9868381ad9859763dd85efff51f7f19990e57f77b183a4d6b131e451c3e33985

Analysis

max time kernel
144s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 14:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Fnaf 4.exe
Size

444.8MB
MD5

280356aed3f11bbf739eaec48bb03ef4
SHA1

7cb32668f9c6cdf0c2b67a2830e01fe3b7a591ab
SHA256

9868381ad9859763dd85efff51f7f19990e57f77b183a4d6b131e451c3e33985
SHA512

413fb40f804d91fc2c8c149a8df47152e8b7925f5c39101884c0e15400c54eff5074eed355498d0e80a23c3c668dd2ff7556dbbb3908c57660995fa4a422b9ef
SSDEEP

12582912:NNP4AWpzVMs+IAku/y86xOpCV5YkC+auFZgnHTSeJa00ZJ1D3Mz8AC++yeqz4ko2:N57OVMNIAkWy8cF5YkC/uFf100ZJ1D8B

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
2208	Fnaf 4.exe
2208	Fnaf 4.exe
2208	Fnaf 4.exe
2208	Fnaf 4.exe
2208	Fnaf 4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2208	Fnaf 4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1684	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1684	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2208	Fnaf 4.exe

C:\Users\Admin\AppData\Local\Temp\Fnaf 4.exe
"C:\Users\Admin\AppData\Local\Temp\Fnaf 4.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2208

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x304 0x480
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mrt558D.tmp\cctrans.dll

Filesize
64KB

MD5
a20165b7e7dfee46a59e48c175523af0

SHA1
6ed627806753d11e1a121689369668294d15be74

SHA256
cba1c0fa69bc6b106408d06878390a5699cd2b25adfed1a2610ee01ae2524cbe

SHA512
a9295b814fe77aa4ba4dec5cbed790858852f775799fe9da01bf07d67fa294d4ca1c5a68c9255c3fb716d0dbeb8b5a5ea38b8ec72263f40957beafe7bf323cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt558D.tmp\cctrans.dll

Filesize
64KB

MD5
a20165b7e7dfee46a59e48c175523af0

SHA1
6ed627806753d11e1a121689369668294d15be74

SHA256
cba1c0fa69bc6b106408d06878390a5699cd2b25adfed1a2610ee01ae2524cbe

SHA512
a9295b814fe77aa4ba4dec5cbed790858852f775799fe9da01bf07d67fa294d4ca1c5a68c9255c3fb716d0dbeb8b5a5ea38b8ec72263f40957beafe7bf323cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt558D.tmp\kcini.mfx

Filesize
28KB

MD5
5522465eba7c81f1fb67d6ad1a5df233

SHA1
0ec415bfaa9db6984cf922d5503d9fde67d0b3e2

SHA256
82c4f5af3c25a8daf60185833d3d61f2e8e2851ad640b59af54060eab6bc859e

SHA512
30d0ed91bf072e7b7367a708eb6a7d92cc0f326249ffdd44a0d94c3b8feb37b38387141c88add61a578393a186e9fb379d42ab0018aa14e917705e4344233f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt558D.tmp\mmfs2.dll

Filesize
459KB

MD5
4cf7bb74d8104280b7e986f4df21109d

SHA1
edc21a43136afddbf4786593e84b934d40591b74

SHA256
c0d56cefb509e5600ac6b430adcaf53b81881d3fff4e62b7ede158d66d826622

SHA512
2bbac48354657659795697e67508d777ee595348e1fb3d4b6c65d8618c346b3be0052b1e2e2fe669dcca19c3c00d59d1833acc21d88a97efbde2694935e3c292

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt558D.tmp\waveflt.sft

Filesize
8KB

MD5
f76739536860a0bdb4a7e3bbb0c06d08

SHA1
b21581aa36eda87db8845caf58c668749e26b29f

SHA256
41136b09b033a20b9acc430620ea095ff76afbdc7aebe7f26f7d2b4315afddef

SHA512
6e65f23a4c1e3b0068b190f9aaaedcfa0466b0185cd6bbafa5f6f6940c8bc332e7c8c611d1b3b63bb2c5fcda48bbe2a678d81a3819940ecc0c701d6fec4194c7

Download Submit
C:\Users\Admin\AppData\Roaming\MMFApplications\fn4

Filesize
15B

MD5
d68cf3d262f0a667c37b6bbb417d8721

SHA1
1fd83fff6a059d4fd6b035f5ffdd0b944afc9fed

SHA256
b2a9897eb07fd35b2c5b9d2adf1864f476d55171cbdf895a4818c41b508c8442

SHA512
4f314fdc58a47a2f0a84ab6ffd036cced1a05a0ab1db2fe69d1ef0d6d975d4f51d9bca700ff2658a2cdc85373e14cc0f8e2ff7e94bccfbd125cc1125181aa347

Download Submit
memory/2208-150-0x0000000004500000-0x0000000004510000-memory.dmp

Filesize
64KB

Download