16e5c5d4271c78542e244da68903c3f6f88903130f8828cb53b7700310fd24b0

Analysis

max time kernel
142s
max time network
144s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PSeMu3_Setup.exe
Size

7.8MB
MD5

093f121bc18675daa271f1e523423dfe
SHA1

f0689527f1c50518508e1867f2f6c54f24b486a5
SHA256

1031d051994a8ea3629cb0056039cb54fc25ff56b9cef59c441f92f8bb7c37ea
SHA512

08d9c489a51746abe988988b14ca07768930981b056e19b44fbea25b017ce4e638dfd5e297dcc98635af0863e8df1ddb2829f224e65933b4eeb89f8c2b449da5
SSDEEP

196608:wMx1dCpfJPUYQaWL8m3V8TkI3xXs2iTc73tadqEURuzoLmI2kg0xVH:wAGpfI38ml8ocX04zt/EyMoL52kg0h

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000016dff-22.dat	acprotect
behavioral1/memory/2396-24-0x0000000000510000-0x0000000000519000-memory.dmp	acprotect
behavioral1/memory/2396-84-0x0000000000510000-0x0000000000519000-memory.dmp	acprotect

Loads dropped DLL 8 IoCs

pid	Process
2396	PSeMu3_Setup.exe
2396	PSeMu3_Setup.exe
2396	PSeMu3_Setup.exe
2396	PSeMu3_Setup.exe
2396	PSeMu3_Setup.exe
2396	PSeMu3_Setup.exe
2396	PSeMu3_Setup.exe
2396	PSeMu3_Setup.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016dff-22.dat	upx
behavioral1/memory/2396-24-0x0000000000510000-0x0000000000519000-memory.dmp	upx
behavioral1/memory/2396-84-0x0000000000510000-0x0000000000519000-memory.dmp	upx

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PSeMu3\w32pthreadswinsock.v3.dll	PSeMu3_Setup.exe
File created	C:\Program Files (x86)\PSeMu3\data.dat\misc.dat	PSeMu3_Setup.exe
File created	C:\Program Files (x86)\PSeMu3\data.dat\ps3rom.bin	PSeMu3_Setup.exe
File created	C:\Program Files (x86)\PSeMu3\Plugins\PA12.dll	PSeMu3_Setup.exe
File created	C:\Program Files (x86)\PSeMu3\BIOS MAP GOES HERE	PSeMu3_Setup.exe
File created	C:\Program Files (x86)\PSeMu3\w32pthreads.v4socks.dll	PSeMu3_Setup.exe
File created	C:\Program Files (x86)\PSeMu3\data.dat\effects.dat	PSeMu3_Setup.exe
File created	C:\Program Files (x86)\PSeMu3\Plugins\PUB2220.dll	PSeMu3_Setup.exe
File created	C:\Program Files (x86)\PSeMu3\Plugins\SSX.dll	PSeMu3_Setup.exe
File created	C:\Program Files (x86)\PSeMu3\data.dat\join.img	PSeMu3_Setup.exe
File created	C:\Program Files (x86)\PSeMu3\data.dat\particles.emu	PSeMu3_Setup.exe
File created	C:\Program Files (x86)\PSeMu3\Plugins\nullDPO.dll	PSeMu3_Setup.exe
File created	C:\Program Files (x86)\PSeMu3\PSeMu3.exe	PSeMu3_Setup.exe
File created	C:\Program Files (x86)\PSeMu3\SDLP.dll	PSeMu3_Setup.exe
File created	C:\Program Files (x86)\PSeMu3\Instuctions READ.txt	PSeMu3_Setup.exe
File created	C:\Program Files (x86)\PSeMu3\MSCOMCTL.OCX	PSeMu3_Setup.exe
File created	C:\Program Files (x86)\PSeMu3\MSWinSck.ocx	PSeMu3_Setup.exe
File created	C:\Program Files (x86)\PSeMu3\Cheats\tables.emu	PSeMu3_Setup.exe
File created	C:\Program Files (x86)\PSeMu3\data.dat\effects.dll	PSeMu3_Setup.exe
File created	C:\Program Files (x86)\PSeMu3\data.dat\font.dat	PSeMu3_Setup.exe
File created	C:\Program Files (x86)\PSeMu3\Plugins\MSDOS.dll	PSeMu3_Setup.exe
File created	C:\Program Files (x86)\PSeMu3\Plugins\ps3controller.dll	PSeMu3_Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PSeMu3_Setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2396	PSeMu3_Setup.exe

