380a67eb089437d2adae635c034d90782b114daee41ee40cc24c1efd3bc7bc9a

Analysis

max time kernel
122s
max time network
141s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Undertale_v1.08c/Undertale_v1.08c_setup.exe
Size

118.9MB
MD5

e1e154b4199750eceb00748e9d866d75
SHA1

dd4daa7eddbedaa595c660a395b4c7a5d1b2adb2
SHA256

96e274b11eaeec810977e9274c32b68f7aad586fe7b0555e3e9dd6505b3d7f40
SHA512

09ae7654d5fe0a92f0fd84e812f0187f6d1e15ec0d10589f02ad198e7454f17ef52a87221b0bb0be9a688366fbac8e32baed885a1d80799910ac4c2e271ac1b2
SSDEEP

3145728:unbUhqe2SsDAvqZCc0VpuRd2akoazYXsdc/V6/mS+A2Svqf0tKhygA:gUhDVKAvqgcFPkDzY8dc/V6ZPifEshA

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Undertale_v1.08c_setup.tmp

pid process

1708 Undertale_v1.08c_setup.tmp
Loads dropped DLL 5 IoCs

Processes:

Undertale_v1.08c_setup.exeUndertale_v1.08c_setup.tmp

pid process

3048 Undertale_v1.08c_setup.exe
1708 Undertale_v1.08c_setup.tmp
1708 Undertale_v1.08c_setup.tmp
1708 Undertale_v1.08c_setup.tmp
1708 Undertale_v1.08c_setup.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in Windows directory 1 IoCs

Processes:

Undertale_v1.08c_setup.tmp

description ioc process

File opened for modification C:\Windows\WrpYGF74DrEm.ini Undertale_v1.08c_setup.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1708	Undertale_v1.08c_setup.tmp

pid	process
3048	Undertale_v1.08c_setup.exe
1708	Undertale_v1.08c_setup.tmp
1708	Undertale_v1.08c_setup.tmp
1708	Undertale_v1.08c_setup.tmp
1708	Undertale_v1.08c_setup.tmp

description	ioc	process
File opened for modification	C:\Windows\WrpYGF74DrEm.ini	Undertale_v1.08c_setup.tmp

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000dc3dec4e5d27442b3f5a3379445ed6e00000000020000000000106600000001000020000000ef946075c6448c6fee502d30d1730dfa22eacb45145209299b14ed8c0cb90b8c000000000e8000000002000020000000a05c9f87236bb7eb4e816a4898b3d398ca83e5f71fe35e366436ab7ec37d9ad52000000002e7b18166de5d75e22367deb2cc17a1b76bb852ba413921df78c23da4e6318f4000000058423aa43d7ff4e20294d4cab62b668eb948ff4cb436594ffc2bbea9abf8e3b45d08bdbc55c386720fa51e4684210094426c9fee017a769535353b025534f1ee	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000dc3dec4e5d27442b3f5a3379445ed6e0000000002000000000010660000000100002000000030e456b3ae31603b37d4f6259ba0df573d8f8a86e00ff9469135ed871b77045e000000000e8000000002000020000000501fbeb25b7ec12ed0781468f9ec6bcb4e74c1fff56239c5f87e4e3848752037900000009aa35fa0a7f37cf066f1b12be77ce8fda6d232bcef765629e1e7f2572515bb033858443d9699c7ed283e7e6c4591996735e6585a321d5c2a5c78ab343f47a1ca3e0c7390a14a1b3351750272ababf884288066272f7fcc3e015d15903446ea9608c4b44571c53db83d232ff0f78069da37cb595716bd514bbb3bf519eff43adeca94a6ab9aea60a75dede2de486609b3400000006929578d5cda4d38712fe288af8fd5be9412a1012c9caddc1dff1e2744ba2162a8a1add0daa6c56cdaa46c74a60068c9e9c3d05519083a007c07352e04d3eda9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{943D2D71-3763-11EF-8221-D669B05BD432} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4041de6970cbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Undertale_v1.08c_setup.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Undertale_v1.08c_setup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Undertale_v1.08c_setup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Undertale_v1.08c_setup.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e210f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Undertale_v1.08c_setup.tmp

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	14	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Undertale_v1.08c_setup.tmp

pid process

1708 Undertale_v1.08c_setup.tmp
1708 Undertale_v1.08c_setup.tmp
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Undertale_v1.08c_setup.tmpiexplore.exe

pid process

1708 Undertale_v1.08c_setup.tmp
3056 iexplore.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3056 iexplore.exe
3056 iexplore.exe
1692 IEXPLORE.EXE
1692 IEXPLORE.EXE
3056 iexplore.exe

pid	process
1708	Undertale_v1.08c_setup.tmp
1708	Undertale_v1.08c_setup.tmp

pid	process
1708	Undertale_v1.08c_setup.tmp
3056	iexplore.exe

pid	process
3056	iexplore.exe
3056	iexplore.exe
1692	IEXPLORE.EXE
1692	IEXPLORE.EXE
3056	iexplore.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Undertale_v1.08c_setup.exeUndertale_v1.08c_setup.tmpiexplore.exe

description	pid	process	target process
PID 3048 wrote to memory of 1708	3048	Undertale_v1.08c_setup.exe	Undertale_v1.08c_setup.tmp
PID 3048 wrote to memory of 1708	3048	Undertale_v1.08c_setup.exe	Undertale_v1.08c_setup.tmp
PID 3048 wrote to memory of 1708	3048	Undertale_v1.08c_setup.exe	Undertale_v1.08c_setup.tmp
PID 3048 wrote to memory of 1708	3048	Undertale_v1.08c_setup.exe	Undertale_v1.08c_setup.tmp
PID 3048 wrote to memory of 1708	3048	Undertale_v1.08c_setup.exe	Undertale_v1.08c_setup.tmp
PID 3048 wrote to memory of 1708	3048	Undertale_v1.08c_setup.exe	Undertale_v1.08c_setup.tmp
PID 3048 wrote to memory of 1708	3048	Undertale_v1.08c_setup.exe	Undertale_v1.08c_setup.tmp
PID 1708 wrote to memory of 3056	1708	Undertale_v1.08c_setup.tmp	iexplore.exe
PID 1708 wrote to memory of 3056	1708	Undertale_v1.08c_setup.tmp	iexplore.exe
PID 1708 wrote to memory of 3056	1708	Undertale_v1.08c_setup.tmp	iexplore.exe
PID 1708 wrote to memory of 3056	1708	Undertale_v1.08c_setup.tmp	iexplore.exe
PID 3056 wrote to memory of 1692	3056	iexplore.exe	IEXPLORE.EXE
PID 3056 wrote to memory of 1692	3056	iexplore.exe	IEXPLORE.EXE
PID 3056 wrote to memory of 1692	3056	iexplore.exe	IEXPLORE.EXE
PID 3056 wrote to memory of 1692	3056	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\Undertale_v1.08c\Undertale_v1.08c_setup.exe
"C:\Users\Admin\AppData\Local\Temp\Undertale_v1.08c\Undertale_v1.08c_setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\is-G0CRN.tmp\Undertale_v1.08c_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-G0CRN.tmp\Undertale_v1.08c_setup.tmp" /SL5="$80126,124152676,116736,C:\Users\Admin\AppData\Local\Temp\Undertale_v1.08c\Undertale_v1.08c_setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1708

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://tuttop.com/
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3056 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1692

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2764

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DA548C7E5915679F87E910D6581DEF1_5AF4A202BBC43FDC0CCC038EAC137D1A
Filesize
471B

MD5
f3b34caa4e4b0997a1a4060c5988cbd7

SHA1
6780b1c02e751a1dd3a1c1064641dab95c837d21

SHA256
6d8b14cbf3e8f12649c95ef47a9e66fa8a5270690d059472804f15b96f1faea2

SHA512
ccf1b8682a08336c5781d17a1bb06ed30bc93fb4dd8a1abb6a0d0984c388e1da198ad848c7e1d9b9fe339eba1014830ab9e5a45e720aff66ebc5bedc88b256c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
1cd819600ee77d437687e2694a055bae

SHA1
be3e2395a78bfe220d252c304b67052e2a63727a

SHA256
21f01b43e80069fc18956ffb6cd0c620402ab293918401a7fc5b11970b24ef43

SHA512
784aec79e22579a491820284b48aae40d5879432165dc180f2a44b350f428578ffe230c2f9ab32ec4e0ab14627d0386188c00228afdc0573e6cd07974ee94087

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DA548C7E5915679F87E910D6581DEF1_5AF4A202BBC43FDC0CCC038EAC137D1A
Filesize
410B

MD5
ee5360d261b62131b29af07236d2f4e9

SHA1
5611ab85b4326f538ee385f4ce93567ea69fb04d

SHA256
064e79f8a1a1b263a0d55ca8f866d4aee6490195f503f1558f53f2263454e356

SHA512
67407c5daf6ee84c90c3f2beecda0d3a05c22b9dc4e8241e4f4b4039fd42d02d1367e00064311cfebd43979da144b37e88a9a09f91f9205e8cf6cf7c8d03bcdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4aec26a40352ebfb0e56018584399b18

SHA1
7df417aef7524f7923c7f37094d83fa7b19180c7

SHA256
7f317879313f7198df378e06927e915f91985d544e8e9e4e5b993447d52689ac

SHA512
9a9ad93760b5b6973168d8789bc44254d76d2518e6b5f6ebaed5069fb44c660d632d8f1dd0efa064d55cccaf8e7f3990bff4bd61f1fd0ef2a01eb3b55f1a3702

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ca4a4104a6f7d3d48a2ff396a29e2020

SHA1
34b668076b47940235c22ca37966cbbd847bc221

SHA256
07556d4e0d984c5c57c720d15aedcc1cab8e4e87c3695742672ce583f5cf599d

SHA512
b55a2e1a0efa729fc577aca156650c3b33aec308a2bf5274c9ce0ed40d83b98f72dfc722e65a42bbe7a3488f328e667749f799f5cbaeab0442eff693524da87f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c33b49069071fdf035291cf2c052c2b5

SHA1
791474724a6f41fd01f12a6d6fb4508de4f63216

SHA256
914203bb5df126079ee49849105cca8bea3fdb3c7a3ee35d83e1e542d48d99aa

SHA512
9ed1d51b22bc549c292842f51ac89c7c17b602b642961af87c5cba0ed4bec1ffa75603ea865064b75ddc68074ac91a9ab54fab7ba0e8520adba5c67623f5237c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9d41891c640b92f507ab15fef1362e1f

SHA1
18b88bd2c8274f60c1b90789920eb23b2755cb96

SHA256
1a32c2bb64f8708fe084921f1168c8af8bc3243f029dfd529c59928abc8fb62f

SHA512
6ac3414be51059ee0b549c0a1a1edcc0e13ab71adca2eb80705bc3fa3ff7b2f08b9222f040c45011e9545e0a93d1b03c8f9e7576246150f03a8cd203ace26a19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
599b85097408d93d2a5f6dd6ceee816b

SHA1
f5002ee01e2309a963692d2814a018200d38b8f7

SHA256
fe7bcda6943ee5b3bd31aac8baaaf9743a09b4fd9c372bc458b4d8cede242eed

SHA512
16382f5e4a425404339f32ca058a0ab6e446620b85d42527188262711db8432d9aced45ba3e50a204100797f3f198d0920d9e922193d77c31ce08570ee26ee4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ea2d75515a56707c550fef65c432fcf3

SHA1
3f784f179137a795ed643004c9f733a9499819dc

SHA256
dd31968035636470a8250366a8e1dd5f9e7188d6b7172c3b7bc8d88b3f638438

SHA512
fe8566b3d6880da516284d993723a45f726a88ff99e2a8ea31462845a7ca8eaa29c62fe8c35f0c80ed25cefa985f00644548cc66899cc1e70ddb498e5fab9e50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5984edaa4af61663a5880f84ac2e44ed

