ploutus | 27778cca3d3121f8a6d6eb18f184fec5a6180ea37f2019df5e7463dfec0d81f4

Analysis

max time kernel
139s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2024 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SMP setup.exe
Size

196.6MB
MD5

927c1c98e8851a3d651cd0567490ff7a
SHA1

0d387869f07337eb3c8897834a3b89c2973165ae
SHA256

27778cca3d3121f8a6d6eb18f184fec5a6180ea37f2019df5e7463dfec0d81f4
SHA512

504585b11345765a0a6838f7de5078084efeba383b4d38556e714048451d91e35f2096c1c61030b31483a30afed88bd20fe85287866d5bfd5d5f71d398c47147
SSDEEP

3145728:2zNGszbqBKca0uR2UbLi2nDKafsCF953TnP6EU1U7j8w0oLxpAwWFLpjqDKCUDk:BTa1R2KiEzd953TP6Um4DAweqWZA

Score

10^/10

ploutus atm backdoor discovery upx

Malware Config

Signatures

Detected Ploutus loader 1 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Sonic Mania PLUS\x360ce.exe	family_ploutus

Ploutus
Ploutus is an ATM malware written in C#.
backdoor atm ploutus
Executes dropped EXE 4 IoCs

Processes:

SMP setup.tmpSonicMania.exeSonicMania.exex360ce.exe

pid process

2432 SMP setup.tmp
4060 SonicMania.exe
1824 SonicMania.exe
2760 x360ce.exe
Loads dropped DLL 5 IoCs

Processes:

SonicMania.exeSonicMania.exex360ce.exe

pid process

4060 SonicMania.exe
4060 SonicMania.exe
1824 SonicMania.exe
1824 SonicMania.exe
2760 x360ce.exe

pid	process
2432	SMP setup.tmp
4060	SonicMania.exe
1824	SonicMania.exe
2760	x360ce.exe

pid	process
4060	SonicMania.exe
4060	SonicMania.exe
1824	SonicMania.exe
1824	SonicMania.exe
2760	x360ce.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Program Files (x86)\Sonic Mania PLUS\steam_api.dll	upx
behavioral2/memory/4060-85-0x0000000072A10000-0x0000000073848000-memory.dmp	upx
behavioral2/memory/4060-87-0x0000000072A10000-0x0000000073848000-memory.dmp	upx
behavioral2/memory/4060-120-0x0000000072A10000-0x0000000073848000-memory.dmp	upx
behavioral2/memory/1824-124-0x0000000074950000-0x0000000075788000-memory.dmp	upx
behavioral2/memory/1824-127-0x0000000074950000-0x0000000075788000-memory.dmp	upx
behavioral2/memory/1824-129-0x0000000074950000-0x0000000075788000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini svchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Drops file in Program Files directory 27 IoCs

Processes:

SMP setup.tmpx360ce.exe

description	ioc	process
File created	C:\Program Files (x86)\Sonic Mania PLUS\is-GV2UR.tmp	SMP setup.tmp
File opened for modification	C:\Program Files (x86)\Sonic Mania PLUS\x360ce.ini	x360ce.exe
File created	C:\Program Files (x86)\Sonic Mania PLUS\is-EA3PH.tmp	SMP setup.tmp
File created	C:\Program Files (x86)\Sonic Mania PLUS\is-0CDE5.tmp	SMP setup.tmp
File created	C:\Program Files (x86)\Sonic Mania PLUS\is-0GBET.tmp	SMP setup.tmp
File created	C:\Program Files (x86)\Sonic Mania PLUS\Profile\VALVE\Saves\is-SFAB6.tmp	SMP setup.tmp
File created	C:\Program Files (x86)\Sonic Mania PLUS\Profile\VALVE\Stats\is-IGFUR.tmp	SMP setup.tmp
File opened for modification	C:\Program Files (x86)\Sonic Mania PLUS\unins000.exe	SMP setup.tmp
File created	C:\Program Files (x86)\Sonic Mania PLUS\is-UN1M4.tmp	SMP setup.tmp
File opened for modification	C:\Program Files (x86)\Sonic Mania PLUS\unins000.dat	SMP setup.tmp
File opened for modification	C:\Program Files (x86)\Sonic Mania PLUS\SonicMania.exe	SMP setup.tmp
File created	C:\Program Files (x86)\Sonic Mania PLUS\is-Q8EUS.tmp	SMP setup.tmp
File created	C:\Program Files (x86)\Sonic Mania PLUS\is-SK9AR.tmp	SMP setup.tmp
File created	C:\Program Files (x86)\Sonic Mania PLUS\x360ce.tmp	x360ce.exe
File opened for modification	C:\Program Files (x86)\Sonic Mania PLUS\x360ce.tmp	x360ce.exe
File created	C:\Program Files (x86)\Sonic Mania PLUS\unins000.dat	SMP setup.tmp
File created	C:\Program Files (x86)\Sonic Mania PLUS\is-UNROS.tmp	SMP setup.tmp
File created	C:\Program Files (x86)\Sonic Mania PLUS\is-3S7U8.tmp	SMP setup.tmp
File created	C:\Program Files (x86)\Sonic Mania PLUS\is-67T9D.tmp	SMP setup.tmp
File created	C:\Program Files (x86)\Sonic Mania PLUS\is-A7AIG.tmp	SMP setup.tmp
File created	C:\Program Files (x86)\Sonic Mania PLUS\is-N14NH.tmp	SMP setup.tmp
File created	C:\Program Files (x86)\Sonic Mania PLUS\is-RRBFL.tmp	SMP setup.tmp
File opened for modification	C:\Program Files (x86)\Sonic Mania PLUS\steam_api.dll	SMP setup.tmp
File opened for modification	C:\Program Files (x86)\Sonic Mania PLUS\x360ce.exe	SMP setup.tmp
File opened for modification	C:\Program Files (x86)\Sonic Mania PLUS\xinput9_1_0.dll	SMP setup.tmp
File created	C:\Program Files (x86)\Sonic Mania PLUS\is-QBJ8J.tmp	SMP setup.tmp
File created	C:\Program Files (x86)\Sonic Mania PLUS\Profile\VALVE\is-GTERT.tmp	SMP setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
868	4060	WerFault.exe	SonicMania.exe
4080	4060	WerFault.exe	SonicMania.exe
5044	1824	WerFault.exe	SonicMania.exe
2248	1824	WerFault.exe	SonicMania.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SonicMania.exesvchost.exeSonicMania.exesvchost.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SonicMania.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SonicMania.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SonicMania.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SonicMania.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SonicMania.exeSonicMania.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	SonicMania.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	SonicMania.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SonicMania.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	SonicMania.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	SonicMania.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	SonicMania.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	SonicMania.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	SonicMania.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	SonicMania.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SonicMania.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "2"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "1"	svchost.exe

Modifies registry class 2 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1705699165-553239100-4129523827-1000\{1AFB0C44-8914-46F5-B3AB-EEB1EFC4B159}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1705699165-553239100-4129523827-1000\{BB6F5640-B1C0-4A9A-9882-B5E5F4635667}	svchost.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

x360ce.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a503000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df12000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	x360ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E	x360ce.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 0f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e2000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	x360ce.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

SMP setup.tmpSonicMania.exeSonicMania.exe

pid process

2432 SMP setup.tmp
2432 SMP setup.tmp
4060 SonicMania.exe
4060 SonicMania.exe
1824 SonicMania.exe
1824 SonicMania.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

408 OpenWith.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

SMP setup.tmpx360ce.exe

pid process

2432 SMP setup.tmp
2760 x360ce.exe
2760 x360ce.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

x360ce.exe

pid process

2760 x360ce.exe
2760 x360ce.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

