7936557f6516ac7f99ecd425973c8609a544208f0eff21bd3229ea8df0646c9f

Resubmissions

05/06/2023, 08:11 UTC

230605-j3m7aaga4t 7

Analysis

max time kernel
79s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2023, 08:11 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Five NIghts At Freddys World (Halloween edition).exe
Size

18.2MB
MD5

f809483a3f4f5ff0777461b5cd5202e3
SHA1

b6605db9cad47189b91a080b9af3ba66290ddc13
SHA256

7936557f6516ac7f99ecd425973c8609a544208f0eff21bd3229ea8df0646c9f
SHA512

ae8830ebc18c3e645870d9af6c69e2e1eb2b7685e9d936428a768656fcc6cb88acd4d6877a3d6eb90f8c1b87c6ae93d1c7fad17c8fdc8a8c6514dd3d042d1c93
SSDEEP

393216:Uap6UOn+BdEpOJYuoB0c6ECRTEJD9HtqamJcCWoWNQhlMf1X9jHqOCmx1U4iHp:Uap6rnsQOuuouc6E1JBNqxwoW+hlQHqD

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
640	stdrt.exe

Loads dropped DLL 4 IoCs

pid	Process
640	stdrt.exe
640	stdrt.exe
640	stdrt.exe
640	stdrt.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2275444769-3691835758-4097679484-1000\{37954120-16B6-4C02-8DBA-6108D83A59FA}	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
640	stdrt.exe
640	stdrt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
640	stdrt.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4092	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4092	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
640	stdrt.exe
3640	OpenWith.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 640	1356	Five NIghts At Freddys World (Halloween edition).exe	84
PID 1356 wrote to memory of 640	1356	Five NIghts At Freddys World (Halloween edition).exe	84
PID 1356 wrote to memory of 640	1356	Five NIghts At Freddys World (Halloween edition).exe	84

C:\Users\Admin\AppData\Local\Temp\Five NIghts At Freddys World (Halloween edition).exe
"C:\Users\Admin\AppData\Local\Temp\Five NIghts At Freddys World (Halloween edition).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Local\Temp\mrt8726.tmp\stdrt.exe
  "C:\Users\Admin\AppData\Local\Temp\mrt8726.tmp\stdrt.exe" /SF "C:\Users\Admin\AppData\Local\Temp\Five NIghts At Freddys World (Halloween edition).exe" /SO394240
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:640

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:4560

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x430 0x4bc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4092

Network

DNS

138.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.32.126.40.in-addr.arpa

IN PTR

Response
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

14.103.197.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.103.197.20.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

233.141.123.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.141.123.20.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

2.36.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.36.159.162.in-addr.arpa

IN PTR

Response
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response

52.242.97.97:443

260 B
5
209.197.3.8:80

322 B
7
209.197.3.8:80

322 B
7
173.223.113.164:443

322 B
7
131.253.33.203:80

322 B
7

8.8.8.8:53

138.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

138.32.126.40.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

14.103.197.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.103.197.20.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

233.141.123.20.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

233.141.123.20.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

2.36.159.162.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

2.36.159.162.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mrt8726.tmp\MMFS2.dll

Filesize
459KB

MD5
4cf7bb74d8104280b7e986f4df21109d

SHA1
edc21a43136afddbf4786593e84b934d40591b74

SHA256
c0d56cefb509e5600ac6b430adcaf53b81881d3fff4e62b7ede158d66d826622

SHA512
2bbac48354657659795697e67508d777ee595348e1fb3d4b6c65d8618c346b3be0052b1e2e2fe669dcca19c3c00d59d1833acc21d88a97efbde2694935e3c292

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt8726.tmp\XNA.mfx

Filesize
24KB

MD5
705d339028b88613206c607d74f7286e

SHA1
4a1e306367c0bebc3c90f0b2e0dcc67a1432c515

SHA256
e3c2999e4b1ad036d0d905fc247328d202dc36079055a98c006b23d6d5e04d28

SHA512
c04a3be7dfbe6a0c9ef5cb62c7fad18c19b35b0a2ec7d90d06af6bdb37e81654425638fff172e15297818445d6f22aea88af57365747bfdcb5533df57d3337a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt8726.tmp\XNA.mfx