SHA1
5ba2bd1b5ed462d5ea208f1da106ce311dde5e64

SHA256
ff1f8367d7f75392690470b1e79bb932ea9aed7439f78a87195c76668ec90d52

SHA512
a6b38ead3cc773454994c07f397744cb09b67e56139bd32360bb496eec574e8f3a479c2eb97e3b3adbbe19d4083430e0fb20db3b10b4d569d8be19b84c79dd13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9f7286b3e190ea7b056b9dfeab00d7b4

SHA1
fd6c2d18f786a8089bb01684e3ee3dddd5084d9c

SHA256
cffbb65833cbfb888e3ec5b0c06c5ff559c863b2eba5bb5ad25415445fd39858

SHA512
d0f5f13037530036f1ba581ecd3c18fc627b4b2dfe9fd8fe112ddf67cfa8ab9a8eacdda822797782e9567746da7bc696be790c2315d8595f72a231c962616e97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
f0817938687c6c78db9352e7ff1f28b8

SHA1
bc516e17bd01de956c3c07c4eacea5fe3298e6e8

SHA256
c982c90e13db9e0ee678a9f425c61ea529b05b43fc21afa597c7aa698ed23778

SHA512
20460181ca5300d0f1eb0606fe133fa12bd0b12d0cab02e03c63dcd720c8740b2997290c562c35f6e402bc5901b661b1c9ce8d69a4b69c77298c078af7faf1f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
bdd4cdbbd7c68cd202bfe2ab4806f2bd

SHA1
6530acf4008e11fa838e4f37432d98e8827d73ba

SHA256
1ba4e5f69a1f21a36aa4efc0a04611649af6123d03947fe4ae068e4670d96c7f

SHA512
7dad6ecc7ff2398f6e7a3b996592025d2ee0dc6238ec8331eea0a72a048187dca112cb10786858061e308656f14aedd360a9ba06c3f263f1091457898c135739

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
fd3c3f4d07ee757c74ae86f005a34a8d

SHA1
c9b5fd1c38d4aca819985148ed300d00b029e653

SHA256
4ab8055f0c9595b47487b4eb8f27a45f2de256275cacb2efa3244787b5d5cb88

SHA512
3a4877158e531cadc3965d712ab967e9e35e2de18cbe40d02fa7f9a2eb2ac148096912f5862774307fc32474112fc2d87455cca3d7a61c2c0e995f79223ff1d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
964d9656f70359ecc5d8ff3d068d54fc

SHA1
8b920addbf365cd8a2a41b28e98346ed27dc1105

SHA256
07e714b1fd554cc71004af9a500890d39fab3748497e62c81aa02110898d53af

SHA512
321226b73258a0060790028f2ebd125f23248a020f1d9f8b9b97921a5b4fcebbef1f91833d721a5ed543047ba12713f3e26c33939fc3364b6f30a6548ba5056e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\s8rbov0\imagestore.dat
Filesize
1KB

MD5
41f617f7153342ea29b18c4d2fea18e1

SHA1
07fe240b51ad52f9dc29aef850361687e072f1ca

SHA256
e289fec36d47a0a23a06601a4ad0e961aacfba26f0123b7a2b298c8654d18658

SHA512
fd6b93abb35201862be2e7601c31a62d935393c9a11d8ede5e8d13ea7e3f863cf995d287f1b8cecef01a766c5dc7860e527c3228c348458bcd9630aefc4466a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9TY254DD\favicon-32x32[1].png
Filesize
1KB

MD5
9292c9b9ca7d082e0fe94d8a01692f1b

SHA1
4c9fd298b6e277cd1b41b80f8bf28818d2a4a868

SHA256
b6688e7fca656bb9ebe103f0c4ab71f2c02ca995897f0a53349b434f5777d24c

SHA512
621ce406e6f5d89bd1de05f6d1f9f834b16c5eab0e1171dbf41db1c5222212eb8a77809e0e52a23cac00ebe59c9ebee4ee26fc556df29d9d20d11578acd242f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9TY254DD\style[1].css
Filesize
173KB