SonicMania.exeOpenWith.exeSonicMania.exeOpenWith.exex360ce.exe

pid process

4060 SonicMania.exe
408 OpenWith.exe
1824 SonicMania.exe
764 OpenWith.exe
2760 x360ce.exe

pid	process
2432	SMP setup.tmp
2432	SMP setup.tmp
4060	SonicMania.exe
4060	SonicMania.exe
1824	SonicMania.exe
1824	SonicMania.exe

pid	process
408	OpenWith.exe

pid	process
2432	SMP setup.tmp
2760	x360ce.exe
2760	x360ce.exe

pid	process
2760	x360ce.exe
2760	x360ce.exe

pid	process
4060	SonicMania.exe
408	OpenWith.exe
1824	SonicMania.exe
764	OpenWith.exe
2760	x360ce.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

SMP setup.exeSMP setup.tmp

description	pid	process	target process
PID 3900 wrote to memory of 2432	3900	SMP setup.exe	SMP setup.tmp
PID 3900 wrote to memory of 2432	3900	SMP setup.exe	SMP setup.tmp
PID 3900 wrote to memory of 2432	3900	SMP setup.exe	SMP setup.tmp
PID 2432 wrote to memory of 4060	2432	SMP setup.tmp	SonicMania.exe
PID 2432 wrote to memory of 4060	2432	SMP setup.tmp	SonicMania.exe
PID 2432 wrote to memory of 4060	2432	SMP setup.tmp	SonicMania.exe

C:\Users\Admin\AppData\Local\Temp\SMP setup.exe
"C:\Users\Admin\AppData\Local\Temp\SMP setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3900

C:\Users\Admin\AppData\Local\Temp\is-9P8OO.tmp\SMP setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9P8OO.tmp\SMP setup.tmp" /SL5="$90050,205596299,209920,C:\Users\Admin\AppData\Local\Temp\SMP setup.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2432

C:\Program Files (x86)\Sonic Mania PLUS\SonicMania.exe
"C:\Program Files (x86)\Sonic Mania PLUS\SonicMania.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1612
4⤵
- Program crash
PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1612
4⤵
- Program crash
PID:4080

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc
1⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4060 -ip 4060
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4060 -ip 4060
1⤵
PID:4556

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4684

C:\Program Files (x86)\Sonic Mania PLUS\SonicMania.exe
"C:\Program Files (x86)\Sonic Mania PLUS\SonicMania.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 1700
2⤵
- Program crash
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 1700
2⤵
- Program crash
PID:2248

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1824 -ip 1824
1⤵
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1824 -ip 1824
1⤵
PID:4992

C:\Program Files (x86)\Sonic Mania PLUS\x360ce.exe
"C:\Program Files (x86)\Sonic Mania PLUS\x360ce.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2760

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Sonic Mania PLUS\Profile\VALVE\SteamUserID.cfg
Filesize
61B

MD5
535a0be7708ff23b0b1d65a472a34d72

SHA1
b6aa6bfaf0117ec77f6e05387e37306e09e858f5

SHA256
7684b45547226dbf1517c5498df52be4e3b4614b98c548c1c0895871bddcc558

SHA512
4255c13d4e191030711c1200fe3bb1bd874ba828179388d01cbad4cd8054aac63c74e162aeacdcbc8cb9c2ef8ae2acd4d2d40c52658a7671f9efcb1f1c35bffd

Download Submit
C:\Program Files (x86)\Sonic Mania PLUS\Settings.ini
Filesize
1KB

MD5
30d86fc29674f688ebc4392d628c9067

SHA1
32009b17b3b6f15526d31df55710c182e9534f9e

SHA256
0b08f7a024d8431636aa500b2c6f51d595a0e1dcf437175c4c8e40d8e8081cd8

SHA512
7c11eb0a5f5f297673d8538b936afbfb9175537242ab073a0ee82cd1c9da8d2683745988f592024e538c0497b80e1033b1d71c9c9f3ad5f1816c433eab6abfd2

Download Submit
C:\Program Files (x86)\Sonic Mania PLUS\SonicMania.exe
Filesize
2.8MB

MD5
3a98c304b3fff915ddcf5ac985901362

SHA1
2660bbadf31b51a4727ab19299d12e112e9816b0

SHA256
bd8e8a208d551b6798bcc77648f77642653ebe0ba44beae555cd70f538663b9b

SHA512
66e00f754d4484278382bde5a0fac9627896f17c2771fd89d3da1f4d39ae1d308d87530d30397ade61b1d08dd05d38a647af15c48cefba7af0bfcd3538ed1de3

Download Submit
C:\Program Files (x86)\Sonic Mania PLUS\VALVE.ini
Filesize
963B

MD5
c693c5c19f8cd19f7c72fe98753bcac8

SHA1
9d5b34346cf3571023961eee84a21f78fe25a769

SHA256
c38a05e4f7d07a1d98e38cecdd9d232e6bac454481ec25c10bc4ad8780b08b3b

SHA512
780f5e183a5d74a77755e3604751c83e59e491eb851b2cec2702e7b5df884320b7360266b322af267c8f32dea229b118406f430f8d656b1ec666affcd0852f73

Download Submit
C:\Program Files (x86)\Sonic Mania PLUS\XINPUT9_1_0.dll
Filesize
123KB

MD5
5236623449893c0e1e98fc95f067fcff

SHA1
50b4f1e2340b7c7ad065b2111fc075b2cafe6231

SHA256
301f0d831d95bb5c3b5c57f8a92a35211531b410fcf2bd08927a286b867142a3

SHA512
9b94bddcb5e64bbf3649567f16a828588423873b60858d45c40155f36cc7f95d205f4e9b6cdc8ac2852240fdb6a67d0940c60e4f103cecbf118eae1438019c0c

Download Submit
C:\Program Files (x86)\Sonic Mania PLUS\steam_api.dll
Filesize
1.2MB

MD5
18f1462ac04e9cfa08a0412df6025449

SHA1
b0f7258ccfd01f3fbfcb68e9b3e1416a05beae00

SHA256
5432b15f9a081e807fa3d22f982d51c60d5a683d31cc467180d73726fb9f182d

SHA512
96de56597da5f33fc44098eb5389baff29b47aefba44ea141e0d20afec307bb39b4084f99eeb0d392a6702c3508e63ceee09c9704d1033441e0ee3446e37a4db

Download Submit
C:\Program Files (x86)\Sonic Mania PLUS\unins000.exe
Filesize
1.5MB

MD5
ffa8684fe0b47b55ebc3902f0dfa078a

SHA1
5e9efdb6b731725e7f34cfaddbccb7190136a974

SHA256
50f2323f2d59828f55aa30e2e1d23e43451db51405cc1d8188edc775eafb33d8

SHA512
792da7df204fcb113f775ec13130022cc736d771b2bbc7cd44f480c44c01f434ececb1f14c2961ab02b98076a619670b17c94fba4e9edfce27974877745c391c

Download Submit
C:\Program Files (x86)\Sonic Mania PLUS\x360ce.exe
Filesize
3.1MB

MD5
b6e5bd3c6abd734ac9d66f7dbcdb8409

SHA1
485e46c4dcf4d1274eae63932c024bdf9fc52e34

SHA256
28e424c515f3724c872fc1d5d79709fa9d13e7986c47fb678b90a677a225abf5

SHA512
2e825c315db6761af99385d6be13308bc0f111d024b8a0e9e22d806d54b8312c1864f08799b73ee7b441719fb81d57000cfc5ce7ddc118745ca41226858db67b

Download Submit
C:\Program Files (x86)\Sonic Mania PLUS\x360ce.ini
Filesize
4KB

MD5
589486bf3b287e01feba8611f0c5f283

SHA1
785283a6822868372bb738fda07653faba8f1fb7

SHA256
955d8ee3f5fb13a1316ff61eb3be9b8bfeb4cdd92bef245554cfb7496d3d24d7

SHA512
28ed87f75f54606e554bc88d3d5b1b008eb764c735893f65cee109f78bf7982665f82d5a216f8a3105696b4e8c6b437309ab2e19c857b8980fb389d3dd222f1c

