Analysis Overview
SHA256
02075d6de1fda7331022cf61c38be386258b1f43a5777083ca615cd8fa4c315f
Threat Level: Likely malicious
The file TSMA.zip was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Identifies Wine through registry keys
Executes dropped EXE
Checks BIOS information in registry
ASPack v2.12-2.42
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Command and Scripting Interpreter: PowerShell
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-03 08:14
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-03 08:12
Reported
2024-11-03 08:17
Platform
win11-20241023-en
Max time kernel
135s
Max time network
161s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-MPNOO.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-CAVCS.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Characters\is-52TQB.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\ME\is-EJ4QR.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-F92JU.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-F7KMU.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Animations\is-AMJ8L.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Tilesets\is-5PP6J.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-GDTL3.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-HP12R.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-BI068.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlers\is-05222.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-S8L9G.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlebacks1\is-TKA7B.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlebacks2\is-NS7LI.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Parallaxes\is-JKMOO.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-8A6MK.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlebacks2\is-S5AJ7.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Characters\is-K8KND.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-M62AB.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-0QPAA.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-69H8Q.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlebacks1\is-TLJLE.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlers\is-P4H8D.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Faces\is-JRROC.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-4HO6P.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-G1T5C.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlebacks1\is-8P7QQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlers\is-TUKV6.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-RKED5.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-SFU5A.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Animations\is-T9HO2.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Animations\is-KRJOC.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Parallaxes\is-4UBH7.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Titles1\is-EON9M.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-8Q1IR.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-2QLCD.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-VRK71.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-L9PCC.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlebacks1\is-KB154.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlers\is-CQ1S2.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Animations\is-IS8DU.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlebacks2\is-S3LGG.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\BGM\is-I4JFU.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-SJRT2.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-I9IIQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-9CH2O.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-V8SON.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Animations\is-IMN5C.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlebacks2\is-1OCAK.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\BGM\is-4R6A6.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\BGS\is-MBSL1.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-J7L1O.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-JI8J9.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-FR83T.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlebacks1\is-PS23B.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-ASBUE.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlebacks1\is-75HG0.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Parallaxes\is-PTSUP.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Graphics\Battlers\is-OSO32.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-5CHGO.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-GJU9J.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-SKQ99.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Enterbrain\RGSS3\RPGVXAce\Audio\SE\is-TIIKD.tmp | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RPGVXAce_RTP\RTP100\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4860 wrote to memory of 4424 | N/A | C:\Users\Admin\AppData\Local\Temp\RPGVXAce_RTP\RTP100\Setup.exe | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp |
| PID 4860 wrote to memory of 4424 | N/A | C:\Users\Admin\AppData\Local\Temp\RPGVXAce_RTP\RTP100\Setup.exe | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp |
| PID 4860 wrote to memory of 4424 | N/A | C:\Users\Admin\AppData\Local\Temp\RPGVXAce_RTP\RTP100\Setup.exe | C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\RPGVXAce_RTP\RTP100\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RPGVXAce_RTP\RTP100\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp" /SL5="$70220,140800,0,C:\Users\Admin\AppData\Local\Temp\RPGVXAce_RTP\RTP100\Setup.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\is-0B51E.tmp\Setup.tmp
| Hash | Value |
| --- | --- |
| MD5 | 394289faec0a43faea574588cb367018 |
| SHA1 | b02982a816782c3c16ad5a321dce0a79cab124a2 |
| SHA256 | 89c8d27247ff86f189ebba01e27c47daa184a04c5f002130f9d336ca80d71202 |
| SHA512 | e99977ed9b3ea6607d347fe3e339cff40e70166db6a93443046cb7e0bc2a6f7c598503a55030f7d9ae0e8ede8b706bb4bd682bbdadf215641247b96bae0d09f4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-03 08:12
Reported
2024-11-03 08:15
Platform
win11-20241007-en
Max time kernel
3s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\Audio\SE\!$02_actor002_kiss02.ps1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004DC
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1rsb21fv.ex1.ps1
| Hash | Value |
| --- | --- |
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-03 08:12
Reported
2024-11-03 08:17
Platform
win11-20241007-en
Max time kernel
71s
Max time network
95s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\Game.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\Game.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\Game.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\Game.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\Game.exe
"C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\Game.exe"
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-03 08:12
Reported
2024-11-03 08:17
Platform
win11-20241007-en
Max time kernel
66s
Max time network
94s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4360 wrote to memory of 3156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4360 wrote to memory of 3156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4360 wrote to memory of 3156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\System\RGSS301.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\System\RGSS301.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3156 -ip 3156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 620
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-03 08:12
Reported
2024-11-03 08:17
Platform
win11-20241007-en
Max time kernel
138s
Max time network
156s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2224 wrote to memory of 4304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2224 wrote to memory of 4304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2224 wrote to memory of 4304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\WFExit.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\WFExit.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-03 08:12
Reported
2024-11-03 08:17
Platform
win11-20241007-en
Max time kernel
140s
Max time network
135s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Wine | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3060 wrote to memory of 580 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3060 wrote to memory of 580 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3060 wrote to memory of 580 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\wfAudio.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\The_Moral_Sword_of_Asagi\wfAudio.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files