4db65b59e92f19e54d336a19427230ec568cd8b26ea4601daa0681669ac3bc14

Analysis

max time kernel
120s
max time network
154s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Terraria_1.4.4.9.zip
Size

698.4MB
MD5

683d8b9fe8b812f03fb2c1c78302fab3
SHA1

8bb43b2adca832c158d63e73b466e36965ab0244
SHA256

4db65b59e92f19e54d336a19427230ec568cd8b26ea4601daa0681669ac3bc14
SHA512

285f1012361112324df61654340197cf4a8122fdf6a5484fc7b0a2aa9b711dad395ca85d4d905acb355e632a4f0a3f19bcb7ad9b51e740f9ab85a58621eb8834
SSDEEP

12582912:enGelPQtCmA2kLuPmcEuFXwpMAgbLDK7ZJDZA052ULP0nnZAF4Uk3xq:eGPkj2kem+9SMAgfDK/DZZ52UYZFxq

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2608	setup_terraria_v1.4.4.9_v4_(60319).exe
576	setup_terraria_v1.4.4.9_v4_(60319).tmp

Loads dropped DLL 5 IoCs

pid	Process
2608	setup_terraria_v1.4.4.9_v4_(60319).exe
576	setup_terraria_v1.4.4.9_v4_(60319).tmp
576	setup_terraria_v1.4.4.9_v4_(60319).tmp
576	setup_terraria_v1.4.4.9_v4_(60319).tmp
576	setup_terraria_v1.4.4.9_v4_(60319).tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_terraria_v1.4.4.9_v4_(60319).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_terraria_v1.4.4.9_v4_(60319).tmp

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1764	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1764	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1764	7zFM.exe
Token: 35	1764	7zFM.exe
Token: SeSecurityPrivilege	1764	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1764	7zFM.exe
1764	7zFM.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2608	1764	7zFM.exe	39
PID 1764 wrote to memory of 2608	1764	7zFM.exe	39
PID 1764 wrote to memory of 2608	1764	7zFM.exe	39
PID 1764 wrote to memory of 2608	1764	7zFM.exe	39
PID 1764 wrote to memory of 2608	1764	7zFM.exe	39
PID 1764 wrote to memory of 2608	1764	7zFM.exe	39
PID 1764 wrote to memory of 2608	1764	7zFM.exe	39
PID 2608 wrote to memory of 576	2608	setup_terraria_v1.4.4.9_v4_(60319).exe	40
PID 2608 wrote to memory of 576	2608	setup_terraria_v1.4.4.9_v4_(60319).exe	40
PID 2608 wrote to memory of 576	2608	setup_terraria_v1.4.4.9_v4_(60319).exe	40
PID 2608 wrote to memory of 576	2608	setup_terraria_v1.4.4.9_v4_(60319).exe	40
PID 2608 wrote to memory of 576	2608	setup_terraria_v1.4.4.9_v4_(60319).exe	40
PID 2608 wrote to memory of 576	2608	setup_terraria_v1.4.4.9_v4_(60319).exe	40
PID 2608 wrote to memory of 576	2608	setup_terraria_v1.4.4.9_v4_(60319).exe	40

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Terraria_1.4.4.9.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Local\Temp\7zO4E613F67\setup_terraria_v1.4.4.9_v4_(60319).exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4E613F67\setup_terraria_v1.4.4.9_v4_(60319).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\is-BISI2.tmp\setup_terraria_v1.4.4.9_v4_(60319).tmp
    "C:\Users\Admin\AppData\Local\Temp\is-BISI2.tmp\setup_terraria_v1.4.4.9_v4_(60319).tmp" /SL5="$401B8,608293720,192512,C:\Users\Admin\AppData\Local\Temp\7zO4E613F67\setup_terraria_v1.4.4.9_v4_(60319).exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3864 --field-trial-handle=1280,i,8426883796963899728,6177502123035682136,131072 /prefetch:8
1⤵
PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-FPVO1.tmp\BigOK.png

Filesize
3KB

MD5
5b43a5d975a53f4fc1da67ce9f7784c1

SHA1
8543fa1e471030049942252b23cb22e0880c3af5

SHA256
59d8bb3e87a89ef523c0495addce38d69560af42aaa82f56dd41b12e6612c13a

SHA512
5dd5c4e9859a555a4a32da76f5231b44f7556274c6501da530b2cdd570bcb4675f710bee708322a40ed3ef9280c0d652b4e7ef0e9eaf128c08534f59291917f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPVO1.tmp\EULAAccepted.png

Filesize
2KB

MD5
461dfeb75927bdb39f9db5348612a611

SHA1
b7893b1fff6801e37ee7337d876962a09184941e

SHA256
0de278f5ca6d8570d9bda592268a14a28b87d3631fea2d25721947397aaab79c

SHA512
68528cf45c81c2c024a672f42c2cd6d4f72c015b443f103ca21deb8ee2bec4f4027490e7f33b5338a87537b5bf7f255f2828aed149f622155ec89cc81687651b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPVO1.tmp\EULAShow.png

Filesize
1KB

MD5
c596bc9111edc702bbbb29b70984254f

SHA1
d4712c7b91ff4f8994e7907d31357c42eb47c738

SHA256
6112851daea2aaa7174e8cfac4a0f61c968bc090342503804c476eff47cc2462

SHA512
db50d0a39ec644873a03d64552fff1776cc94f016e8dfc8918e65aee94f7529a6de4637567b5e65c4ea988f3775785c4b52c2d96fe8dbc52b1e21ff59c737c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPVO1.tmp\GOG_new.png

Filesize
3KB

MD5
d5b63bdfa47ef5954917c148bacf7b13

SHA1
5302c6715d9e9b5d2768b130f3e516e175684cc9

SHA256
0804b385c1736e009fe8c3b1b14085b9b9abb40ce487360002ab4a8f3505f4e0

SHA512
b5cde681be9ad1c1211559dc4b363003bf547e8dc965dbb9560fdddfc28ee1d8f27cc534dd00864d800fd351c48694d7dc8df55fc3d8d69acf8b702c7b421aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPVO1.tmp\background.jpg

Filesize
271KB

MD5
a85d4e72478cc68b07901bcddc1f1880

SHA1
461b11e80a28e00f1d4955ec7963c21217619bdd

SHA256
ffd737516815a7c2fbde52eec09dda98fd4da309263ecb66da5c1fa99b870a54

SHA512
800a36b726ff703b5fd37ebdfddcdd4a7050e48a926b561db4580a200aeee426a9dbe238115d254b58ad99220a726683f847e7a70898f9a73d67d9c1d8d012b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPVO1.tmp\btn_md5.png

Filesize
8KB

MD5
3befe9739354ee24a0b1ea8df05ce274

SHA1
ab0bda986a8c46aa19f57b75a2b7b22445a3c625

SHA256
b0193ab375f604fa4a25cabdea8f713babde1c07ab562ffc5679352c8e01db47

SHA512
ac016a59e0bfc9b22c376ae5d498c5660893a983d932b2bd502dabe032883c69e79ea8d93c2db49f95415c3cdb068e9f7d1d85527a4f9e68e065a989852d09dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPVO1.tmp\error.png

Filesize
726B

MD5
df10adc25b673e74e19971c17bee5a98

SHA1
ee16fb1cf9491f5e611282f0574b27d76fede412

SHA256
142b16dc6239421691fa6e619d1a61e61176d89fa018a88b46893c29a57aad8b

SHA512
dc3de10e0321966cbbfb2e57b3b41da6f26dff0c7233a47469da58775b5c471e6b5181e4d4ffc81ef8b83dbcad74ccc1aad7678518f99c9185a441d2a23e010f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPVO1.tmp\error_icon.png

Filesize
1KB

MD5
263720c4b8bb111567a2a49989b8f467

SHA1
cf346fa3c70164648e0eaf72a37c6f4920ab4792

SHA256
acdf96ee4261fae138e6350a0ad50b367022ed5b908fa168baad92644f566ee8

SHA512
94f06a81dc735cf264abde86e6169e5fd78d873d2e926fd48287d2ac5208fc930c3c432186e3510add002bd1b4ae32ad8d35270b17c3ce5f18c43764a8e9de43

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPVO1.tmp\ok.png

Filesize
1KB

MD5
103c1368e60806b1b7995a0894eacf87

SHA1
971392527f6e4b655044773132505c901a6b5469

SHA256
0d37d4421a39ca8852eb6760b8e914302bdc6cfcc7b170dc1b6c9bb9be148b7e

SHA512
652177e94438aff102f2ed873b26f0985ebed134763852b49b1ca2698463c1dbeb85152f19c8e18d397229ec5cb2cd1d17c61d454ab7c425a2cab540adc8228a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPVO1.tmp\progress_center.png

