b8a04e8753fd4d04e9a5c348eea8285dea86287840ffd52963341c44fd2ef61b

Analysis

max time kernel
41s
max time network
45s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2023, 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Five Nights At Candy's/FiveNightsAtCandys.exe
Size

106.4MB
MD5

6f18b6bbcbebbc68b620ce770884dc74
SHA1

b23281b5d18e5f02350dd6efd5ee5abe3fe9ae64
SHA256

7a2870a2eba6bee4a335826934230d48cf40c9fbeed25e83f6adc99686bf9dc1
SHA512

afb5cd66999710258cb8b5c85ff1cd167ca71b804ee12bfe444fe2ff25b9708470239b517c720750cbee2ff46a24c92c501059c0ec922fad2852486fef7f64f0
SSDEEP

3145728:52eNARAOWFLcSBhBOaTW3P0C4bMWgnz/pu4ibVS:5ra+cABOaTWsfTgnz/3yo

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 10 IoCs

pid	Process
4172	FiveNightsAtCandys.exe
4172	FiveNightsAtCandys.exe
4172	FiveNightsAtCandys.exe
4172	FiveNightsAtCandys.exe
4172	FiveNightsAtCandys.exe
4172	FiveNightsAtCandys.exe
4172	FiveNightsAtCandys.exe
4172	FiveNightsAtCandys.exe
4172	FiveNightsAtCandys.exe
4172	FiveNightsAtCandys.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1675742406-747946869-1029867430-1000\{CC9D65EC-1098-4D58-93D7-408938D02C42}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1675742406-747946869-1029867430-1000\{D92113B7-5804-4A1B-8CF7-D978D04BCA81}	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4140	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4140	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4172	FiveNightsAtCandys.exe
216	OpenWith.exe

C:\Users\Admin\AppData\Local\Temp\Five Nights At Candy's\FiveNightsAtCandys.exe
"C:\Users\Admin\AppData\Local\Temp\Five Nights At Candy's\FiveNightsAtCandys.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4172

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:4596

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c4 0x3bc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:2200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mrt9A60.tmp\Perspective.mfx

Filesize
15KB

MD5
9f064bdcb066daa428db0ed9e33e785d

SHA1
3c0df73cf247ce49d1010fe0e2f722424fe43f4f

SHA256
090925a4cd961f22b1ecd2fba4ce04ab063e26507a1dc09b1d6a40c4860a8777

SHA512
4a510ce13c379e8cb5ccb9f9c69e28e9440f48156c8c4c1fef6987495cace7c028d45530ac961f47786e8f503f90c54310cb1ccf43d7fd584506461c1bd616d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt9A60.tmp\cctrans.dll

Filesize
64KB

MD5
b1bce28b7dd711f299785f35b5d30d9e

SHA1
54948c118fd5866c7b6c3efada3ae4b87548e392

SHA256
1a2e6bd6ce00288a3fcfa6d1544e32b00543559ac8ffcddc17aa2e19bd3a71aa

SHA512
4d22e9dfef85869502f7f9372c918c006575dfa405daebe075a9618907b0139ada75465e8ea1694c07dcd1b0c5f6d26411a6cdfb6603f9ee5643d04b8de5dd7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt9A60.tmp\cctrans.dll

Filesize
64KB

MD5
b1bce28b7dd711f299785f35b5d30d9e

SHA1
54948c118fd5866c7b6c3efada3ae4b87548e392

SHA256
1a2e6bd6ce00288a3fcfa6d1544e32b00543559ac8ffcddc17aa2e19bd3a71aa

SHA512
4d22e9dfef85869502f7f9372c918c006575dfa405daebe075a9618907b0139ada75465e8ea1694c07dcd1b0c5f6d26411a6cdfb6603f9ee5643d04b8de5dd7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt9A60.tmp\kcini.mfx

Filesize
28KB

MD5
6464b32ef16f0026334fbd2a8f2b6b62

SHA1
efd9199bdf6e056d446efa32700fc00f27782d31

SHA256
a0bc50d0fc19e83a7ce7892c29540818a47a2085ae512bf102d2891ee59a81d3

SHA512
11d9c94c3bbf9d659f82d06492216f150025c4cd9129f887b19cf1cac4e9fbb779c48e4405a6821ac559bcad167e415243d043d52e492453d2f507d1c1a61c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt9A60.tmp\mmf2d3d9.dll

