Analysis
-
max time kernel
600s -
max time network
525s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
12/09/2024, 16:33
General
-
Target
Undertale Sin Virus.rar
-
Size
416.1MB
-
MD5
f35e66cbe4d4f2e85313c85ff1f1fa1c
-
SHA1
75ed50bd755a1d7697582573852f6d8123f49402
-
SHA256
5a70bb17f65024a56a861fade9b347eed5a3917e9c6b6480de0c4574a313cea6
-
SHA512
1da8ed216fe14303e6ea686450f9b8a66c891af9ea8b82764b2bf334076d66b805014d2e82dbfdb3a15e82ba96b90b49be7e0fe1176ea97516c4b77cf1eb5d6e
-
SSDEEP
12582912:tF6OMdC2/vZGIwuE8WW6HpHdSxSh4okixJgUQnzt3s:tsP1GnuEAx01x2za
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Network Service Discovery 1 TTPs 1 IoCs
Attempt to gather information on host's network.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 4 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 22 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 41 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Undertale Sin Virus.rar"1⤵
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Undertale Sin Virus.rar"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Undertale Sin Virus.rar"3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c113201-f15a-45e2-9ab0-e6fcb63885fb} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" gpu4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2400 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {999dc0c2-a909-4161-b1b9-ea05633223f0} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" socket4⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3112 -childID 1 -isForBrowser -prefsHandle 3280 -prefMapHandle 3120 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9f04dc2-26e5-402b-af6d-495f05b685ab} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3572 -childID 2 -isForBrowser -prefsHandle 3636 -prefMapHandle 2760 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71208f94-bbb9-4b05-b78d-c9f8495cba58} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4180 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4148 -prefMapHandle 4168 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08164fe2-b85c-41b6-a790-f3f5be92850e} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" utility4⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 3 -isForBrowser -prefsHandle 5352 -prefMapHandle 5252 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c792996-fc99-4ed0-8432-ec18cf4c957d} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5528 -childID 4 -isForBrowser -prefsHandle 5536 -prefMapHandle 5540 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5377e6f-80d3-4b32-aa75-436b381c9617} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5800 -childID 5 -isForBrowser -prefsHandle 5720 -prefMapHandle 5728 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14a9b0db-3d67-42f1-9a6a-b6ed9a450f8f} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" tab4⤵
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Undertale Sin Virus\" -ad -an -ai#7zMap1674:100:7zEvent313601⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\Undertale Sin Virus\UNDERTALE.exe"C:\Users\Admin\Downloads\Undertale Sin Virus\UNDERTALE.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\GameBarPresenceWriter.exe"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer1⤵
- Network Service Discovery
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2f4 0x3041⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
24KB
MD508847d7d068f5a16e9ae0d5e6424ebf5
SHA1991f61a23f1e1912a03600e8bd8581295623260e
SHA256045e70de295027ea039ea1f0214d80e5e1a1d21a929f3ad333f4401b1eccfe99
SHA512f401801de991010aef60d6704338e5350bb95d71c237dfaf40d291cad3d72c1c03eb8ec6cacaa5e7e78d2e578af78fcc165d78af52ea7ccefe13536c3a97302d
-
Filesize
55B
MD53f1d32108e02c1d1811ac3bfad726940
SHA1bf5150fdad48ba91591cd0796bcd3f54d55940c0
SHA256f8e7c0134b51cb5dadd92500703c39b96ff56b00dea9fff469d6395c1714d645
SHA5124ae40476d1577bfabd8c46168840671548ea1a34b88d75fa3e68577629770a0a87298f61c61f91e1a0f092dad91d46b20a37eaf6735f92167bed16eaf5c8a710
-
Filesize
141B
MD51637a06ec3cc6a20b426e003332fce4f
SHA1c7ebf19fdd3a6288cd839d5e8f13158683f5c48e
SHA256c7685f7970769b14e065707e3045470c5e1bd49693b363d14141bc022d37f81e
SHA51256f649ec471966538de269d99be270f643341fde3bd6b7d347a9f9a20e69209d4967dc4829f1e2890f0347df4592d8c75cfbb3f7bb7ff399f3e07c44cfbc915a
-
Filesize
142B
MD5300ffa95046a1ac8d872b3503185327d
SHA1c26d87845d39977b8ed23d3a4f1747fa31337a79
SHA256266cfbdef96ce54d5bee5ad591955fba88e5ded3cd45d3ba9c1f6f4d345b3afe
SHA512aa6a0e79ca309fe1e287092069f740eb8a27d9f72f440657afd9c9ae5c70798e07b6c5ad9e4fb98d33370678d993ea13b6c371fb22fc39b013f1c1a66a6879ad
-
Filesize
5KB
MD5de2d13a4155e23dc3605c5d026d372df
SHA1198830e02e8012d73e2f0075e7e226ac55485d06
SHA256a6b1c00d023de7f391f7096f72fc781f414b7a7f9ebeee2170b6394c43c0cc50
SHA5124bc630c1b7cc302d69808180e47e86ed8ea56992aef24b5235ec5fb722f9e7a660b86f7604518b527bf83a2959a56e53dcd07c1c74e3c2724a2fe613e3e9642e
-
Filesize
671B
MD54cb17c9569e7cbf7b96eb1e774243865
SHA1e8474f1b81657011350e1dbac7ab04a2006692a4
SHA256c7982c72289ecda9b4ecc9108dd38e48690441614f92c02b40c8cd10895bc41f
SHA512e91385cea4373a0cff23203d3201c9398bc7cbe397ac01552bc1671cca0edc6c1147a3e15633f8cef7aaf58c2ce1dacb10cde15781b87f8dacaca4091827beaa
-
Filesize
982B
MD576c8956ed867e0a5d1ebc3e9b89cfe93
SHA158483ba0faaa746baa8e6b0ddfd9294f0636c272
SHA25669bd39690a1fa62091fdb86e350daef34737fad9d3afff9d7fd7280ad4abee38
SHA512cabe27950f40c9f88cb6a727921c58e404a21d72806c2f74c298fdf0366d8f50d366f8484e6b5ba563ec9f1fc77ac7c394ed19f4f326757b162bdc72747491bd
-
Filesize
27KB
MD5143dd6279e9a2629ca6a29f7010c6f06
SHA108a84952f547aa03fdf6986152fa2c33fb6863f0
