a77c902baaecf691c4ecaa8bfca78e2e3a61605da8d1a991273e29073bfc76e8

Resubmissions

29-03-2024 00:18

240329-alyr1sda83 7

29-03-2024 00:17

29-03-2024 00:16

29-03-2024 00:16

29-03-2024 00:12

28-03-2024 23:41

Analysis

max time kernel
135s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2024 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nintendo.exe
Size

17.8MB
MD5

36742d167f78ac1d6d24e7d28a116aa5
SHA1

e3ab2f267e0556f9f5c9d2b0972960d466d20f07
SHA256

a77c902baaecf691c4ecaa8bfca78e2e3a61605da8d1a991273e29073bfc76e8
SHA512

40efb92fe6d5238044f9c9c80659da62ed78d88fa3783e4d8e273e428a734f670f1873abea1eaeff42262a0a0ef57f4d3794af08a7dc8f4ad56fcddd7dc31704
SSDEEP

393216:V0qdqQB7cpi7A1qIaE1Ow04FjNqrVZ7M4v/I7uNCNCD:bdBBeic1qIHOwRjN63o7dN

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3076	Nintendoexe.exe

Loads dropped DLL 1 IoCs

pid	Process
3076	Nintendoexe.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	nintendo.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3076	Nintendoexe.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1828	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1828	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3076	Nintendoexe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 3076	4848	nintendo.exe	84
PID 4848 wrote to memory of 3076	4848	nintendo.exe	84
PID 4848 wrote to memory of 3076	4848	nintendo.exe	84

C:\Users\Admin\AppData\Local\Temp\nintendo.exe
"C:\Users\Admin\AppData\Local\Temp\nintendo.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nintendoexe.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nintendoexe.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3076

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x338 0x404
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nintendoexe.exe

Filesize
4.0MB

MD5
da8b6089ecfe51d0a87151be06c722dd

SHA1
b1906627e1fdae925d1883b98cfd825a88509867

SHA256
7891baad5c2432370ca57a1a0e7d8071c8938b523bf942e42a69dccf0d36d6ac

SHA512
8e71de6a886770d364b35df8be5daa9207011f35c793fc256f4085f5f48fd774ffa2fff8ed0886d8295e00869986d856a94246bfd38915f6a367dc0af12cdf00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3dx9_43.dll

Filesize
1.9MB

MD5
86e39e9161c3d930d93822f1563c280d

SHA1
f5944df4142983714a6d9955e6e393d9876c1e11

SHA256
0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f

SHA512
0a3e311c4fd5c2194a8807469e47156af35502e10aeb8a3f64a01ff802cd8669c7e668cc87b593b182fd830a126d002b5d5d7b6c77991158bffdb0b5b997f6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\data.win

Filesize
17.6MB

MD5
73d8f64e3738f681272d123a0e9c87c8

SHA1
77e3775536befe03af5a707e1319cfbc9ad5e90e

SHA256
637bf5e282410dd265a496f1abd3fe9eb4cea81287236bdcd190dfa56a8ae923

SHA512
9e05dcdba1aec3e4451d5417ecd0aee4babf152335fa09cdb2c89d93375fb2237cac9ff1a4dd991240372b69284d141706d5a349917e320e6d79d82eba8862d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\options.ini

Filesize
97B

MD5
396f73a1185a5642f5f1e2538b64396a

SHA1
d72d687a5a1258986f218bfccacc6118c39ec4f9

SHA256
e267293f58d257d2dd1e00ad25425bdb798fcbf75256a7d45b7d7086159dbc58

SHA512
e17cfca14ce79c71eea01973385fa4151989d40bfc5a04b97fd3534ff5b4f04b385d11867d80a60325aa0bd13403910fee73ab9379f0e05c669d24d5d95957da

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads