ebd9a15280a9fbd641ead11a6ab911fd72dcd48a6226e2e161005aebc9f70813

Analysis

max time kernel
143s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6830bfe3ca819cbc0ba8d132b4e4e3510b11e3b9fc87bc0b0cb839e15ec17686.exe
Size

37.5MB
MD5

6579ce12a6ab4ca3fb68316f7ea655f4
SHA1

3e2c7ba8039ca48afca85809b2e085a2fb8797f1
SHA256

6830bfe3ca819cbc0ba8d132b4e4e3510b11e3b9fc87bc0b0cb839e15ec17686
SHA512

82de1584b3743f8cf13793e8e2dd0416e5ebc1ba1b07ab380afd1fafe5e08d12134b93e1ea2292fc044a521bc53247902107e54fe5c84a07968f3ab03c78fd24
SSDEEP

786432:E/TOg1jJ74jIRT87Afd5pNW3aavvpoIu3bFt0Xr6m2Hq8iEITqZ6BGZkBSnJ3:ErOg1jJ7CDAV5nW7KNptTm2HzITfGZU

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Five_Nights_at_Sonic_s_4_Halloween_Edition.exe

pid process

4772 Five_Nights_at_Sonic_s_4_Halloween_Edition.exe

Loads dropped DLL 3 IoCs

Processes:

Five_Nights_at_Sonic_s_4_Halloween_Edition.exe

pid	process
4772	Five_Nights_at_Sonic_s_4_Halloween_Edition.exe
4772	Five_Nights_at_Sonic_s_4_Halloween_Edition.exe
4772	Five_Nights_at_Sonic_s_4_Halloween_Edition.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6830bfe3ca819cbc0ba8d132b4e4e3510b11e3b9fc87bc0b0cb839e15ec17686.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6830bfe3ca819cbc0ba8d132b4e4e3510b11e3b9fc87bc0b0cb839e15ec17686.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Five_Nights_at_Sonic_s_4_Halloween_Edition.exe

pid process

4772 Five_Nights_at_Sonic_s_4_Halloween_Edition.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 4532 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 4532 AUDIODG.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Five_Nights_at_Sonic_s_4_Halloween_Edition.exe

pid process

4772 Five_Nights_at_Sonic_s_4_Halloween_Edition.exe

description	pid	process
Token: 33	4532	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4532	AUDIODG.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

6830bfe3ca819cbc0ba8d132b4e4e3510b11e3b9fc87bc0b0cb839e15ec17686.exe

description	pid	process	target process
PID 3972 wrote to memory of 4772	3972	6830bfe3ca819cbc0ba8d132b4e4e3510b11e3b9fc87bc0b0cb839e15ec17686.exe	Five_Nights_at_Sonic_s_4_Halloween_Edition.exe
PID 3972 wrote to memory of 4772	3972	6830bfe3ca819cbc0ba8d132b4e4e3510b11e3b9fc87bc0b0cb839e15ec17686.exe	Five_Nights_at_Sonic_s_4_Halloween_Edition.exe
PID 3972 wrote to memory of 4772	3972	6830bfe3ca819cbc0ba8d132b4e4e3510b11e3b9fc87bc0b0cb839e15ec17686.exe	Five_Nights_at_Sonic_s_4_Halloween_Edition.exe

C:\Users\Admin\AppData\Local\Temp\6830bfe3ca819cbc0ba8d132b4e4e3510b11e3b9fc87bc0b0cb839e15ec17686.exe
"C:\Users\Admin\AppData\Local\Temp\6830bfe3ca819cbc0ba8d132b4e4e3510b11e3b9fc87bc0b0cb839e15ec17686.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3972

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Five_Nights_at_Sonic_s_4_Halloween_Edition.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Five_Nights_at_Sonic_s_4_Halloween_Edition.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4772

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x474 0x46c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Five_Nights_at_Sonic_s_4_Halloween_Edition\fnas4hwSave.ini
Filesize
473B

MD5
af49db880c096471a9bcc74c7609cb85

SHA1
c371b60e42070ee156e3f4f1735d63571d60a5d4

SHA256
24eb0bfe0ccb70eabc62e1572a46070b652d491ad8b22accb313841fdec034aa

SHA512
c8ed9b7a0386ed8c8f774862412fb4695224864160d18ceeb896972158a5c9b0f732cd08457212be5f2ede49c8dbe664845ec3170e3acff30acae84b4608e766

Download Submit
C:\Users\Admin\AppData\Local\Five_Nights_at_Sonic_s_4_Halloween_Edition\fnas4hwSave.ini
Filesize
473B

MD5
36a053e2134caf244150e58fbb11064e

SHA1
5d224b0e6baccfd5366529ef73c7e8da43795298

SHA256
d901d522e4501cf470b6516f6ce39b28c2625af14b782ff0b00cbf10168e2c19

SHA512
39d145d7b1b338369440289fadf42181fdd939db00e1b503a90db1bbd368b8392af37b8731ae27a3f05f018d95637f8a8d8639d0996e0ea34eb8ed1fab0b3950

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Five_Nights_at_Sonic_s_4_Halloween_Edition.exe
Filesize
46.7MB

MD5
8e96c11231ff84a22f68990d56fb30c2

SHA1
c84b78a0578b9ddc26e14d6206ec9f110ab632a8

SHA256
f5317ee946d618ecc983f4476a5d57c955af4f82deba16e91b76f071289ddaec

SHA512
708d46f54675bf3f6b4954d6800e3b16a6022313dca22c6ff8d387277d4a347e8034929ea146728d012eba82d77626393b2856bcbc157e83d204e8a5cf5f6203

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZFile.dll
Filesize
57KB

MD5
75f466753767c33e59f218d82660312b

SHA1
181da454addc1413f2eb0cf0bb8eeed860ff296d

SHA256
50bf531db3fae6dbe88f166b8aff11da18ef5a0ed6918bd23cb353068e56e2d4

SHA512
9203e932c46d5a6782a42c3ead5a61ae55774cab9f2ea2ba2d2c5d17baf4b782e45d50140303fc4d8f84c98e7ecdf7c8d0801abc565de46c5676c2cf9748d626

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3dx9_43.dll
Filesize
1.9MB

MD5
86e39e9161c3d930d93822f1563c280d

SHA1
f5944df4142983714a6d9955e6e393d9876c1e11

SHA256
0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f

SHA512
0a3e311c4fd5c2194a8807469e47156af35502e10aeb8a3f64a01ff802cd8669c7e668cc87b593b182fd830a126d002b5d5d7b6c77991158bffdb0b5b997f6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\options.ini
Filesize
237B

MD5
277a235426b5526cf6c57dfcab0fb833

SHA1
a727a52d5a992a216567597a62085b296b8d47f1

SHA256
7d296b234411bffd6ef6c9cf008ef28af44410bb9b5dc3e50948dcb5a58fae62

SHA512
a46395b66932a3953b0779c4703df3aef0c1b645f68f61f117704bf1f68167ee0bea739aa63fd416a051aa65737a98e3a8884c17d5d1c59bdf886abc23f497d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rousrDissonance.dll
Filesize
319KB

MD5
49069a0ab0892d2a4b1f5ff114571b5c

SHA1
f75c3ef3b3da8fe182307ebf650bf0aa05678429

SHA256
02224a4afa548de7b409d515dc4e9e7c5a60653f432639c568140a05cf84f045

SHA512
557f6e2fff9b11bbf5e3508fbd871b8d4d14a619e11b17738c414903412ec80d6b7f74f80a3d80cbff7956fbe0f83453f03d49edb1550d35a6754638a33c5cb1

Download Submit