026d681fb89031b74ca874bac275cd435534ae066b43c8e51b04d9b82558339c

Analysis

max time kernel
291s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

2.6MB
MD5

b3d10c2ff044dbca8f0d15f03925b105
SHA1

2259255c190241f5a8e6e18c74bf2bb4724f7aa9
SHA256

3adecd3e1dc942ffefe7a429cceb774030b89b40a9c1556fdd20d54e7e9996d3
SHA512

7aff9b263f7b73e831ce3a6771f7cdd69cab96ea9b8304a0ee8362e1c2b737bdc0acc07b202bb84449d0160bbab9f628b7e1e24097babd09bfb52f4789323049
SSDEEP

49152:w73UUTfHju2BuppUDms0fOjKODCrWurHXqVbhu8gJ+7WmA7R:o3tazUFrKODCrWur6lI1mK

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3164	setup.tmp
4352	lzma2.exe

Loads dropped DLL 10 IoCs

pid	Process
3164	setup.tmp
3164	setup.tmp
3164	setup.tmp
3164	setup.tmp
3164	setup.tmp
3164	setup.tmp
3164	setup.tmp
3164	setup.tmp
3164	setup.tmp
4352	lzma2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Among Us\Among Us_Data\StreamingAssets\aa\Itch\StandaloneWindows\referencedatagroup_assets_all.bundle	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\sharedassets4.assets.resS	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data	setup.tmp
File created	C:\Program Files (x86)\Among Us\Among Us_Data\level0	setup.tmp
File created	C:\Program Files (x86)\Among Us\UnityPlayer.dll	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\sharedassets9.assets	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\il2cpp_data\Resources\Sentry.System.Reflection.Metadata.dll-resources.dat	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\il2cpp_data\etc\mono\2.0\settings.map	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\Resources	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\il2cpp_data\etc\mono\4.0	setup.tmp
File created	C:\Program Files (x86)\Among Us\is-GDC00.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\il2cpp_data\Resources\Sentry.System.Memory.dll-resources.dat	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\RuntimeInitializeOnLoads.json	setup.tmp
File created	C:\Program Files (x86)\Among Us\Among Us_Data\il2cpp_data\etc\mono\4.5\settings.map	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\sharedassets1.assets.resS	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\level3	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\level6	setup.tmp
File created	C:\Program Files (x86)\Among Us\Among Us_Data\il2cpp_data\Resources\Sentry.System.Text.Encodings.Web.dll-resources.dat	setup.tmp
File created	C:\Program Files (x86)\Among Us\Among Us_Data\Plugins\x86\steam_api.dll	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\StreamingAssets\aa\Itch\StandaloneWindows\2024_birthday_beans_assets_all.bundle	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\il2cpp_data\etc\mono\2.0\web.config	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\il2cpp_data\Resources\Sentry.System.Numerics.Vectors.dll-resources.dat	setup.tmp
File created	C:\Program Files (x86)\Among Us\Among Us_Data\ScriptingAssemblies.json	setup.tmp
File created	C:\Program Files (x86)\Among Us\Among Us_Data\sharedassets5.assets	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\sharedassets6.assets	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\sharedassets2.resource	setup.tmp
File created	C:\Program Files (x86)\Among Us\Among Us_Data\il2cpp_data\Resources\Sentry.System.Reflection.Metadata.dll-resources.dat	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\il2cpp_data\etc\mono\browscap.ini	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\il2cpp_data\etc\mono\2.0\Browsers	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\il2cpp_data\etc\mono\2.0\Browsers\Compat.browser	setup.tmp
File created	C:\Program Files (x86)\Among Us\Among Us_Data\il2cpp_data\Resources\Sentry.System.Text.Json.dll-resources.dat	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us.exe	setup.tmp
File created	C:\Program Files (x86)\Among Us\Among Us_Data\StreamingAssets\aa\Itch\StandaloneWindows\0e13d00f4e855a64ab6bfe6989b0ff98_unitybuiltinshaders.bundle	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\StreamingAssets\UnityServicesProjectConfiguration.json	setup.tmp
File created	C:\Program Files (x86)\Among Us\is-4LVRU.tmp	setup.tmp
File created	C:\Program Files (x86)\Among Us\Among Us_Data\StreamingAssets\CustomAssetPacksData.json	setup.tmp
File created	C:\Program Files (x86)\Among Us\Among Us_Data\il2cpp_data\etc\mono\4.5\DefaultWsdlHelpGenerator.aspx	setup.tmp
File created	C:\Program Files (x86)\Among Us\Among Us_Data\sharedassets7.assets	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\il2cpp_data\Resources\Sentry.System.Text.Encodings.Web.dll-resources.dat	setup.tmp
File created	C:\Program Files (x86)\Among Us\Among Us_Data\Plugins\x86\discord_game_sdk.dll	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\level0	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\level9	setup.tmp
File created	C:\Program Files (x86)\Among Us\Among Us_Data\StreamingAssets\aa\settings.json	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\sharedassets4.resource	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\il2cpp_data\etc\mono\4.5\settings.map	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\Plugins\x86\EOSSDK-Win32-Shipping.dll	setup.tmp
File created	C:\Program Files (x86)\Among Us\Among Us_Data\sharedassets8.assets.resS	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\sharedassets5.assets	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\StreamingAssets\aa\Itch\StandaloneWindows\referencedatagroup_assets_all.bundle	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\il2cpp_data\Resources\System.Data.dll-resources.dat	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\Plugins\x86\discord_game_sdk.dll	setup.tmp
File created	C:\Program Files (x86)\Among Us\Among Us_Data\il2cpp_data\Resources\Sentry.System.Numerics.Vectors.dll-resources.dat	setup.tmp
File created	C:\Program Files (x86)\Among Us\UnityCrashHandler32.exe	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\sharedassets6.resource	setup.tmp
File created	C:\Program Files (x86)\Among Us\Among Us_Data\sharedassets4.assets.resS	setup.tmp
File created	C:\Program Files (x86)\Among Us\Among Us_Data\resources.assets	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\sharedassets3.assets	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\StreamingAssets\aa\Itch\StandaloneWindows\initialcosmetics_assets_all.bundle	setup.tmp
File created	C:\Program Files (x86)\Among Us\Among Us_Data\il2cpp_data\etc\mono\2.0\machine.config	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\il2cpp_data\etc\mono\2.0\DefaultWsdlHelpGenerator.aspx	setup.tmp
File created	C:\Program Files (x86)\Among Us\Among Us_Data\boot.config	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\il2cpp_data\etc\mono\4.0\settings.map	setup.tmp
File opened for modification	C:\Program Files (x86)\Among Us\Among Us_Data\sharedassets4.assets	setup.tmp
File created	C:\Program Files (x86)\Among Us\GameAssembly.dll	setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lzma2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3164	setup.tmp
3164	setup.tmp

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	4352	lzma2.exe
Token: 35	4352	lzma2.exe
Token: SeSecurityPrivilege	4352	lzma2.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3164	setup.tmp
3164	setup.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 3164	3540	setup.exe	86
PID 3540 wrote to memory of 3164	3540	setup.exe	86
PID 3540 wrote to memory of 3164	3540	setup.exe	86
PID 3164 wrote to memory of 4352	3164	setup.tmp	94
PID 3164 wrote to memory of 4352	3164	setup.tmp	94
PID 3164 wrote to memory of 4352	3164	setup.tmp	94

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Users\Admin\AppData\Local\Temp\is-FS25U.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-FS25U.tmp\setup.tmp" /SL5="$802CA,2164130,699392,C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Users\Admin\AppData\Local\Temp\is-HATML.tmp\lzma2.exe
    lzma2 x -txz -mmt=6 -an -y -si -so
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Among Us\Among Us.exe

Filesize
626KB

MD5
254321c6fdf0b1de79aff77fa6ad825e

SHA1
1b48f9688e4703dba7b127c2bf4f40cabf341247

SHA256
2587aa207e251d7e35937e11e2cf3426ba933a0a36c4cc8b7289933678bd26df

SHA512
7625fc3b6a47d31abcb3142bbb7d03d21d5d52fbc71db337f5f29c137b3a5d20dd708c66b89ff930edf03bd290680c3b7ffe99e0496498236bfe0747ecdcdc90

Download Submit
C:\Program Files (x86)\Among Us\Among Us_Data\il2cpp_data\etc\mono\4.5\Browsers\Compat.browser

Filesize
1KB

MD5
0d831c1264b5b32a39fa347de368fe48

SHA1
187dff516f9448e63ea5078190b3347922c4b3eb

SHA256
8a1082057ac5681dcd4e9c227ed7fb8eb42ac1618963b5de3b65739dd77e2741

SHA512
4b7549eda1f8ed2c4533d056b62ca5030445393f9c6003e5ee47301ff7f44b4bd5022b74d54f571aa890b6e4593c6eded1a881500ac5ba2a720dc0ff280300af

Download Submit
C:\Program Files (x86)\Among Us\Among Us_Data\il2cpp_data\etc\mono\4.5\DefaultWsdlHelpGenerator.aspx

Filesize
59KB

MD5
f7be9f1841ff92f9d4040aed832e0c79

SHA1
b3e4b508aab3cf201c06892713b43ddb0c43b7ae

SHA256
751861040b69ea63a3827507b7c8da9c7f549dc181c1c8af4b7ca78cc97d710a

SHA512
380e97f7c17ee0fdf6177ed65f6e30de662a33a8a727d9f1874e9f26bd573434c3dedd655b47a21b998d32aaa72a0566df37e901fd6c618854039d5e0cbef3f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FS25U.tmp\setup.tmp

Filesize
2.0MB

MD5
f3859c35c8f976a387f8e93888e84bb8

SHA1
f9e499077b1e0850137723029a916e3b7d9f3bea

SHA256
b11dc9cedb88693a8fe5d5cb9893f4826f2a9a7d908c7be53dd71d829cdec3fe

SHA512
dc64d004592240ae2c4ec399498ea212241f5a5e35646f60bcfaa5e515559933fa7d70acbb4f898d05a831a2abf9c639976c0a146e1f52cab650d2501fa5c1cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HATML.tmp\7z.dll

Filesize
1.1MB

MD5
2b9774bab8d55d15b5ec3ca8144eb0ef

SHA1
eba7a2b35cbcf4fae45374c579ad6a7e1786c1d7

SHA256
aeaaf45f0233ecd10a32b8f4d9326f87dff13b57cccc4a3e461b56c15a322c59

SHA512
e1ead8caae090f9411cf6119a1c6572ac9e89200ba78d305f25cf105dc935710d52bb91a77b8a1157f9f023ad4056bd68792592eccf3d7ac1d9f0bd9d5034ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HATML.tmp\CLS-srep.dll

Filesize
90KB

MD5
e68c32297a0b144d13c0b5870ca8c8d8

SHA1
c58efb877ee8691900702faaf1e90e35d7b90cbb

SHA256
6954112104ba041d18760de5eb7e6825cc14cec98ff49939a587cc6b27908bd2

SHA512
2f7c36451ffd6ae7af29c003c6e03e954e478c44fa2ca13b6080b9ffbd44bb45a7e17149f9f72e2f18488d9cfeedff3c501bab24a336d6a62f43938b54dbc035

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HATML.tmp\CallbackCtrl.dll

Filesize
4KB

MD5
f07e819ba2e46a897cfabf816d7557b2

SHA1
8d5fd0a741dd3fd84650e40dd3928ae1f15323cc

SHA256
68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d

SHA512
7ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HATML.tmp\ISDone.dll

