Analysis
  max time kernel: 66s
  max time network: 94s
  platform: windows11-21h2_x64
  resource: win11-20241007-en
  resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  submitted: 03/11/2024, 08:12
Behavioral tasks
  behavioral1: RPGVXAce_RTP/RTP100/Setup.exe (resource: win11-20241023-en)
  behavioral2: The_Moral_Sword_of_Asagi/Audio/SE/!$02_actor002_kiss02.ps1 (resource: win11-20241007-en)
  behavioral3: The_Moral_Sword_of_Asagi/Game.exe (resource: win11-20241007-en)
  behavioral4: The_Moral_Sword_of_Asagi/System/RGSS301.dll (resource: win11-20241007-en)
  behavioral5: The_Moral_Sword_of_Asagi/WFExit.dll (resource: win11-20241007-en)
General
  Target: The_Moral_Sword_of_Asagi/System/RGSS301.dll
  Size: 1.0MB
  MD5: dd25855ac39d32da033902fc58fa210b
  SHA1: 0ffa23a4d0b81438a329258f5c8d3b3403f4aa94
  SHA256: 27647690ed16218cd988dd71069fdca67207515b2a2df775be361f0198ab6876
  SHA512: 07f7f7cb4eda2165b4b28456fb01d4edea6e3d5f305dde19256865777905a0d0bb1d13ce1194a8639d740f633ccf1507a1b87530644d5e2d512a86829195ae60
  SSDEEP: 24576:+pc8WbPqpzFwdPhet279ae3P7zqP2JzCNkX67Flr1nH0F3ia:+pc8W7qEdPhet2hae3HfJR2Uf
Malware Config
Signatures
Program crash (1 IoC)
  pid  | pid_target | Process      | procid_target
  2168 | 3156       | WerFault.exe | 80
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                         | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Modifies registry class (3 IoCs)
  description     | ioc                                                 | Process
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\.key             | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\            | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                        | pid  | Process      | procid_target
  PID 4360 wrote to memory of 3156   | 4360 | rundll32.exe | 80
  PID 4360 wrote to memory of 3156   | 4360 | rundll32.exe | 80
  PID 4360 wrote to memory of 3156   | 4360 | rundll32.exe | 80
Processes
  C:\Windows\system32\rundll32.exe (PID 4360)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\System\RGSS301.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (PID 3156)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\System\RGSS301.dll,#1
      signatures: System Location Discovery: System Language Discovery; Modifies registry class
      C:\Windows\SysWOW64\WerFault.exe (PID 2168)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 620
        signatures: Program crash
  C:\Windows\SysWOW64\WerFault.exe (PID 4056)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3156 -ip 3156