Analysis Overview
SHA256
ed9fb40de7a103920158a5d9e1faa921a29671bb9472ea8b07e0d511d081114a
Threat Level: Shows suspicious behavior
The file SonicFGX_2022v2.exe was found to show suspicious behavior.
Malicious Activity Summary
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
UPX packed file
Checks for VirtualBox DLLs, possible anti-VM trick
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
NTFS ADS
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-11 00:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 00:52
Reported
2024-06-11 00:54
Platform
win7-20231129-en
Max time kernel
49s
Max time network
19s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe
"C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe"
Network
Files
memory/2136-0-0x0000000000260000-0x0000000000261000-memory.dmp
\Users\Admin\AppData\Local\Temp\gm_ttt_2211\D3DX8.dll
| Hash | Value |
|---|---|
| MD5 | 8c7c11dbf9cba3bcb065201c560945e3 |
| SHA1 | 3104c3f99dc23711ad52fc733602a07f0564a494 |
| SHA256 | 120c8e8fef7ea02713d2966dbad325d631323cb207b11cfa768aeec48f5150cc |
| SHA512 | 778f8ff13ebc154ffca26b21937c26da33e075a10671c91fce274e322195841fd33eb764cf21530837e268dce1f59d232920fe45fc239bfcbce14bf737dc3ee0 |
memory/2136-4-0x0000000010000000-0x0000000010082000-memory.dmp
\Users\Admin\AppData\Local\Temp\gm_ttt_2211\gm82\gm82core.dll
| Hash | Value |
|---|---|
| MD5 | a6c69bebeeecae6f9f2b4ace1d1531b2 |
| SHA1 | 1af3e336b1810f5a275408e95ceefa4eb200076d |
| SHA256 | ce701943a5a8cf16797c91d7ce4d2a1c43c2511a5bd828d315adf9539983edb1 |
| SHA512 | edc971e8d2ec027435f16bccd241509c94e3548e3eff6968f467da4ad0805a2d21fdd9c076e1ff5372c6718713c0797b76f9df62a5337423532566a143d646e9 |
\Users\Admin\AppData\Local\Temp\gm_ttt_2211\Extension3571\Dll.dll
| Hash | Value |
|---|---|
| MD5 | bfc4bb347d1d673b5c0086c5797c8da0 |
| SHA1 | 51097c13d4bb2f74650074bee185238968fff326 |
| SHA256 | c97460ea765a8eafe3cd20758aaba2fe3f2a77bf5315b1c536c70b38e2b9bbae |
| SHA512 | ae6bfdecec07639ce78e5b8bfb5441ce6e9cb77f45b31ce3a1f46d8706c264d1899e980bc5ca2958ce1754c87713c80e697b20cb93998ceb9768a99346f77dbe |
memory/2136-19-0x0000000018190000-0x0000000018191000-memory.dmp
memory/2136-20-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2136-21-0x0000000010000000-0x0000000010082000-memory.dmp
memory/2136-22-0x0000000000400000-0x0000000000960000-memory.dmp
memory/2136-33-0x0000000000400000-0x0000000000960000-memory.dmp
memory/2136-35-0x0000000010000000-0x0000000010082000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 00:52
Reported
2024-06-11 00:54
Platform
win10v2004-20240508-en
Max time kernel
43s
Max time network
46s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe |
NTFS ADS
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\AppData\Local\GameMaker Server\license.dat:data-2 | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\GameMaker Server\license.dat:data-1 | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\GameMaker Server\license.dat:data-2 | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe:data | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\GameMaker Server\license.dat:data-1 | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe
"C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x464 0x2f4
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4020 -ip 4020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 1552