MD5
7a9d116767adbdc4204e9509996f99a5

SHA1
6a2345e4af2c233bab7c01cfe7ab69ebb5ea93f2

SHA256
a07dd9839767950223848999f09f7c97cd07f92eb981bf1b4765a735780fb543

SHA512
f22ec0a227d1531b066c402c8a787ea05b9184216966279d17764c1e7851c405a722571b0c8cce4b536a253c733a5f5ff30b2207727db802ee3b5f2cebb230bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFF65.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1AE2.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P9U4O.tmp\yandex_100.png
Filesize
31KB

MD5
a9f6b5d49f632df311713f427eb5867a

SHA1
e6e12756bd4fd4950acdf1edd7f79a9330472a94

SHA256
a23c7bc0e48b90ed586d57dfeb1938ec8e0802492c6aaab92dde30dc39693884

SHA512
203dc92831a9cbdd0218d4ee8875c5cbd0e35e5f258f579a75c80b64342a937b2462fdb54fe6368307bc534245e5e7d273f9519c381013640cb9eda2f42d47e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P9U4O.tmp\yandex_chk4s_100.png
Filesize
4KB

MD5
09eb161a9dd933c90684cfc669a2a599

SHA1
5f0ccc872ce8c8df3e2e4c28938cc061c2300664

SHA256
75d6eee452f8f120b0fa922e8bea6fa8dd6a8fbd9e73d48262117f0cacc6c133

SHA512
df9135bb74f199eb9b911abf4ec7a93ad5b082ce3943c5d9822d3ebd829c1456d1fa0a24ed26657a270622d524fd54091da0f8bdeb03b164b3cee78e7715d9a1

Download Submit
\Games\Undertale v1.08c\UNDERTALE.exe
Filesize
3.9MB

MD5
8741fe2075cfbb8070ff1ccb7468981a

SHA1
9ff96c296cc555a6a000133e07fb3f4ab92811c4

SHA256
c8c4191026bf5587a6fad120855b8b82ffb4fa0c3eaf10515be472ad84248e58

SHA512
c5e424cece81a4dad5f4e66e6e00b19d0ce014853f4dcd1a45d16e8d4321ba33f6333e2ebaf2dba3152e0fb22f942749664f231e6df5982e4511788a30d7e655

Download Submit
\Users\Admin\AppData\Local\Temp\is-G0CRN.tmp\Undertale_v1.08c_setup.tmp
Filesize
1.1MB

MD5
569a7f855c49d3a2f8922179f3dda3b7

SHA1
f5c232197cdb470f9f67d1784d19177beea72c4e

SHA256
f3f3a74ea5d386c473998c44d0a6f79ca1bc76c01fbb46ce3100fc397ac73b07

SHA512
d499be32234355f0f7dbc07a5bddef7c8ee6d041a024c83f8df4ee73f89c93799c5e4051985477c03762f47a9f05600f0e85a4574bb4d033f1b289b7d3dfa126

Download Submit
\Users\Admin\AppData\Local\Temp\is-P9U4O.tmp\CallbackCtrl.dll
Filesize
4KB

MD5
f07e819ba2e46a897cfabf816d7557b2

SHA1
8d5fd0a741dd3fd84650e40dd3928ae1f15323cc

SHA256
68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d

SHA512
7ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af

Download Submit
\Users\Admin\AppData\Local\Temp\is-P9U4O.tmp\botva2.dll
Filesize
41KB

MD5
ef899fa243c07b7b82b3a45f6ec36771

SHA1
4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

SHA256
da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

SHA512
3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

Download Submit
\Users\Admin\AppData\Local\Temp\is-P9U4O.tmp\idp.dll
Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
memory/1708-385-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1708-52-0x00000000006A0000-0x00000000006AF000-memory.dmp

Filesize
60KB

Download
memory/1708-51-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1708-57-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1708-34-0x00000000006A0000-0x00000000006AF000-memory.dmp

Filesize
60KB

Download
memory/1708-564-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1708-8-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/3048-50-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3048-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/3048-565-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3048-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download