88f33da3c76245f6b28fb534a73eb0e71f722dcef834713443021129c0079655

Analysis

max time kernel
135s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2023, 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FiveNightsatFreddys.exe
Size

220.4MB
MD5

e942cdc6064176fb97108f215569d1ea
SHA1

9a183ce0eb4b28ba417aaae53545cbf440fcb17b
SHA256

88f33da3c76245f6b28fb534a73eb0e71f722dcef834713443021129c0079655
SHA512

ec5e66264079ba082087634763c0ff8030cb36a3f5e13accf68b78c308e682917b45d85e4252aa05f898ccfcdb831c7f0d3f1d90fcfd14cd7abbfdeea2a0730a
SSDEEP

6291456:2/uBRk9d1kRH8X+TaR9ryLlss8IHO3NV1WKWkxgk4W53o6mjxL:2/uM9d1kN8uqryLanNV1TWLk4W53o6kL

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2636	FiveNightsatFreddys.exe
2636	FiveNightsatFreddys.exe
2636	FiveNightsatFreddys.exe
2636	FiveNightsatFreddys.exe
2636	FiveNightsatFreddys.exe
2636	FiveNightsatFreddys.exe
2636	FiveNightsatFreddys.exe
2636	FiveNightsatFreddys.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-984744499-3605095035-265325720-1000\{4B4497E8-53CF-419B-87C7-9D9E8D4A253E}	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2636	FiveNightsatFreddys.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2984	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2984	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2636	FiveNightsatFreddys.exe
3476	OpenWith.exe

C:\Users\Admin\AppData\Local\Temp\FiveNightsatFreddys.exe
"C:\Users\Admin\AppData\Local\Temp\FiveNightsatFreddys.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2636

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:2404

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:2392

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x304 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mrtA558.tmp\Perspective.mfx

Filesize
15KB

MD5
9f064bdcb066daa428db0ed9e33e785d

SHA1
3c0df73cf247ce49d1010fe0e2f722424fe43f4f

SHA256
090925a4cd961f22b1ecd2fba4ce04ab063e26507a1dc09b1d6a40c4860a8777

SHA512
4a510ce13c379e8cb5ccb9f9c69e28e9440f48156c8c4c1fef6987495cace7c028d45530ac961f47786e8f503f90c54310cb1ccf43d7fd584506461c1bd616d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtA558.tmp\cctrans.dll

Filesize
64KB

MD5
b1bce28b7dd711f299785f35b5d30d9e

SHA1
54948c118fd5866c7b6c3efada3ae4b87548e392

SHA256
1a2e6bd6ce00288a3fcfa6d1544e32b00543559ac8ffcddc17aa2e19bd3a71aa

SHA512
4d22e9dfef85869502f7f9372c918c006575dfa405daebe075a9618907b0139ada75465e8ea1694c07dcd1b0c5f6d26411a6cdfb6603f9ee5643d04b8de5dd7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtA558.tmp\cctrans.dll

Filesize
64KB

MD5
b1bce28b7dd711f299785f35b5d30d9e

SHA1
54948c118fd5866c7b6c3efada3ae4b87548e392

SHA256
1a2e6bd6ce00288a3fcfa6d1544e32b00543559ac8ffcddc17aa2e19bd3a71aa

SHA512
4d22e9dfef85869502f7f9372c918c006575dfa405daebe075a9618907b0139ada75465e8ea1694c07dcd1b0c5f6d26411a6cdfb6603f9ee5643d04b8de5dd7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtA558.tmp\kcini.mfx

Filesize
28KB

MD5
8d086569a8b80fb85db3c9c93af299b5

SHA1
143ec5000967c64b994b4ff7eab9e429bff2d109

SHA256
a5618b90999455b6f8abe3b2849c96175427d27680a46c4386c94bebfb7727cc

SHA512
3eeff9e820a8f87493b7748c48197655be9a4a0fef1854dd2dba2cf04427bd15e927efb79a6dd2c9c9eb665c1e716d85c1fcd5b032aab17a175d8da601fda1e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtA558.tmp\mmf2d3d9.dll

Filesize
1.1MB

MD5
216edca5011d2de83e3ab5e01bbbdbda

SHA1
49291814036dd68c81cb3479f6fd1b976b1ca30d

SHA256
1c0ec3ce3eacdcff742ed0fa88f8f942acec23383f13e5a049d83bd54a30cd07

SHA512
649905476ac60ebc29466d95a2835313afc708a0fec1715b62e1fc9fd643c8dc6d8a1c5bc44e74e546be7cf28547c0e03f4364ef780c546f04b8cd71fcd55335

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtA558.tmp\mmfs2.dll

Filesize
459KB

MD5
3d377182bf625d57d50df332db8a09fa

SHA1
0fdb0f6c3c5d90e395ecd65f204e39a5a98ab19e

SHA256
0ce3a723492b37f10d3e142feff4b10396c8955b5365a3afbafd75a473a6af35

SHA512
625b43ba5f96fd31e387a2dedd67599ef340da9b77279f18ae0a0fbf9aa9640f428fd442c0fe9edc465b2310b004d7015953e762405e54a354224d4f5f35cc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtA558.tmp\waveflt.sft

Filesize
8KB

MD5
f76739536860a0bdb4a7e3bbb0c06d08

SHA1
b21581aa36eda87db8845caf58c668749e26b29f

SHA256
41136b09b033a20b9acc430620ea095ff76afbdc7aebe7f26f7d2b4315afddef

SHA512
6e65f23a4c1e3b0068b190f9aaaedcfa0466b0185cd6bbafa5f6f6940c8bc332e7c8c611d1b3b63bb2c5fcda48bbe2a678d81a3819940ecc0c701d6fec4194c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtA558.tmp\waveflt.sft

Filesize
8KB

MD5
f76739536860a0bdb4a7e3bbb0c06d08

SHA1
b21581aa36eda87db8845caf58c668749e26b29f

SHA256
41136b09b033a20b9acc430620ea095ff76afbdc7aebe7f26f7d2b4315afddef

SHA512
6e65f23a4c1e3b0068b190f9aaaedcfa0466b0185cd6bbafa5f6f6940c8bc332e7c8c611d1b3b63bb2c5fcda48bbe2a678d81a3819940ecc0c701d6fec4194c7

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/2636-37-0x0000000008450000-0x0000000008460000-memory.dmp

Filesize
64KB

Download