Download Submit
C:\Program Files (x86)\Sonic Mania PLUS\x360ce.ini
Filesize
4KB

MD5
5cf9331c130bfe61b29c1a6aa2bc6c33

SHA1
c7fe0116a588677e3d120b8fa01151e37f580741

SHA256
f9253821eb2b29a8df8d92d334093671314eaf411416bb00c1d7b3bc55b9badb

SHA512
1ce39a7d66ba9d70c2938badc22696c720c61e545acee80f70511c463010a7cc620dcbdbcbbde7c53be07478d2ebc3f678f6ae7b8db53f571632a1c212fe7689

Download Submit
C:\ProgramData\X360CE\x360ce.Presets.xml
Filesize
182B

MD5
f135ee37bdc2bee6bf638994e6a94f0b

SHA1
4760b3c9a1bc86f8b57891cedd01ba76a6552e8c

SHA256
5a1e6a26433d1c1d5b72ecf67ca89dba3ef9a35192b23640911bbf232c21b458

SHA512
94346c7cf89c39440635ce876cba9b56571f7c40372a13717b565d202258586714932a3fcafdd6bbf64b91cc4a924b686de3ab9c2f53afcd6b77e801c1f1d785

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9P8OO.tmp\SMP setup.tmp
Filesize
1.5MB

MD5
f1137b2a2cd2bd596117090d9f2da793

SHA1
f16c89642990d661c24eb7f5db3a410596ea72c9

SHA256
361352552d47e35f2aa17f0d866d75135810a49cd8170f0b4050cf283f95a39f

SHA512
dd942a0df586c0ef64e8a45669165906566028c31e987ca1946bb9b5f8283e049b2ce2a55dff018529a3290dd8067784399422bf0dcfb7418d18251f2177d087

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini
Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/1824-127-0x0000000074950000-0x0000000075788000-memory.dmp

Filesize
14.2MB

Download
memory/1824-129-0x0000000074950000-0x0000000075788000-memory.dmp

Filesize
14.2MB

Download
memory/1824-124-0x0000000074950000-0x0000000075788000-memory.dmp

Filesize
14.2MB

Download
memory/2432-25-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2432-96-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2432-21-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2432-7-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2432-76-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2432-23-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2432-31-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2760-145-0x0000000006B10000-0x0000000006B9E000-memory.dmp

Filesize
568KB

Download
memory/2760-144-0x00000000068B0000-0x00000000068DC000-memory.dmp

Filesize
176KB

Download
memory/2760-175-0x000000000B0E0000-0x000000000B102000-memory.dmp

Filesize
136KB

Download
memory/2760-171-0x000000000A480000-0x000000000A488000-memory.dmp

Filesize
32KB

Download
memory/2760-150-0x000000000A920000-0x000000000AC74000-memory.dmp

Filesize
3.3MB

Download
memory/2760-132-0x0000000000E30000-0x0000000001144000-memory.dmp

Filesize
3.1MB

Download
memory/2760-133-0x0000000005FD0000-0x0000000006574000-memory.dmp

Filesize
5.6MB

Download
memory/2760-134-0x0000000005980000-0x000000000599A000-memory.dmp

Filesize
104KB

Download
memory/2760-135-0x0000000005AC0000-0x0000000005B52000-memory.dmp

Filesize
584KB

Download
memory/2760-149-0x000000000A1A0000-0x000000000A1C0000-memory.dmp

Filesize
128KB

Download
memory/2760-146-0x0000000006BB0000-0x0000000006BF4000-memory.dmp

Filesize
272KB

Download
memory/2760-148-0x000000000A540000-0x000000000A91A000-memory.dmp

Filesize
3.9MB

Download
memory/2760-147-0x0000000007C90000-0x0000000007C9A000-memory.dmp

Filesize
40KB

Download
memory/3900-20-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3900-97-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3900-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/3900-1-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4060-85-0x0000000072A10000-0x0000000073848000-memory.dmp

Filesize
14.2MB

Download
memory/4060-120-0x0000000072A10000-0x0000000073848000-memory.dmp

Filesize
14.2MB

Download
memory/4060-87-0x0000000072A10000-0x0000000073848000-memory.dmp

Filesize
14.2MB

Download