4cbca7c948e2ed31a820b859897651e34ad50444177a9f70525ac6dedfdece53

Analysis

max time kernel
108s
max time network
37s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12/06/2023, 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Five Nights at Freddys 2.exe
Size

207.4MB
MD5

27188dbd07f38a63250e5315c178c333
SHA1

0867a0a27b3c4deb76a892774281b8d9291c022d
SHA256

4cbca7c948e2ed31a820b859897651e34ad50444177a9f70525ac6dedfdece53
SHA512

ccb99fd1e79a084cdc5890dcc738273e387da124e00a985cab33fe2d8ae45749f8e4e9c900eed6f948c53c42f2f35c0e5705f414d9c703f41eb25c1ee75261b3
SSDEEP

6291456:s3O+IWb5ACzpe5finrPbtGVWxqj8CdfB9Sb2M:s3O+IyHLnrPbfgzfeb

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
816	Five Nights at Freddys 2.exe
816	Five Nights at Freddys 2.exe
816	Five Nights at Freddys 2.exe
816	Five Nights at Freddys 2.exe
816	Five Nights at Freddys 2.exe
816	Five Nights at Freddys 2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
816	Five Nights at Freddys 2.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	748	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	748	AUDIODG.EXE
Token: 33	748	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	748	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
816	Five Nights at Freddys 2.exe

C:\Users\Admin\AppData\Local\Temp\Five Nights at Freddys 2.exe
"C:\Users\Admin\AppData\Local\Temp\Five Nights at Freddys 2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:816

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MMFApplications\freddy2

Filesize
28B

MD5
3aeb57bf8fe246e9bb6c2f817bbacfb5

SHA1
b7732c3774058f466eca34278b3aa2699e3af19f

SHA256
0cde4416d10dfa177182109ea755eb267ba84c84689a81de41821d851b516256

SHA512
da955e97ce57f3f3f424cb61921dbee7ca1c48db8fdf3364fcda0521cd5428730822ee757bef6bc40af13ae496b55cf6b43fc80ef6b76b194361034f844b12fa

Download Submit
\Users\Admin\AppData\Local\Temp\mrt6A87.tmp\Perspective.mfx

Filesize
15KB

MD5
9f064bdcb066daa428db0ed9e33e785d

SHA1
3c0df73cf247ce49d1010fe0e2f722424fe43f4f

SHA256
090925a4cd961f22b1ecd2fba4ce04ab063e26507a1dc09b1d6a40c4860a8777

SHA512
4a510ce13c379e8cb5ccb9f9c69e28e9440f48156c8c4c1fef6987495cace7c028d45530ac961f47786e8f503f90c54310cb1ccf43d7fd584506461c1bd616d5

Download Submit
\Users\Admin\AppData\Local\Temp\mrt6A87.tmp\cctrans.dll

Filesize
64KB

MD5
b1bce28b7dd711f299785f35b5d30d9e

SHA1
54948c118fd5866c7b6c3efada3ae4b87548e392

SHA256
1a2e6bd6ce00288a3fcfa6d1544e32b00543559ac8ffcddc17aa2e19bd3a71aa

SHA512
4d22e9dfef85869502f7f9372c918c006575dfa405daebe075a9618907b0139ada75465e8ea1694c07dcd1b0c5f6d26411a6cdfb6603f9ee5643d04b8de5dd7a

Download Submit
\Users\Admin\AppData\Local\Temp\mrt6A87.tmp\kcini.mfx

Filesize
28KB

MD5
8d086569a8b80fb85db3c9c93af299b5

SHA1
143ec5000967c64b994b4ff7eab9e429bff2d109

SHA256
a5618b90999455b6f8abe3b2849c96175427d27680a46c4386c94bebfb7727cc

SHA512
3eeff9e820a8f87493b7748c48197655be9a4a0fef1854dd2dba2cf04427bd15e927efb79a6dd2c9c9eb665c1e716d85c1fcd5b032aab17a175d8da601fda1e9

Download Submit
\Users\Admin\AppData\Local\Temp\mrt6A87.tmp\mmf2d3d9.dll

Filesize
1.1MB

MD5
216edca5011d2de83e3ab5e01bbbdbda

SHA1
49291814036dd68c81cb3479f6fd1b976b1ca30d

SHA256
1c0ec3ce3eacdcff742ed0fa88f8f942acec23383f13e5a049d83bd54a30cd07

SHA512
649905476ac60ebc29466d95a2835313afc708a0fec1715b62e1fc9fd643c8dc6d8a1c5bc44e74e546be7cf28547c0e03f4364ef780c546f04b8cd71fcd55335

Download Submit
\Users\Admin\AppData\Local\Temp\mrt6A87.tmp\mmfs2.dll

Filesize
459KB

MD5
3d377182bf625d57d50df332db8a09fa

SHA1
0fdb0f6c3c5d90e395ecd65f204e39a5a98ab19e

SHA256
0ce3a723492b37f10d3e142feff4b10396c8955b5365a3afbafd75a473a6af35

SHA512
625b43ba5f96fd31e387a2dedd67599ef340da9b77279f18ae0a0fbf9aa9640f428fd442c0fe9edc465b2310b004d7015953e762405e54a354224d4f5f35cc8e

Download Submit
\Users\Admin\AppData\Local\Temp\mrt6A87.tmp\waveflt.sft

Filesize
8KB

MD5
f76739536860a0bdb4a7e3bbb0c06d08

SHA1
b21581aa36eda87db8845caf58c668749e26b29f

SHA256
41136b09b033a20b9acc430620ea095ff76afbdc7aebe7f26f7d2b4315afddef

SHA512
6e65f23a4c1e3b0068b190f9aaaedcfa0466b0185cd6bbafa5f6f6940c8bc332e7c8c611d1b3b63bb2c5fcda48bbe2a678d81a3819940ecc0c701d6fec4194c7

Download Submit
memory/816-74-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download