4aebbb23d160253876cc3a93c7cc31ed0c48645ae04070345bb5933ed4efee04

Analysis

max time kernel
145s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2142fb28cf11eb0432f24155b8ceb9e5840f95098250d6398ddef4cd637e467f.exe
Size

6.3MB
MD5

a44c2b3293d3a571dd97135f7597eabd
SHA1

aaf0af62fda44272763977da40e933f8899d453d
SHA256

2142fb28cf11eb0432f24155b8ceb9e5840f95098250d6398ddef4cd637e467f
SHA512

0a5512fdd36e48ab363c6e6a0e1b275c0285261461d265284e7f18bc46c3c5ef8f59469dfdfc19627c49be3238e0e481ba846fff713b5ea4051e15b351e3b827
SSDEEP

196608:cUSPkm7ChnGtmpSgSfvsqRCEgiY7N46kYmDw:cFahnGIEgSHsq88YBbkBw

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3900	Q-Bert Arcade - Demo.exe

Loads dropped DLL 1 IoCs

pid	Process
3900	Q-Bert Arcade - Demo.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2142fb28cf11eb0432f24155b8ceb9e5840f95098250d6398ddef4cd637e467f.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3900	Q-Bert Arcade - Demo.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1688	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1688	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3900	Q-Bert Arcade - Demo.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 3900	2208	2142fb28cf11eb0432f24155b8ceb9e5840f95098250d6398ddef4cd637e467f.exe	90
PID 2208 wrote to memory of 3900	2208	2142fb28cf11eb0432f24155b8ceb9e5840f95098250d6398ddef4cd637e467f.exe	90
PID 2208 wrote to memory of 3900	2208	2142fb28cf11eb0432f24155b8ceb9e5840f95098250d6398ddef4cd637e467f.exe	90

C:\Users\Admin\AppData\Local\Temp\2142fb28cf11eb0432f24155b8ceb9e5840f95098250d6398ddef4cd637e467f.exe
"C:\Users\Admin\AppData\Local\Temp\2142fb28cf11eb0432f24155b8ceb9e5840f95098250d6398ddef4cd637e467f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Q-Bert Arcade - Demo.exe
  "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Q-Bert Arcade - Demo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3900

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc 0x150
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3932 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Q-Bert Arcade - Demo.exe

Filesize
4.2MB

MD5
d97a2a9e38c1bacd600ec875c840c204

SHA1
cef27af637edf6a86b2d6fb22ecd26a4c1470035

SHA256
1aa3b0d030889ce25c64c1cea26563c53c65e40e826aa42aed87162e2c1f2fd2

SHA512
25ec638b8f665d95e622b889a10c614d94089a2191aad10e81e10423d9ba21aea3d424e147f67f7096c367f5ee67b548ae7bd2f76cf89a19458d9451f688a5dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3dx9_43.dll

Filesize
1.9MB

MD5
86e39e9161c3d930d93822f1563c280d

SHA1
f5944df4142983714a6d9955e6e393d9876c1e11

SHA256
0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f

SHA512
0a3e311c4fd5c2194a8807469e47156af35502e10aeb8a3f64a01ff802cd8669c7e668cc87b593b182fd830a126d002b5d5d7b6c77991158bffdb0b5b997f6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\data.win

Filesize
7.2MB

MD5
28acd2a9b35fa842b9bf2ac8a89ff0fd

SHA1
a203833b4782eff70caa86a96e6da5c17de9f1b0

SHA256
28da176cdb4a605e54f0d1590ab8284e52f689c9cd599184ae211ba48519ac93

SHA512
382c179bb9910ff62855ec873eb168c2f6cbb2a4a1a50b009a4fb43b37b2692e42611a644f8d4a693e93ff91277bb8dfdeeac5fc8a901b86e8eae3389a56717e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\options.ini

Filesize
98B

MD5
bee7ae2731d086e856e07a7b8b918588

SHA1
f622603e47359d27cce4e807bcf3fee717ee1450

SHA256
fd5b77e901c09b15ba323aa004619a4b7a5ebed04ffe89f849875462a07b1e4f

SHA512
3b57c963a1301e73c2454991766cb511f29c5f2ca082cb915491a551dba76d64789483165018943e2f3a874e12885c8cf0788cc7530e5913b944ce90a627f593

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\splash.png

Filesize
1KB

MD5
118f4f4575ce667bd88f2057f2c0b525

SHA1
aa1d179b2f5eb59d83bcf114cdbeffcc0d4a7c4d

SHA256
9dd817cc5e767fd4ef6547a1936d6f2b295564a4b89be558e5bb7a619bb8503b

SHA512
6fd169429a3e64c6d688c2bad0f639fca56249a5d72a0d556ed014700ac14c7f58a7d0ae2584a27f01a42279223c18389e8c0e0679b8f4a96fb548bf397f5f9d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads