Overview

overview

3

Static

static

1

Undertale ...xdelta

windows7-x64

3

Undertale ...xdelta

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    31/03/2023, 19:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Undertale All Weapons.xdelta

  • Size

    513KB

  • MD5

    8ff0dc95c6c1bd9eae17f7b5db0d4934

  • SHA1

    626f1c8c9523f32474a9155d804f65473a39281d

  • SHA256

    442584a4f6016837a165995a920af67355dc2df73a577a684cd2a3ebfa29aa50

  • SHA512

    98bd62ef36dc5a481235f4f99a27220f3abdc0dfc67491147dc96747779048a458a16398cab40f7c87c9b255d02ca9f723e077c43ca60b8e60cfe8ac789e2bfc

  • SSDEEP

    12288:Y1APdDAnM4Ujj580EwWgzPrgrbWfecngCajB79hPIvZM2dkTuSorP9KA+tnk2Gxf:Y1APd0nyP7EgzsX+xajFPIxM2dkTuSoz

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Undertale All Weapons.xdelta"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Undertale All Weapons.xdelta
      2⤵
      • Modifies registry class
      PID:2036
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:368
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="368.0.1314273235\267079232" -parentBuildID 20221007134813 -prefsHandle 1180 -prefMapHandle 1172 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6803d67f-3e9a-484b-9fff-309ab9c5d1ef} 368 "\\.\pipe\gecko-crash-server-pipe.368" 1244 13fabe58 gpu
        3⤵
          PID:2044
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="368.1.1607458218\1478986967" -parentBuildID 20221007134813 -prefsHandle 1440 -prefMapHandle 1436 -prefsLen 20971 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8998ae60-d699-4566-a31e-405690f885e2} 368 "\\.\pipe\gecko-crash-server-pipe.368" 1452 f71c58 socket
          3⤵
            PID:1096
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="368.2.463764756\897506596" -childID 1 -isForBrowser -prefsHandle 2040 -prefMapHandle 2036 -prefsLen 21054 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {56cbdebd-568b-4d00-b701-22ba0de36ed5} 368 "\\.\pipe\gecko-crash-server-pipe.368" 2056 1a3cf258 tab
            3⤵
              PID:2004
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="368.3.276440317\574227594" -childID 2 -isForBrowser -prefsHandle 840 -prefMapHandle 1596 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {353a5072-efd3-43fd-b912-4f4132b13057} 368 "\\.\pipe\gecko-crash-server-pipe.368" 576 f71058 tab
              3⤵
                PID:2036
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="368.4.1103021615\1983022338" -childID 3 -isForBrowser -prefsHandle 2840 -prefMapHandle 2836 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42fb1838-89dd-4045-bdbd-6b67fc9bf1d9} 368 "\\.\pipe\gecko-crash-server-pipe.368" 2852 1b9e7058 tab
                3⤵
                  PID:844
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="368.6.1458744170\463878351" -childID 5 -isForBrowser -prefsHandle 3804 -prefMapHandle 3808 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {efade550-052c-427c-99d5-b15ea4dfa7ec} 368 "\\.\pipe\gecko-crash-server-pipe.368" 3792 1dc0e058 tab
                  3⤵
                    PID:2384
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="368.5.2145089120\1301933567" -childID 4 -isForBrowser -prefsHandle 3656 -prefMapHandle 3692 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {43b5bfeb-821e-4f9f-be4b-c8d711dd2782} 368 "\\.\pipe\gecko-crash-server-pipe.368" 3696 1dc0e958 tab
                    3⤵
                      PID:2376
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="368.7.85550219\760934292" -childID 6 -isForBrowser -prefsHandle 3840 -prefMapHandle 3844 -prefsLen 26704 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cf4bbde-8e37-4783-a043-2a9da6023d2d} 368 "\\.\pipe\gecko-crash-server-pipe.368" 3828 f66e58 tab
                      3⤵
                        PID:2588
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="368.8.1501676352\1992565931" -childID 7 -isForBrowser -prefsHandle 1768 -prefMapHandle 1676 -prefsLen 26721 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a24240b9-a3ed-4d3f-b6c1-6c1442a2c6da} 368 "\\.\pipe\gecko-crash-server-pipe.368" 2608 1dc7de58 tab
                        3⤵
                          PID:1816

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0fuzji1n.default-release\activity-stream.discovery_stream.json.tmp
                      Filesize

                      151KB

                      MD5

                      b463e0aa0fec868d42ad9ff9919ac755

                      SHA1

                      9f944eb5f764826f8c469092745df7782c4ada77

                      SHA256

                      926d371921405a5353693bda900eb62475429a9e198250ce7592c61dd2df87cd

                      SHA512

                      64319fb984521574c8e1c264297a1db135510d47069909bf0b3b401e61e45b22da458761b9e5f7a4223e3d8146cc515f918dd9e79d0f5e420f898b542608a50f

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fuzji1n.default-release\prefs.js
                      Filesize

                      6KB

                      MD5

                      024c6fe18df82522164511c697474338

                      SHA1

                      152f2037990159375f4846bec398c223ac5e6ba0

                      SHA256

                      2bf01fd3c6c1e12236d23ad9d41fc04528bd1af72be08efb6ea097f4c8f64bb2

                      SHA512

                      071602ab881eef19d5369f88a8aaf0194f931c8a013088466c5b493f600a7ab914693899e37dd84e30e380b25c4faf674616ea09b76f89465cec406b5ffde225

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fuzji1n.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      1KB

                      MD5

                      029b3dc32f8bb6aba9a4ab2afd538418

                      SHA1

                      7664acb497ead71d95aa3e62d80a88efcb7e1602

                      SHA256

                      ac8c460dacfe5d8cda15d594b973c184356a834d5eff9448062e22d299e9d5e7

                      SHA512

                      fc2399182ea7a8e8602f48bf5c0c17ddd188c8a3fea0d1db9b9ac26fab0018c84d8a6383cae4b41802c1265d004f7566d387bc530e21f39cfd2dffd8b78014fb

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fuzji1n.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      1KB

                      MD5

                      50d95689dfe2a73d5e8902f9bbd4301a

                      SHA1

                      b7fba68659f983ef93c074b44ff1fdf1c0fc1dff

                      SHA256

                      171ef89739b9ecc01432f81eb82e7330f78f6172414239bbf30a39255fe9fa65

                      SHA512

                      f20704e9b65a900161fcc929c1ea25804886949f5334f332f486500808e0adbc6a8b1ce6d9f0113a8f31a8ad987f0b4b035ac0860dd4eb151883944d4bd23803

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fuzji1n.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                      Filesize

                      184KB

                      MD5

                      00f20a55d1314e02befab0f1d3a7878f

                      SHA1

                      6200c26dcecd027db26b29719c0d790fe5d39179

                      SHA256

                      9cd343f928600deda6a80d875d2895137b6813ba61e736a8cdefbe9ef21960b5

                      SHA512

                      da33384089eacfd058bee38e687a55e926ed1ddf5813f3337c25b9406e015da4bde716bf457ac3d5b904abef0be0c7a4d8766aaf5457d6cc0b96cff84dee7c7c

                      Download Submit