C:\Users\Admin\AppData\Local\Temp\PSeMu3_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\PSeMu3_Setup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\binsischeck654.xml

Filesize
40KB

MD5
df407684b36ba88a647624323bb015e8

SHA1
92c7bda28f48d09d308ebb910b62e927e88263c0

SHA256
43d72a1ae24ac52c83f8c2052fef0144de6c3a44cca01d24f0f390e63508b28c

SHA512
673bb656f696e5175d5c97da1d65b76d8ffa3071f32b31ac6310f657c0385d4dc16cdbf026186f09c43ff908d7e35bbddff7f8a3e86c38e2e1d1102c1461d25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyEFF.tmp\modern-wizard.bmp

Filesize
150KB

MD5
b61c9993b4d0097d7631e3b286e53955

SHA1
6ef73bbd6db923a3c4b475e5ac83819802cb0dae

SHA256
69c1b9e8d76e663b20665e2929a279355e8adc691f3222c3e1f2f0056a23adc9

SHA512
75dfcd9958b934f0b4fd15a660f307ee2c33e2845eb7dbcbef0cdc95dacabcc4aef488bf5a1c1df1e584182734096d567989500d54130810c6e378a2e72f0e9a

Download Submit
\Users\Admin\AppData\Local\Temp\nsyEFF.tmp\Banner.dll

Filesize
4KB

MD5
0116a50101c4107a138a588d1e46fca5

SHA1
b781dce23e828cf2b97306661c7dad250a6aaf77

SHA256
ab80cf45070d936f0745f5e39b22e6e07ba90aa179b5ec4469ef6e2cb1b9ef6b

SHA512
55de6aeaad05b01a25828553d3ea9f1b32a8b0c35c42dc6106bed244320e3421ec6a6f5359b15f9d18dd1e9692ca5572b2736d9d48cceb07b9443601d00a5988

Download Submit
\Users\Admin\AppData\Local\Temp\nsyEFF.tmp\Math.dll

Filesize
66KB

MD5
b140459077c7c39be4bef249c2f84535

SHA1
c56498241c2ddafb01961596da16d08d1b11cd35

SHA256
0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67

SHA512
fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328

Download Submit
\Users\Admin\AppData\Local\Temp\nsyEFF.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsyEFF.tmp\inetc.dll

Filesize
20KB

MD5
e541458cfe66ef95ffbea40eaaa07289

SHA1
caec1233f841ee72004231a3027b13cdeb13274c

SHA256
3bce87b66d9272c82421920c34b0216e12c57a437d1955c36f23c74c1a01d420

SHA512
0bf6313e4cb7bbdcfba828fb791540b630adc58c43aa4b5ba77790367d0f34f76077cd84cc62e2a2c98c788a88547f32a11e549873d172c5aa2753124847cd0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsyEFF.tmp\md5dll.dll

Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
\Users\Admin\AppData\Local\Temp\nsyEFF.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
\Users\Admin\AppData\Local\Temp\nsyEFF.tmp\xml.dll

Filesize
118KB

MD5
42df1fbaa87567adf2b4050805a1a545

SHA1
b892a6efbb39b7144248e0c0d79e53da474a9373

SHA256
e900fcb9d598643eb0ee3e4005da925e73e70dbaa010edc4473e99ea0638b845

SHA512
4537d408e2f54d07b018907c787da6c7340f909a1789416de33d090055eda8918f338d8571bc3b438dd89e5e03e0ded70c86702666f12adb98523a91cbb1de1d

Download Submit
memory/2396-60-0x0000000003680000-0x00000000036A1000-memory.dmp

Filesize
132KB

Download
memory/2396-24-0x0000000000510000-0x0000000000519000-memory.dmp

Filesize
36KB

Download
memory/2396-84-0x0000000000510000-0x0000000000519000-memory.dmp

Filesize
36KB

Download
memory/2396-17-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download