SHA2564f59ad44db8b53501ccbc22ffada1d151deb249a996cbea346e0447d38391453
SHA5127858135c7f0acc8899d3cbafda83a72dc40e1c37779fa5786b25f8d2c2ab9694d8ac4ea1213bdd7a45d4ab9879a00cfada2b5d33d3147287781eb28b8411fff3
-
Filesize
11KB
MD5f87af4a0db37892bcd00ef440ef3d45c
SHA1f76cdd0df4ec3b81ad62bfa503f573823178ce5a
SHA256c3f6ed1ca16dc963bc98f9994d043ba5e73083b511e87791175b315e4eab2957
SHA512190acefcb2bbc1f9ed7568a6821292fa1d62f9a1859409b14e333e0564e73d39c9af5aa8a6cdadaa913cbde5b9b8b5d49e78c778e53cee60856b045344ce14e1
-
Filesize
11KB
MD5521a337882eeb6dce1a576b80a62ca64
SHA1bd535ee83c6e88b5d427a29a595476ca6115a833
SHA256a512067e4e8f5cf406d8c8f38c2dfcdce44cd006c4b26f05af6245666f845fb1
SHA512dda4233fc375f6535969a74e18f7bf034e4322c95394ef4975664f61913225d7c57bd96695a12f9a9097c94193d63c1a4387a05489f0482c1dfc69506ae5514e
-
Filesize
11KB
MD5546a1adcd4bd94c76f73df3a609b7b46
SHA1dc841c2df463b1165b448870755e3b84e7f522c8
SHA256d26edd9da06ca833d4bbd3dc243655facfb357352a6b0101f153e4c9a48dc2e8
SHA51280005c695eaea60f59daf9c765f5d4707eeb697c0a5ea7adf3ac697a087f5757c33c6ddcdb5a0d8c72c2ca9d0fd2426c1eb0d83bfbaa34db7b7852dacc1a7c3b
-
Filesize
3.6MB
MD593d87952773a2bb59a8667d0bc06c2c0
SHA1480c87f42e8ecbcde1104f4a61de5dee6a9cb3c5
SHA2569ec41f5094544c938fc075f5506c089d0c1e11fb93afba79a196981bef81d19b
SHA512d9fce47e5c037e4954437c95abea6959e39c91d0bcd596f1c3267e5c09e5a0defade4c63617609b5386879bcae06e3c60e909fcf2476e250bc960eea0c2d1c6d
-
Filesize
1.9MB
MD586e39e9161c3d930d93822f1563c280d
SHA1f5944df4142983714a6d9955e6e393d9876c1e11
SHA2560b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f
SHA5120a3e311c4fd5c2194a8807469e47156af35502e10aeb8a3f64a01ff802cd8669c7e668cc87b593b182fd830a126d002b5d5d7b6c77991158bffdb0b5b997f6b3
-
Filesize
706KB
MD5899ab1c1a6e95840941f7f030008a43c
SHA1a65412dd2564c135beeaf7edc88413e054d7b590
SHA2567fe619474474a96a8c90240f2c213c995381b498f626de5e3604daa6ff7313f4
SHA512c0fbedc37efb6257a4d29740cb13b3887342f115b0f494856f18500be8a7d79fb08573d9f4f99557360ef6353b1f46166335dfcec0a3cdaae4b79e579816d521
-
Filesize
53KB
MD51b3ff3d73b7082321a50bed0b78d1812
SHA1a5d7f1d516d296d016e3422b1a58a01a4ebac379
SHA2562ca9d9d20c21c7f41eda12fe5c2b5377b260e1aa02294c4fb4495d5c742988c1
SHA512d196504ef6d8ab4f0e91b8f1f07e1d1e6cae20a7649ff6a3f4e1eef1a7e7d0e3bedefa1e8b0b86589dcfe731855a02c5f973123ba1dd5e398d3c58b597654a70
-
Filesize
184KB
MD53099d098e086bd364c1319648c855a8f
SHA15d214a6ca2bbef591f23ad2032a90b4df0e73e68
SHA25670ed6bd9751159268dae8b256c8ebbeb481c22f08e874f94c07694a7eae099a2
SHA5124e90918572f3a4f59ef962037964fa42322c5e025e506b41667138e1b5d74945a22ddde78b8315e202314aaf6dd8bf563b50437b054fb510084a41d3031cf581
-
Filesize
38KB
MD5f851df4bc59e60e9be07e2ba413b44a0
SHA11004c711725031a7ed4b48fe9647cd03670d8385
SHA25685dbde2ff5894d1942618b763e3d70af7d5c46c09da77ea772bbe93a858b70fd
