Admin\AppData\Local\Temp\is-CHIRU.tmp\Setup.tmp

Filesize
1.5MB

MD5
6e4e83302159ec46e10280abe1d62ce1

SHA1
eb439d7b73e64605eb9f37b9b057722861ada267

SHA256
bb22238b9de45d10013cdf18b66d13646137bf5ddc075c781a160ef8739b2fd7

SHA512
22331088377154be8b11825c95c1a2a8765d71c3394714faed00a6185ab84afac63ae95103f20f1a9e4fe447259976734e1bd905e4a45bbe0567cee5241f1033

Download Submit
\Users\Admin\AppData\Local\Temp\is-NO2HG.tmp\ISDone.dll

Filesize
452KB

MD5
4feafa8b5e8cdb349125c8af0ac43974

SHA1
7f17e5e1b088fc73690888b215962fbcd395c9bd

SHA256
bb8a0245dcc5c10a1c7181bad509b65959855009a8105863ef14f2bb5b38ac71

SHA512
d63984ee385b4f1eba8e590d6de4f082fb0121689295ec6e496539209459152465f6db09e6d8f92eec996a89fc40432077cbfa807beb2de7f375154fef6554bc

Download Submit
\Users\Admin\AppData\Local\Temp\is-NO2HG.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-NO2HG.tmp\botva2.dll

Filesize
37KB

MD5
619bf9ddcb5fe39ee9e5b0167e7f4f0d

SHA1
6da8c0d2407d5221172765b00452efa0f361902f

SHA256
609661a14733f6e9c2c2f2ff9c274f8a4cbedaff4dd32049aa5161f8d7083d6a

SHA512
a89fc731805e83f889f408fe3fea769d0e44faf1e1dd37d3569bbf57a6086b1ffc8783778e0be8236447c7661c44051b2d4b1d3a643f7ebc35f6ef0625c6897a

Download Submit
memory/2148-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/2148-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2148-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2352-33-0x0000000001D80000-0x0000000001D8F000-memory.dmp

Filesize
60KB

Download
memory/2352-17-0x0000000002220000-0x0000000002297000-memory.dmp

Filesize
476KB

Download
memory/2352-82-0x0000000001D80000-0x0000000001D8F000-memory.dmp

Filesize
60KB

Download
memory/2352-81-0x0000000002220000-0x0000000002297000-memory.dmp

Filesize
476KB

Download
memory/2352-80-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/2352-84-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/2352-88-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/2352-92-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/2352-96-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/2352-8-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/2352-138-0x0000000001D80000-0x0000000001D8F000-memory.dmp

Filesize
60KB

Download
memory/2352-136-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/2352-140-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/2352-179-0x0000000002220000-0x0000000002297000-memory.dmp

Filesize
476KB

Download
memory/2352-178-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/2352-182-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download