Malware Analysis Report

2025-08-06 00:23

Sample ID 240611-a8emnayalm
Target SonicFGX_2022v2.exe
SHA256 ed9fb40de7a103920158a5d9e1faa921a29671bb9472ea8b07e0d511d081114a
Tags: upx
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

ed9fb40de7a103920158a5d9e1faa921a29671bb9472ea8b07e0d511d081114a

Threat Level: Shows suspicious behavior

The file SonicFGX_2022v2.exe was found to show suspicious behavior.

Malicious Activity Summary

upx

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

UPX packed file

Checks for VirtualBox DLLs, possible anti-VM trick

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

NTFS ADS

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 00:52

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 00:52

Reported

2024-06-11 00:54

Platform

win7-20231129-en

Max time kernel

49s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe

"C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe"

Network

N/A

Files

memory/2136-0-0x0000000000260000-0x0000000000261000-memory.dmp

\Users\Admin\AppData\Local\Temp\gm_ttt_2211\D3DX8.dll

MD5 8c7c11dbf9cba3bcb065201c560945e3
SHA1 3104c3f99dc23711ad52fc733602a07f0564a494
SHA256 120c8e8fef7ea02713d2966dbad325d631323cb207b11cfa768aeec48f5150cc
SHA512 778f8ff13ebc154ffca26b21937c26da33e075a10671c91fce274e322195841fd33eb764cf21530837e268dce1f59d232920fe45fc239bfcbce14bf737dc3ee0

memory/2136-4-0x0000000010000000-0x0000000010082000-memory.dmp

\Users\Admin\AppData\Local\Temp\gm_ttt_2211\gm82\gm82core.dll

MD5 a6c69bebeeecae6f9f2b4ace1d1531b2
SHA1 1af3e336b1810f5a275408e95ceefa4eb200076d
SHA256 ce701943a5a8cf16797c91d7ce4d2a1c43c2511a5bd828d315adf9539983edb1
SHA512 edc971e8d2ec027435f16bccd241509c94e3548e3eff6968f467da4ad0805a2d21fdd9c076e1ff5372c6718713c0797b76f9df62a5337423532566a143d646e9

\Users\Admin\AppData\Local\Temp\gm_ttt_2211\Extension3571\Dll.dll

MD5 bfc4bb347d1d673b5c0086c5797c8da0
SHA1 51097c13d4bb2f74650074bee185238968fff326
SHA256 c97460ea765a8eafe3cd20758aaba2fe3f2a77bf5315b1c536c70b38e2b9bbae
SHA512 ae6bfdecec07639ce78e5b8bfb5441ce6e9cb77f45b31ce3a1f46d8706c264d1899e980bc5ca2958ce1754c87713c80e697b20cb93998ceb9768a99346f77dbe

memory/2136-19-0x0000000018190000-0x0000000018191000-memory.dmp

memory/2136-20-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2136-21-0x0000000010000000-0x0000000010082000-memory.dmp

memory/2136-22-0x0000000000400000-0x0000000000960000-memory.dmp

memory/2136-33-0x0000000000400000-0x0000000000960000-memory.dmp

memory/2136-35-0x0000000010000000-0x0000000010082000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 00:52

Reported

2024-06-11 00:54

Platform

win10v2004-20240508-en

Max time kernel

43s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A

NTFS ADS

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Local\GameMaker Server\license.dat:data-2 | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A
File created | C:\Users\Admin\AppData\Local\GameMaker Server\license.dat:data-1 | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A
File created | C:\Users\Admin\AppData\Local\GameMaker Server\license.dat:data-2 | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A
File created | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe:data | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\GameMaker Server\license.dat:data-1 | C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe

"C:\Users\Admin\AppData\Local\Temp\SonicFGX_2022v2.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x464 0x2f4

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4020 -ip 4020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 1552

Network

Files

memory/4020-0-0x0000000000B30000-0x0000000000B31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gm_ttt_51938\D3DX8.dll