SHA51247f4a4e11eefd3f0fbae3a85125d82321a8a9b69d06cd5e3acc124f6a4909b4cfe36830a10a3020f04c58410913913de1ed4606b16c76d44198d6bb493bf73bc
-
Filesize
199KB
MD56a29fbe5262d5b28bdd3e401348870a6
SHA19c2097c504a7223157aa1207a71e5254ab6f3f98
SHA25669c40b001e1391f2d28170523e02e2bf27b582e28c8c8ffd4c70ebb5d9b31344
SHA512cc825987f964434996a2354e93cc41752b7bf1615b085c59ba2472861b606cc76c8d449db05662abc13eea015ec976cf0e0e0ace22f39474d6b8ba833532c339
-
Filesize
128KB
MD552cf7d40ada92f9aba120965ae8d7205
SHA18e6ee2bc459f1b791d3f239cedea48db2254fec7
SHA2563e8020cead56b4173f3cdcd36d657d96606fb2915fd0e696ad071e572f58398c
SHA512ae85a8a8127d9c7a7234754db767e0f2bdea6c8f55fa1e7e7e27da5de247e0f14b47424f61c99682357013d320e440be364f2e7fa54cc44dcc515ac10801bd6f
-
Filesize
1018KB
MD5230f94489b5b99bf31ce29d13e8c45e7
SHA1f4549e1c3e8bc62624d1704c435c1ac9f775e937
SHA2568b609cd61cc75a085c2e2da0ff5f120d0f8caa011e9217eb3358b18601b29ee9
SHA51205bcaca5e6a56ef659a96128487e86bb6c59f9a831b3c66e5c69f254235ac1f756538a65593fb039f3ab551ea3149ed55fc0a1438e7e277c0efe12aff5dfe2b7
-
Filesize
648KB
MD5d616e0ef2ae212ae0717c1b3838d2cd6
SHA1eec3f046a8ad007b8fca4cc843ad62db267a59bf
SHA25665688e20f6a2fc02ad2736db1a7106289f5a6cde5114daa326f85b930fc73209
SHA512777f61c394141e2f883897367ff5c984875b5bbb49f70c2153cc5d51566c8ce2f02aae3d963846644479486b96f8f0c07bcd9581b5b8fc43a50a5efbea9d5f62
-
Filesize
77KB
MD578b6f18263306ca32f385dbdda3eec32
SHA1092d4552d05dbee249c9d56062920cebfb83ab44
SHA256cb56c7bde85153639f0642d875efe2f434ab29f6872d0239e459c70eff8b7d25
SHA512c7baf521f4bbc38c288490ab629b7bdd07fc7c77dc413eb41a592e6847a63eb9b5c7bd4203234652a621603e523ee62c83caaed80a7cc20b49001bc33a30c612
-
Filesize
370KB
MD5209fb1cd97977cf1341d2d021073acd9
SHA11df11e5d82b469aba4d6586e299709b8ddfcfb87
SHA256b97d79fe04ed08527efbc2af7c62adde13c0ef6b1250825b35572a575327fa93
SHA512f7ba4c15722cc63cbf0aee3a17200897a0323a67622d53371f140cd53c5a8ec1f343f826aab10c0bed94ad656d6d42762c4eeaf36601c6c5d5b27d527641661d
-
Filesize
97B
MD5396f73a1185a5642f5f1e2538b64396a
SHA1d72d687a5a1258986f218bfccacc6118c39ec4f9
SHA256e267293f58d257d2dd1e00ad25425bdb798fcbf75256a7d45b7d7086159dbc58
SHA512e17cfca14ce79c71eea01973385fa4151989d40bfc5a04b97fd3534ff5b4f04b385d11867d80a60325aa0bd13403910fee73ab9379f0e05c669d24d5d95957da
-
Filesize
893B
MD5188cf6da0fd3f7ec3e1be7d6a2c38663
SHA117f12013c22612b58382ab7ef01da4a96036fb9a
SHA256358239b9859b8b15135b8092ce1cf45473db83e0cbe50c632bcd2a510d41cd05
SHA5124d60a961cd3f30d180f07fd894d74db0f730e93323338b112918c44719f2d2cc4b4b18803288fc0d047710840cbc78106fb3eb13a6249747b6d21fb7382fda45
-
Filesize
190B
MD5b0d27eaec71f1cd73b015f5ceeb15f9d
SHA162264f8b5c2f5034a1e4143df6e8c787165fbc2f
SHA25686d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
SHA5127b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c
