a33c889b1929e9442a2a49de188e05a8ddbddcb32a7231b7c362f6833a45d720

Analysis

max time kernel
131s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a74314c35a7a341a4dec6d70e0d6801d49282a77f6ca44fee133e1d3ae7b45a.exe
Size

12.3MB
MD5

a1e5c187755b1d1f6ecd92de6a1ee13d
SHA1

b809713035e9e0451f7ab7e7b8f29b2c8e44dff5
SHA256

8a74314c35a7a341a4dec6d70e0d6801d49282a77f6ca44fee133e1d3ae7b45a
SHA512

c6e484d4668cd78d67b5ba5f65ab4639c2c03906e8585388aba521ec0ec062f9ea24109f174e9c4805c33230b5162a40ffcc65095f68d6baa14ef6b69490ecf0
SSDEEP

196608:tUSP+yQZ55mfaEsVpxlTCUmT3p84YcgYp6OfPe1VyW4PTPJetC93t:tFw/41sVpTTC89PYgmPe1VSrPoC

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Five_Nights_at_Sonic_s.exe

pid process

976 Five_Nights_at_Sonic_s.exe
Loads dropped DLL 3 IoCs

Processes:

Five_Nights_at_Sonic_s.exe

pid process

976 Five_Nights_at_Sonic_s.exe
976 Five_Nights_at_Sonic_s.exe
976 Five_Nights_at_Sonic_s.exe

pid	process
976	Five_Nights_at_Sonic_s.exe

pid	process
976	Five_Nights_at_Sonic_s.exe
976	Five_Nights_at_Sonic_s.exe
976	Five_Nights_at_Sonic_s.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8a74314c35a7a341a4dec6d70e0d6801d49282a77f6ca44fee133e1d3ae7b45a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8a74314c35a7a341a4dec6d70e0d6801d49282a77f6ca44fee133e1d3ae7b45a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Five_Nights_at_Sonic_s.exe

pid process

976 Five_Nights_at_Sonic_s.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 5108 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 5108 AUDIODG.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Five_Nights_at_Sonic_s.exe

pid process

976 Five_Nights_at_Sonic_s.exe

pid	process
976	Five_Nights_at_Sonic_s.exe

description	pid	process
Token: 33	5108	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5108	AUDIODG.EXE

pid	process
976	Five_Nights_at_Sonic_s.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

8a74314c35a7a341a4dec6d70e0d6801d49282a77f6ca44fee133e1d3ae7b45a.exe

description	pid	process	target process
PID 3644 wrote to memory of 976	3644	8a74314c35a7a341a4dec6d70e0d6801d49282a77f6ca44fee133e1d3ae7b45a.exe	Five_Nights_at_Sonic_s.exe
PID 3644 wrote to memory of 976	3644	8a74314c35a7a341a4dec6d70e0d6801d49282a77f6ca44fee133e1d3ae7b45a.exe	Five_Nights_at_Sonic_s.exe
PID 3644 wrote to memory of 976	3644	8a74314c35a7a341a4dec6d70e0d6801d49282a77f6ca44fee133e1d3ae7b45a.exe	Five_Nights_at_Sonic_s.exe

C:\Users\Admin\AppData\Local\Temp\8a74314c35a7a341a4dec6d70e0d6801d49282a77f6ca44fee133e1d3ae7b45a.exe
"C:\Users\Admin\AppData\Local\Temp\8a74314c35a7a341a4dec6d70e0d6801d49282a77f6ca44fee133e1d3ae7b45a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3644

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Five_Nights_at_Sonic_s.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Five_Nights_at_Sonic_s.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:976

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f0 0x470
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5108

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Five_Nights_at_Sonic_s\sonic.ini
Filesize
116B

MD5
e8c0279160405830ca73dca4a4271135

SHA1
1d8e18776974906104e92dcdcb8ee3ca5085edd8

SHA256
0e4d2e3203c4131f78cfda913ba96b8708a31df2801552f6203ab4a311b5e35b

SHA512
49673e57429aa8e2e45277a8e131fe68a0984b8230a9347fb437aa01ea2f4f12da91e85ede29bfd725af3b0a348fca0254e8c0ce82d1b979bfa6d292a0b6011d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Five_Nights_at_Sonic_s.exe
Filesize
16.6MB

MD5
6a3914ec3fad2d6f1e3ffbc064b7bc76

SHA1
189239dce9541cd9d841e8da51b01b21d139a48e

SHA256
9a0ee5df414ad34b4671c34b200c82666ee4fcc37b4274417f103628fab0cb91

SHA512
29cd9ee42917c30464f69fad1e9a3da9beaf69f81dde7c857b7b0f87774253da899cbfbcf7e813a5dbdff236c104f15ce1633e393f4e22de99db08040444aff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZFile.dll
Filesize
57KB

MD5
75f466753767c33e59f218d82660312b

SHA1
181da454addc1413f2eb0cf0bb8eeed860ff296d

SHA256
50bf531db3fae6dbe88f166b8aff11da18ef5a0ed6918bd23cb353068e56e2d4

SHA512
9203e932c46d5a6782a42c3ead5a61ae55774cab9f2ea2ba2d2c5d17baf4b782e45d50140303fc4d8f84c98e7ecdf7c8d0801abc565de46c5676c2cf9748d626

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3dx9_43.dll
Filesize
1.9MB

MD5
86e39e9161c3d930d93822f1563c280d

SHA1
f5944df4142983714a6d9955e6e393d9876c1e11

SHA256
0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f

SHA512
0a3e311c4fd5c2194a8807469e47156af35502e10aeb8a3f64a01ff802cd8669c7e668cc87b593b182fd830a126d002b5d5d7b6c77991158bffdb0b5b997f6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\options.ini
Filesize
237B

MD5
277a235426b5526cf6c57dfcab0fb833

SHA1
a727a52d5a992a216567597a62085b296b8d47f1

SHA256
7d296b234411bffd6ef6c9cf008ef28af44410bb9b5dc3e50948dcb5a58fae62

SHA512
a46395b66932a3953b0779c4703df3aef0c1b645f68f61f117704bf1f68167ee0bea739aa63fd416a051aa65737a98e3a8884c17d5d1c59bdf886abc23f497d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rousrDissonance.dll
Filesize
319KB

MD5
49069a0ab0892d2a4b1f5ff114571b5c

SHA1
f75c3ef3b3da8fe182307ebf650bf0aa05678429

SHA256
02224a4afa548de7b409d515dc4e9e7c5a60653f432639c568140a05cf84f045

SHA512
557f6e2fff9b11bbf5e3508fbd871b8d4d14a619e11b17738c414903412ec80d6b7f74f80a3d80cbff7956fbe0f83453f03d49edb1550d35a6754638a33c5cb1

Download Submit