800be3947c23352063d8c6d92b8a0cf36a36f16159bfbb80c88fe74b2ba4bab3

Analysis

max time kernel
126s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2023, 17:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Undertale-Yellow-Demo.exe
Size

28.9MB
MD5

7b3a4e8b52e526f729863db391d14c1c
SHA1

9f307b3a8403bdb3a33635504054ffa0919465d5
SHA256

800be3947c23352063d8c6d92b8a0cf36a36f16159bfbb80c88fe74b2ba4bab3
SHA512

f8b13b2ce5ad58306a2a9f2e2a6d92621439634b227deeccbb2ce8f02b0b81461fe608fcf28e529419375b04f0336fba9a3fea323672b2ff152d214e13f65a4b
SSDEEP

786432:78vsIyfUzt6sCMKj9FdOYMSK5FnXiepPBjst:ksIyItXCTfdOo0XisZj2

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4836	Undertale Yellow.exe

Loads dropped DLL 1 IoCs

pid	Process
4836	Undertale Yellow.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Undertale-Yellow-Demo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Undertale-Yellow-Demo.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-144354903-2550862337-1367551827-1000\{D3977EE7-EA44-42BF-BE74-B063F7280E4F}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-144354903-2550862337-1367551827-1000\{2F585A8A-4A99-4774-B038-D8799DC9A515}	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4836	Undertale Yellow.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4428	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4428	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4836	Undertale Yellow.exe
3096	OpenWith.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 4836	1212	Undertale-Yellow-Demo.exe	84
PID 1212 wrote to memory of 4836	1212	Undertale-Yellow-Demo.exe	84
PID 1212 wrote to memory of 4836	1212	Undertale-Yellow-Demo.exe	84

C:\Users\Admin\AppData\Local\Temp\Undertale-Yellow-Demo.exe
"C:\Users\Admin\AppData\Local\Temp\Undertale-Yellow-Demo.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Undertale Yellow.exe
  "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Undertale Yellow.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4836

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e4 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:2728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:4044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\D3DX9_43.dll

Filesize
1.9MB

MD5
86e39e9161c3d930d93822f1563c280d

SHA1
f5944df4142983714a6d9955e6e393d9876c1e11

SHA256
0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f

SHA512
0a3e311c4fd5c2194a8807469e47156af35502e10aeb8a3f64a01ff802cd8669c7e668cc87b593b182fd830a126d002b5d5d7b6c77991158bffdb0b5b997f6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Undertale Yellow.exe

Filesize
3.8MB

MD5
37f685eaf7a6a8d84585d63957d96ba0

SHA1
f62ef1fbb6cd860549c6f7e8efef73d281333d07

SHA256
864c02c6d99d9b807c94c56b898ff98176e2b9f9bfcfffbb51fd38321c37ea91

SHA512
25405823b88146865cec57d2f4c41737a290f0207a72236fad31c0ccf6300ee51a03c3c3ed87ed76850bba38f55e60a4ab5655fa5f948fe7e3a03b9349c13ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Undertale Yellow.exe

Filesize
3.8MB

MD5
37f685eaf7a6a8d84585d63957d96ba0

SHA1
f62ef1fbb6cd860549c6f7e8efef73d281333d07

SHA256
864c02c6d99d9b807c94c56b898ff98176e2b9f9bfcfffbb51fd38321c37ea91

SHA512
25405823b88146865cec57d2f4c41737a290f0207a72236fad31c0ccf6300ee51a03c3c3ed87ed76850bba38f55e60a4ab5655fa5f948fe7e3a03b9349c13ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3dx9_43.dll

Filesize
1.9MB

MD5
86e39e9161c3d930d93822f1563c280d

SHA1
f5944df4142983714a6d9955e6e393d9876c1e11

SHA256
0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f

SHA512
0a3e311c4fd5c2194a8807469e47156af35502e10aeb8a3f64a01ff802cd8669c7e668cc87b593b182fd830a126d002b5d5d7b6c77991158bffdb0b5b997f6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\data.win

Filesize
12.3MB

MD5
db9c078392a973f74f3ad8d24b596c33

SHA1
d73be6cd9b4b4c4d91bc7df4b0aba94382055d8f

SHA256
63cc5ae5686f4b6a6ec284207736c247ebceea1651be119204bf4317b09ef17f

SHA512
e9f1d4c70b5f0eb842a651cb27cc4fa09400ad75ec454d309928ab1669880315c7c8a279ed4907c2e72fcc62a0b1604dfa5e01ba5aad37afd3d93e3035e6bd38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mus_cymbal.ogg

Filesize
37KB

MD5
4ec77415899abf25c543237075357ce7

SHA1
1113a000fed4b882a80d514fd6814eb303c7c9fe

SHA256
1aa235d4a0c74995e7ff270fb0adc3a8474a228d549177ace0d780e5f706fc30

SHA512
12ebc7031c1aa36308aa9751bf93270a35e4ef80bb9d3d745d706b4d8c7d35b09ed19123a2ad3438563ac82cb827d3f618754c57a3cae55e495516e0d910e6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mus_fallendownyellow.ogg

Filesize
869KB

MD5
1a3e8d93a255ed13d0d313ac7bd95258

SHA1
cc660f6e916a539cb02e908c90dc53ec888f104e

SHA256
8cbd5b1eb694ede1135bcfa184dcfc144cf711aedd64a45451390efaf338e934

SHA512
2bc04aef21ea31df36cddbca1675c1aa93a01c5378682d6b713e4bd8c210f4641a32ec84c28c9d469da76078b4166c641f0a609b350cbfdf4157733e3460e55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mus_intro.ogg

Filesize
1013KB

MD5
55a3419ff27354de69c8b7fddb3b7957

SHA1
c07d5c670bf86b1252c6fdf14d55334c688a64fb

SHA256
ba8560a81d1545d83bc55e8a9be2ddabd55f0c09dd8df8518382547b7a713dd5

SHA512
386bacd1c2a14eb9ae82191c6ced434a4b1adfad33bd9b81a0bd09715a744b3758c21fc4993327439f0e9204373f33b0a6d7887f1d1fb97d3627370cdd4e69c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mus_intronoise.ogg

Filesize
25KB

MD5
6c89a4eed6ec7963f3506bcbfcb5e55e

SHA1
faf66dd3df29d2c3422a5cfb1a08fccaa710377e

SHA256
d69d9024950d90e18d9ae84fae42a2249d20d7b991e093edc99436428c2fddc9

SHA512
efc6323e5a53cfdd7563757a3c89a018a554b86c514c6c14dd5292da012386dc7217b2d342cefd0273229e1517fde1723f33707b74e9395f18d3886426c600ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mus_prebattle1.ogg

Filesize
973KB

MD5
a607f6eb299ab96861234d8ed602b085

SHA1
66985c76f5b9fc9f40a84839a4fe411783d9aff0

SHA256
0437443917016636d54c288432bdd3b9a33ec39fb9896a7b1eaa2736614c08c8

SHA512
bb4209dde03bf6ca03115a8ec217d163e7005c45cac7f80d71e997362ec468521cc61684796fbca7bbf7ee7fc49dc0e2780bf6835bd2d63c0ced0d423eb4fcee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mus_startmenu.ogg

Filesize
835KB

MD5
0a425388e50961ebd8e5ce2a7d901b31

SHA1
5a849212c34b42df49e86eb378dab09f05afc739

SHA256
2a86d0985d155f28faba440b4f4839f7a8db7d22fa62c569afb753320fb0c741

SHA512
1ae0948ba58c97e3fbec627a00a48aebb33c60419a7f3f253344e247224595d24d99ab4bb544b7a6e6238696adb11565eb9a15c3a3174e131ce40460ae777cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\options.ini

Filesize
98B

MD5
71726296616ece00dc2783c89a451a96

SHA1
0084c7ec4dddf4edf8ebdbbf2c6dcae11e47ffe5

SHA256
2f86e5e199fa5effc4d5584bffb31ddb3e3b2f5d641fc12364ac3bb0ab82fbb1

SHA512
2f52b42d112457b6bfada9d135b21417a219f2a9e7cdd01eb0c595171abdd86d8d6812db408fd6cd2fb4093f3d2afb0c584b1a800f33be344bea936689bcae67

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit