40e87b453eee20b6c010483bd7dfb0372e5d1ed8baa196826c13f3bfab8276c9

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-es
resource tags

arch:x64arch:x86image:win7-20240903-eslocale:es-esos:windows7-x64systemwindows
submitted
07/09/2024, 18:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Tibia_Setup_Simple.exe
Size

7.9MB
MD5

8b702fbcc70c15ac482c8a352c8d6f66
SHA1

911b03be0c5b05efbb30cc43985e5990f589de9d
SHA256

40e87b453eee20b6c010483bd7dfb0372e5d1ed8baa196826c13f3bfab8276c9
SHA512

e5ebcaae0faef674599cc9a34b6ba1ee911ca4c016caeea64e0163571c3649b160773b89ca3939470900c52624a9943b2a6a89df4b52d6f2530b67c947e868e6
SSDEEP

196608:X3BmbNwNPsVWG1rmMrlfIx77D6F9vvCp57x4G+4ZR+v:obNoE/p5E6F4p/U4ZR+

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000017409-32.dat	acprotect

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000017409-32.dat	upx
behavioral1/memory/2840-33-0x0000000074CC0000-0x0000000074CCA000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 1 IoCs

pid	Process
1176	Tibia.exe

Loads dropped DLL 21 IoCs

pid	Process
2840	Tibia_Setup_Simple.exe
2840	Tibia_Setup_Simple.exe
2840	Tibia_Setup_Simple.exe
2840	Tibia_Setup_Simple.exe
2840	Tibia_Setup_Simple.exe
2840	Tibia_Setup_Simple.exe
1176	Tibia.exe
1176	Tibia.exe
1176	Tibia.exe
1176	Tibia.exe
1176	Tibia.exe
1176	Tibia.exe
1176	Tibia.exe
1176	Tibia.exe
1176	Tibia.exe
1176	Tibia.exe
1176	Tibia.exe
1176	Tibia.exe
1176	Tibia.exe
1176	Tibia.exe
1176	Tibia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tibia_Setup_Simple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tibia.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0006000000016d3f-67.dat	nsis_installer_1
behavioral1/files/0x0006000000016d3f-67.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 30 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Tibia.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\4\	Tibia.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\5\	Tibia.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\5\~MHz	Tibia.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\	Tibia.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\6\	Tibia.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Tibia.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Tibia.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\6	Tibia.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\6\~MHz	Tibia.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	Tibia.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Tibia.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2\~MHz	Tibia.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3\~MHz	Tibia.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\5	Tibia.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\4\~MHz	Tibia.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\6\	Tibia.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\7\	Tibia.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2\	Tibia.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3\	Tibia.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3\	Tibia.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3	Tibia.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\7\~MHz	Tibia.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Tibia.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\5\	Tibia.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2\	Tibia.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\4\	Tibia.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\4	Tibia.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\7\	Tibia.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\7	Tibia.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1176	Tibia.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 1176	2840	Tibia_Setup_Simple.exe	31
PID 2840 wrote to memory of 1176	2840	Tibia_Setup_Simple.exe	31
PID 2840 wrote to memory of 1176	2840	Tibia_Setup_Simple.exe	31
PID 2840 wrote to memory of 1176	2840	Tibia_Setup_Simple.exe	31

C:\Users\Admin\AppData\Local\Temp\Tibia_Setup_Simple.exe
"C:\Users\Admin\AppData\Local\Temp\Tibia_Setup_Simple.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Users\Admin\AppData\Local\Tibia\Tibia.exe
  "C:\Users\Admin\AppData\Local\Tibia\Tibia.exe" --first-launch
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: AddClipboardFormatListener
  PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Tibia\Qt5Core.dll

