19ffc101f7c4457a5adb66b38ce5823d52f596b323578de48d3585b1b57d24c6

Analysis

max time kernel
92s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9.exe
Size

51.0MB
MD5

334d3992d07061c6b20d08d200811aff
SHA1

c896f1f24fd0af2d523946217fb556fadfac3304
SHA256

dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9
SHA512

6d10bc11d0792c2ef63ae0564df650ec1c7e3a776bf3df3df7097cb5fd3477a173b8dc2bd36628f67a312b766bf684626ec6221be9d259425dad65309f791b4a
SSDEEP

786432:n14+ls/Zo30hnFnAZZhGJHJaIKYlPLkkAt9lMe/HMrGQgQGmLIqFGkCRFrmT:14++iEVFnAxGJfljDeQgQGLqNCjmT

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

FNF_FREE_DOWNLOAD.exe

pid process

2072 FNF_FREE_DOWNLOAD.exe
Loads dropped DLL 1 IoCs

Processes:

FNF_FREE_DOWNLOAD.exe

pid process

2072 FNF_FREE_DOWNLOAD.exe

pid	process
2072	FNF_FREE_DOWNLOAD.exe

pid	process
2072	FNF_FREE_DOWNLOAD.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

FNF_FREE_DOWNLOAD.exe

pid process

2072 FNF_FREE_DOWNLOAD.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 768 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 768 AUDIODG.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

FNF_FREE_DOWNLOAD.exe

pid process

2072 FNF_FREE_DOWNLOAD.exe

pid	process
2072	FNF_FREE_DOWNLOAD.exe

description	pid	process
Token: 33	768	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	768	AUDIODG.EXE

pid	process
2072	FNF_FREE_DOWNLOAD.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9.exe

description	pid	process	target process
PID 2852 wrote to memory of 2072	2852	dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9.exe	FNF_FREE_DOWNLOAD.exe
PID 2852 wrote to memory of 2072	2852	dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9.exe	FNF_FREE_DOWNLOAD.exe
PID 2852 wrote to memory of 2072	2852	dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9.exe	FNF_FREE_DOWNLOAD.exe

C:\Users\Admin\AppData\Local\Temp\dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9.exe
"C:\Users\Admin\AppData\Local\Temp\dd86e508d33a5b71e82ab1b41a8dd7c49009ac65ba2191c467d7c58267e8ead9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2852

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FNF_FREE_DOWNLOAD.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FNF_FREE_DOWNLOAD.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2072

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x4f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:768

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FNF_FREE_DOWNLOAD.exe
Filesize
4.5MB

MD5
02f3e06d9da4b99c66ad76a7f97939f8

SHA1
f7e4ff2a2a7399639ebe2be7f45419ffdc347046

SHA256
90b6b4492df192ebbafd5bf01ebb88301a20558c256b52d0fce8811f714b93e6

SHA512
f88112492c3e23663243c4eec9be329420fd736b6516341da1df29065f18b2860b2fb189fef94a8a495e477e5ee4bc5e0bf439d0f0c83113b71853909b01cd2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3dx9_43.dll
Filesize
1.9MB

MD5
86e39e9161c3d930d93822f1563c280d

SHA1
f5944df4142983714a6d9955e6e393d9876c1e11

SHA256
0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f

SHA512
0a3e311c4fd5c2194a8807469e47156af35502e10aeb8a3f64a01ff802cd8669c7e668cc87b593b182fd830a126d002b5d5d7b6c77991158bffdb0b5b997f6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\data.win
Filesize
20.1MB

MD5
89b2da0fab50c9d1a9a560caf554aa0c

SHA1
a9921d3260bea112764344e255246ee5ac881d6d

SHA256
b2def46b4c5c7e4393b393749390c261ba75cd6fe9829140f9b18a854039de03

SHA512
8f672ef37835317a6b6e5787a65cf69d09c11c56ae277a964a98fb5430c2c0c982c05f6e37a3f47864af45a8270fe0341ef261f349110095746e958a77f32e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mus_howdoileavetheoptionsmenu.ogg
Filesize
171KB

MD5
52d58680003f351eea0f5c4b489ad7e1

SHA1
413e7e52fad96c05f2b8eb86ef556356efc797b0

SHA256
d8da8bbf7da74fd8639b31192e569bb7790adcc0945517d99fd6f514bcf64b3f

SHA512
7bbd98ec1c89e7cb72b35e7493c6abbc9436188a5d0b194b46552977f0b618a7cf8bffb06c1686aa9efe069a26c39980db1deecc5dcabfd780a00ec4214ceca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\options.ini
Filesize
97B

MD5
396f73a1185a5642f5f1e2538b64396a

SHA1
d72d687a5a1258986f218bfccacc6118c39ec4f9

SHA256
e267293f58d257d2dd1e00ad25425bdb798fcbf75256a7d45b7d7086159dbc58

SHA512
e17cfca14ce79c71eea01973385fa4151989d40bfc5a04b97fd3534ff5b4f04b385d11867d80a60325aa0bd13403910fee73ab9379f0e05c669d24d5d95957da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\snd_recordscratch.ogg
Filesize
5KB

MD5
7063fcd92394608267f83a28f83a9b6a

SHA1
dd0a49b562f831b1a754b485bb08e93a8186737e

SHA256
1ccf4c82e4fc6cf43726323a670aaa81d5e711be09613fc03d3c353bd758d127

SHA512
76bad32303fb361480c222b14ad0ee45adb9b7d80e3105728f6b8a39a557480fa2fce134f20aea4386be21822daca49feed8f5772b40d3e95921076e93a40ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_breakitdown.swows
Filesize
41KB

MD5
122d21ec49586b295ab8d8cfd86c1471

SHA1
5f42d9dc934445c83da2f26c24d1025016828e24

SHA256
19add083e7a262b58d0eced6370924c045d123f100d668c30ee52548f328a7bd

SHA512
9da9639dd255f2ec2ee37804e4dc85aba4276a23623a1a3433c668d6b93419984bd66017a5051aa4f7058faa6cf75c8745f1229b60eada768bd79363833fd4f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_channelsurf.swows
Filesize
25KB

MD5
73b4a89d395eaa0135488dd16445240d

SHA1
88e22d9c318651e4687fd15173993053e88c0fd3

SHA256
87c7a777c9e45cb98a7574a7e74116e5f409f36de203e375a1de31aaad7cd4cb

SHA512
7b2113832b716ce323a02bd39cc3495244ebb95a6f05436d307f301dfb0504d6767111453f2c6b4f05cf92a939e8f0bf89224d7fa56456f6d2f3d8716733145c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_cinemassacre.swows
Filesize
23KB

MD5
ebd57c027b931472dc8328271dcd2874

SHA1
25cea55dc4e4b868043dc90e0c098ea8554f3e64

SHA256
ba0a003f8010c44236eb7891d31b87795c54adcf4795f4d9210348cc9cb6c1e0

SHA512
34b5db54fc508957fbdf331fd9fce7f01cfe81e3988b81e2da2bc99ea8e548a6240f18c656a3fe61e1a0f133cc100bd7048d9e7f98d65187ce95a6f18caa1e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_frostbytep1.swows
Filesize
13KB

MD5
642550fe0541978b70f5757001636863

SHA1
646ca0324bb15672380d54e6891d479f428e9485

SHA256
8de198a43bc72b868fc7b89908406cdeeadcc6ba6b286a857466f65ef10d4dd3

SHA512
404ba473e2f304bdcd288dece96964c529248065212a6545d553d360fc58740bf74e5136bd795ebf9cd3229d61d44361e0f0648947996d350f6ec3b34f6124eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_frostbytep2.swows
Filesize
16KB

MD5
cd654391eb8d3932b5f4bd1401f786d5

SHA1
67926e6c7d00f725cda9c1adcb8e8533c9f34cef

SHA256
71f5de7726c5960488c3d7de00650ea916be26ee5cf2716b65b2567b21f5ad71

SHA512
42184ba6e10e91e327bc4ec464e3d6d63e5e733f1217cb36ba481fc642bf4d3ecb1ea4d522d0afb34d54246931ad39ebc801d5e59f6f90cbfc8ccb51dea9b971

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_tutorial.swows
Filesize
10KB

MD5
aa573ea35c94f0a0a11d6c2c1d3f4823

SHA1
8f223f174eabbc5852f04f6ab579bb7bffa77201

SHA256
f7afdb2f0a90992b381026e76f8e9a7b462b25bdcdea8d216a145349b5827234

SHA512
7eeeffb3ec02282ec11d1d1adb5642b18c55067722a344ea462fbe509c64e4606775ceaf2b15efdba9ff59ab810dd4e8092f607cf287248d92ba32d0d34cefe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_w1s1.swows
Filesize
15KB

MD5
cb88ad7efad086b2dd62bfa98b4a049a

SHA1
7807d65e7269b2e55a79bf3c73deb020e3a87949

SHA256
a96ef2102b309315dda8e9f2520f14c4ea7f728e8db4163465110dae3bd38387

SHA512
7dbfbc7f342b37e385fd8409855d82b1f33bbbd44267b37b5664a1d5083685d1a56dc6c8fb3bcaadbec3b64de7728a09ebf95824666ee28fd12efb8b9bca501c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_w1s2.swows
Filesize
24KB

