c65fbeeb19e8ffe3f794dd544812c9626bd23f5c3a685897307f43c45270786c

Analysis

max time kernel
92s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f18a59d97c873b24dac2d0b58c2c05627cd4379185e2fad2bbdbac27c2174d79.exe
Size

9.2MB
MD5

eddba78e2b822728a58f9672933ef493
SHA1

da324746f626810e779ff2569f85d82ed34721a1
SHA256

f18a59d97c873b24dac2d0b58c2c05627cd4379185e2fad2bbdbac27c2174d79
SHA512

4b5576694dcdc77a1c5b2b4417facf65dbb6a5e54dfbcef0f53f4b9a1c9474989ca0d0ff8c2822d524b0282b3dad160fe5e752e1b4fed33aca4d558087792427
SSDEEP

196608:HUSPQiZ2PwXsow5QzwWSlv/e2FpLEvZkm7vRjJ+A8uKgiUT:HFIabQiwWqv7X4emr3+Az

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3132	new platformer prototype.exe

Loads dropped DLL 1 IoCs

pid	Process
3132	new platformer prototype.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f18a59d97c873b24dac2d0b58c2c05627cd4379185e2fad2bbdbac27c2174d79.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3132	new platformer prototype.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2052	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2052	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3132	new platformer prototype.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 3132	4448	f18a59d97c873b24dac2d0b58c2c05627cd4379185e2fad2bbdbac27c2174d79.exe	84
PID 4448 wrote to memory of 3132	4448	f18a59d97c873b24dac2d0b58c2c05627cd4379185e2fad2bbdbac27c2174d79.exe	84
PID 4448 wrote to memory of 3132	4448	f18a59d97c873b24dac2d0b58c2c05627cd4379185e2fad2bbdbac27c2174d79.exe	84

C:\Users\Admin\AppData\Local\Temp\f18a59d97c873b24dac2d0b58c2c05627cd4379185e2fad2bbdbac27c2174d79.exe
"C:\Users\Admin\AppData\Local\Temp\f18a59d97c873b24dac2d0b58c2c05627cd4379185e2fad2bbdbac27c2174d79.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\new platformer prototype.exe
  "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\new platformer prototype.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3132

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c4 0x304
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3dx9_43.dll

Filesize
1.9MB

MD5
86e39e9161c3d930d93822f1563c280d

SHA1
f5944df4142983714a6d9955e6e393d9876c1e11

SHA256
0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f

SHA512
0a3e311c4fd5c2194a8807469e47156af35502e10aeb8a3f64a01ff802cd8669c7e668cc87b593b182fd830a126d002b5d5d7b6c77991158bffdb0b5b997f6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\data.win

Filesize
5.4MB

MD5
bd8ff2cfce2202bf610f22e15b4776f5

SHA1
2cc25c7ea34b6b4c00d8a4126f9dcaf4aec3edc7

SHA256
be988aca5f97f1003bb9f23288af2d81c31bfdffb2192cfd9c81594b75b2c63a

SHA512
b20702bf7c69de8f8974744d1082106100479f79fc603ff1aee80acd02eff31acc4bfa33b7ac2ea5d469f2c5878b1eb6d811007cb4915535033073183c65b68f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\new platformer prototype.exe

Filesize
4.2MB

MD5
cfc50b2e2595dbaed183b5553b9d6007

SHA1
f5539c234f57786425ec1b59ab0ad101da2ddc1f

SHA256
1980ce17a5642b2245ad7daf6eb786a36d7e85e8aadda8480d08ce2078db5673

SHA512
afc4047aa9103357c25b3a158d9c016558b5e3d23caeaa0dd2fa7cbbb264955fd749bc23c1cde2d0a987bd40a13ee0f688cb838ce4cc89c8dc1e745fa0665267

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\options.ini

Filesize
97B

MD5
396f73a1185a5642f5f1e2538b64396a

SHA1
d72d687a5a1258986f218bfccacc6118c39ec4f9

SHA256
e267293f58d257d2dd1e00ad25425bdb798fcbf75256a7d45b7d7086159dbc58

SHA512
e17cfca14ce79c71eea01973385fa4151989d40bfc5a04b97fd3534ff5b4f04b385d11867d80a60325aa0bd13403910fee73ab9379f0e05c669d24d5d95957da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\snd_menuLoop.ogg

Filesize
249KB

MD5
5f8ebac0c8ba4bda4cfce87b751bf0ea

SHA1
38e04736b1d45fd502c1f91a0305133423a83972

SHA256
e96b4c4eb50204a6c45e9763b3b319445cb9e934e4ea85c86f8ed5a1034af7e1

SHA512
46363a6d125c5f6e7739bcbbf3d75076ff1576404cb4b9e37acc832b9017edf6e935e3614b54b3716f2a2f3a62319c4763ee1bc73dd7c3b7c9578a688aa66b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\splash.png

Filesize
41KB

MD5
e6e015c36f529e003045c626a72c5f24

SHA1
21fc36c9ce4cea20f95b4f498c4f392a40d35a32

SHA256
4b6656283d36cdea398e23e7035e414d80bd70d5f1a213dd836e44911d8ce6c8

SHA512
2eb8ddff1bf9b01b2249f0cab6bedac73b8f18d535fe07885301fe3dc7700d121dfe1f6de9cdc8b3680d9dcc5418ed1b64df8216761331213fc4cf8318487d3d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads