7936557f6516ac7f99ecd425973c8609a544208f0eff21bd3229ea8df0646c9f

Resubmissions

05/06/2023, 08:11

230605-j3m7aaga4t 7

Analysis

max time kernel
30s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/06/2023, 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Five NIghts At Freddys World (Halloween edition).exe
Size

18.2MB
MD5

f809483a3f4f5ff0777461b5cd5202e3
SHA1

b6605db9cad47189b91a080b9af3ba66290ddc13
SHA256

7936557f6516ac7f99ecd425973c8609a544208f0eff21bd3229ea8df0646c9f
SHA512

ae8830ebc18c3e645870d9af6c69e2e1eb2b7685e9d936428a768656fcc6cb88acd4d6877a3d6eb90f8c1b87c6ae93d1c7fad17c8fdc8a8c6514dd3d042d1c93
SSDEEP

393216:Uap6UOn+BdEpOJYuoB0c6ECRTEJD9HtqamJcCWoWNQhlMf1X9jHqOCmx1U4iHp:Uap6rnsQOuuouc6E1JBNqxwoW+hlQHqD

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1728	stdrt.exe

Loads dropped DLL 5 IoCs

pid	Process
1980	Five NIghts At Freddys World (Halloween edition).exe
1728	stdrt.exe
1728	stdrt.exe
1728	stdrt.exe
1728	stdrt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1416	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1416	AUDIODG.EXE
Token: 33	1416	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1416	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1728	stdrt.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1728	1980	Five NIghts At Freddys World (Halloween edition).exe	27
PID 1980 wrote to memory of 1728	1980	Five NIghts At Freddys World (Halloween edition).exe	27
PID 1980 wrote to memory of 1728	1980	Five NIghts At Freddys World (Halloween edition).exe	27
PID 1980 wrote to memory of 1728	1980	Five NIghts At Freddys World (Halloween edition).exe	27

C:\Users\Admin\AppData\Local\Temp\Five NIghts At Freddys World (Halloween edition).exe
"C:\Users\Admin\AppData\Local\Temp\Five NIghts At Freddys World (Halloween edition).exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\mrt169D.tmp\stdrt.exe
  "C:\Users\Admin\AppData\Local\Temp\mrt169D.tmp\stdrt.exe" /SF "C:\Users\Admin\AppData\Local\Temp\Five NIghts At Freddys World (Halloween edition).exe" /SO394240
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1728

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1d0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mrt169D.tmp\MMFS2.dll

Filesize
459KB

MD5
4cf7bb74d8104280b7e986f4df21109d

SHA1
edc21a43136afddbf4786593e84b934d40591b74

SHA256
c0d56cefb509e5600ac6b430adcaf53b81881d3fff4e62b7ede158d66d826622

SHA512
2bbac48354657659795697e67508d777ee595348e1fb3d4b6c65d8618c346b3be0052b1e2e2fe669dcca19c3c00d59d1833acc21d88a97efbde2694935e3c292

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt169D.tmp\XNA.mfx

Filesize
24KB

MD5
705d339028b88613206c607d74f7286e

SHA1
4a1e306367c0bebc3c90f0b2e0dcc67a1432c515

SHA256
e3c2999e4b1ad036d0d905fc247328d202dc36079055a98c006b23d6d5e04d28

SHA512
c04a3be7dfbe6a0c9ef5cb62c7fad18c19b35b0a2ec7d90d06af6bdb37e81654425638fff172e15297818445d6f22aea88af57365747bfdcb5533df57d3337a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt169D.tmp\kcini.mfx

Filesize
28KB

MD5
5522465eba7c81f1fb67d6ad1a5df233

SHA1
0ec415bfaa9db6984cf922d5503d9fde67d0b3e2

SHA256
82c4f5af3c25a8daf60185833d3d61f2e8e2851ad640b59af54060eab6bc859e

SHA512
30d0ed91bf072e7b7367a708eb6a7d92cc0f326249ffdd44a0d94c3b8feb37b38387141c88add61a578393a186e9fb379d42ab0018aa14e917705e4344233f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt169D.tmp\stdrt.exe

Filesize
1018KB

MD5
e778bd82ca152e2a6fd78ea5ad0f17d4

SHA1
f893142032c90f9da713cd39a4ba6378665e7721

SHA256
edf1e6cb342d088a923235d93be1c73f913c21d16375e733bd1c364eb28c2178

SHA512
d7949de789b4d2cbf44eee379ca33970e974b34e6c6b15e30c3897bda68f4f6dd67469f8324e196994e386ad734c9f0fbfcce3e3c23c688d648c588e9b5261c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt169D.tmp\stdrt.exe