Filesize
1KB

MD5
ad7fc1e37e40da38dd57adc446cc6c0e

SHA1
08033265deb9b45243cfa0065d98ffe13a039e26

SHA256
2b9dae87340e66b67ab1d8247d4a137628e324969f92fe1098f95a7c5bab2f43

SHA512
dd715d74f8e1ed6ab75b7b6530b383ac47040d8baa7728be160f6d230bf485a9cc54f15f7dc85b122ce56e54d63fa4890e510dfc89d9c9344e31f789ebac8756

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPVO1.tmp\progress_left.png

Filesize
1KB

MD5
290c7612ad7a077028cd3dc78ce99673

SHA1
18995fbe39d05e4a1cafc7cc2e0f6fb745442f77

SHA256
85e39d909a7300fa2043ec42818582867b981401264b14fc5408e477ae0b4668

SHA512
799841f5b8a1056e78a49c823009750e4b93af130a6c4ff9dc6d386c06b88614e53b46a6df62f5a217d5c99da01cf4e2fe8392c73d39e81000045291cf24205a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPVO1.tmp\progress_right.png

Filesize
1KB

MD5
c25a41f022a74308d944d1e807d72f44

SHA1
83c6bbec3fb373fcc78ce0e737742100994cd6d4

SHA256
396a3351fe409328782ab138282cf9cec061a5a9540a3506700a620db1f54e7d

SHA512
d2f4449195f3e60c826cfabb52a083d829eb9d0509272977d8fdb33bc5214678949cd27d0594684594e0a3eda2351c39cec8d91923cb716ad144ccf2b966c8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPVO1.tmp\slideshow.ini

Filesize
484B

MD5
6093da47265500782f0ca74845d9608a

SHA1
608785c5fff7195d4b8f39c0e75c3e1ee9246808

SHA256
8a268de65b3089243aa7b7c9667314d97a5194ce0d6e139176e98c7b5068a17f

SHA512
dd0234df9faca63c74bfb92fa8d7e362efc19fc10ae99675306b718506d0984f3069a64661857d2d394b280852ae81fdc38dfba199f502fd1242d662b415f0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPVO1.tmp\slideshow_01.png

Filesize
1.5MB

MD5
b399afa2fb7d5b793c1cddfee90c8829

SHA1
ca8e45034947e40c643f2cb18d16d75d438afc30

SHA256
139025852cb530b179c84c1748692be0f0ac21fc18d7f49dffc5f0a6b7aa85f1

SHA512
1fb6ddaf5e1985f5b430436cc3952eb92d9d5d04f9598ab67157430a95e28939fa9d600da45e5ad214d5f605d467f7f4cf7a28594f53ff7b6c55eee1108f536d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPVO1.tmp\slideshow_02.png

Filesize
993KB

MD5
8a9a5b0f10a3860bdb642b519c9bc6d7

SHA1
c16c3cd4bdc323835eb2233f8604dc73e1f63b48

SHA256
35837dda843d8e4096e53673bfae754ee6048f9711de52eab1ec5040e380e4f2

SHA512
d5c7ff5e30f1184f15fd58c085e503b18da05b2d67bafdc2ae6fc01efc3fbfefa3778d56743596a05daf75f27c0f0ab2e5630d1bc79ac870ac392118ea3b47c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPVO1.tmp\slideshow_03.png

Filesize
1.5MB

MD5
d8bf49cc82cdb244ed40f3af97a50201

SHA1
cf449a24e5142bc5bd89fb9a5b43decfe9162e3a

SHA256
2bfd016efdb5dc7ca839284ae136570d69b11f70ea35079ffd0007a012abaa3f

SHA512
a2fcaa118a62ab25210199fa0656ad933ef154b94597ae2abcf19eb6a26a8a4fbb533457b3a66d23b445c3b8d230bde8ed385ecd239de9a85606fcb339f3f03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPVO1.tmp\slideshow_04.png

Filesize
1.0MB

MD5
c433a99e4087f55542f328a7ec800629

SHA1
8c5650809b63fdf00cafe486f52f670227e14474

SHA256
cc745db5fec62bdb8cddf16b1f1607585e01a754e2e2b6b3fb2252f488e9c4a9

SHA512
5a2a4f9ce3bb763dfac382b31d04527e9e54aeddbabfac9f0784baaada33aa22afe90ee6795ebee0053d22f920ca57a342683904a33b33e4f03386e342eb7360

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPVO1.tmp\slideshow_05.png

Filesize
1.0MB

MD5
00f7d3a4a368d02b6e2485c50846a6a4

SHA1
ba664cdf040e9ac1f3164c4803b12ad74f725773

SHA256
87ed8fb6ff8068e482f64da02874a117ad278cb22e919ec2350ffb0dd006383a

SHA512
e84585b08afaca7396fad7e2f559f7bd32224c578ae6ad3baf1aabfeff2aecdc29d11a38bfe61ae6bedb3a8f1fe123234260c6476b634db21461df274b5ed73d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPVO1.tmp\track_center.png

Filesize
1KB

MD5
3f2b0c22f8ea28dcbb82b39a16a039aa

SHA1
b3f4dfc2ea86fbdad05877b4c356b7fa8016731d

SHA256
794f9eeca7fd99846968376b76a296c927532cef1271325cbf555caa0d0d5860

SHA512
b4bf65d751717e85418947662d315ae3bcb177f60914832fefeeb95da9eddb75eb5531c62e5a5a70ff03c8a025b5a03e61ffbdecc9f483bea9684454ca9362d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPVO1.tmp\track_left.png

Filesize
1KB

MD5
55dacb00cbe2825a8540236c5777a205

SHA1
18a52ac6c741b558500fbc1716d46b4fe4471982

SHA256
a8340fb5380c922b60ea40043590dba067dcfed6e22636851691df38156a3aa8

SHA512
2ea444cc1080f20761c8d71d96fcd04ef48254cdc1dc41d1d139f459ea5613fe12f6e4bd026bf33a5c01ff038e72e05dae2f8fba33ff517dd395e1911f10ff10

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPVO1.tmp\track_right.png

Filesize
1KB

MD5
ddec70b6c49be3e8c3a7d01c2f6ff1c5

SHA1
5383271999f787c36b1dc8f3cc13c8407b195439

SHA256
f54cd6e42f2b2bc5cb8a15f6a28f1499abf094a519ebdf39f4c4e167312c9c16

SHA512
f43f94b194b5a7eafcec9e831f61042859c30e1af2e2447195bdd06b12c90982181161a1c1be5aa5223ff664f88e4891bd71cfffb7ef672d6fe4f614030e0e01

Download Submit
\Users\Admin\AppData\Local\Temp\is-BISI2.tmp\setup_terraria_v1.4.4.9_v4_(60319).tmp

Filesize
1.3MB

MD5
fe658f106f397ed8d42bbe6af686346b

SHA1
952b7ba6347d0f61b8a79ebc6b9d23176ed6fa34

SHA256
8f11de253ed5b6bd5741f75dab089d05128add485d0ef57ac94a2bf86219420e

SHA512
61ff6a122437c3f4df86a1b3fc6990271fa5159b330321ab4024f658f5fdea7b444b5f3b259b3ff88765664d7261d340be48d87252944dcfc00789778e3862ec

Download Submit
\Users\Admin\AppData\Local\Temp\is-FPVO1.tmp\botva2.dll

Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
\Users\Admin\AppData\Local\Temp\is-FPVO1.tmp\crcdll.dll

Filesize
69KB

MD5
1d51fac9e2384eeb674199cfd5281d7d

SHA1
861dfdc121357d605d0cc3793266713788109eb2

SHA256
23e90ce5a1f2d634a7bf5d5d0522fafeea6df9e536e16f5ce91035d5197128ec

SHA512
921b00adfe43b883200960e8d0958d4e6b97f6d5cfc096ee277766a3e44cc7805a20877a4edf8bd4d9102bb71a20ac218a9a512f4f76bd751d3ef14f4e0a6eda

Download Submit
\Users\Admin\AppData\Local\Temp\is-FPVO1.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-FPVO1.tmp\uninstall.dll

Filesize
691KB

MD5
7db706c324cc9b6fda497d081eed6e26

SHA1
ca97392e573af0cf61bfa3301801a85f2beea44c

SHA256
cc685dbcf798549ad1a51c1dde45462e2a451ec59f48ee91219182a3871cd5b0

SHA512
8edf1494d57d5e708faaff4170f21f435658be897a6fe0acf243ced0701a7fd574b3c973c5bc5e8d92815e966c98977e69ac1e3083ab00c11b072115527ffa19

Download Submit
memory/576-69-0x0000000000D70000-0x0000000000D7E000-memory.dmp

Filesize
56KB

Download
memory/576-26-0x0000000000CB0000-0x0000000000D67000-memory.dmp

Filesize
732KB

Download
memory/576-22-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/576-242-0x0000000000D80000-0x0000000000ED2000-memory.dmp

Filesize
1.3MB

Download
memory/2608-11-0x0000000001270000-0x00000000012A9000-memory.dmp

Filesize
228KB

Download
memory/2608-244-0x0000000001270000-0x00000000012A9000-memory.dmp

Filesize
228KB

Download