Filesize
24KB

MD5
705d339028b88613206c607d74f7286e

SHA1
4a1e306367c0bebc3c90f0b2e0dcc67a1432c515

SHA256
e3c2999e4b1ad036d0d905fc247328d202dc36079055a98c006b23d6d5e04d28

SHA512
c04a3be7dfbe6a0c9ef5cb62c7fad18c19b35b0a2ec7d90d06af6bdb37e81654425638fff172e15297818445d6f22aea88af57365747bfdcb5533df57d3337a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt8726.tmp\kcini.mfx

Filesize
28KB

MD5
5522465eba7c81f1fb67d6ad1a5df233

SHA1
0ec415bfaa9db6984cf922d5503d9fde67d0b3e2

SHA256
82c4f5af3c25a8daf60185833d3d61f2e8e2851ad640b59af54060eab6bc859e

SHA512
30d0ed91bf072e7b7367a708eb6a7d92cc0f326249ffdd44a0d94c3b8feb37b38387141c88add61a578393a186e9fb379d42ab0018aa14e917705e4344233f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt8726.tmp\kcini.mfx

Filesize
28KB

MD5
5522465eba7c81f1fb67d6ad1a5df233

SHA1
0ec415bfaa9db6984cf922d5503d9fde67d0b3e2

SHA256
82c4f5af3c25a8daf60185833d3d61f2e8e2851ad640b59af54060eab6bc859e

SHA512
30d0ed91bf072e7b7367a708eb6a7d92cc0f326249ffdd44a0d94c3b8feb37b38387141c88add61a578393a186e9fb379d42ab0018aa14e917705e4344233f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt8726.tmp\mmfs2.dll

Filesize
459KB

MD5
4cf7bb74d8104280b7e986f4df21109d

SHA1
edc21a43136afddbf4786593e84b934d40591b74

SHA256
c0d56cefb509e5600ac6b430adcaf53b81881d3fff4e62b7ede158d66d826622

SHA512
2bbac48354657659795697e67508d777ee595348e1fb3d4b6c65d8618c346b3be0052b1e2e2fe669dcca19c3c00d59d1833acc21d88a97efbde2694935e3c292

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt8726.tmp\stdrt.exe

Filesize
1018KB

MD5
e778bd82ca152e2a6fd78ea5ad0f17d4

SHA1
f893142032c90f9da713cd39a4ba6378665e7721

SHA256
edf1e6cb342d088a923235d93be1c73f913c21d16375e733bd1c364eb28c2178

SHA512
d7949de789b4d2cbf44eee379ca33970e974b34e6c6b15e30c3897bda68f4f6dd67469f8324e196994e386ad734c9f0fbfcce3e3c23c688d648c588e9b5261c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt8726.tmp\stdrt.exe

Filesize
1018KB

MD5
e778bd82ca152e2a6fd78ea5ad0f17d4

SHA1
f893142032c90f9da713cd39a4ba6378665e7721

SHA256
edf1e6cb342d088a923235d93be1c73f913c21d16375e733bd1c364eb28c2178

SHA512
d7949de789b4d2cbf44eee379ca33970e974b34e6c6b15e30c3897bda68f4f6dd67469f8324e196994e386ad734c9f0fbfcce3e3c23c688d648c588e9b5261c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt8726.tmp\waveflt.sft

Filesize
8KB

MD5
f76739536860a0bdb4a7e3bbb0c06d08

SHA1
b21581aa36eda87db8845caf58c668749e26b29f

SHA256
41136b09b033a20b9acc430620ea095ff76afbdc7aebe7f26f7d2b4315afddef

SHA512
6e65f23a4c1e3b0068b190f9aaaedcfa0466b0185cd6bbafa5f6f6940c8bc332e7c8c611d1b3b63bb2c5fcda48bbe2a678d81a3819940ecc0c701d6fec4194c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt8726.tmp\waveflt.sft

Filesize
8KB

MD5
f76739536860a0bdb4a7e3bbb0c06d08

SHA1
b21581aa36eda87db8845caf58c668749e26b29f

SHA256
41136b09b033a20b9acc430620ea095ff76afbdc7aebe7f26f7d2b4315afddef

SHA512
6e65f23a4c1e3b0068b190f9aaaedcfa0466b0185cd6bbafa5f6f6940c8bc332e7c8c611d1b3b63bb2c5fcda48bbe2a678d81a3819940ecc0c701d6fec4194c7

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.