Analysis
- max time kernel: 133s
- max time network: 31s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2023 10:38
Static task
- static1

Behavioral tasks
- behavioral1
  Sample: Fnf multi indev/FunkinMulti.exe
  Resource: win7-20221111-en
- behavioral2
  Sample: Fnf multi indev/FunkinMulti.exe
  Resource: win10v2004-20220901-en
- behavioral3
  Sample: Fnf multi indev/assets/music/Winter-Horrorland_Voices.ps1
  Resource: win7-20220812-en
- behavioral4
  Sample: Fnf multi indev/assets/music/Winter-Horrorland_Voices.ps1
  Resource: win10v2004-20221111-en
- behavioral5
  Sample: Fnf multi indev/lime.dll
  Resource: win7-20220812-en
- behavioral6
  Sample: Fnf multi indev/lime.dll
  Resource: win10v2004-20221111-en
General
- Target: Fnf multi indev/FunkinMulti.exe
- Size: 15MB
- MD5: 2cf32f14cb000d1af1d0514450f3ff49
- SHA1: adc575ed46e79dce4c6c47acd7e74d0d0548c2c0
- SHA256: 7bdc77e38f6b46af4b542fba305f96aa8024932eb4a0e5ab73a0a15d0af5b112
- SHA512: 5d12e2b8e0a464e3abe6a7af270b3cb676466dbd4990ae344a89fa408641dbc9ded364bea87692d0ba05856e39b2561b14f74f8116d065da6d06a8d516614524
- SSDEEP: 196608:0tjaaVveZ0plykebSrZeP8Lc2p0ufC1NZ9H:0tjaaVWZ0pUkebSleP8Lc2LCPZB
Malware Config
Signatures
- Modifies registry class (9 IoCs)
  Processes: FunkinMulti.exe
  description | ioc | process
  - Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\discord-825546135958585414\DefaultIcon | FunkinMulti.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\discord-825546135958585414\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Fnf multi indev\\FunkinMulti.exe" | FunkinMulti.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\discord-825546135958585414\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Fnf multi indev\\FunkinMulti.exe" | FunkinMulti.exe
  - Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\discord-825546135958585414\shell\open\command | FunkinMulti.exe
  - Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\discord-825546135958585414\shell | FunkinMulti.exe
  - Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\discord-825546135958585414\shell\open | FunkinMulti.exe
  - Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\discord-825546135958585414 | FunkinMulti.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\discord-825546135958585414\ = "URL:Run game 825546135958585414 protocol" | FunkinMulti.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\discord-825546135958585414\URL Protocol | FunkinMulti.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: AUDIODG.EXE
  description | pid | process
  - Token: 33 | 892 | AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege | 892 | AUDIODG.EXE
  - Token: 33 | 892 | AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege | 892 | AUDIODG.EXE
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: FunkinMulti.exe
  pid | process
  - 940 | FunkinMulti.exe

Processes
- C:\Users\Admin\AppData\Local\Temp\Fnf multi indev\FunkinMulti.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Fnf multi indev\FunkinMulti.exe"
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0xc8
  - Suspicious use of AdjustPrivilegeToken