Filesize
452KB

MD5
4feafa8b5e8cdb349125c8af0ac43974

SHA1
7f17e5e1b088fc73690888b215962fbcd395c9bd

SHA256
bb8a0245dcc5c10a1c7181bad509b65959855009a8105863ef14f2bb5b38ac71

SHA512
d63984ee385b4f1eba8e590d6de4f082fb0121689295ec6e496539209459152465f6db09e6d8f92eec996a89fc40432077cbfa807beb2de7f375154fef6554bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HATML.tmp\WinTB.dll

Filesize
75KB

MD5
a2eee508e6a51c6335650532e05ac550

SHA1
8703fb138bb8443f17c0c24da7edd69b1f2660b1

SHA256
75fb2984e1b06f4278fb7b3c77e9fec84e02a3b4bf82d35120f8cbe7bdbc76bf

SHA512
14e1abea3109c17f1fbe6ec455593bf91ba1b811ea302806a83a97a96bf582f1c46e8fe635e1d8739c5c007298eabd41311e07e50961ec2084cf97bde0595370

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HATML.tmp\b2p.dll

Filesize
22KB

MD5
ab35386487b343e3e82dbd2671ff9dab

SHA1
03591d07aea3309b631a7d3a6e20a92653e199b8

SHA256
c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2

SHA512
b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HATML.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HATML.tmp\lzma2.exe

Filesize
296KB

MD5
5d520f61acf01ad5224a9d376ebef66d

SHA1
b3a956cee1421717d890c74fc44fafe7802b4268

SHA256
df773d36e15fffe4aacedddd765a716ddf477e2f6989f413e1a629ceba1a8666

SHA512
7f78ee8ca0f5019d6e5057271872490eb44f25839cdf76de46bd23d74576c79a1c66e7b3344c6862ade808b37195997c000b1133b46d24808fede93a50e94f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HATML.tmp\unarc.dll

Filesize
317KB

MD5
c8600ee0bad1cb2a899b792cb6c1869b

SHA1
2aab7be28ae6535eb9b0982ee44467751cc42cf3

SHA256
b670f7e828aeff88bbe6351bf3b0775af39adc1bfac3b84af4061a4c78ed174a

SHA512
ebc03d7ffec0ea3751e4e5a31dce1fd212f1ba31134712b022f15bba7d610f77fab02e7590a28528ff6219c0e3753b80ad6e985605b37fb70b56a7de243c4d11

Download Submit
memory/3164-44-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/3164-16-0x0000000003400000-0x0000000003477000-memory.dmp

Filesize
476KB

Download
memory/3164-42-0x00000000063A0000-0x00000000063AF000-memory.dmp

Filesize
60KB

Download
memory/3164-41-0x00000000734F0000-0x0000000073501000-memory.dmp

Filesize
68KB

Download
memory/3164-43-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/3164-291-0x0000000061080000-0x0000000061112000-memory.dmp

Filesize
584KB

Download
memory/3164-288-0x0000000003400000-0x0000000003477000-memory.dmp

Filesize
476KB

Download
memory/3164-37-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/3164-26-0x00000000734F0000-0x0000000073501000-memory.dmp

Filesize
68KB

Download
memory/3164-33-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/3164-69-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/3164-30-0x00000000063A0000-0x00000000063AF000-memory.dmp

Filesize
60KB

Download
memory/3164-73-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/3164-76-0x00000000063A0000-0x00000000063AF000-memory.dmp

Filesize
60KB

Download
memory/3164-74-0x0000000003400000-0x0000000003477000-memory.dmp

Filesize
476KB

Download
memory/3164-77-0x0000000061080000-0x0000000061112000-memory.dmp

Filesize
584KB

Download
memory/3164-40-0x0000000003400000-0x0000000003477000-memory.dmp

Filesize
476KB

Download
memory/3164-7-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/3164-285-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/3164-284-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/3540-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/3540-38-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3540-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download