Triage | Behavioral Report

Analysis

max time kernel
133s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-01-2023 10:38

Sharing

Report Analysis Logs

General

Target

Fnf multi indev/FunkinMulti.exe
Size

15MB
MD5

2cf32f14cb000d1af1d0514450f3ff49
SHA1

adc575ed46e79dce4c6c47acd7e74d0d0548c2c0
SHA256

7bdc77e38f6b46af4b542fba305f96aa8024932eb4a0e5ab73a0a15d0af5b112
SHA512

5d12e2b8e0a464e3abe6a7af270b3cb676466dbd4990ae344a89fa408641dbc9ded364bea87692d0ba05856e39b2561b14f74f8116d065da6d06a8d516614524
SSDEEP

196608:0tjaaVveZ0plykebSrZeP8Lc2p0ufC1NZ9H:0tjaaVWZ0pUkebSleP8Lc2LCPZB

Score

1^/10

Malware Config

Signatures

Modifies registry class 9 IoCs

Processes:

FunkinMulti.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\discord-825546135958585414\DefaultIcon	FunkinMulti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\discord-825546135958585414\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Fnf multi indev\\FunkinMulti.exe"	FunkinMulti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\discord-825546135958585414\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Fnf multi indev\\FunkinMulti.exe"	FunkinMulti.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\discord-825546135958585414\shell\open\command	FunkinMulti.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\discord-825546135958585414\shell	FunkinMulti.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\discord-825546135958585414\shell\open	FunkinMulti.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\discord-825546135958585414	FunkinMulti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\discord-825546135958585414\ = "URL:Run game 825546135958585414 protocol"	FunkinMulti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\discord-825546135958585414\URL Protocol	FunkinMulti.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	892	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	892	AUDIODG.EXE
Token: 33	892	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	892	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

FunkinMulti.exe

pid process

940 FunkinMulti.exe

C:\Users\Admin\AppData\Local\Temp\Fnf multi indev\FunkinMulti.exe
"C:\Users\Admin\AppData\Local\Temp\Fnf multi indev\FunkinMulti.exe"
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:940

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc8
- Suspicious use of AdjustPrivilegeToken
PID:892

MITRE ATT&CK Matrix

Replay Monitor

00:00 00:00