Filesize
7.3MB

MD5
8923198a05d9233203e5dbe4b4f9947f

SHA1
8878aeaf14d75f326e2d53c57a366321705bc6da

SHA256
b9bb14b87cdcf9292f11948f35e0079bc3b1294b70a1d7f7beea0cd05a3c4cb9

SHA512
9629fbae2675d9efb3e14d70c2fa8682f41527ea60a79467a323a185346b023ba7280bf4c6b2fa2ceee1b38ccdfd0060c68fdd911e82970d66f3a6acd4e69966

Download Submit
C:\Users\Admin\AppData\Local\Tibia\Qt5Gui.dll

Filesize
5.8MB

MD5
9ff2a60082ec4801a1d996eb81b74317

SHA1
f6e6301a95717377f0ba7af3c55f81e4567dee73

SHA256
4a758347a63fe37770dc397c2947331839dbd51bbec52015cd5cbef6a25755fe

SHA512
6f8aad10b7585b248bfb3c79679c5db10678a4ae928b529b924bd5595362910fd6879286b387847002ceea6f80901a32770693edd3542526c984d81aa9f7fcdd

Download Submit
C:\Users\Admin\AppData\Local\Tibia\Qt5Network.dll

Filesize
1.0MB

MD5
68f3cc58a16f5e2706909fb54004d9cc

SHA1
be3778a446b4bb294955a8ce10f2064c51652d3b

SHA256
6d544be49f026e26c1b766f3beb39e0e167e4da7fdcc6c1106ef1e2d21b8c318

SHA512
5d371464e0e04db180f1f809073cef3e4b00cff0d80e015506067ede74d59a4126a5cad921704dc14cd90acf55206744ca31a14512ea67f1736699f802d8d2e2

Download Submit
C:\Users\Admin\AppData\Local\Tibia\Qt5Widgets.dll

Filesize
4.4MB

MD5
97d16dfa4188d32bf903ccde151bce11

SHA1
1aeaeed2ed5fc2511cc667e6aec99823387f40a2

SHA256
7c9bf02af7c9d901f8e33f6a286d1282fa8eec8b3630f35de461fdd638a2bcfc

SHA512
f021d42a1eaede7b1cfe409c0d57a7504e76a426faa645c8702d09b75f1a21605fc346188c72baab348066c8564403159e5ddc09c9a2a55acd18162ed5ce1b34

Download Submit
C:\Users\Admin\AppData\Local\Tibia\VCRUNTIME140.dll

Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
C:\Users\Admin\AppData\Local\Tibia\imageformats\qgif.dll

Filesize
36KB

MD5
d46a94990ef205ce91720924e9825498

SHA1
709016f760fbff9e49cb4236487397a702be09b8

SHA256
081299a41cf833ee10db061357b0c061b67fc15aec925b403e931b7fc1ecc330

SHA512
a2155617bb2c12f43a0f04d08ab5380694185f7b1b459fb974b7c1a8702972089b1cb0b0a978c670028fac2c5ad36fe47ad0d547baecd2b81aa25e4f8e5f81eb

Download Submit
C:\Users\Admin\AppData\Local\Tibia\imageformats\qjpeg.dll

Filesize
376KB

MD5
b120d7be4eef3c363d51c8edaa943583

SHA1
bbbe0707efe4d9d723c86fb1f078fae3d5f317ea

SHA256
2ec569b087f6218b9fbdc19315660b9c7e3cff4a11f72ec9b1c0cd5f3344e71a

SHA512
e0db54fe5ac9b6b525c86d93e85d96d0cf16cc4d348f6971d3af83fd85d134b6ac69785ca6a39fafe55bab9637c09da73f898cb2880889e8b5f769b303faabe8

Download Submit
C:\Users\Admin\AppData\Local\Tibia\qt.conf

Filesize
69B

MD5
96ed3f7cd448b79056031714f72e67a6

SHA1
09a62796a2d657fe2669da81d413572b1d198d96

SHA256
7a14fe122d0903f3bbfc1359241cffc456b0355b61036e7dc7a837942934203f

SHA512
8d3590618b54b0e977218f865659dc2d1f40923d22f6aa89c5cb51e04c36d93381c9963974b122d90cae4e8d502849dce34221134cec6813032044d58cb3a4e0

Download Submit
C:\Users\Admin\AppData\Local\Tibia\uninst.exe

Filesize
123KB

MD5
b2df6b0a77d1d9a6a462fdc5c07160ab

SHA1
042f545259fc752337bd841c2a6e543480780bf1

SHA256
06f9764eb7de3d2066a5205e86578db84b38948744eaadf715e5d43afe05216f

SHA512
47be8f6443b3bd46d4943b4c4163246230c41e0812a6018181e9e8d850a889128220191fa033135b331aa4e256a7c7fdd2875cd88db672a201b4394f5231a976

Download Submit
\Users\Admin\AppData\Local\Temp\nso62EA.tmp\AccessControl.dll

Filesize
8KB

MD5
9f1a88b953fd2a2c23b09703b253186c

SHA1
29d5a5a24e7f782a07e9f5d2ec1d1a6218fec737

SHA256
8a8f5bafc105186c85f14e017ab6da33ae8f88a9635e51756f90b6d95381d80d

SHA512
10b3a812c92b7324bddcd23adf923fcaec2532f31bdd9fbf17494fc33f99aa0a0a48b94f1fdd6599fa0189567626a90b324a1d132bf9cb8b00a6afc547e64018

Download Submit
\Users\Admin\AppData\Local\Temp\nso62EA.tmp\System.dll

Filesize
11KB

MD5
b0c77267f13b2f87c084fd86ef51ccfc

SHA1
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

SHA512
f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Download Submit
\Users\Admin\AppData\Local\Tibia\Qt5Concurrent.dll

Filesize
32KB

MD5
1448b511e992ec0566a5ff1621d9feea

SHA1
3527a082a262325a7d5209fe21456ba31e015aaa

SHA256
9db7db876d8f82a76e7a738b06436d5f8d1cf8a8d2444722ba69d9d8fac830ee

SHA512
034e03753a6b8b8f3340a44e5d9b22bb6ebe90c2fd72637461eb897f3a19b45b4e03fd88b744ded4e71b6cd2de72c40fd83db6a330e5a2b9ffdcaa819b372187

Download Submit
\Users\Admin\AppData\Local\Tibia\Tibia.exe

Filesize
1.1MB

MD5
fb8153cbd14cd6cfb0ed21f7977b67d1

SHA1
62610d29dcc5fe15182cc856dc0d193fb24ecbd9

SHA256
8948564045b6b087c1accc950f08f15067f730bf4935761e62746148286641c5

SHA512
322dda1f587de85846920c972cfaf76af1900d4a6ffff63036a2e3feccdc8c171f1ccaa885f5f3af7672fdde293be07212edba7f2224d2b061292bb223ed7ed6

Download Submit
\Users\Admin\AppData\Local\Tibia\libcrypto-1_1.dll

Filesize
2.4MB

MD5
5edf3d7bfc0330faf3d342ee76acd11b

SHA1
58d571f94fb7932b38bbad7e95ce5f830bcc3b4a

SHA256
f670ae0edf0df35696158c19bd21041950f27ad349ad08699735c288a930e2aa

SHA512
f453413675a4d683096c4202f390bfe88b41eb855cc7f8662bbc6341263c8d0d614d19c3106d5231f78943673ec606ed9e3d6076c39d95ee533c8fd96f542fc3

Download Submit
\Users\Admin\AppData\Local\Tibia\libssl-1_1.dll

Filesize
532KB

MD5
5e8c9a9bf8ed5c13c14908a94cb03217

SHA1
8c33b376c266f3b11c12c7d561bf989ec7eb0cc1

SHA256
092ee1480768a92eaacd920bc7dd0cd2f0a11619ecf8867869545f3a4dff3d09

SHA512
24695e0d669736053d5916071ab3d3e2850b8ff27151ca00cfdacd594eff3c3ebce91e4e37d1db280a42f7feff52d9e90508c014325d2ea6008f1cbadcd458d0

Download Submit
\Users\Admin\AppData\Local\Tibia\msvcp140.dll

Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
\Users\Admin\AppData\Local\Tibia\msvcp140_1.dll

Filesize
20KB

MD5
c946a9e4170f6b16d25c822da616dc6a

SHA1
f602d23db756f9c3a058d3b7186d24480e05790f

SHA256
65bdadb5562b9473471740b1dcd8b064459a40d71a1a11fc5aedaa855fe7635a

SHA512
916cad8b1e38b2b15ab836844c5cc9d36b212831b2f553198054fe9cb5cd77aecd544cac8040000337cefda9b15bf95e8903f36a9c1beb7d579cfff670445617

Download Submit
\Users\Admin\AppData\Local\Tibia\platforms\qwindows.dll

Filesize
1.2MB

MD5
a263b96ef59045a05fcd7005e1ba6021

SHA1
4176840616d1975e2333e79b9c6ab2e4370e5d0c

SHA256
26743f97a6a79a3f05d3b68455a8be02be16280ce39396ae6b192eb7cc5f3d60

SHA512
cfb78561dd98d29ed214007c8abdcb2d3fd2e94a567fda57949cf89602aa9c6ecd70aa463aa85b3e962d859b296e96c2513aeb5cb8cf1ea52f145c1ff9b2341e

Download Submit
\Users\Admin\AppData\Local\Tibia\styles\qwindowsvistastyle.dll

Filesize
133KB

MD5
c51d89dd9410cde25dc17112b169cd85

SHA1
685d202312a697c99acae369cdaa5b817de281ea

SHA256
a9d4c1f60d03439c17db00eaf5f011385f4581359af38139386e51b96fd61f1e

SHA512
02660a8dcdd864b9b735bc05297064ebf32fcc3461e8b637a22b04f260dd7fa6e579ce9ae4229112f3867cbfd224bafc5ff3505dae688a3b43b3bd94073ea57b

Download Submit
memory/1176-119-0x0000000001EC0000-0x0000000001ECA000-memory.dmp

Filesize
40KB

Download
memory/1176-120-0x0000000001EC0000-0x0000000001ECA000-memory.dmp

Filesize
40KB

Download
memory/1176-360-0x0000000001F00000-0x0000000001F0A000-memory.dmp

Filesize
40KB

Download
memory/1176-116-0x0000000001EB0000-0x0000000001EBA000-memory.dmp

Filesize
40KB

Download
memory/1176-117-0x0000000001EB0000-0x0000000001EBA000-memory.dmp

Filesize
40KB

Download
memory/1176-122-0x0000000001EC0000-0x0000000001ECA000-memory.dmp

Filesize
40KB

Download
memory/1176-121-0x0000000001EC0000-0x0000000001ECA000-memory.dmp

Filesize
40KB

Download
memory/1176-280-0x0000000001EC0000-0x0000000001ECA000-memory.dmp

Filesize
40KB

Download
memory/1176-103-0x00000000001D0000-0x00000000001E0000-memory.dmp

Filesize
64KB

Download
memory/1176-123-0x0000000001F00000-0x0000000001F0A000-memory.dmp

Filesize
40KB

Download
memory/1176-168-0x0000000001EB0000-0x0000000001EBA000-memory.dmp

Filesize
40KB

Download
memory/1176-169-0x0000000001EB0000-0x0000000001EBA000-memory.dmp

Filesize
40KB

Download
memory/2840-86-0x0000000074CC0000-0x0000000074CC9000-memory.dmp

Filesize
36KB

Download
memory/2840-33-0x0000000074CC0000-0x0000000074CCA000-memory.dmp

Filesize
40KB

Download