Malware Analysis Report

2025-08-06 02:40

Sample ID 241103-j3524aslbk
Target TSMA.zip
SHA256 02075d6de1fda7331022cf61c38be386258b1f43a5777083ca615cd8fa4c315f
Tags aspackv2 discovery execution evasion
Score 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral5
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral6
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 9/10

SHA256 02075d6de1fda7331022cf61c38be386258b1f43a5777083ca615cd8fa4c315f

Threat Level: Likely malicious

The file TSMA.zip was found to be: Likely malicious.

Malicious Activity Summary

aspackv2 discovery execution evasion

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Identifies Wine through registry keys

Executes dropped EXE

Checks BIOS information in registry

ASPack v2.12-2.42

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Command and Scripting Interpreter: PowerShell

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-03 08:14

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 08:12

Reported

2024-11-03 08:17

Platform

win11-20241023-en

Max time kernel

135s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RPGVXAce_RTP\RTP100\Setup.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-MPNOO.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-CAVCS.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Characters\is-52TQB.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\ME\is-EJ4QR.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-F92JU.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-F7KMU.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Animations\is-AMJ8L.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Tilesets\is-5PP6J.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-GDTL3.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-HP12R.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-BI068.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlers\is-05222.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-S8L9G.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlebacks1\is-TKA7B.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlebacks2\is-NS7LI.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Parallaxes\is-JKMOO.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-8A6MK.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlebacks2\is-S5AJ7.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Characters\is-K8KND.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-M62AB.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-0QPAA.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-69H8Q.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlebacks1\is-TLJLE.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlers\is-P4H8D.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Faces\is-JRROC.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-4HO6P.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-G1T5C.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlebacks1\is-8P7QQ.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlers\is-TUKV6.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-RKED5.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-SFU5A.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Animations\is-T9HO2.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Animations\is-KRJOC.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Parallaxes\is-4UBH7.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Titles1\is-EON9M.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-8Q1IR.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-2QLCD.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-VRK71.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-L9PCC.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlebacks1\is-KB154.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlers\is-CQ1S2.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Animations\is-IS8DU.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlebacks2\is-S3LGG.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\BGM\is-I4JFU.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-SJRT2.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-I9IIQ.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-9CH2O.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-V8SON.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Animations\is-IMN5C.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlebacks2\is-1OCAK.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\BGM\is-4R6A6.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\BGS\is-MBSL1.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-J7L1O.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-JI8J9.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-FR83T.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlebacks1\is-PS23B.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-ASBUE.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlebacks1\is-75HG0.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Parallaxes\is-PTSUP.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlers\is-OSO32.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-5CHGO.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-GJU9J.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-SKQ99.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-TIIKD.tmp C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RPGVXAce_RTP\RTP100\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RPGVXAce_RTP\RTP100\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\RPGVXAce_RTP\RTP100\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp" /SL5="$70220,140800,0,C:\Users\Admin\AppData\Local\Temp\RPGVXAce_RTP\RTP100\Setup.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp

MD5 394289faec0a43faea574588cb367018
SHA1 b02982a816782c3c16ad5a321dce0a79cab124a2
SHA256 89c8d27247ff86f189ebba01e27c47daa184a04c5f002130f9d336ca80d71202
SHA512 e99977ed9b3ea6607d347fe3e339cff40e70166db6a93443046cb7e0bc2a6f7c598503a55030f7d9ae0e8ede8b706bb4bd682bbdadf215641247b96bae0d09f4


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-03 08:12

Reported

2024-11-03 08:15

Platform

win11-20241007-en

Max time kernel

3s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\Audio\SE\!$02_actor002_kiss02.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\Audio\SE\!$02_actor002_kiss02.ps1

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004DC

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1rsb21fv.ex1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-03 08:12

Reported

2024-11-03 08:17

Platform

win11-20241007-en

Max time kernel

71s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\Game.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\Game.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\Game.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\Game.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\Game.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\Game.exe

"C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\Game.exe"

Network

Files

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-03 08:12

Reported

2024-11-03 08:17

Platform

win11-20241007-en

Max time kernel

66s

Max time network

94s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\System\RGSS301.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4360 wrote to memory of 3156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4360 wrote to memory of 3156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4360 wrote to memory of 3156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\System\RGSS301.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\System\RGSS301.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3156 -ip 3156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 620

Network

Files

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-03 08:12

Reported

2024-11-03 08:17

Platform

win11-20241007-en

Max time kernel

138s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\WFExit.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 4304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2224 wrote to memory of 4304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2224 wrote to memory of 4304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\WFExit.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\WFExit.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-03 08:12

Reported

2024-11-03 08:17

Platform

win11-20241007-en

Max time kernel

140s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\wfAudio.dll,#1

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\SysWOW64\rundll32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Wine C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3060 wrote to memory of 580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3060 wrote to memory of 580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3060 wrote to memory of 580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\wfAudio.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\wfAudio.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files
