Overview

overview

7

Static

static

3

SM64Plus.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$TEMP/vcre...15.exe

windows10-2004-x64

7

Super Mari...us.exe

windows10-2004-x64

1

Uninstall.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

build.sh

windows10-2004-x64

3

lib64Plus.dll

windows10-2004-x64

1

lib64Plus_arm64.so

windows10-2004-x64

3

lib64Plus_x64.so

windows10-2004-x64

3

rebuild.sh

windows10-2004-x64

3

rebuild_clean.sh

windows10-2004-x64

3

uninstall.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    144s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/04/2024, 19:51

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    SM64Plus.exe

  • Size

    16.2MB

  • MD5

    7590e973dab0640c3fdcd9a2a1577c99

  • SHA1

    95a2403f8b02fa83e0963078cba8c4028eefb79b

  • SHA256

    312575ab6ccbd049e30b38bb914cf3ec3abfa47d2415f2d6ca6c640d9ea05d7a

  • SHA512

    8f5d4307cf4884ab574e63bc782a383e956d33fc58dff7080b810d54e3467ba3bd4e1be3e35a9ba8613de608d37055483177bf0e38ceae39fc260f3006e1e822

  • SSDEEP

    393216:b351NOsenD12zS7SEOegn4j7BgNE9O+wcDGFdClu8ZLzzA:bNOnnD1kS7249O3cDGvClnk

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 17 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SM64Plus.exe
    "C:\Users\Admin\AppData\Local\Temp\SM64Plus.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3708
    • C:\Users\Admin\AppData\Local\Temp\vcredist_x86_2015.exe
      "C:\Users\Admin\AppData\Local\Temp\vcredist_x86_2015.exe" /quiet /norestart
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4000
      • C:\Users\Admin\AppData\Local\Temp\vcredist_x86_2015.exe
        "C:\Users\Admin\AppData\Local\Temp\vcredist_x86_2015.exe" /quiet /norestart -burn.unelevated BurnPipe.{E2E3258E-1C92-4F04-A5E7-A605FD7E52FA} {CBD06012-D3B9-43CF-B5A3-0A8FB0BCD7B2} 4000
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1028
    • C:\Program Files (x86)\Super Mario 64 Plus\Super Mario 64 Plus.exe
      "C:\Program Files (x86)\Super Mario 64 Plus\Super Mario 64 Plus.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2728
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x2fc 0x154
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1780
  • C:\Windows\system32\sethc.exe
    sethc.exe 211
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1332
    • C:\Windows\system32\EaseOfAccessDialog.exe
      "C:\Windows\system32\EaseOfAccessDialog.exe" 211
      2⤵
        PID:1844

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Super Mario 64 Plus\Super Mario 64 Plus.exe
            Filesize

            6.9MB

            MD5

            6137428e578b25a60f754788072feaf0

            SHA1

            7d74367fe0972a8267ffe42a11a03affabf8f594

            SHA256

            f5116daf3771f9f4cb216745ceaea2f087f61dbd3ead76094692e11f0b06bf60

            SHA512

            87d41a08e7f8ab01d0e884c2555346be6323717075f18a6932e4cf9b020e156130d35c0b1984f6ad6bce7dfe6a849ece9559a040691bab8ca4e8ea1aae16017e

            Download Submit

          • C:\Program Files (x86)\Super Mario 64 Plus\data.win
            Filesize

            2.0MB

            MD5

            0f7fa16456de57bd3f9d69307fb51cf8

            SHA1

            23f7ff3def6fe375877b970785474eb866754141

            SHA256

            23ffcd45e53984afd65531b3ee20070f8930746b77aaa8581d935c5d796ea05c

            SHA512

            58b7edb7d1099f80db01ef41d4849efb24d9ff86c46a67cd962ca1e09fffabb4d2740542c599e40d100458c61d67df98f7d88a987345629c089ceedc9425fea3

