Resubmissions
11/06/2024, 00:52  240611-a8emnayalm  7
11/06/2024, 00:45  240611-a4a4nsxcnf  7
11/06/2024, 00:38  240611-azc3gaxbjb  7

Analysis
max time kernel: 43s
max time network: 46s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/06/2024, 00:52
Static task: static1
Behavioral task: behavioral1
  Sample: SonicFGX_2022v2.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: SonicFGX_2022v2.exe
  Resource: win10v2004-20240508-en
General
Target: SonicFGX_2022v2.exe
Size: 31.2MB
MD5: c08469c16ea50572a10b29ab8d7524c7
SHA1: 7a3e251a8bbc739d8cfc9e1d120216fedb089a8f
SHA256: ed9fb40de7a103920158a5d9e1faa921a29671bb9472ea8b07e0d511d081114a
SHA512: 8de7c83d1df1cb13f0932dce74f1a7c6a2932a68ef113f2b31a39f91dd2ae1174506ce8bb4de28c3959158d817a3c8fce357d2bf2e20690635b040120292f2d5
SSDEEP: 786432:AYQ6LnVWWQWJ95s/6DZevnuELpMr0zLdWN//:nhVCq9/DdE9Mr0zLINH
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (1 IoCs)
Detects file using ACProtect software.
  resource                                    yara_rule
  behavioral2/files/0x0003000000022990-2.dat  acprotect

Loads dropped DLL (5 IoCs)
  pid   Process
  4020  SonicFGX_2022v2.exe
  4020  SonicFGX_2022v2.exe
  4020  SonicFGX_2022v2.exe
  4020  SonicFGX_2022v2.exe
  4020  SonicFGX_2022v2.exe

  resource                                                                     yara_rule
  behavioral2/files/0x0003000000022990-2.dat                                   upx
  behavioral2/memory/4020-5-0x0000000010000000-0x0000000010082000-memory.dmp   upx
  behavioral2/memory/4020-41-0x0000000010000000-0x0000000010082000-memory.dmp  upx

Checks for VirtualBox DLLs, possible anti-VM trick (1 TTPs, 1 IoCs)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
  description              ioc                Process
  File opened (read-only)  \??\VBoxMiniRdrDN  SonicFGX_2022v2.exe

Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  3768  4020        WerFault.exe  82

NTFS ADS (5 IoCs)
  description                   ioc                                                                Process
  File opened for modification  C:\Users\Admin\AppData\Local\GameMaker Server\license.dat:data-2   SonicFGX_2022v2.exe
  File created                  C:\Users\Admin\AppData\Local\GameMaker Server\license.dat:data-1   SonicFGX_2022v2.exe
  File created                  C:\Users\Admin\AppData\Local\GameMaker Server\license.dat:data-2   SonicFGX_2022v2.exe
  File created                  C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe:data         SonicFGX_2022v2.exe
  File opened for modification  C:\Users\Admin\AppData\Local\GameMaker Server\license.dat:data-1   SonicFGX_2022v2.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                          pid   Process
  Token: 33                            4588  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege    4588  AUDIODG.EXE

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  4020  SonicFGX_2022v2.exe
  4020  SonicFGX_2022v2.exe
  4020  SonicFGX_2022v2.exe
Processes
C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe"
  PID: 4020
  - Loads dropped DLL
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 1552
      PID: 3768
      - Program crash
C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x464 0x2f4
  PID: 4588
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4020 -ip 4020
  PID: 3252
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 241KB
  MD5: 8c7c11dbf9cba3bcb065201c560945e3
  SHA1: 3104c3f99dc23711ad52fc733602a07f0564a494
  SHA256: 120c8e8fef7ea02713d2966dbad325d631323cb207b11cfa768aeec48f5150cc
  SHA512: 778f8ff13ebc154ffca26b21937c26da33e075a10671c91fce274e322195841fd33eb764cf21530837e268dce1f59d232920fe45fc239bfcbce14bf737dc3ee0

Filesize: 701KB
  MD5: bfc4bb347d1d673b5c0086c5797c8da0
  SHA1: 51097c13d4bb2f74650074bee185238968fff326
  SHA256: c97460ea765a8eafe3cd20758aaba2fe3f2a77bf5315b1c536c70b38e2b9bbae
  SHA512: ae6bfdecec07639ce78e5b8bfb5441ce6e9cb77f45b31ce3a1f46d8706c264d1899e980bc5ca2958ce1754c87713c80e697b20cb93998ceb9768a99346f77dbe

Filesize: 1.2MB
  MD5: 3f25925f454362a61705694be43b62c9
  SHA1: 5794b736c9342b9b4c2e91fd2fc580e87d168664
  SHA256: f70051e79801f33793090ee0e99d8d57cb392121064dbe0a6b66b375e3f9b6ea
  SHA512: 0e7bdb14078125146a00b487db2778ab30901ed121b9b7a9bce3f9e077acb9860c206be44c2319567eb04091744516e8d7b240c4d02f27da517e642c48ffabdb

Filesize: 120KB
  MD5: a6c69bebeeecae6f9f2b4ace1d1531b2
  SHA1: 1af3e336b1810f5a275408e95ceefa4eb200076d
  SHA256: ce701943a5a8cf16797c91d7ce4d2a1c43c2511a5bd828d315adf9539983edb1
  SHA512: edc971e8d2ec027435f16bccd241509c94e3548e3eff6968f467da4ad0805a2d21fdd9c076e1ff5372c6718713c0797b76f9df62a5337423532566a143d646e9

Filesize: 70KB
  MD5: 13d17ade2a82860879f77fc0c4279016
  SHA1: 30a444938c8961f2e0fd3df8b9067622984946b8
  SHA256: 9c655421e8bc59c3448e8b5a4fc022f41fccf495c25a9bfcbdb1c684aad188e1
  SHA512: 72ed9d1d764f1534b46c23d8b0648ead1b0ab8201c25b2e66e9f5a55ddc813d1170cf2f3763f41bc24c9a8bc7d2f4c45f953abeeca4bb19daa1e8d044d490d9c

Filesize: 200B
  MD5: 7c7887babbbdd1780947e8bb25d673b1
  SHA1: 14a27d329f0d809329cea526c0e70e44c8562be5
  SHA256: 0bb2cba416fc8827b4f6a37e60d33aad77e4eb3c63f79ba8dbea4ddeb5cd43c6
  SHA512: 9e03173eea02118f586b57735c1072c3466199f53a25770d7f51e89122b4339447f7a527fbca09e2f7a3b7a399c798e4bb373abff2b34ca62cdba6a55175921c

Filesize: 800B
  MD5: 1b968035bed3704f87b732128dc1c8c7
  SHA1: a8d52f908abe508d50039ca5fd39d97b8f427288
  SHA256: 4042ffb9ab303cf18524a3aaf08bb447b7dc5c56c0708448105cad5ede531248
  SHA512: 324d6fe37312b5b05f6f8e0abcdab18874be4570ba05871e36c5d0ea211b0803e2f3b254fdeedce7e92fedde944308252bf44272078c4d60ed9c8832c707bb4d