ff4bacc28cf6eb2e123bb9ef5fc818ace9f83c3c398d2d9ab78b80c224cdb7ba

Analysis

max time kernel
78s
max time network
85s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

underversebattles.exe
Size

232.1MB
MD5

8f1b45fafe36e57782652523a563764f
SHA1

333d05376080eddc22aed18cc4fe20587e113127
SHA256

ff4bacc28cf6eb2e123bb9ef5fc818ace9f83c3c398d2d9ab78b80c224cdb7ba
SHA512

1cd0f0f5fdaaf3821063def6c724cb020bb0f27bf6ff71076618599c8dd58277f28a4e2a48b90aae753582b0c0828a0808f62e50f4d66a48669ae79adba9553b
SSDEEP

6291456:bGoPivGw61yf3wP4R2YJuclwDkAROad0+P7CwHcHC2:bbAwP40YJuclwgAROQ7e8cHC2

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2868	vcredist_x86_2015.exe
2884	vcredist_x86_2015.exe
2084	UnderverseBattles.exe
2308	UnderverseBattles.exe

Loads dropped DLL 64 IoCs

pid	Process
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe
1604	underversebattles.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 55 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UnderverseBattles\translate\en_us\fonts\font_determination.json	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\uk_ua\fonts\font_determination.json	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\zn_ch\info.json	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\en_us\fonts\font_console_mini.json	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\zn_ch\fonts\font_mini.ttf	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\audiogroup2.dat	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\en_us\fonts\font_determination.ttf	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\info.json	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\zn_ch\fonts\font_console_mini.json	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\netlog\netlog.n	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\zn_ch\fonts\font_determination.ttf	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\en_us\fonts\font_comic_sans.json	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\fonts\font_mini.json	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\uk_ua\fonts\font_console_mini.json	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\zn_ch\fonts\font_mini.json	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\system\data.json	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\zn_ch\fonts\font_comic_sans.ttf	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\NekoPresence_x64.dll	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\translate.json	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\uk_ua\translate.json	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\uk_ua\fonts\font_mini.json	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\zn_ch\fonts\font_comic_sans.json	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\license.txt	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\audiogroup3.dat	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\en_us\fonts\font_comic_sans.ttf	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\fonts\font_comic_sans.ttf	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\uk_ua\fonts\font_comic_sans.json	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\zn_ch\fonts\font_console_mini.ttf	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\zn_ch\fonts\font_determination.json	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\UnderverseBattles.exe	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\audiogroup1.dat	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\options.ini	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\en_us\info.json	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\fonts\font_determination.json	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\uk_ua\fonts\font_determination.ttf	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\zn_ch\fonts\README.txt	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\GMS-WinDev.dll	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\en_us\fonts\font_mini.json	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\fonts\font_mini.ttf	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\uk_ua\info.json	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\uk_ua\fonts\font_console_mini.ttf	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\data.win	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\en_us\fonts\font_console_mini.ttf	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\fonts\font_console_mini.json	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\Uninstall.exe	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\en_us\translate.json	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\uk_ua\fonts\font_comic_sans.ttf	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\fonts\font_console_mini.ttf	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\fonts\font_comic_sans.json	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\fonts\font_determination.ttf	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\uk_ua\fonts\font_mini.ttf	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\netlog\netlog.exe	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\en_us\fonts\font_mini.ttf	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\translate\zn_ch\translate.json	underversebattles.exe
File created	C:\Program Files (x86)\UnderverseBattles\gamepad_force_focus.dll	underversebattles.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2084	UnderverseBattles.exe
2084	UnderverseBattles.exe
2308	UnderverseBattles.exe
2308	UnderverseBattles.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 2868	1604	underversebattles.exe	31
PID 1604 wrote to memory of 2868	1604	underversebattles.exe	31
PID 1604 wrote to memory of 2868	1604	underversebattles.exe	31
PID 1604 wrote to memory of 2868	1604	underversebattles.exe	31
PID 1604 wrote to memory of 2868	1604	underversebattles.exe	31
PID 1604 wrote to memory of 2868	1604	underversebattles.exe	31
PID 1604 wrote to memory of 2868	1604	underversebattles.exe	31
PID 2868 wrote to memory of 2884	2868	vcredist_x86_2015.exe	32
PID 2868 wrote to memory of 2884	2868	vcredist_x86_2015.exe	32
PID 2868 wrote to memory of 2884	2868	vcredist_x86_2015.exe	32
PID 2868 wrote to memory of 2884	2868	vcredist_x86_2015.exe	32
PID 2868 wrote to memory of 2884	2868	vcredist_x86_2015.exe	32
PID 2868 wrote to memory of 2884	2868	vcredist_x86_2015.exe	32
PID 2868 wrote to memory of 2884	2868	vcredist_x86_2015.exe	32
PID 1604 wrote to memory of 2084	1604	underversebattles.exe	34
PID 1604 wrote to memory of 2084	1604	underversebattles.exe	34
PID 1604 wrote to memory of 2084	1604	underversebattles.exe	34
PID 1604 wrote to memory of 2084	1604	underversebattles.exe	34

C:\Users\Admin\AppData\Local\Temp\underversebattles.exe
"C:\Users\Admin\AppData\Local\Temp\underversebattles.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Local\Temp\vcredist_x86_2015.exe
  "C:\Users\Admin\AppData\Local\Temp\vcredist_x86_2015.exe" /quiet /norestart
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\vcredist_x86_2015.exe
    "C:\Users\Admin\AppData\Local\Temp\vcredist_x86_2015.exe" /quiet /norestart -burn.unelevated BurnPipe.{246A906E-B8AD-4CD0-A148-BBF95B1D03FE} {79EFA2AD-9C75-4401-9BC4-7F14C59BEADE} 2868
    3⤵
    - Executes dropped EXE
    PID:2884
- C:\Program Files (x86)\UnderverseBattles\UnderverseBattles.exe
  "C:\Program Files (x86)\UnderverseBattles\UnderverseBattles.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2084

C:\Program Files (x86)\UnderverseBattles\UnderverseBattles.exe
"C:\Program Files (x86)\UnderverseBattles\UnderverseBattles.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\UnderverseBattles\UnderverseBattles.exe

Filesize
11.8MB

MD5
99046feb2eaaacfc31797895bd3eaf00

SHA1
f39c66c46c2d506b01db36d3b9a0226418470906

SHA256
d8eb91a821585b3dc778222a7782515a5b404e59dd92a9988ccb1b1003f4e621

SHA512
de88ec355a37596488caefe6f6862743144b90ca9389118d52215d240e87e6452f8b317d125c7e9892e6e9f3ae8c5823e546fe6ca573358f6244e5182a021e81

Download Submit
C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\fonts\font_comic_sans.ttf

Filesize
25KB

MD5
53e3f42a94002ec4df11f5857d563a11

SHA1
0ffe54847b1973ab0d8888ac3c60874a6f323253

SHA256
d8663bf5c618a9f40d3bd2cc50f858e27e8c4de7bd5c4328a3f39fd498878783

SHA512
0f3d0bddd2985445b5c8e57a865497fb6f44b4ebcdf55cda403f24443448693f649a843eaf85bd84c2209a351074192dbc00012ae9da9760b48aa5f6ce1b66e7

Download Submit
C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\fonts\font_console_mini.ttf

Filesize
40KB

MD5
f4ef5cd6112a967e577eca75a306e34f

SHA1
565ae74944d0da553d2a8af0c5bf5dc617ccd63f

SHA256
22468549d3774cecec78c1ab0c40d4ce58d14cff6da4e2c4c8ffda5d0cf0b62c

SHA512
7c6da4b96c090e926afbef5de7c3deb011f72306a6c993e1cc9001d6a9a444c1068eb037a61914466d2604ecfe7c6cda6dd1ea0cb8b9e062de8bfb96438657f7

Download Submit
C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\fonts\font_mini.ttf

Filesize
27KB

MD5
5488476bafa26d8ab9a35e14a8501590

SHA1
46511b0bcc6d5a4ccaaf33d4144ec248623caecd

SHA256
fe272db84699b94c36882d2135e9e18909d61fc7080bade68f2570712d2173e3

SHA512
c92073bfd1a29c4751d91cca129b3d50eb5bf0ff5aae38fc698c239a5e4805c6c9b8c048d23159e2551f6202989a415983ba8071a7427d65dbb180c149a0829f

Download Submit
C:\Program Files (x86)\UnderverseBattles\translate\uk_ua\fonts\font_mini.json

Filesize
139B

MD5
5e41f013bf1b11a7360a37bdfb874cbe

SHA1
c57c5168960aedb0f94d0d8d552c54d51f57252a

SHA256
90d287e89a072757b75304fdaf2ccd8c13172ca88db3efba40979b315800b04a

SHA512
95feadeea52abb78c300d589e9d45e45666ab61934140fbc176f8e5a16711589b4ced29c42ae1a75c112a830906720ca6f641a80ca2103f92c78af9601c74be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyAEB7.tmp\ioSpecial.ini

Filesize
1KB

MD5
75e024a687ff1aa3f0c171e057a7d8d7

SHA1
887bc050c37b980591e4b72cda68f1d257a002c3

SHA256
888a1ba7ef78ecdf47b79c6cab836ad637e23cd862c0d6c76156360c45986fa0

SHA512
d8d4d844745f59bcb04c4723645cd1280e4ef9c931bbc5543f0dff88e9b279a0f415fd433af1b6dff0e59cf04549fb0cc4713e3189c4bc42e51e6e697deb9c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyAEB7.tmp\ioSpecial.ini

Filesize
1KB

MD5
ae1b242f054d3f6a2b19b2db856dd86a

SHA1
cb2f358cf9149f31dfd1b8026af2d2ee3c20145f

SHA256
8948ddd35888d16d90fe765dcc2c6d2ecf5358aba4e0923de079826219025487

SHA512
489812a6f12bd40ac394449d6c47e897e3028f4002a7f38aff3d51f83b449d35adb7d1ba97d016de37a22f9b202ebd85a76b9c42f72ba599679c8b9f3b42b034

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAEB7.tmp\InstallOptions.dll

Filesize
15KB

MD5
6f3098fb5f3db26f3bb84f5481109e39

SHA1
9270793e404cc42c6f5be1eb1eb4305f166c656d

SHA256
f90a0893c0b0ce2ae3f8bb65f383bf656ce33381d6cbac2b25a7d82b34fde9bd

SHA512
0462beae0fbd882dc0b6a09547a7959c051928b828e28125b433794de0258f90f3dec8f1920290f114970d2540a113224b8ab372fcee4dfe87f139be4ac0c0d1

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAEB7.tmp\System.dll

Filesize
12KB

MD5
ea00e2678e4679ba28b0f560baec9776

SHA1
f9b647b1ab50cc2de981757ac914a5787bccd95a

SHA256
60d4a86f65e141d4b6b778e5f448a0c818bd2fa28db7b9dabc1395d354b19cc5

SHA512
2ee7a4a0af955ba376c66d13e626ca135b2afd13277a006f523eb2fdc1133a12ea35b065a8c119843fbe82f89190cdb2b769329af14e4313a2419b739b27337a

Download Submit
memory/2084-613-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Filesize
64KB

Download