Network
Files
memory/4020-0-0x0000000000B30000-0x0000000000B31000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gm_ttt_51938\D3DX8.dll
| Hash | Value |
|---|---|
| MD5 | 8c7c11dbf9cba3bcb065201c560945e3 |
| SHA1 | 3104c3f99dc23711ad52fc733602a07f0564a494 |
| SHA256 | 120c8e8fef7ea02713d2966dbad325d631323cb207b11cfa768aeec48f5150cc |
| SHA512 | 778f8ff13ebc154ffca26b21937c26da33e075a10671c91fce274e322195841fd33eb764cf21530837e268dce1f59d232920fe45fc239bfcbce14bf737dc3ee0 |
memory/4020-5-0x0000000010000000-0x0000000010082000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gm_ttt_51938\gm82\gm82core.dll
| Hash | Value |
|---|---|
| MD5 | a6c69bebeeecae6f9f2b4ace1d1531b2 |
| SHA1 | 1af3e336b1810f5a275408e95ceefa4eb200076d |
| SHA256 | ce701943a5a8cf16797c91d7ce4d2a1c43c2511a5bd828d315adf9539983edb1 |
| SHA512 | edc971e8d2ec027435f16bccd241509c94e3548e3eff6968f467da4ad0805a2d21fdd9c076e1ff5372c6718713c0797b76f9df62a5337423532566a143d646e9 |
C:\Users\Admin\AppData\Local\Temp\gm_ttt_51938\Extension3571\Dll.dll
| Hash | Value |
|---|---|
| MD5 | bfc4bb347d1d673b5c0086c5797c8da0 |
| SHA1 | 51097c13d4bb2f74650074bee185238968fff326 |
| SHA256 | c97460ea765a8eafe3cd20758aaba2fe3f2a77bf5315b1c536c70b38e2b9bbae |
| SHA512 | ae6bfdecec07639ce78e5b8bfb5441ce6e9cb77f45b31ce3a1f46d8706c264d1899e980bc5ca2958ce1754c87713c80e697b20cb93998ceb9768a99346f77dbe |
C:\Users\Admin\AppData\Local\Temp\gm_ttt_51938\gm82\SDL2.dll
| Hash | Value |
|---|---|
| MD5 | 3f25925f454362a61705694be43b62c9 |
| SHA1 | 5794b736c9342b9b4c2e91fd2fc580e87d168664 |
| SHA256 | f70051e79801f33793090ee0e99d8d57cb392121064dbe0a6b66b375e3f9b6ea |
| SHA512 | 0e7bdb14078125146a00b487db2778ab30901ed121b9b7a9bce3f9e077acb9860c206be44c2319567eb04091744516e8d7b240c4d02f27da517e642c48ffabdb |
C:\Users\Admin\AppData\Local\Temp\gm_ttt_51938\gm82\gm82joy.dll
| Hash | Value |
|---|---|
| MD5 | 13d17ade2a82860879f77fc0c4279016 |
| SHA1 | 30a444938c8961f2e0fd3df8b9067622984946b8 |
| SHA256 | 9c655421e8bc59c3448e8b5a4fc022f41fccf495c25a9bfcbdb1c684aad188e1 |
| SHA512 | 72ed9d1d764f1534b46c23d8b0648ead1b0ab8201c25b2e66e9f5a55ddc813d1170cf2f3763f41bc24c9a8bc7d2f4c45f953abeeca4bb19daa1e8d044d490d9c |
memory/4020-41-0x0000000010000000-0x0000000010082000-memory.dmp
memory/4020-40-0x0000000000400000-0x0000000000960000-memory.dmp
memory/4020-44-0x0000000000B30000-0x0000000000B31000-memory.dmp
C:\Users\Admin\AppData\Roaming\sonicfgx_data\data\saves\redring.ini
| Hash | Value |
|---|---|
| MD5 | 1b968035bed3704f87b732128dc1c8c7 |
| SHA1 | a8d52f908abe508d50039ca5fd39d97b8f427288 |
| SHA256 | 4042ffb9ab303cf18524a3aaf08bb447b7dc5c56c0708448105cad5ede531248 |
| SHA512 | 324d6fe37312b5b05f6f8e0abcdab18874be4570ba05871e36c5d0ea211b0803e2f3b254fdeedce7e92fedde944308252bf44272078c4d60ed9c8832c707bb4d |
C:\Users\Admin\AppData\Roaming\sonicfgx_data\data\saves\config.ini
| Hash | Value |
|---|---|
| MD5 | 7c7887babbbdd1780947e8bb25d673b1 |
| SHA1 | 14a27d329f0d809329cea526c0e70e44c8562be5 |
| SHA256 | 0bb2cba416fc8827b4f6a37e60d33aad77e4eb3c63f79ba8dbea4ddeb5cd43c6 |
| SHA512 | 9e03173eea02118f586b57735c1072c3466199f53a25770d7f51e89122b4339447f7a527fbca09e2f7a3b7a399c798e4bb373abff2b34ca62cdba6a55175921c |
memory/4020-107-0x0000000000400000-0x0000000000960000-memory.dmp