7e91f09bc83a25007caf1338e87a39ac6116dde653b2326abf479089eb2d8ed3

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

1.5MB
MD5

98fd9df65b347689f7b9b500ccef1e4f
SHA1

c1d7bdbc6616d659364213aef124b71f26ad241c
SHA256

7e91f09bc83a25007caf1338e87a39ac6116dde653b2326abf479089eb2d8ed3
SHA512

fef905ba6e7ce512ee3cdcfd61bb787ad778b752eb4218d16ca5a3d4ab44f25bd364195f83d715b2b29dc6936de8dc3b69b6984d741891329eab54da0ac7331f
SSDEEP

24576:sMjh/JxOSFHdbA5JDtoyHaBIX2GG8kHQBiF3vwQsFwhpZY7Qp1y/PnqTyI:PdOS/oDto4aK7Jro9ovFw+7Q/qqGI

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2292	setup.tmp
1376	unins000.exe
1856	_iu14D2N.tmp

Loads dropped DLL 11 IoCs

pid	Process
2724	setup.exe
2292	setup.tmp
2292	setup.tmp
2292	setup.tmp
2292	setup.tmp
2292	setup.tmp
2292	setup.tmp
2292	setup.tmp
1376	unins000.exe
1856	_iu14D2N.tmp
1856	_iu14D2N.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unins000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_iu14D2N.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2292	setup.tmp
2292	setup.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2292	setup.tmp
1856	_iu14D2N.tmp

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2292	2724	setup.exe	30
PID 2724 wrote to memory of 2292	2724	setup.exe	30
PID 2724 wrote to memory of 2292	2724	setup.exe	30
PID 2724 wrote to memory of 2292	2724	setup.exe	30
PID 2724 wrote to memory of 2292	2724	setup.exe	30
PID 2724 wrote to memory of 2292	2724	setup.exe	30
PID 2724 wrote to memory of 2292	2724	setup.exe	30
PID 2292 wrote to memory of 1376	2292	setup.tmp	31
PID 2292 wrote to memory of 1376	2292	setup.tmp	31
PID 2292 wrote to memory of 1376	2292	setup.tmp	31
PID 2292 wrote to memory of 1376	2292	setup.tmp	31
PID 2292 wrote to memory of 1376	2292	setup.tmp	31
PID 2292 wrote to memory of 1376	2292	setup.tmp	31
PID 2292 wrote to memory of 1376	2292	setup.tmp	31
PID 1376 wrote to memory of 1856	1376	unins000.exe	33
PID 1376 wrote to memory of 1856	1376	unins000.exe	33
PID 1376 wrote to memory of 1856	1376	unins000.exe	33
PID 1376 wrote to memory of 1856	1376	unins000.exe	33
PID 1376 wrote to memory of 1856	1376	unins000.exe	33
PID 1376 wrote to memory of 1856	1376	unins000.exe	33
PID 1376 wrote to memory of 1856	1376	unins000.exe	33

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Users\Admin\AppData\Local\Temp\is-1Q3J6.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1Q3J6.tmp\setup.tmp" /SL5="$5014E,1047734,152064,C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Lethal Company\unins000.exe
    "C:\Lethal Company\unins000.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
      "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Lethal Company\unins000.exe" /FIRSTPHASEWND=$4017A /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Lethal Company\FreeTP.Org.url

Filesize
45B

MD5
69a62507139452e5b5f1826996482a8e

SHA1
3ff9b7aa788ebfcebe743120692944b4eae7e274

SHA256
c7b1e51a4b8c5eccc5bc4f47d1fe0dd3bdff13afb34aed209754d7300025b00c

SHA512
ee2447d7a0c2c86cddfe24b362632a941025064c15d5263616f8499f3eb20d91911751ad3d96c7d8ce7f4b9cda202b4e4925afbf30fc23b57efb8783c5c5c627

Download Submit
C:\Lethal Company\ReadMe - Как играть по сети.url

Filesize
55B

MD5
35ce730f728fc1f32e14384abcf625e5

SHA1
cb9e92dcd4e2ae573fc18ca87204d0cd579cf9fd

SHA256
27a8bb6957b834a5a17f7ca9c8ac49896d0621f4fcee796d838cbb787e58a840

SHA512
f28b07d3bdb95e56bdae312537ebf113c7f741f1ee6fbda3221b3ebb99d2f93b7ac36375556ab7dfaf2e58f0005559937e85adb533e5220c290c1c24506b3337

Download Submit
C:\Lethal Company\favicon.ico

Filesize
15KB

MD5
b32f6c0c2f5f52faa59069d1c17844b3

SHA1
0906b72a709a2070c14ad20d2feb0fac864a830a

SHA256
0344024fa74bd58cabd5083066b79ff2fa9efee380f5c1fb456f07e1c86646c8

SHA512
5d7f26c43dd1f53e38d0127c3468929b8d6ca9bd4555a29bee2c891cfb97c143949a0e5d9763273b24fb71fe40bd91b783c26ad0d7616d4e2c59648f2b9e493c

Download Submit
C:\Lethal Company\unins000.dat

Filesize
53KB

MD5
7c8950565add448c48c690e877bf738e

SHA1
d5454c758ee9ffeadb49eda2ecc6d30ad81146af

SHA256
8fafbe80f7a528b03e5f98a31bf805a60dab114a0d26e82fb818f99a7d349a40

SHA512
bf097ebe0279edeebbe1fd983961ab8f1a3c36b9c48d2f8239249b67cdcc7b2c1abd2926df21d420775205bf15d607c4bd8d2dd170963f67997eca7af52da0cb

Download Submit
C:\Users\Admin\Desktop\Lethal Company.lnk

Filesize
1KB

MD5
902c1948622e4aca16b029571bd4e0f6

SHA1
0b66e7ebc09e1b6e1fc41c0d0b9204f31090b888

SHA256
06f2a764a728fa99df45bb3d8cc8712e3ddc99ecc53cf6f6cacc86fef58df342

SHA512
e299e9d9273322479aaf9dc97155cc233f724ab431d94a6df95b47d0b69f17a8f22aa7194de3a80810ebc15bd964e6796e1924c2cd5740ceab5f1b70a4ee3483

Download Submit
C:\Users\Admin\Desktop\Игры по сети.lnk

Filesize
1KB

MD5
ae0e7c86d196a532e50915fdda02d736

SHA1
bbd3284620e8bfa3cc2fd5598353229b8eb8f2a3

SHA256
8ccb07f1dd620b1a55d90b1eb38aa7ca7de16217d88bbd0f86f89c5578191b69

SHA512
0a0a4e747c121ce3e504bd3531b61815656f63895cda8f17522158ef7be60276ef973a158ce21ff2b9816bd1d127d3485546219058972884ec0eac608660cd50

Download Submit
\Lethal Company\unins000.exe

Filesize
1.5MB

MD5
f13e0047af5b852c8a63bc0585fc84b9

SHA1
ff5c1668a50432c5fe609a83ef10ec9d152ad311

SHA256
0808400a88d8ba916895f4ad8cffbda9b4026fa71c5c916edb2ef3daaed16634

SHA512
282793b8208d114bb36ad396bb0c8d0147eb65ac082aa9bc733bdbf2cff6819eecf48589c44bcd0a051ac3f1333760397373f67232dedfd2247cfb7f0f54dfdd

Download Submit
\Users\Admin\AppData\Local\Temp\is-1Q3J6.tmp\setup.tmp

Filesize
1.4MB

MD5
7300211c571951be86be6c6f8cdfc09d

SHA1
5464e16689003406513c7677b3d970f673551d18

SHA256
e77c3184d90f6e7a1276bb8389aba06296be97deb2e8a3433ca9a537538696da

SHA512
9c340edcd63c87565a9de26892d2e83647798583cc942bf608b54e86b8fd36bc2ad64421241b88f0a0682e7c006a5af712e62d3231ca5a81264d8b1a1905ebb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-MHMBJ.tmp\CallbackCtrl.dll

Filesize
4KB

MD5
f07e819ba2e46a897cfabf816d7557b2

SHA1
8d5fd0a741dd3fd84650e40dd3928ae1f15323cc

SHA256
68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d

SHA512
7ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af

Download Submit
\Users\Admin\AppData\Local\Temp\is-MHMBJ.tmp\ISDone.dll

Filesize
446KB

MD5
dce6d68da86f44ba0cb70fa7718e2e84

SHA1
58cd39196abfc70b5b9bcc964f41a21024a61480

SHA256
b9bdc4a0309aa47613a7b5a680c55839aa7ba28e28f96e6b9316d4d5fe1dbe9d

SHA512
bd2f559640b63a46e15a2af90719c10e53e1c30020685163ed6b3bb669197d20d5dd76c7fd1052cf0841e3e1fdbd5a365a4bdb519d2f8fcad9122e77d923e8d6

Download Submit
\Users\Admin\AppData\Local\Temp\is-MHMBJ.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-MHMBJ.tmp\b2p.dll

Filesize
22KB

MD5
ab35386487b343e3e82dbd2671ff9dab

SHA1
03591d07aea3309b631a7d3a6e20a92653e199b8

SHA256
c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2

SHA512
b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09

Download Submit
\Users\Admin\AppData\Local\Temp\is-MHMBJ.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
memory/1376-79-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/1856-82-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2292-43-0x0000000073FE0000-0x0000000073FF1000-memory.dmp

Filesize
68KB

Download
memory/2292-20-0x00000000030A0000-0x0000000003116000-memory.dmp

Filesize
472KB

Download
memory/2292-30-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2292-41-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2292-42-0x00000000030A0000-0x0000000003116000-memory.dmp

Filesize
472KB

Download
memory/2292-28-0x0000000003250000-0x000000000325F000-memory.dmp

Filesize
60KB

Download
memory/2292-26-0x0000000073FE0000-0x0000000073FF1000-memory.dmp

Filesize
68KB

Download
memory/2292-99-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2292-85-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2292-44-0x0000000003250000-0x000000000325F000-memory.dmp

Filesize
60KB

Download
memory/2292-14-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2292-86-0x00000000030A0000-0x0000000003116000-memory.dmp

Filesize
472KB

Download
memory/2292-31-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2292-83-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/2724-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/2724-100-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download