Analysis
- max time kernel: 329s
- max time network: 332s
- platform: windows10-1703_x64
- resource: win10-20231020-en
- resource tags: arch:x64, arch:x86, image:win10-20231020-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 12-11-2023 15:26
- Static task: static1
- Behavioral task: behavioral1
- Sample: rpg-maker-vx-ace-1-0-21.exe
- Resource: win10-20231020-en
General
- Target: rpg-maker-vx-ace-1-0-21.exe
- Size: 222.5MB
- MD5: 8e3f9f266f8387d323b964427920fda8
- SHA1: 97a1ee6390b702519091130eecd6f6b806a77dcb
- SHA256: 8b0c547c863e0665a191b7d1d473d26b4aa29b0dbbe27081a765762a7b1fc271
- SHA512: eefca3e36d936bcdb8f9340e068447d33d7c5a184e8318fa8567d538032891a7b8775a6ce2c1402b5bb85cf03d61be56fb2a13843726a8f0701c99440d5f3e22
- SSDEEP: 6291456:2rkf6CCvIRO1j0HvHgFGALNio+3uDk6m7cT3VPwM:mkf6Bb10HvUGAxRBDKQPwM
Malware Config
Signatures
-
Banload
Banload variants download malicious files, then install and execute the files.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: RPGVXAce.exe, RPGVXAce.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (RPGVXAce.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (RPGVXAce.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (RPGVXAce.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (RPGVXAce.exe)
-
Executes dropped EXE 5 IoCs
Processes: rpg-maker-vx-ace-1-0-21.tmp, Setup.exe, Setup.tmp, RPGVXAce.exe, RPGVXAce.exe
- PID 1200 rpg-maker-vx-ace-1-0-21.tmp
- PID 3476 Setup.exe
- PID 3172 Setup.tmp
- PID 356 RPGVXAce.exe
- PID 1188 RPGVXAce.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
Processes: rpg-maker-vx-ace-1-0-21.tmp, Setup.tmp
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 52 IoCs
Processes: rpg-maker-vx-ace-1-0-21.tmp, RPGVXAce.exe, RPGVXAce.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: rpg-maker-vx-ace-1-0-21.tmp
- PID 1200 rpg-maker-vx-ace-1-0-21.tmp
- PID 1200 rpg-maker-vx-ace-1-0-21.tmp
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: rpg-maker-vx-ace-1-0-21.tmp, Setup.tmp
- PID 1200 rpg-maker-vx-ace-1-0-21.tmp
- PID 3172 Setup.tmp
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: RPGVXAce.exe, RPGVXAce.exe
- PID 356 RPGVXAce.exe
- PID 356 RPGVXAce.exe
- PID 1188 RPGVXAce.exe
- PID 1188 RPGVXAce.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes: rpg-maker-vx-ace-1-0-21.exe, rpg-maker-vx-ace-1-0-21.tmp, Setup.exe
- PID 4132 (rpg-maker-vx-ace-1-0-21.exe) wrote to memory of PID 1200 (rpg-maker-vx-ace-1-0-21.tmp)
- PID 4132 (rpg-maker-vx-ace-1-0-21.exe) wrote to memory of PID 1200 (rpg-maker-vx-ace-1-0-21.tmp)
- PID 4132 (rpg-maker-vx-ace-1-0-21.exe) wrote to memory of PID 1200 (rpg-maker-vx-ace-1-0-21.tmp)
- PID 1200 (rpg-maker-vx-ace-1-0-21.tmp) wrote to memory of PID 3476 (Setup.exe)
- PID 1200 (rpg-maker-vx-ace-1-0-21.tmp) wrote to memory of PID 3476 (Setup.exe)
- PID 1200 (rpg-maker-vx-ace-1-0-21.tmp) wrote to memory of PID 3476 (Setup.exe)
- PID 3476 (Setup.exe) wrote to memory of PID 3172 (Setup.tmp)
- PID 3476 (Setup.exe) wrote to memory of PID 3172 (Setup.tmp)
- PID 3476 (Setup.exe) wrote to memory of PID 3172 (Setup.tmp)
Processes
-
C:\Users\Admin\AppData\Local\Temp\rpg-maker-vx-ace-1-0-21.exe (tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\rpg-maker-vx-ace-1-0-21.exe"
- Suspicious use of WriteProcessMemory
PID:4132 -
C:\Users\Admin\AppData\Local\Temp\is-J757F.tmp\rpg-maker-vx-ace-1-0-21.tmp (tree level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\is-J757F.tmp\rpg-maker-vx-ace-1-0-21.tmp" /SL5="$5021C,233070670,56832,C:\Users\Admin\AppData\Local\Temp\rpg-maker-vx-ace-1-0-21.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Users\Admin\AppData\Local\Temp\is-BGHDJ.tmp\Setup.exe (tree level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\is-BGHDJ.tmp\Setup.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Users\Admin\AppData\Local\Temp\is-OJMEO.tmp\Setup.tmp (tree level 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\is-OJMEO.tmp\Setup.tmp" /SL5="$20262,140800,0,C:\Users\Admin\AppData\Local\Temp\is-BGHDJ.tmp\Setup.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:3172
-
C:\Program Files (x86)\Enterbrain\RPGVXAce\RPGVXAce.exe (tree level 1)
Command line: "C:\Program Files (x86)\Enterbrain\RPGVXAce\RPGVXAce.exe"
- Checks BIOS information in registry
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:356
-
C:\Windows\SysWOW64\werfault.exe (tree level 1)
Command line: werfault.exe /h /shared Global\b2b2ceeeeee54033b401bb2c95169aa2 /t 4148 /p 356
PID:2296
-
C:\Program Files (x86)\Enterbrain\RPGVXAce\RPGVXAce.exe (tree level 1)
Command line: "C:\Program Files (x86)\Enterbrain\RPGVXAce\RPGVXAce.exe"
- Checks BIOS information in registry
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1188
Network
MITRE ATT&CK Enterprise v15
Downloads