MD5
ca9b484cddd819bc1a744a73b4a6ad32

SHA1
a4128174cd75f6ff370aaf497ad4f196b46ae135

SHA256
bf4c8e0d92aa9adb5f0317ba9310527d4ecdbdc3fc46a3e96fa9d86ece341ed2

SHA512
02b957ef27b44f74ab53d32c3e16f7c5cf187a4f4d33071c81b9e4bebed756d54a9afc51b90f7aa3bde77b590fd6988b994b81fd5ba137b25f6ed61250089565

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_w2s1.swows
Filesize
26KB

MD5
08385e474ddbfb2e466f4c3753cf2e3c

SHA1
0b7c322e963c4483b3f50342f91aaad08cba0342

SHA256
cbf2817bbfa0aed7659032908c2b1da41ff02563660cc18c07dfcdec70d704a4

SHA512
2500cd06e891d5c929b18627afce618b14a8a003b7746b03d341710942a4aca22cc2a8d77c255949faa21c86c482865847e892994801af6f5654af59cbd5b968

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_w2s2.swows
Filesize
27KB

MD5
f58c343cc7f81541f466204cb4aadf20

SHA1
aa4c99160dbd15587a22fea7faaa86b6f3eac0a1

SHA256
3029816f9b2eaaac5e70eac37864ca1388f61fbfc46d7d87fe370922be841a56

SHA512
1cdab9498d53ac1e9b184a4b8adfb666d9dfc6bce05623bdbd39cffe0a1ea9863896ea6aaaa08861b88c2b19cfb5438e77399f69c56dfba45466cff7f672b721

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_w3s1.swows
Filesize
21KB

MD5
980a7b8c20131273ee7d6327e36ab646

SHA1
d19b2ca626f240b0e009fdd0bbadfaf03174b472

SHA256
b4fa0e07ff9bd7acd215ba65aaf78c38ebb686a5c6f5d3f2bc97cabfa681a438

SHA512
1efe7daf267abab5ca631fd0dfa21882073b139d21b2f3096f59c897e616635b7747fcd9144831c432cc18da4cb2e7f02d02ef559273c3952c00c48e7c006a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_w3s2.swows
Filesize
31KB

MD5
7ed8f7ea17dc8c515e0815167101faef

SHA1
7f16baff1d12b4858fd470a1e22f82884f129e12

SHA256
41db0c0b54a7c254e2da04616eabbbef4d915776eb07b09e51724f329bc9d94b

SHA512
fb5ec0323510a370f3c953aaa80178e93211aa254a2bee5e0553b6d9ea9a6a94add08324ecbf0d381684a696e93cadf5c22c3f9a09fce05549371015d899b24b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_w4s1.swows
Filesize
36KB

MD5
29a2efeecdcc29feb8f178b847439995

SHA1
4c307c3b34165726a4747f0abdf5b8f0c5dd58d3

SHA256
2b62f113a0d3fc5d3c8b68686995a7409217b4e399b31c66fb11d00b6d02de70

SHA512
14d09ce5e7fdccdec3cf73a8baf57fe8262388eac06a3f04a993d7407f8eec5928fb3a69defaba8832dd420983b82541b9b2eac33e98fc68bc6af7db3b8ff5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@mus_w4s2.swows
Filesize
27KB

MD5
10998944ff90841e0859e856277ea358

SHA1
6b0ec880ae9dd7b24f95c680a94d72e0963aab4b

SHA256
eeb305f3d17f0fc7efa24578cf877590f486d8fd6b8ecf4c9d86ee43a842c9f5

SHA512
4a19e6122c7a238307fc49a9a730b1c4d33d3e8dd3fffe511f1e1240497425f9f35ce294810160d89a227c1bd9b7e3c219f2513deda8a7d3db43078f1689fb3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\songs@toby test.swows.txt
Filesize
12KB

MD5
cbe43c10d0e1a5d6199cb4c02e97b298

SHA1
60809509bf01cbd93f783a7feb0f8db839576e5a

SHA256
8825512b463b0fb1dd4531fcbbbf583afd68f5c3f5ba74806a377456ed493af4

SHA512
cba817443d53af0957d29062d668699bada8a8add208a406df395c68f9f73e64ff2cd22723add39f520d3bb62fdde70f307a5e5ea070028547834eb0a8510acd

Download Submit