Analysis

  • max time kernel
    78s
  • max time network
    85s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    12/07/2024, 23:47

General

  • Target

    underversebattles.exe

  • Size

    232.1MB

  • MD5

    8f1b45fafe36e57782652523a563764f

  • SHA1

    333d05376080eddc22aed18cc4fe20587e113127

  • SHA256

    ff4bacc28cf6eb2e123bb9ef5fc818ace9f83c3c398d2d9ab78b80c224cdb7ba

  • SHA512

    1cd0f0f5fdaaf3821063def6c724cb020bb0f27bf6ff71076618599c8dd58277f28a4e2a48b90aae753582b0c0828a0808f62e50f4d66a48669ae79adba9553b

  • SSDEEP

    6291456:bGoPivGw61yf3wP4R2YJuclwDkAROad0+P7CwHcHC2:bbAwP40YJuclwgAROQ7e8cHC2

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (4 IoCs)
  • Loads dropped DLL (64 IoCs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory (55 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)

  Context for these hits: the process tree below attributes WriteProcessMemory to the submitted installer and to vcredist_x86_2015.exe while they spawn child processes, and SetWindowsHookEx to the installed UnderverseBattles.exe. The dropped nsyAEB7.tmp\InstallOptions.dll, System.dll and ioSpecial.ini are standard NSIS installer plugin files, and the vcredist child started with the -burn.unelevated BurnPipe argument is the WiX Burn bootstrapper's normal unelevated-helper pattern. These are the behaviours of a software installer and are not evidence of malice on their own; the digests in the Downloads section are the values to compare against a known-good copy of the game's installer.

Processes

  • C:\Users\Admin\AppData\Local\Temp\underversebattles.exe
    "C:\Users\Admin\AppData\Local\Temp\underversebattles.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Users\Admin\AppData\Local\Temp\vcredist_x86_2015.exe
      "C:\Users\Admin\AppData\Local\Temp\vcredist_x86_2015.exe" /quiet /norestart
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Users\Admin\AppData\Local\Temp\vcredist_x86_2015.exe
        "C:\Users\Admin\AppData\Local\Temp\vcredist_x86_2015.exe" /quiet /norestart -burn.unelevated BurnPipe.{246A906E-B8AD-4CD0-A148-BBF95B1D03FE} {79EFA2AD-9C75-4401-9BC4-7F14C59BEADE} 2868
        3⤵
        • Executes dropped EXE
        PID:2884
    • C:\Program Files (x86)\UnderverseBattles\UnderverseBattles.exe
      "C:\Program Files (x86)\UnderverseBattles\UnderverseBattles.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2084
  • C:\Program Files (x86)\UnderverseBattles\UnderverseBattles.exe
    "C:\Program Files (x86)\UnderverseBattles\UnderverseBattles.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:2308

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\UnderverseBattles\UnderverseBattles.exe

    Filesize

    11.8MB

    MD5

    99046feb2eaaacfc31797895bd3eaf00

    SHA1

    f39c66c46c2d506b01db36d3b9a0226418470906

    SHA256

    d8eb91a821585b3dc778222a7782515a5b404e59dd92a9988ccb1b1003f4e621

    SHA512

    de88ec355a37596488caefe6f6862743144b90ca9389118d52215d240e87e6452f8b317d125c7e9892e6e9f3ae8c5823e546fe6ca573358f6244e5182a021e81

  • C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\fonts\font_comic_sans.ttf

    Filesize

    25KB

    MD5

    53e3f42a94002ec4df11f5857d563a11

    SHA1

    0ffe54847b1973ab0d8888ac3c60874a6f323253

    SHA256

    d8663bf5c618a9f40d3bd2cc50f858e27e8c4de7bd5c4328a3f39fd498878783

    SHA512

    0f3d0bddd2985445b5c8e57a865497fb6f44b4ebcdf55cda403f24443448693f649a843eaf85bd84c2209a351074192dbc00012ae9da9760b48aa5f6ce1b66e7

  • C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\fonts\font_console_mini.ttf

    Filesize

    40KB

    MD5

    f4ef5cd6112a967e577eca75a306e34f

    SHA1

    565ae74944d0da553d2a8af0c5bf5dc617ccd63f

    SHA256

    22468549d3774cecec78c1ab0c40d4ce58d14cff6da4e2c4c8ffda5d0cf0b62c

    SHA512

    7c6da4b96c090e926afbef5de7c3deb011f72306a6c993e1cc9001d6a9a444c1068eb037a61914466d2604ecfe7c6cda6dd1ea0cb8b9e062de8bfb96438657f7

  • C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\fonts\font_mini.ttf

    Filesize

    27KB

    MD5

    5488476bafa26d8ab9a35e14a8501590

    SHA1

    46511b0bcc6d5a4ccaaf33d4144ec248623caecd

    SHA256

    fe272db84699b94c36882d2135e9e18909d61fc7080bade68f2570712d2173e3

    SHA512

    c92073bfd1a29c4751d91cca129b3d50eb5bf0ff5aae38fc698c239a5e4805c6c9b8c048d23159e2551f6202989a415983ba8071a7427d65dbb180c149a0829f

  • C:\Program Files (x86)\UnderverseBattles\translate\uk_ua\fonts\font_mini.json

    Filesize

    139B

    MD5

    5e41f013bf1b11a7360a37bdfb874cbe

    SHA1

    c57c5168960aedb0f94d0d8d552c54d51f57252a

    SHA256

    90d287e89a072757b75304fdaf2ccd8c13172ca88db3efba40979b315800b04a

    SHA512

    95feadeea52abb78c300d589e9d45e45666ab61934140fbc176f8e5a16711589b4ced29c42ae1a75c112a830906720ca6f641a80ca2103f92c78af9601c74be6

  • C:\Users\Admin\AppData\Local\Temp\nsyAEB7.tmp\ioSpecial.ini

    Filesize

    1KB

    MD5

    75e024a687ff1aa3f0c171e057a7d8d7

    SHA1

    887bc050c37b980591e4b72cda68f1d257a002c3

    SHA256

    888a1ba7ef78ecdf47b79c6cab836ad637e23cd862c0d6c76156360c45986fa0

    SHA512

    d8d4d844745f59bcb04c4723645cd1280e4ef9c931bbc5543f0dff88e9b279a0f415fd433af1b6dff0e59cf04549fb0cc4713e3189c4bc42e51e6e697deb9c9f

  • C:\Users\Admin\AppData\Local\Temp\nsyAEB7.tmp\ioSpecial.ini

    Filesize

    1KB

    MD5

    ae1b242f054d3f6a2b19b2db856dd86a

    SHA1

    cb2f358cf9149f31dfd1b8026af2d2ee3c20145f

    SHA256

    8948ddd35888d16d90fe765dcc2c6d2ecf5358aba4e0923de079826219025487

    SHA512

    489812a6f12bd40ac394449d6c47e897e3028f4002a7f38aff3d51f83b449d35adb7d1ba97d016de37a22f9b202ebd85a76b9c42f72ba599679c8b9f3b42b034

  • C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.png

    Filesize

    1KB

    MD5

    d6bd210f227442b3362493d046cea233

    SHA1

    ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

    SHA256

    335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

    SHA512

    464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

  • \Users\Admin\AppData\Local\Temp\nsyAEB7.tmp\InstallOptions.dll

    Filesize

    15KB

    MD5

    6f3098fb5f3db26f3bb84f5481109e39

    SHA1

    9270793e404cc42c6f5be1eb1eb4305f166c656d

    SHA256

    f90a0893c0b0ce2ae3f8bb65f383bf656ce33381d6cbac2b25a7d82b34fde9bd

    SHA512

    0462beae0fbd882dc0b6a09547a7959c051928b828e28125b433794de0258f90f3dec8f1920290f114970d2540a113224b8ab372fcee4dfe87f139be4ac0c0d1

  • \Users\Admin\AppData\Local\Temp\nsyAEB7.tmp\System.dll

    Filesize

    12KB

    MD5

    ea00e2678e4679ba28b0f560baec9776

    SHA1

    f9b647b1ab50cc2de981757ac914a5787bccd95a

    SHA256

    60d4a86f65e141d4b6b778e5f448a0c818bd2fa28db7b9dabc1395d354b19cc5

    SHA512

    2ee7a4a0af955ba376c66d13e626ca135b2afd13277a006f523eb2fdc1133a12ea35b065a8c119843fbe82f89190cdb2b769329af14e4313a2419b739b27337a

  • memory/2084-613-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

    Filesize

    64KB
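As an added example (not the sandbox's own code, and not from the Underverse Battles project), the following Python turns report text of the kind shown above into something a triage script can act on. It parses a constructed excerpt of this page's Downloads and Processes sections, reproduces the "Executes dropped EXE" correlation by matching a dropped file's path to a later process image, and checks bytes in hand against the recorded digests. The function names (`parse_downloads`, `parse_processes`, `executed_dropped_files`, `verify_bytes`) and the excerpt layout are this example's own assumptions; the hash and PID values are copied from the page.

```python
"""Triage helpers for a plain-text sandbox report (added example, not vendor code)."""
import hashlib
import re

# Constructed excerpt of the page's "Downloads" section, values copied verbatim.
DOWNLOADS = r"""
  • C:\Program Files (x86)\UnderverseBattles\UnderverseBattles.exe
    Filesize
    11.8MB
    MD5
    99046feb2eaaacfc31797895bd3eaf00
    SHA1
    f39c66c46c2d506b01db36d3b9a0226418470906
    SHA256
    d8eb91a821585b3dc778222a7782515a5b404e59dd92a9988ccb1b1003f4e621
  • \Users\Admin\AppData\Local\Temp\nsyAEB7.tmp\System.dll
    Filesize
    12KB
    MD5
    ea00e2678e4679ba28b0f560baec9776
    SHA1
    f9b647b1ab50cc2de981757ac914a5787bccd95a
    SHA256
    60d4a86f65e141d4b6b778e5f448a0c818bd2fa28db7b9dabc1395d354b19cc5
"""

# Constructed excerpt of the page's "Processes" section (image, command line, PID).
PROCESSES = r"""
  • C:\Users\Admin\AppData\Local\Temp\underversebattles.exe
    "C:\Users\Admin\AppData\Local\Temp\underversebattles.exe"
    PID:1604
    • C:\Users\Admin\AppData\Local\Temp\vcredist_x86_2015.exe
      "C:\Users\Admin\AppData\Local\Temp\vcredist_x86_2015.exe" /quiet /norestart
      PID:2868
    • C:\Program Files (x86)\UnderverseBattles\UnderverseBattles.exe
      "C:\Program Files (x86)\UnderverseBattles\UnderverseBattles.exe"
      PID:2084
"""

DIGEST_KEYS = ("MD5", "SHA1", "SHA256", "SHA512")


def parse_downloads(text):
    """Return one dict per dropped file: path plus lower-cased digest/filesize keys."""
    records, current, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):            # a bullet opens a new file record
            current = {"path": line[1:].strip()}
            records.append(current)
            key = None
        elif line in ("Filesize",) + DIGEST_KEYS:
            key = line.lower()              # label line: the next line is its value
        elif key and current is not None:
            current[key] = line
            key = None
    return records


def parse_processes(text):
    """Return one dict per process: image path, quoted command line and PID."""
    procs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("•"):
            current = {"image": line[1:].strip(), "cmdline": None, "pid": None}
            procs.append(current)
        elif current is not None and line.startswith("PID:"):
            current["pid"] = int(line[4:])
        elif current is not None and line.startswith('"') and current["cmdline"] is None:
            current["cmdline"] = line
    return procs


def _norm(path):
    """Case-fold and drop the drive letter; the report omits it for some Temp paths."""
    return re.sub(r"^[a-z]:", "", path.lower().replace("/", "\\"))


def executed_dropped_files(records, procs):
    """The 'Executes dropped EXE' signature: a dropped path later used as a process image."""
    dropped = {_norm(r["path"]): r for r in records}
    hits = []
    for p in procs:
        rec = dropped.get(_norm(p["image"]))
        if rec:
            hits.append((p["pid"], rec["path"], rec.get("sha256")))
    return hits


def verify_bytes(data, record):
    """Names of recorded digests that do NOT match `data`; empty list means all match."""
    mismatches = []
    for name in DIGEST_KEYS:
        expected = record.get(name.lower())
        if expected is None:
            continue
        if hashlib.new(name.lower(), data).hexdigest() != expected.lower():
            mismatches.append(name)
    return mismatches


if __name__ == "__main__":
    recs, procs = parse_downloads(DOWNLOADS), parse_processes(PROCESSES)
    for pid, path, sha in executed_dropped_files(recs, procs):
        print(f"Executes dropped EXE: pid {pid} {path} sha256={sha}")
    print("digests not matching an empty file:", verify_bytes(b"", recs[0]))
```

Run against the full report, the correlation also surfaces vcredist_x86_2015.exe once its Downloads entry is in scope; the excerpt above only carries the two records shown, so only the installed game executable is matched. `verify_bytes` is the check to run on a locally obtained copy before treating the page's digests as describing the file you actually have.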