130f0bab879ce028e5067a99529bb923c56e50b639e99f9c0d6a5d799a8bc84f

Analysis

max time kernel
19s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/06/2023, 23:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

five-nights-at-freddy-s-multiplayer.exe
Size

270.9MB
MD5

415a72f7b885987cdcc1468d0376d26a
SHA1

ac3410e1afa18d76e4dce1b1d0061d4dc425b639
SHA256

130f0bab879ce028e5067a99529bb923c56e50b639e99f9c0d6a5d799a8bc84f
SHA512

195e9e38639f2f51458d96e5168f33887a46bd0404314cd49b2214cb285c8f5f1347ae1df37c01f5ced679987b89bf667ab071e5c7e2f19543f645322d0ecd7d
SSDEEP

6291456:AacLm3RwixUVL3MQ2guKY90umYH4koqerA:Aa6mBwixUVL3MQfup90u9H4koqH

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 16 IoCs

pid	Process
824	five-nights-at-freddy-s-multiplayer.exe
824	five-nights-at-freddy-s-multiplayer.exe
824	five-nights-at-freddy-s-multiplayer.exe
824	five-nights-at-freddy-s-multiplayer.exe
824	five-nights-at-freddy-s-multiplayer.exe
824	five-nights-at-freddy-s-multiplayer.exe
824	five-nights-at-freddy-s-multiplayer.exe
824	five-nights-at-freddy-s-multiplayer.exe
824	five-nights-at-freddy-s-multiplayer.exe
824	five-nights-at-freddy-s-multiplayer.exe
824	five-nights-at-freddy-s-multiplayer.exe
824	five-nights-at-freddy-s-multiplayer.exe
824	five-nights-at-freddy-s-multiplayer.exe
824	five-nights-at-freddy-s-multiplayer.exe
824	five-nights-at-freddy-s-multiplayer.exe
824	five-nights-at-freddy-s-multiplayer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	820	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	820	AUDIODG.EXE
Token: 33	820	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	820	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
824	five-nights-at-freddy-s-multiplayer.exe
824	five-nights-at-freddy-s-multiplayer.exe

C:\Users\Admin\AppData\Local\Temp\five-nights-at-freddy-s-multiplayer.exe
"C:\Users\Admin\AppData\Local\Temp\five-nights-at-freddy-s-multiplayer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:824

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xd4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MMFApplications\FNAFMPsavenight.ini

Filesize
8B

MD5
ed1d132112d5d8831c83987f0f16b61d

SHA1
2ba30b601b532e91b3e23792efa6d8e2cdb99708

SHA256
2ef8b37ff2fde57495c5a7cd1dc4b467cf32f1f8f775c7b11b36c98b033ece4f

SHA512
42a924333c1c49151b5ecbb2ff6cd1f618279114886ab4390fead65ce3dfe7a346c295b4cada92248ac4737895ffc98cab2af04134eb1bd1a29bbf8af633b606

Download Submit
C:\Users\Admin\AppData\Roaming\MMFApplications\FNAFMPsettings.ini

Filesize
29B

MD5
a0a27e9ab641c50356c223500b445a36

SHA1
c2dc1a559726a499798e7b965f8ca62c0b5f6713

SHA256
5e792566e7b40ec69ef495650cf059d6970a9ee27a5f95dd37a3a8106e7dd28c

SHA512
5ece32859dfad23b342ae4868f35f343dde989b6eeebd6151555de309950edb6389f4f15f35ed2df16754893f6f299481e913a031c83434863a5f16da8b5a21f

Download Submit
C:\Users\Admin\AppData\Roaming\MMFApplications\FNAFMscripts2.ini

Filesize
8B

MD5
96ebe720d0e11da4e7e678ce09ac214a

SHA1
03db7d2926cc9ceb3e755e683df35da91fcdb83d

SHA256
fa786e9fec8cc731d4561d7f639ec184784d90e28fb6b7596e801489e2266170

SHA512
7b233ef99c5b7da9b6b334b58cd389f184972988fb07736664631d91f10e3aaf8d63d76d8bc44333a2098611d8e0df94f05817d0aa14aa4ac4e278e8064ba815

Download Submit
C:\Users\Admin\AppData\Roaming\MMFApplications\FnaFMultiplayernameroom.ini

Filesize
7B

MD5
c70a4341c7c2ad9bbc6ccafa4c03a75b

SHA1
500a61d27301f3cc5db1559a804231b55cc478da

SHA256
c00fe75b9340c974ae02f606c85adae80831a01dfe87e94c362b548c368f45db

SHA512
7dbe1544f6568c7b0700003423df2713c6aaf85416ff026e6735c1d541245d192905d9d5caab87bf1c9464371322907a37bfb19a4cb907b41d5173e8642d97f8

Download Submit
\Users\Admin\AppData\Local\Temp\mrt4903.tmp\GetKillProcess.mfx

Filesize
115KB

MD5
04a09c12b382d41f3b1da9bc1f75f907

SHA1
a60dc990cfd9151c58f32939c164b8aebd924a2f

SHA256
8e117c43252228087aa48a4f37eac7ad8127adf17c65fade5ef3646679ad532e

SHA512
efbe77d73bae2c6496cb44470fd6b9ed81c029735e5facd050287f10bf1cb150bf50ae7fe110d200822a55ee43a69992773cedbbce5d7a9212c2a12cff2da032

Download Submit
\Users\Admin\AppData\Local\Temp\mrt4903.tmp\OpenURLs.mfx

Filesize
81KB

MD5
213a3941e576daf3e6f6be616a6643c1

SHA1
55e31d2fb7084a130e4a27fbd433704e3e840b75

SHA256
6d33883fe9a8fcdff9aab0e886d505a38e21a461c713e5ac7b7e0c2a65e934ae

SHA512
310f951c93cb54131bce7e7cdd50225b55a9168ff922e320145f8517cda27d53de55a03ef16aba107cd968a4471d1702b9c3689f5a20f55b786df31d6ab82933

Download Submit
\Users\Admin\AppData\Local\Temp\mrt4903.tmp\Perspective.mfx

Filesize
15KB

MD5
9f064bdcb066daa428db0ed9e33e785d

SHA1
3c0df73cf247ce49d1010fe0e2f722424fe43f4f

SHA256
090925a4cd961f22b1ecd2fba4ce04ab063e26507a1dc09b1d6a40c4860a8777

SHA512
4a510ce13c379e8cb5ccb9f9c69e28e9440f48156c8c4c1fef6987495cace7c028d45530ac961f47786e8f503f90c54310cb1ccf43d7fd584506461c1bd616d5

Download Submit
\Users\Admin\AppData\Local\Temp\mrt4903.tmp\RedRelayClient.mfx

Filesize
416KB

MD5
46b8a621e8bc1e420fe746236e1ccb98

SHA1
962b1c151cd09623513223f587bb19c5692264f0

SHA256
01ed838d0c5c3ea578748f50c68b215832686e304527031bd232a16040b951ee

SHA512
68c7996a3bf15cfb7c9e37382733588610e8fbfecad4d9357822e0cc58473e81b01413588ebf7af2b01811028ee5c9533bf427c22d03c17403b9e75286e30051

Download Submit
\Users\Admin\AppData\Local\Temp\mrt4903.tmp\StringTokenizer.mfx

Filesize
76KB

MD5
7e4c1a0c410de0f23f591e338a6bf243

SHA1
95da8e10b784374c030b591574d51fce970e7716

SHA256
d1a0edb43969a1c4621527dfaaf6bbe97e63e9cbb495e615c3292aeb2a5e9ce8

SHA512
08c40b71b97be88c8e9fb37265503cf6f36bc7248dfd603bb69833c0f104af2fa90f22d2a3026c3a850c4949e8669f8b2008698bd18039e59131af6cb143bcbc

Download Submit
\Users\Admin\AppData\Local\Temp\mrt4903.tmp\cctrans.dll

Filesize
347KB

MD5
21e093d52a3afe8ed5532fcaa189c067

SHA1
8aa7bcb26e3064cd4d1172090ff00d083ee19cc4

SHA256
9b834b5d26983451ef3a11c8c2a715724daa188fbd28597081ecb1e9ed672f87

SHA512
b4c2205c234e8ed4973fca9c64c0ec11753eb200c1d2eb3c66b9f4509426c8774f14ae1271583e0eaff268eae9c8375c5993af107e4db8d7c87b817bd1ccd9e8

Download Submit
\Users\Admin\AppData\Local\Temp\mrt4903.tmp\kcedit.mfx

Filesize
32KB

MD5
a00acf3af0958898345fca9893cb6f57

SHA1
561717e33e2877fd0db99411265186ca468041bd

SHA256
b38ad01ad8a22f3f553530b000d6d061356601d308e6a79284605c30cb0674ad

SHA512
9435f612a23864ac7e4d22cff927b4155463fdddd8d143b805d7233dd372e9a5975c9a4170de9bcfc3adce4ab9fffdab2937f053e48743d2791753d2dc727850

Download Submit
\Users\Admin\AppData\Local\Temp\mrt4903.tmp\kcffunct.mfx

Filesize
8KB

MD5
1659ba7eb94ec1065ac6d2e0a96f0749

SHA1
ce8e78e3864ef7d256f58078a563e1458eecf5d6

SHA256
b8ac1750ec3f74b20c11a6b920868a034cd50619d3a7dfc9cb92faf328d1f4dd

SHA512
5d491c3d5235eebccdff32aca43ad1f8c8f1437f67c20fa48ee60eca14fcc9e0b891e04d5fb0cde63544288b328bb87f0be0e22384c6e0f7c633317e7ce859c3

Download Submit
\Users\Admin\AppData\Local\Temp\mrt4903.tmp\kcini.mfx

Filesize
330KB

MD5
a6ad14845999c5aa7adf2911671a7c5b

SHA1
98dfd5a9584d1c1b330c2c104c1779bd55ded211

SHA256
5af175ffb932fb653873dad095dd40f2ab8d3fb56f287213c21bb68652ddad2d

SHA512
32bb59826b82d47ec420ac2532e1387a85422d2f0ce5370ad2c95b914a7615d3b122dbf4dd045105eb8ffea49324dac57659f0e5f2500b4d0eb75047cb36dfd8

Download Submit
\Users\Admin\AppData\Local\Temp\mrt4903.tmp\kclist.mfx

Filesize
32KB

MD5
10a8ccacb046c0dc05adfc6964e99e95

SHA1
48acabc563a9c6d48eae3eda5254306127c00528

SHA256
57d8f859ecf57eed8f2fdc3271ec1d57c879899a527d77a80c9f45b1377742f5

SHA512
e972e0a6d4aa5c0cab99283c27038eb31f0adf2f581b4be9b58768d25a81f71e2aa5482500e4cb16bbc60d41f84ef926cd61a9cbe9fce1fce4adca564a6b147a

Download Submit
\Users\Admin\AppData\Local\Temp\mrt4903.tmp\mmf2d3d11.dll

Filesize
541KB

MD5
839633898178f35f6de0b385b7de0ec7

SHA1
5396e52c45954f0953cc8cf2095b122f7353180e

SHA256
5f6563d6bf2f3ceab8b2ca2c15ba4f7fe882a82c1f72b10041b5692c6515a53a

SHA512
b0ed4fce2815dcb783e0b9a786178b337d215e6a4d16df1ddb3c28ccdba13081fee1976669d9f99505cf31b8f1e8d5584fd1aa9732e1add38217222726c76eb8

Download Submit
\Users\Admin\AppData\Local\Temp\mrt4903.tmp\mmf2d3d9.dll

Filesize
1.5MB

MD5
c85bcc9f3049b57aa8ccbb290342ff14

SHA1
38f5b81a540f1c995ff8d949702440b70921acc5

SHA256
bddda991185a9e83b9855a109f2fcfa78cd2d5402e9db344c6ec77f6ce69a0c5

SHA512
5097f9d78ddc651aabf41f217f622ee656a1c6de6a9b339354525293102cf631cca2b7babaf991e99e49efe4d1bb6792c8a7a11f82e4ae2081c3961eb9b5afe7

Download Submit
\Users\Admin\AppData\Local\Temp\mrt4903.tmp\mmfs2.dll

Filesize
768KB

MD5
200520e6e8b4d675b77971dfa9fb91b3

SHA1
0c583bf4c3eda9c955fd0d0d3ba7fdc62a43bf07

SHA256
763ef4484ba9b9e10e19268c045732515f0ac143cf075e6d1ea1f5adcc77633b

SHA512
8b7bb334b6bd83ae43e5a4fe32a92b38b1edd2c292c4a540a54c2ee16092eb30108524c1c363508f7c62617bb224d9b447f07cda97ab7de01688acbfbacec51b

Download Submit
\Users\Admin\AppData\Local\Temp\mrt4903.tmp\mp3flt.sft

Filesize
24KB

MD5
5bebc3ae0122702b89f9262888d3a393

SHA1
064731c0f1d493b5b82921fa78f06e3d1db95284

SHA256
81c9a9459a8e124793addf142cd513945d6fe600e1d67f74897898d7570e56b2

SHA512
c10cb520c2c4a9fe7c371f17ce7f86f138db247468ab1e465dafd7abd294c2beb13cf3a2595b4c8c820d911d8b70842c8f4e45398693c4f0454f973bd58a10a1

Download Submit
\Users\Admin\AppData\Local\Temp\mrt4903.tmp\oggflt.sft

Filesize
130KB

MD5
0c8c1ee3ba92189f4ce21d1b396a2765

SHA1
b7daa4a6e16416151dccbb0a89f304961b6cb627

SHA256
9e589f86317d840df9bb74f6ee20c24ca65afe58f4009740382f63a0f5531941

SHA512
0a4339092ac55bac3b1bdfaaa3401020f8f49918bd2fdb14524f3d558eb840b876aedfdeb54a1da163fa36393abf3fe8ab7e112a34ea9d891e82a22e96c85ddc

Download Submit
\Users\Admin\AppData\Local\Temp\mrt4903.tmp\waveFlt.sft

Filesize
8KB

MD5
57ea61dd14314ef155e80c6a0be8a664

SHA1
963b0ef2fe976ff77044a821fe1e29be4a8cf8a7

SHA256
92a5053cf5973a6aa228c738d55387f12f1dfa8a837d7b938c60f05b6b56b3ad

SHA512
cc23cb30d76d22500c3ed7ce9ee0388588309d0779441b95559fce25a42f1eff52ca285c347655f8b33c15b75f9d2067738a151f81f605d3b563799a3a06c9a9

Download Submit
memory/824-127-0x00000000FFF80000-0x00000000FFF90000-memory.dmp

Filesize
64KB

Download
memory/824-107-0x00000000021D0000-0x00000000021F4000-memory.dmp

Filesize
144KB

Download
memory/824-94-0x0000000000380000-0x0000000000394000-memory.dmp

Filesize
80KB

Download
memory/824-86-0x0000000000240000-0x0000000000262000-memory.dmp

Filesize
136KB

Download
memory/824-77-0x0000000000140000-0x0000000000158000-memory.dmp

Filesize
96KB

Download