Malware Analysis Report

2025-08-05 09:28

Sample ID 240223-qnd4dsha95
Target Rm2k3_RPG (1).zip
SHA256 f75e37f5f72402dd9d0f1541511741134c21f4b74587c944bb871ecc8a69f1e3
Tags discovery
Score 7/10

Analysis Overview

Score 7/10

SHA256 f75e37f5f72402dd9d0f1541511741134c21f4b74587c944bb871ecc8a69f1e3

Threat Level: Shows suspicious behavior

The file Rm2k3_RPG (1).zip was found to show suspicious behavior.

Malicious Activity Summary

discovery

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-23 13:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-23 13:24

Reported

2024-02-23 13:28

Platform

win7-20240215-en

Max time kernel

204s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rm2k3-install.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\INS258A.tmp N/A
N/A N/A C:\Program Files (x86)\rpg2003\RPG2003.EXE N/A

Checks installed software on the system

discovery

Drops file in Program Files directory


Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\rpg2003\RPG2003.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\INS258A.tmp N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\INS258A.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\rpg2003\RPG2003.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\rm2k3-install.exe

"C:\Users\Admin\AppData\Local\Temp\rm2k3-install.exe"

C:\Users\Admin\AppData\Local\Temp\INS258A.tmp

C:\Users\Admin\AppData\Local\Temp\INS258A.tmp /SL3 $6014E C:\Users\Admin\AppData\Local\Temp\rm2k3-install.exe 30583964 30587378 61952

C:\Program Files (x86)\rpg2003\RPG2003.EXE

"C:\Program Files (x86)\rpg2003\RPG2003.EXE"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\INS258A.tmp

MD5 ef80f42a048f92263f758f14b09fa30d
SHA1 e250058636dee689d6a935d71c0f462e10457239
SHA256 a44707ed7ababc6ca81355e9a6afe0e5095d01f1c72ef7b37681447036da518e
SHA512 933b43e14cbb734ff48d9b0b06671f15e458633a4e4d52420dd2eda258fc477ae17183a5d83d47da78272d1d6c7f9ba547729cd846ebec5eaf9963b2fce605ed

\Users\Admin\AppData\Local\Temp\is-FMTGC.tmp\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3


C:\Program Files (x86)\rpg2003\RPG2003.EXE

MD5 98eb6c534d0d793cfac89a22e473176e
SHA1 46994490ecf8053c314700aada173a9613507ec4
SHA256 e84909a31a7d850b085a8284d7bd55ef99f763e5174a5dd7cc4238af0c8c5a88
SHA512 3baeff7263ff791e938f21d1316a1bca3a5669e3d03606b771bf5cdd3c9ee100ad9367f695d2f9cb1b0178c7393c6d8fcd412462fb781001271088c54938abc5


\Program Files (x86)\rpg2003\UNLHA32.DLL

MD5 26a33bcbcb4b3b9230e3374d066c5186
SHA1 e1f338ef9ae2e0d289f61956ece608ee56b16358
SHA256 1fda9015acbf708a170f3f0c6b5c5888832c5b9125da0803e598b237b5cbe424
SHA512 ba2323c1036039c2f6052382e017d492aa13c6f5cfe3019a7545e64395dce34ceceb224dad70cb3f223d0c631662ca652d3f7d46521c5e97c3b25ee9eb3d1f03

C:\Program Files (x86)\rpg2003\RPG_RT.exe.dat

MD5 ff0fb3b085047f93646832a762d2a883
SHA1 02339f3d1ea87f4842e880054456e5ee6d38ca23
SHA256 3cd29b2ab246f2b5376619c41e32fd8b5fdf0af9f4970e1ccc6bfa147dec9e1d
SHA512 762a74ee29431462e6289c603eb99d2ede03066737de148949a44a87d6bc02180eac27a2bc7a0e136c5c751527a3593e5e33c5fae725f756ea066fca035d588f

C:\Program Files (x86)\rpg2003\RPG_RT.ldb.dat

MD5 2e7f4f4656180c28f1a493191fe2fc84
SHA1 a9068f2d0ee2d9f02ddb03d9d51684110826e670
SHA256 581a44cfaa0087681e535909006aad185ee06f38439637b73f37430701e87bc0
SHA512 c6ca1f13de6e79f7d51fab5e4bc6949632b238025e78d7e684e9c26bb3c0c25ab06ddd61168528b5ddc3005080ba35f8becd5609b63532702e3a1da8c87e0049

C:\Program Files (x86)\rpg2003\RTP\ChipSet\main.png

MD5 78d87317afa786ff410fc3abfe96d503
SHA1 e18eeca9674378978b392a2743d660ba9a88182a
SHA256 785dcb89fbfc5f864d9a466fd48dfd5273cac27d988723203ec7581b90a95d15
SHA512 b49f86289b3c03e74fd84dd41b8efb04b01f938ab1885bec77c3182aea788a28ce71c34b2cb8637b0b9bdcecc95265db9920f313304e6a83d193a0775a0e0716


Analysis: behavioral2

Detonation Overview

Submitted

2024-02-23 13:24

Reported

2024-02-23 13:27

Platform

win10v2004-20240221-en

Max time kernel

93s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rm2k3-install.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\INS4873.tmp N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\rm2k3-install.exe

"C:\Users\Admin\AppData\Local\Temp\rm2k3-install.exe"

C:\Users\Admin\AppData\Local\Temp\INS4873.tmp

C:\Users\Admin\AppData\Local\Temp\INS4873.tmp /SL3 $801DE C:\Users\Admin\AppData\Local\Temp\rm2k3-install.exe 30583964 30587378 61952

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 16.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\INS4873.tmp

MD5 ef80f42a048f92263f758f14b09fa30d
SHA1 e250058636dee689d6a935d71c0f462e10457239
SHA256 a44707ed7ababc6ca81355e9a6afe0e5095d01f1c72ef7b37681447036da518e
SHA512 933b43e14cbb734ff48d9b0b06671f15e458633a4e4d52420dd2eda258fc477ae17183a5d83d47da78272d1d6c7f9ba547729cd846ebec5eaf9963b2fce605ed