MD5 8c7c11dbf9cba3bcb065201c560945e3
SHA1 3104c3f99dc23711ad52fc733602a07f0564a494
SHA256 120c8e8fef7ea02713d2966dbad325d631323cb207b11cfa768aeec48f5150cc
SHA512 778f8ff13ebc154ffca26b21937c26da33e075a10671c91fce274e322195841fd33eb764cf21530837e268dce1f59d232920fe45fc239bfcbce14bf737dc3ee0

memory/4020-5-0x0000000010000000-0x0000000010082000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gm_ttt_51938\gm82\gm82core.dll

MD5 a6c69bebeeecae6f9f2b4ace1d1531b2
SHA1 1af3e336b1810f5a275408e95ceefa4eb200076d
SHA256 ce701943a5a8cf16797c91d7ce4d2a1c43c2511a5bd828d315adf9539983edb1
SHA512 edc971e8d2ec027435f16bccd241509c94e3548e3eff6968f467da4ad0805a2d21fdd9c076e1ff5372c6718713c0797b76f9df62a5337423532566a143d646e9

C:\Users\Admin\AppData\Local\Temp\gm_ttt_51938\Extension3571\Dll.dll

MD5 bfc4bb347d1d673b5c0086c5797c8da0
SHA1 51097c13d4bb2f74650074bee185238968fff326
SHA256 c97460ea765a8eafe3cd20758aaba2fe3f2a77bf5315b1c536c70b38e2b9bbae
SHA512 ae6bfdecec07639ce78e5b8bfb5441ce6e9cb77f45b31ce3a1f46d8706c264d1899e980bc5ca2958ce1754c87713c80e697b20cb93998ceb9768a99346f77dbe

C:\Users\Admin\AppData\Local\Temp\gm_ttt_51938\gm82\SDL2.dll

MD5 3f25925f454362a61705694be43b62c9
SHA1 5794b736c9342b9b4c2e91fd2fc580e87d168664
SHA256 f70051e79801f33793090ee0e99d8d57cb392121064dbe0a6b66b375e3f9b6ea
SHA512 0e7bdb14078125146a00b487db2778ab30901ed121b9b7a9bce3f9e077acb9860c206be44c2319567eb04091744516e8d7b240c4d02f27da517e642c48ffabdb

C:\Users\Admin\AppData\Local\Temp\gm_ttt_51938\gm82\gm82joy.dll

MD5 13d17ade2a82860879f77fc0c4279016
SHA1 30a444938c8961f2e0fd3df8b9067622984946b8
SHA256 9c655421e8bc59c3448e8b5a4fc022f41fccf495c25a9bfcbdb1c684aad188e1
SHA512 72ed9d1d764f1534b46c23d8b0648ead1b0ab8201c25b2e66e9f5a55ddc813d1170cf2f3763f41bc24c9a8bc7d2f4c45f953abeeca4bb19daa1e8d044d490d9c

memory/4020-41-0x0000000010000000-0x0000000010082000-memory.dmp

memory/4020-40-0x0000000000400000-0x0000000000960000-memory.dmp

memory/4020-44-0x0000000000B30000-0x0000000000B31000-memory.dmp

C:\Users\Admin\AppData\Roaming\sonicfgx_data\data\saves\redring.ini

MD5 1b968035bed3704f87b732128dc1c8c7
SHA1 a8d52f908abe508d50039ca5fd39d97b8f427288
SHA256 4042ffb9ab303cf18524a3aaf08bb447b7dc5c56c0708448105cad5ede531248
SHA512 324d6fe37312b5b05f6f8e0abcdab18874be4570ba05871e36c5d0ea211b0803e2f3b254fdeedce7e92fedde944308252bf44272078c4d60ed9c8832c707bb4d

C:\Users\Admin\AppData\Roaming\sonicfgx_data\data\saves\config.ini

MD5 7c7887babbbdd1780947e8bb25d673b1
SHA1 14a27d329f0d809329cea526c0e70e44c8562be5
SHA256 0bb2cba416fc8827b4f6a37e60d33aad77e4eb3c63f79ba8dbea4ddeb5cd43c6
SHA512 9e03173eea02118f586b57735c1072c3466199f53a25770d7f51e89122b4339447f7a527fbca09e2f7a3b7a399c798e4bb373abff2b34ca62cdba6a55175921c

memory/4020-107-0x0000000000400000-0x0000000000960000-memory.dmp