Overview
- Overall score: 7

Tasks (task, platform, score)
- Static (static): 3
- underversebattles.exe (windows7-x64): 7
- underversebattles.exe (windows10-2004-x64): 7
- $PLUGINSDI...ns.dll (windows7-x64): 3
- $PLUGINSDI...ns.dll (windows10-2004-x64): 3
- $PLUGINSDI...em.dll (windows7-x64): 3
- $PLUGINSDI...em.dll (windows10-2004-x64): 3
- $TEMP/vcre...15.exe (windows7-x64): 7
- $TEMP/vcre...15.exe (windows10-2004-x64): 7
- GMS-WinDev.dll (windows7-x64): 1
- GMS-WinDev.dll (windows10-2004-x64): 1
- NekoPresence_x64.dll (windows7-x64): 1
- NekoPresence_x64.dll (windows10-2004-x64): 1
- UnderverseBattles.exe (windows7-x64): 1
- UnderverseBattles.exe (windows10-2004-x64): 1
- Uninstall.exe (windows7-x64): 7
- Uninstall.exe (windows10-2004-x64): 7
- $PLUGINSDI...ns.dll (windows7-x64): 3
- $PLUGINSDI...ns.dll (windows10-2004-x64): 3
- $PLUGINSDI...em.dll (windows7-x64): 3
- $PLUGINSDI...em.dll (windows10-2004-x64): 3
- gamepad_fo...us.dll (windows7-x64): 1
- gamepad_fo...us.dll (windows10-2004-x64): 1
- netlog/netlog.exe (windows7-x64): 1
- netlog/netlog.exe (windows10-2004-x64): 1

Analysis
- max time kernel: 78s
- max time network: 85s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 12/07/2024, 23:47
Tasks (task id: sample, resource)
- static1: static task
- behavioral1: underversebattles.exe, win7-20240704-en
- behavioral2: underversebattles.exe, win10v2004-20240709-en
- behavioral3: $PLUGINSDIR/InstallOptions.dll, win7-20240704-en
- behavioral4: $PLUGINSDIR/InstallOptions.dll, win10v2004-20240709-en
- behavioral5: $PLUGINSDIR/System.dll, win7-20240705-en
- behavioral6: $PLUGINSDIR/System.dll, win10v2004-20240709-en
- behavioral7: $TEMP/vcredist_x86_2015.exe, win7-20240704-en
- behavioral8: $TEMP/vcredist_x86_2015.exe, win10v2004-20240709-en
- behavioral9: GMS-WinDev.dll, win7-20240705-en
- behavioral10: GMS-WinDev.dll, win10v2004-20240709-en
- behavioral11: NekoPresence_x64.dll, win7-20240704-en
- behavioral12: NekoPresence_x64.dll, win10v2004-20240709-en
- behavioral13: UnderverseBattles.exe, win7-20240704-en
- behavioral14: UnderverseBattles.exe, win10v2004-20240709-en
- behavioral15: Uninstall.exe, win7-20240704-en
- behavioral16: Uninstall.exe, win10v2004-20240709-en
- behavioral17: $PLUGINSDIR/InstallOptions.dll, win7-20240705-en
- behavioral18: $PLUGINSDIR/InstallOptions.dll, win10v2004-20240709-en
- behavioral19: $PLUGINSDIR/System.dll, win7-20240708-en
- behavioral20: $PLUGINSDIR/System.dll, win10v2004-20240709-en
- behavioral21: gamepad_force_focus.dll, win7-20240705-en
- behavioral22: gamepad_force_focus.dll, win10v2004-20240709-en
- behavioral23: netlog/netlog.exe, win7-20240704-en
- behavioral24: netlog/netlog.exe, win10v2004-20240709-en
General
- Target: underversebattles.exe
- Size: 232.1MB
- MD5: 8f1b45fafe36e57782652523a563764f
- SHA1: 333d05376080eddc22aed18cc4fe20587e113127
- SHA256: ff4bacc28cf6eb2e123bb9ef5fc818ace9f83c3c398d2d9ab78b80c224cdb7ba
- SHA512: 1cd0f0f5fdaaf3821063def6c724cb020bb0f27bf6ff71076618599c8dd58277f28a4e2a48b90aae753582b0c0828a0808f62e50f4d66a48669ae79adba9553b
- SSDEEP: 6291456:bGoPivGw61yf3wP4R2YJuclwDkAROad0+P7CwHcHC2:bbAwP40YJuclwgAROQ7e8cHC2
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
pid Process
- 2868 vcredist_x86_2015.exe
- 2884 vcredist_x86_2015.exe
- 2084 UnderverseBattles.exe
- 2308 UnderverseBattles.exe
-
Loads dropped DLL 64 IoCs
pid Process
- 1604 underversebattles.exe (64 identical entries; every dropped DLL is loaded by the installer process)
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 55 IoCs
description ioc Process (all 55 entries: File created by underversebattles.exe)
- C:\Program Files (x86)\UnderverseBattles\translate\en_us\fonts\font_determination.json
- C:\Program Files (x86)\UnderverseBattles\translate\uk_ua\fonts\font_determination.json
- C:\Program Files (x86)\UnderverseBattles\translate\zn_ch\info.json
- C:\Program Files (x86)\UnderverseBattles\translate\en_us\fonts\font_console_mini.json
- C:\Program Files (x86)\UnderverseBattles\translate\zn_ch\fonts\font_mini.ttf
- C:\Program Files (x86)\UnderverseBattles\audiogroup2.dat
- C:\Program Files (x86)\UnderverseBattles\translate\en_us\fonts\font_determination.ttf
- C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\info.json
- C:\Program Files (x86)\UnderverseBattles\translate\zn_ch\fonts\font_console_mini.json
- C:\Program Files (x86)\UnderverseBattles\netlog\netlog.n
- C:\Program Files (x86)\UnderverseBattles\translate\zn_ch\fonts\font_determination.ttf
- C:\Program Files (x86)\UnderverseBattles\translate\en_us\fonts\font_comic_sans.json
- C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\fonts\font_mini.json
- C:\Program Files (x86)\UnderverseBattles\translate\uk_ua\fonts\font_console_mini.json
- C:\Program Files (x86)\UnderverseBattles\translate\zn_ch\fonts\font_mini.json
- C:\Program Files (x86)\UnderverseBattles\system\data.json
- C:\Program Files (x86)\UnderverseBattles\translate\zn_ch\fonts\font_comic_sans.ttf
- C:\Program Files (x86)\UnderverseBattles\NekoPresence_x64.dll
- C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\translate.json
- C:\Program Files (x86)\UnderverseBattles\translate\uk_ua\translate.json
- C:\Program Files (x86)\UnderverseBattles\translate\uk_ua\fonts\font_mini.json
- C:\Program Files (x86)\UnderverseBattles\translate\zn_ch\fonts\font_comic_sans.json
- C:\Program Files (x86)\UnderverseBattles\license.txt
- C:\Program Files (x86)\UnderverseBattles\audiogroup3.dat
- C:\Program Files (x86)\UnderverseBattles\translate\en_us\fonts\font_comic_sans.ttf
- C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\fonts\font_comic_sans.ttf
- C:\Program Files (x86)\UnderverseBattles\translate\uk_ua\fonts\font_comic_sans.json
- C:\Program Files (x86)\UnderverseBattles\translate\zn_ch\fonts\font_console_mini.ttf
- C:\Program Files (x86)\UnderverseBattles\translate\zn_ch\fonts\font_determination.json
- C:\Program Files (x86)\UnderverseBattles\UnderverseBattles.exe
- C:\Program Files (x86)\UnderverseBattles\audiogroup1.dat
- C:\Program Files (x86)\UnderverseBattles\options.ini
- C:\Program Files (x86)\UnderverseBattles\translate\en_us\info.json
- C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\fonts\font_determination.json
- C:\Program Files (x86)\UnderverseBattles\translate\uk_ua\fonts\font_determination.ttf
- C:\Program Files (x86)\UnderverseBattles\translate\zn_ch\fonts\README.txt
- C:\Program Files (x86)\UnderverseBattles\GMS-WinDev.dll
- C:\Program Files (x86)\UnderverseBattles\translate\en_us\fonts\font_mini.json
- C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\fonts\font_mini.ttf
- C:\Program Files (x86)\UnderverseBattles\translate\uk_ua\info.json
- C:\Program Files (x86)\UnderverseBattles\translate\uk_ua\fonts\font_console_mini.ttf
- C:\Program Files (x86)\UnderverseBattles\data.win
- C:\Program Files (x86)\UnderverseBattles\translate\en_us\fonts\font_console_mini.ttf
- C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\fonts\font_console_mini.json
- C:\Program Files (x86)\UnderverseBattles\Uninstall.exe
- C:\Program Files (x86)\UnderverseBattles\translate\en_us\translate.json
- C:\Program Files (x86)\UnderverseBattles\translate\uk_ua\fonts\font_comic_sans.ttf
- C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\fonts\font_console_mini.ttf
- C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\fonts\font_comic_sans.json
- C:\Program Files (x86)\UnderverseBattles\translate\ru_ru\fonts\font_determination.ttf
- C:\Program Files (x86)\UnderverseBattles\translate\uk_ua\fonts\font_mini.ttf
- C:\Program Files (x86)\UnderverseBattles\netlog\netlog.exe
- C:\Program Files (x86)\UnderverseBattles\translate\en_us\fonts\font_mini.ttf
- C:\Program Files (x86)\UnderverseBattles\translate\zn_ch\translate.json
- C:\Program Files (x86)\UnderverseBattles\gamepad_force_focus.dll
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
- 2084 UnderverseBattles.exe (2 entries)
- 2308 UnderverseBattles.exe (2 entries)
-
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target (18 rows, 3 distinct writer/target pairs)
- PID 1604 wrote to memory of 2868 (underversebattles.exe, procid_target 31): 7 rows
- PID 2868 wrote to memory of 2884 (vcredist_x86_2015.exe, procid_target 32): 7 rows
- PID 1604 wrote to memory of 2084 (underversebattles.exe, procid_target 34): 4 rows
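The WriteProcessMemory rows above are only meaningful next to the process tree: every target here (2868, 2884, 2084) is a direct child of the writer, which is what a plain CreateProcess spawn looks like in this view, and the 2868 to 2884 write matches the vcredist bootstrapper launching its companion process with the BurnPipe arguments shown in the Processes section. The script below is an added example, not part of the sandbox report or of the analysed installer: it parses rows copied from this page into structured records, dedupes the repeated writes, labels each write as a creation or a cross-process write against the parent/child edges transcribed from the Processes section, and summarises the dropped files by extension so the PE payloads can be pulled for further analysis. The row strings and the PROCESS_TREE mapping are constructed from the report; the regexes are this example's own.

```python
"""Turn flattened sandbox signature rows into structured IoCs.

Added example; not part of the sandbox report or of the analysed installer.
The sample rows below are copied from the report, and PROCESS_TREE is
transcribed from its Processes section (parent = the process one level up).
"""
import re
from collections import Counter

# Rows copied from the "Suspicious use of WriteProcessMemory" table (subset;
# the report repeats each row several times).
WPM_TABLE = (
    "PID 1604 wrote to memory of 2868 1604 underversebattles.exe 31 "
    "PID 1604 wrote to memory of 2868 1604 underversebattles.exe 31 "
    "PID 2868 wrote to memory of 2884 2868 vcredist_x86_2015.exe 32 "
    "PID 2868 wrote to memory of 2884 2868 vcredist_x86_2015.exe 32 "
    "PID 1604 wrote to memory of 2084 1604 underversebattles.exe 34"
)

# pid -> (image, parent pid), from the Processes section of the report.
PROCESS_TREE = {
    1604: ("underversebattles.exe", None),
    2868: ("vcredist_x86_2015.exe", 1604),
    2884: ("vcredist_x86_2015.exe", 2868),
    2084: ("UnderverseBattles.exe", 1604),
    2308: ("UnderverseBattles.exe", None),   # separate top-level launch
}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")


def parse_wpm(table):
    """Return distinct (writer_pid, target_pid, writer_image) triples.

    The sandbox logs one row per WriteProcessMemory call, and a plain process
    spawn already yields several identical rows, so repeats add no signal.
    """
    distinct = {}
    for writer, target, image in WPM_RE.findall(table):
        distinct.setdefault((int(writer), int(target)), image)
    return [(w, t, img) for (w, t), img in distinct.items()]


def classify_writes(writes, tree):
    """Label a write 'creation' if the writer is the target's parent (what
    CreateProcess looks like here), otherwise 'cross-process', the case
    that deserves a closer look for injection."""
    labels = {}
    for writer, target, _image in writes:
        parent = tree.get(target, (None, None))[1]
        labels[(writer, target)] = "creation" if parent == writer else "cross-process"
    return labels


# Rows copied from the "Drops file in Program Files directory" table (subset).
DROP_TABLE = (
    r"File created C:\Program Files (x86)\UnderverseBattles\data.win underversebattles.exe "
    r"File created C:\Program Files (x86)\UnderverseBattles\GMS-WinDev.dll underversebattles.exe "
    r"File created C:\Program Files (x86)\UnderverseBattles\netlog\netlog.exe underversebattles.exe "
    r"File created C:\Program Files (x86)\UnderverseBattles\translate\en_us\info.json underversebattles.exe"
)
# Paths contain spaces, so the path is matched lazily and the trailing token
# (the creating process image) must run up to the next row or the end.
DROP_RE = re.compile(r"File created (.+?) (\S+)(?= File created|$)")


def summarize_drops(table):
    """Count dropped files by extension and return the executable ones."""
    by_ext = Counter()
    executables = []
    for path, _image in DROP_RE.findall(table):
        name = path.rsplit("\\", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        by_ext[ext] += 1
        if ext in ("exe", "dll"):
            executables.append(path)
    return by_ext, executables


if __name__ == "__main__":
    for (w, t), label in classify_writes(parse_wpm(WPM_TABLE), PROCESS_TREE).items():
        print(f"{w} -> {t}: {label}")
    counts, pe_files = summarize_drops(DROP_TABLE)
    print(dict(counts), pe_files)
```

Feeding the full tables from a report through the same two regexes gives the complete picture; a write whose target is not a child of the writer is the one worth opening the process's memory for.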
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\underversebattles.exe (PID 1604)
  Command line: "C:\Users\Admin\AppData\Local\Temp\underversebattles.exe"
  Signatures: Loads dropped DLL; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\vcredist_x86_2015.exe (PID 2868)
    Command line: "C:\Users\Admin\AppData\Local\Temp\vcredist_x86_2015.exe" /quiet /norestart
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\vcredist_x86_2015.exe (PID 2884)
      Command line: "C:\Users\Admin\AppData\Local\Temp\vcredist_x86_2015.exe" /quiet /norestart -burn.unelevated BurnPipe.{246A906E-B8AD-4CD0-A148-BBF95B1D03FE} {79EFA2AD-9C75-4401-9BC4-7F14C59BEADE} 2868
      Signatures: Executes dropped EXE
  - [2] C:\Program Files (x86)\UnderverseBattles\UnderverseBattles.exe (PID 2084)
    Command line: "C:\Program Files (x86)\UnderverseBattles\UnderverseBattles.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
- [1] C:\Program Files (x86)\UnderverseBattles\UnderverseBattles.exe (PID 2308)
  Command line: "C:\Program Files (x86)\UnderverseBattles\UnderverseBattles.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 11.8MB
  MD5: 99046feb2eaaacfc31797895bd3eaf00
  SHA1: f39c66c46c2d506b01db36d3b9a0226418470906
  SHA256: d8eb91a821585b3dc778222a7782515a5b404e59dd92a9988ccb1b1003f4e621
  SHA512: de88ec355a37596488caefe6f6862743144b90ca9389118d52215d240e87e6452f8b317d125c7e9892e6e9f3ae8c5823e546fe6ca573358f6244e5182a021e81
- Filesize: 25KB
  MD5: 53e3f42a94002ec4df11f5857d563a11
  SHA1: 0ffe54847b1973ab0d8888ac3c60874a6f323253
  SHA256: d8663bf5c618a9f40d3bd2cc50f858e27e8c4de7bd5c4328a3f39fd498878783
  SHA512: 0f3d0bddd2985445b5c8e57a865497fb6f44b4ebcdf55cda403f24443448693f649a843eaf85bd84c2209a351074192dbc00012ae9da9760b48aa5f6ce1b66e7
- Filesize: 40KB
  MD5: f4ef5cd6112a967e577eca75a306e34f
  SHA1: 565ae74944d0da553d2a8af0c5bf5dc617ccd63f
  SHA256: 22468549d3774cecec78c1ab0c40d4ce58d14cff6da4e2c4c8ffda5d0cf0b62c
  SHA512: 7c6da4b96c090e926afbef5de7c3deb011f72306a6c993e1cc9001d6a9a444c1068eb037a61914466d2604ecfe7c6cda6dd1ea0cb8b9e062de8bfb96438657f7
- Filesize: 27KB
  MD5: 5488476bafa26d8ab9a35e14a8501590
  SHA1: 46511b0bcc6d5a4ccaaf33d4144ec248623caecd
  SHA256: fe272db84699b94c36882d2135e9e18909d61fc7080bade68f2570712d2173e3
  SHA512: c92073bfd1a29c4751d91cca129b3d50eb5bf0ff5aae38fc698c239a5e4805c6c9b8c048d23159e2551f6202989a415983ba8071a7427d65dbb180c149a0829f
- Filesize: 139B
  MD5: 5e41f013bf1b11a7360a37bdfb874cbe
  SHA1: c57c5168960aedb0f94d0d8d552c54d51f57252a
  SHA256: 90d287e89a072757b75304fdaf2ccd8c13172ca88db3efba40979b315800b04a
  SHA512: 95feadeea52abb78c300d589e9d45e45666ab61934140fbc176f8e5a16711589b4ced29c42ae1a75c112a830906720ca6f641a80ca2103f92c78af9601c74be6
- Filesize: 1KB
  MD5: 75e024a687ff1aa3f0c171e057a7d8d7
  SHA1: 887bc050c37b980591e4b72cda68f1d257a002c3
  SHA256: 888a1ba7ef78ecdf47b79c6cab836ad637e23cd862c0d6c76156360c45986fa0
  SHA512: d8d4d844745f59bcb04c4723645cd1280e4ef9c931bbc5543f0dff88e9b279a0f415fd433af1b6dff0e59cf04549fb0cc4713e3189c4bc42e51e6e697deb9c9f
- Filesize: 1KB
  MD5: ae1b242f054d3f6a2b19b2db856dd86a
  SHA1: cb2f358cf9149f31dfd1b8026af2d2ee3c20145f
  SHA256: 8948ddd35888d16d90fe765dcc2c6d2ecf5358aba4e0923de079826219025487
  SHA512: 489812a6f12bd40ac394449d6c47e897e3028f4002a7f38aff3d51f83b449d35adb7d1ba97d016de37a22f9b202ebd85a76b9c42f72ba599679c8b9f3b42b034
- Filesize: 1KB
  MD5: d6bd210f227442b3362493d046cea233
  SHA1: ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
  SHA256: 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
  SHA512: 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
- Filesize: 15KB
  MD5: 6f3098fb5f3db26f3bb84f5481109e39
  SHA1: 9270793e404cc42c6f5be1eb1eb4305f166c656d
  SHA256: f90a0893c0b0ce2ae3f8bb65f383bf656ce33381d6cbac2b25a7d82b34fde9bd
  SHA512: 0462beae0fbd882dc0b6a09547a7959c051928b828e28125b433794de0258f90f3dec8f1920290f114970d2540a113224b8ab372fcee4dfe87f139be4ac0c0d1
- Filesize: 12KB
  MD5: ea00e2678e4679ba28b0f560baec9776
  SHA1: f9b647b1ab50cc2de981757ac914a5787bccd95a
  SHA256: 60d4a86f65e141d4b6b778e5f448a0c818bd2fa28db7b9dabc1395d354b19cc5
  SHA512: 2ee7a4a0af955ba376c66d13e626ca135b2afd13277a006f523eb2fdc1133a12ea35b065a8c119843fbe82f89190cdb2b769329af14e4313a2419b739b27337a
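The hash records above are only useful if a local copy of an artifact can be checked against them without a transcription slip going unnoticed. The script below is an added example, not part of the sandbox report: it parses a record in either the fused form an HTML scrape tends to leave ("MD5<hex>") or the spaced form, rejects digests of the wrong length for their algorithm, and computes the same four digests for a byte string or a streamed file so the two can be compared. The RAW_RECORD text is the first Downloads entry above, copied in fused form; the function names are this example's own.

```python
"""Parse report hash records and compare them with a local copy.

Added example; not part of the sandbox report. RAW_RECORD is the first
Downloads entry above, copied with each key run into its hex value.
"""
import hashlib
import re

RAW_RECORD = """Filesize
11.8MB
MD599046feb2eaaacfc31797895bd3eaf00
SHA1f39c66c46c2d506b01db36d3b9a0226418470906
SHA256d8eb91a821585b3dc778222a7782515a5b404e59dd92a9988ccb1b1003f4e621
SHA512de88ec355a37596488caefe6f6862743144b90ca9389118d52215d240e87e6452f8b317d125c7e9892e6e9f3ae8c5823e546fe6ca573358f6244e5182a021e81"""

# Expected hex-digest length per algorithm; anything else is a copy error.
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Accepts "MD5<hex>", "MD5 <hex>" and "MD5: <hex>".
FIELD_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*:?\s*([0-9a-fA-F]+)$")


def parse_record(text):
    """Return {algo: hex} for the hash lines in text, validating lengths."""
    record = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        algo, digest = m.group(1).lower(), m.group(2).lower()
        if len(digest) != DIGEST_LEN[algo]:
            raise ValueError(f"{algo}: {len(digest)} hex chars, expected {DIGEST_LEN[algo]}")
        record[algo] = digest
    return record


def hashes_of(data):
    """All four digests of a byte string, keyed like parse_record's output."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in DIGEST_LEN}


def hashes_of_file(path, chunk=1 << 20):
    """Same digests for a file, streamed so a 232 MB installer fits in memory."""
    hashers = {algo: hashlib.new(algo) for algo in DIGEST_LEN}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def matches(record, computed):
    """Per-algorithm comparison over the algorithms the record carries."""
    return {algo: record[algo] == computed.get(algo) for algo in record}


if __name__ == "__main__":
    expected = parse_record(RAW_RECORD)
    print(matches(expected, hashes_of(b"")))   # all False: empty input is not the artifact
```

Comparing all four digests rather than only MD5 costs nothing and means a single mistyped character in any one line shows up as a mismatch on that line alone.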