            Download Submit

          • C:\Program Files (x86)\Super Mario 64 Plus\lib64Plus.dll
            Filesize

            224KB

            MD5

            36be8df46c3ca20360e9fe65ee112ef6

            SHA1

            92bfb8a9137932e7db8e9dfb84b273479e618373

            SHA256

            f97a2e89f33fb28d058b3a60e3e2b50778dab2d38cfcc5546fd085fb73036668

            SHA512

            4e48a680fc397a4ba3a018c0f9d38cca15bac0f1b13af081065d1a9e7349aeec4a09029b49ac0d3ef2294f6b364a5209adec0ba26985ba3bc5578863e671c50b

            Download Submit

          • C:\Program Files (x86)\Super Mario 64 Plus\options.ini
            Filesize

            156B

            MD5

            5cabcee1eb050c169db3b89154f912ce

            SHA1

            691b5f13c28612e87e65e8608bf290fd19e9e371

            SHA256

            aa72cf7612ee1c5f61bcf9722f7b40dd21d40fab93ba9c3ccbd22f0bb88502c7

            SHA512

            9be66df5d7f5578b5a11455a4d7c666f04449134e6b4f6af31600d83cc54a592247b5d15995007ab1e593c95b96da33bf29b84536c4d916a8a07aa0bd8cfe7a9

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nss72EF.tmp\System.dll
            Filesize

            12KB

            MD5

            ea00e2678e4679ba28b0f560baec9776

            SHA1

            f9b647b1ab50cc2de981757ac914a5787bccd95a

            SHA256

            60d4a86f65e141d4b6b778e5f448a0c818bd2fa28db7b9dabc1395d354b19cc5

            SHA512

            2ee7a4a0af955ba376c66d13e626ca135b2afd13277a006f523eb2fdc1133a12ea35b065a8c119843fbe82f89190cdb2b769329af14e4313a2419b739b27337a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nss72EF.tmp\UserInfo.dll
            Filesize

            3KB

            MD5

            fe3ee87108ce3e17ea6698e4cc042c14

            SHA1

            e3cf6cd95a4791efff2e80bdc8cf3e03263a63ae

            SHA256

            b9c539e660aec3e9fb6437d66d1cb5df963414a7b686623e44cf1abdb2267cc2

            SHA512

            cb1ada56abae8675932a5202bc5e688683de6ca18ce48ccabbed2a99080e786c47b3fe0880baf8a0dace61fc52246bbb2bab0b4eaac2b6aea59f2fd17b516c18

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nss72EF.tmp\nsDialogs.dll
            Filesize

            9KB

            MD5

            940e349c4d672436816e31d816ccdfbd

            SHA1

            ac25298f9fe271f59a0bd0cc6ec4640097d5e9ad

            SHA256

            edf47cfe918669f95b3aade7335ef8b33ae9d36eaf2be2f364d0d94637117d10

            SHA512

            5711fc585cc36138891d02c466c09ada345003e910d89a34fa0b54b67432bec4b6fec549ad8d2a9c4a17bf3723f1a60219a424a237bc24a0912c6bec886f14d7

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\vcredist_x86_2015.exe
            Filesize

            13.1MB

            MD5

            1a15e6606bac9647e7ad3caa543377cf

            SHA1

            bfb74e498c44d3a103ca3aa2831763fb417134d1

            SHA256

            fdd1e1f0dcae2d0aa0720895eff33b927d13076e64464bb7c7e5843b7667cd14

            SHA512

            e8cb67fc8e0312da3cc98364b96dfa1a63150ab9de60069c4af60c1cf77d440b7dffe630b4784ba07ea9bf146bdbf6ad5282a900ffd6ab7d86433456a752b2fd

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.png
            Filesize

            1KB

            MD5

            d6bd210f227442b3362493d046cea233

            SHA1

            ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

            SHA256

            335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

            SHA512

            464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\wixstdba.dll
            Filesize

            118KB

            MD5

            4d20a950a3571d11236482754b4a8e76

            SHA1

            e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c

            SHA256

            a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b

            SHA512

            8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2

            Download Submit

          • memory/2728-182-0x00007FFC2D5E0000-0x00007FFC2D61D000-memory.dmp

            Filesize

            244KB

            Download