4fe42f5cf7ad06a58a501e2027434aff671d543f67bbea71a33730c6a438ad5d

Analysis

max time kernel
22s
max time network
18s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
01/03/2023, 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mario.exe
Size

2.0MB
MD5

bd19279df38bbba28e20f55d5c43aa55
SHA1

cbad3580f8c119b394b44efd0c06a61ffe486427
SHA256

4fe42f5cf7ad06a58a501e2027434aff671d543f67bbea71a33730c6a438ad5d
SHA512

b52e27b01dad0fb241be992cadc9ddd6460a0f0146aea3f8a9590f7266f2db20c2724edc0447995241524325f23dd39507c380d41c1d6f1006731b0c0816d2ae
SSDEEP

24576:dUWqistETqjxNAgFWduAo9BqHJkVP07s7Srw6i5+3NPRzhtXSnKCOtga+gKEp5mW:dUUcV9g+36SV0AtO3zhtX8BEptAk

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4152	SNES.EXE

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a00000001af12-137.dat	upx
behavioral1/files/0x000a00000001af12-138.dat	upx
behavioral1/memory/4152-143-0x0000000000400000-0x00000000008E3000-memory.dmp	upx
behavioral1/memory/4152-169-0x0000000000400000-0x00000000008E3000-memory.dmp	upx
behavioral1/memory/4152-170-0x0000000000400000-0x00000000008E3000-memory.dmp	upx
behavioral1/memory/4152-171-0x0000000000400000-0x00000000008E3000-memory.dmp	upx

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	bcastdvr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	GamePanel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	GamePanel.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	GamePanel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	GamePanel.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4152	SNES.EXE
4152	SNES.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3112	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3112	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4152	SNES.EXE
4152	SNES.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2420	2036	Mario.exe	66
PID 2036 wrote to memory of 2420	2036	Mario.exe	66
PID 2036 wrote to memory of 2420	2036	Mario.exe	66
PID 2420 wrote to memory of 4152	2420	cmd.exe	68
PID 2420 wrote to memory of 4152	2420	cmd.exe	68
PID 2420 wrote to memory of 4152	2420	cmd.exe	68

C:\Users\Admin\AppData\Local\Temp\Mario.exe
"C:\Users\Admin\AppData\Local\Temp\Mario.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\launch.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\SNES.EXE
    SNES.EXE GAME.smc
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4152

C:\Windows\System32\GamePanel.exe
"C:\Windows\System32\GamePanel.exe" 0000000000020190 /startuptips
1⤵
- Checks SCSI registry key(s)
PID:4744

C:\Windows\System32\bcastdvr.exe
"C:\Windows\System32\bcastdvr.exe" -ServerName:Windows.Media.Capture.Internal.BroadcastDVRServer
1⤵
- Drops desktop.ini file(s)
PID:4772

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x370
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\GAME.smc

Filesize
3.0MB

MD5
0b3d6f7a051a09e65170eb7959afc3bf

SHA1
406edeffd2e3932503ee458003ae256b4d33d78d

SHA256
438c23dc91f87642fe7ffb8d00814c81f9f665a4aca16a700a4ceff5a976f1c7

SHA512
7eab74066e795e78e230c4b15d6bedcacd0ed3f7b674b451eade1b5af618e65d2d6f193e7b2bf419171a54fc29979344aebd8f2800017744f1041fd566649062

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\GAME.srm

Filesize
8KB

MD5
337018fc2065abbfe9ff872782330129

SHA1
42bfe5c45f8aa5aecadab428bf967298df10ceba

SHA256
0f6a4eb64648fd3f970279e246d221a9fa118b6e82148da5e4973b3888346775

SHA512
ce1898f9ae9341da82183418ed890fd67019e9f103161077eb8c86ad2939c8741194e32ecbec02af548f7000133152b1077517b2c35ab7b28bf9cfa052d59b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Launch.bat

Filesize
29B

MD5
de0c38a5e58ab0c648469d46d46b8876

SHA1
84327c0d28e459db39aca852fef38831788a7993

SHA256
90ee9e059eb56a9389747e5650e6740eace66e2aa9008513e0d943bc7d14d2c1

SHA512
ff988955f04b7bc6058b0cd7851e07bc8407b2236074f148fcaa649f636dc0d71019fe8d9d5feaccf0aa5b709681a04c377e3351f8972cae817e8a3a5215adb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SNES.EXE

Filesize
433KB

MD5
82ea3bed688682f862a70932c20cf830

SHA1
0d863cd325e78b6ee26dcfa05f648a3aa8cdc7e5

SHA256
536707128509b91332fa304b72340ebe3ba4fd3f7818572fdcf53815c2152651

SHA512
23eb834467081f177e8ef08dc5e455817396696666d3f9ba440fb9508466a5d0bb70fce658319b7088409a7862e76fee5352717d710e91ccee533be0f11c2302

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SNES.EXE

Filesize
433KB

MD5
82ea3bed688682f862a70932c20cf830

SHA1
0d863cd325e78b6ee26dcfa05f648a3aa8cdc7e5

SHA256
536707128509b91332fa304b72340ebe3ba4fd3f7818572fdcf53815c2152651

SHA512
23eb834467081f177e8ef08dc5e455817396696666d3f9ba440fb9508466a5d0bb70fce658319b7088409a7862e76fee5352717d710e91ccee533be0f11c2302

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\zguicfgw.dat

Filesize
12KB

MD5
d4c4497181d2251a436e2fc90ca6c7df

SHA1
ad4790cfe29bc160fab2d323890831649d62691c

SHA256
1907e365c02fb74b21dcd7a8d4316c2ffbae90d417fab23862b69d2ccdea42ac

SHA512
6e0f04dd99d4192ad077f12955c17dbb20bac9c5decae26bd08e29c0c79a4f845737d68278f914c266b1e830197e0e28d9681b5df68603c6fbe25d10712ba9a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\zsnesw.cfg

Filesize
3KB

MD5
f6db8477d213eafcb8667ce23a23aeb7

SHA1
4b1500a5444d201a371282257aef588839a19251

SHA256
6f69df3e60dc800018e02053642043ba5dd723b51881aebdb53351526b15238e

SHA512
f7d2b6a16dd8972ae39c9286f157d18013cb98ac975b019866ad7d3e7cf7236b89bf1f11c75b9bf2565ba3147e39f4f2638335c6d6ba0ae67e6bf6364b836ea2

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/4152-143-0x0000000000400000-0x00000000008E3000-memory.dmp

Filesize
4.9MB

Download
memory/4152-169-0x0000000000400000-0x00000000008E3000-memory.dmp

Filesize
4.9MB

Download
memory/4152-170-0x0000000000400000-0x00000000008E3000-memory.dmp

Filesize
4.9MB

Download
memory/4152-171-0x0000000000400000-0x00000000008E3000-memory.dmp

Filesize
4.9MB

Download