Filesize
1.1MB

MD5
280eccc6206500938ac9daa5baadbf1a

SHA1
19217ffbfa924b795a90fddfc3c5a1e4e0e88301

SHA256
ca8b234eb31dae750b33f89aab906362c898074e32e9042ea8fdf50cec2d5766

SHA512
913fff38b373dc37dbca9eec8d3b164c2613a02ba34abcbbd5de06c67407e0a2fa7fac5e1d1a6adaa772138a21343594fdcb08ddea67431081f81ea6f13da58d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt9A60.tmp\mmfs2.dll

Filesize
459KB

MD5
4c240ac059ebca98706100798ab42133

SHA1
28fbb81a59fc892c58ea9c0b9277a0181de0c523

SHA256
3d81578a59699b82d812c59db7ef03b141da1700dc2ef20c5728feb83af08e4b

SHA512
5869f161de4df77c53631b82b6ebfca8cf71749592c0c83a6a1f3683c52c0e6ac5c764df3bc2d19db7fb84f9635abfd235d0c57ca7c6827930bb48eeb4dc7a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt9A60.tmp\oggflt.sft

Filesize
130KB

MD5
e925b7e0be07bc86cb8042168077bb04

SHA1
233c160b5264e1fa4f3b3ad6464207c09f698d26

SHA256
848d266c7676a5f59e66386d76679b97d2934166a8d829d5d000b217ab7a34cf

SHA512
0063b350116bfa478ecda081ae364e08c84cb97a337ff0b6e0d442653976c2663b8b2b430cca694f1a75fd93414d264b46da1331e7aadc2cdd424d69db27c31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt9A60.tmp\oggflt.sft

Filesize
130KB

MD5
e925b7e0be07bc86cb8042168077bb04

SHA1
233c160b5264e1fa4f3b3ad6464207c09f698d26

SHA256
848d266c7676a5f59e66386d76679b97d2934166a8d829d5d000b217ab7a34cf

SHA512
0063b350116bfa478ecda081ae364e08c84cb97a337ff0b6e0d442653976c2663b8b2b430cca694f1a75fd93414d264b46da1331e7aadc2cdd424d69db27c31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt9A60.tmp\waveflt.sft

Filesize
8KB

MD5
f76739536860a0bdb4a7e3bbb0c06d08

SHA1
b21581aa36eda87db8845caf58c668749e26b29f

SHA256
41136b09b033a20b9acc430620ea095ff76afbdc7aebe7f26f7d2b4315afddef

SHA512
6e65f23a4c1e3b0068b190f9aaaedcfa0466b0185cd6bbafa5f6f6940c8bc332e7c8c611d1b3b63bb2c5fcda48bbe2a678d81a3819940ecc0c701d6fec4194c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt9A60.tmp\waveflt.sft

Filesize
8KB

MD5
f76739536860a0bdb4a7e3bbb0c06d08

SHA1
b21581aa36eda87db8845caf58c668749e26b29f

SHA256
41136b09b033a20b9acc430620ea095ff76afbdc7aebe7f26f7d2b4315afddef

SHA512
6e65f23a4c1e3b0068b190f9aaaedcfa0466b0185cd6bbafa5f6f6940c8bc332e7c8c611d1b3b63bb2c5fcda48bbe2a678d81a3819940ecc0c701d6fec4194c7

Download Submit
C:\Users\Admin\AppData\Roaming\MMFApplications\fivecandys

Filesize
23B

MD5
ac5fe05c30d9109331e49d861e27d2d0

SHA1
0a45162a5b5c52adef45888807dcb2c8a6decfab

SHA256
a29524c39fab348f5df04f83495c654aa90fb3f30be2c4ecb9ff24e55a6fcc7b

SHA512
b64f43169f578b6f122dbd82ae3ddf87a094ec280284417cd12b5d55454eb829f501a906816029a54f98aea02ff8132daa62fac20763fd529c3169f9e9e0932c

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/4172-173-0x00000000065A0000-0x00000000065B0000-memory.dmp

Filesize
64KB

Download
memory/4172-162-0x0000000000F50000-0x0000000000F74000-memory.dmp

Filesize
144KB

Download