Analysis Overview
SHA256
97369f6ae97d34de8ba072b3d612f3c07ee42dd47b1072e84b8b1a5262b59765
Threat Level: Shows suspicious behavior
The file Tetris_GameBoy.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 23:16
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 23:16
Reported
2024-11-09 23:17
Platform
win10v2004-20241007-en
Max time kernel
32s
Max time network
34s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Tetris_GameBoy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Tetris_GameBoy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4640 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\Tetris_GameBoy.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe |
| PID 4640 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\Tetris_GameBoy.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe |
| PID 4640 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\Tetris_GameBoy.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe |
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\Tetris_GameBoy.exe | "C:\Users\Admin\AppData\Local\Temp\Tetris_GameBoy.exe" |
| C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe | "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe" game.gb |
| C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x4f0 0x4a8 |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe
| MD5 | ec5ed0f7856d75b4690b8dedc7a859ac |
| SHA1 | 037447579b3e527eb18604f367af05c30419b3d4 |
| SHA256 | e9d2702546a8c9da8bb66e3fe1be5c8807ec436243466293392b5f918b870e48 |
| SHA512 | d77661e6f05a8eddc40e5ec7e49bb9f703b59d2b11b2104382dc0887717f358c37716b55a68154368dea10e66ecf07075fb91a63c898c975c64db55bd2453a74 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vba_esv.dll
| MD5 | 23658506dcd0124777c4a743b4438b2f |
| SHA1 | f73cb7a463f16dc494a7f6a1b4e8bad5746f1312 |
| SHA256 | f431e36c91106f5d7cf6e205f2d5231f50a4745e1fecec08a835ce9324b02484 |
| SHA512 | 6ca7ef83494d86e0a5d87e3923b90f72e42262727d41fa51eaad17aeea13fcde12d8b1fa0dbedde650ea8cf0ede499ee68dec37a980b96049408f20d83983d18 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vba.ini
| MD5 | bebaff2e57072ef81ed21466dd9534cb |
| SHA1 | 1a0f8a27a7ff8704b987769caa60779028734509 |
| SHA256 | 6aefedb248c234313207bd0bbf6fd27ae7bd735756b1b5fb6c1af9d3d8b0d26b |
| SHA512 | 5f120e7accabb2072d5bcde6d78cdc9f4d206b58c68d83d0c5307f5be1a2f7fac95823f5ad4967fe2cc0920e5bb76c4b3e832c375d0166b96d983fb1fb16a115 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\game.gb
| MD5 | 982ed5d2b12a0377eb14bcdc4123744e |
| SHA1 | 74591cc9501af93873f9a5d3eb12da12c0723bbc |
| SHA256 | 0d6535aef23969c7e5af2b077acaddb4a445b3d0df7bf34c8acef07b51b015c3 |
| SHA512 | 2da21a753badad613eee0e10ebce24a9f47d26e21895c16406c66b6cd0244f8b73945e51a75d7f13aebcaacaa39e7a42a53b7d4f850f48e0174f22b5506b88ab |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 23:16
Reported
2024-11-09 23:17
Platform
win10ltsc2021-20241023-en
Max time kernel
34s
Max time network
37s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Tetris_GameBoy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Tetris_GameBoy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5020 wrote to memory of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\Tetris_GameBoy.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe |
| PID 5020 wrote to memory of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\Tetris_GameBoy.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe |
| PID 5020 wrote to memory of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\Tetris_GameBoy.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe |
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\Tetris_GameBoy.exe | "C:\Users\Admin\AppData\Local\Temp\Tetris_GameBoy.exe" |
| C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe | "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe" game.gb |
| C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x4ec 0x4e0 |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| NL | 20.103.156.88:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe
| MD5 | ec5ed0f7856d75b4690b8dedc7a859ac |
| SHA1 | 037447579b3e527eb18604f367af05c30419b3d4 |
| SHA256 | e9d2702546a8c9da8bb66e3fe1be5c8807ec436243466293392b5f918b870e48 |
| SHA512 | d77661e6f05a8eddc40e5ec7e49bb9f703b59d2b11b2104382dc0887717f358c37716b55a68154368dea10e66ecf07075fb91a63c898c975c64db55bd2453a74 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vba_esv.dll
| MD5 | 23658506dcd0124777c4a743b4438b2f |
| SHA1 | f73cb7a463f16dc494a7f6a1b4e8bad5746f1312 |
| SHA256 | f431e36c91106f5d7cf6e205f2d5231f50a4745e1fecec08a835ce9324b02484 |
| SHA512 | 6ca7ef83494d86e0a5d87e3923b90f72e42262727d41fa51eaad17aeea13fcde12d8b1fa0dbedde650ea8cf0ede499ee68dec37a980b96049408f20d83983d18 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vba.ini
| MD5 | bebaff2e57072ef81ed21466dd9534cb |
| SHA1 | 1a0f8a27a7ff8704b987769caa60779028734509 |
| SHA256 | 6aefedb248c234313207bd0bbf6fd27ae7bd735756b1b5fb6c1af9d3d8b0d26b |
| SHA512 | 5f120e7accabb2072d5bcde6d78cdc9f4d206b58c68d83d0c5307f5be1a2f7fac95823f5ad4967fe2cc0920e5bb76c4b3e832c375d0166b96d983fb1fb16a115 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\game.gb
| MD5 | 982ed5d2b12a0377eb14bcdc4123744e |
| SHA1 | 74591cc9501af93873f9a5d3eb12da12c0723bbc |
| SHA256 | 0d6535aef23969c7e5af2b077acaddb4a445b3d0df7bf34c8acef07b51b015c3 |
| SHA512 | 2da21a753badad613eee0e10ebce24a9f47d26e21895c16406c66b6cd0244f8b73945e51a75d7f13aebcaacaa39e7a42a53b7d4f850f48e0174f22b5506b88ab |