Filesize
1018KB

MD5
e778bd82ca152e2a6fd78ea5ad0f17d4

SHA1
f893142032c90f9da713cd39a4ba6378665e7721

SHA256
edf1e6cb342d088a923235d93be1c73f913c21d16375e733bd1c364eb28c2178

SHA512
d7949de789b4d2cbf44eee379ca33970e974b34e6c6b15e30c3897bda68f4f6dd67469f8324e196994e386ad734c9f0fbfcce3e3c23c688d648c588e9b5261c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt169D.tmp\waveflt.sft

Filesize
8KB

MD5
f76739536860a0bdb4a7e3bbb0c06d08

SHA1
b21581aa36eda87db8845caf58c668749e26b29f

SHA256
41136b09b033a20b9acc430620ea095ff76afbdc7aebe7f26f7d2b4315afddef

SHA512
6e65f23a4c1e3b0068b190f9aaaedcfa0466b0185cd6bbafa5f6f6940c8bc332e7c8c611d1b3b63bb2c5fcda48bbe2a678d81a3819940ecc0c701d6fec4194c7

Download Submit
\Users\Admin\AppData\Local\Temp\mrt169D.tmp\XNA.mfx

Filesize
24KB

MD5
705d339028b88613206c607d74f7286e

SHA1
4a1e306367c0bebc3c90f0b2e0dcc67a1432c515

SHA256
e3c2999e4b1ad036d0d905fc247328d202dc36079055a98c006b23d6d5e04d28

SHA512
c04a3be7dfbe6a0c9ef5cb62c7fad18c19b35b0a2ec7d90d06af6bdb37e81654425638fff172e15297818445d6f22aea88af57365747bfdcb5533df57d3337a9

Download Submit
\Users\Admin\AppData\Local\Temp\mrt169D.tmp\kcini.mfx

Filesize
28KB

MD5
5522465eba7c81f1fb67d6ad1a5df233

SHA1
0ec415bfaa9db6984cf922d5503d9fde67d0b3e2

SHA256
82c4f5af3c25a8daf60185833d3d61f2e8e2851ad640b59af54060eab6bc859e

SHA512
30d0ed91bf072e7b7367a708eb6a7d92cc0f326249ffdd44a0d94c3b8feb37b38387141c88add61a578393a186e9fb379d42ab0018aa14e917705e4344233f6a

Download Submit
\Users\Admin\AppData\Local\Temp\mrt169D.tmp\mmfs2.dll

Filesize
459KB

MD5
4cf7bb74d8104280b7e986f4df21109d

SHA1
edc21a43136afddbf4786593e84b934d40591b74

SHA256
c0d56cefb509e5600ac6b430adcaf53b81881d3fff4e62b7ede158d66d826622

SHA512
2bbac48354657659795697e67508d777ee595348e1fb3d4b6c65d8618c346b3be0052b1e2e2fe669dcca19c3c00d59d1833acc21d88a97efbde2694935e3c292

Download Submit
\Users\Admin\AppData\Local\Temp\mrt169D.tmp\stdrt.exe

Filesize
1018KB

MD5
e778bd82ca152e2a6fd78ea5ad0f17d4

SHA1
f893142032c90f9da713cd39a4ba6378665e7721

SHA256
edf1e6cb342d088a923235d93be1c73f913c21d16375e733bd1c364eb28c2178

SHA512
d7949de789b4d2cbf44eee379ca33970e974b34e6c6b15e30c3897bda68f4f6dd67469f8324e196994e386ad734c9f0fbfcce3e3c23c688d648c588e9b5261c7

Download Submit
\Users\Admin\AppData\Local\Temp\mrt169D.tmp\waveflt.sft

Filesize
8KB

MD5
f76739536860a0bdb4a7e3bbb0c06d08

SHA1
b21581aa36eda87db8845caf58c668749e26b29f

SHA256
41136b09b033a20b9acc430620ea095ff76afbdc7aebe7f26f7d2b4315afddef

SHA512
6e65f23a4c1e3b0068b190f9aaaedcfa0466b0185cd6bbafa5f6f6940c8bc332e7c8c611d1b3b63bb2c5fcda48bbe2a678d81a3819940ecc0c701d6fec4194c7

Download Submit