Malware Analysis Report

2025-04-03 12:26

Sample ID: 241109-29dkjavanc
Target: Tetris_GameBoy.exe
SHA256: 97369f6ae97d34de8ba072b3d612f3c07ee42dd47b1072e84b8b1a5262b59765
Tags: discovery
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 97369f6ae97d34de8ba072b3d612f3c07ee42dd47b1072e84b8b1a5262b59765

Threat Level: Shows suspicious behavior

The file Tetris_GameBoy.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 23:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 23:16
Reported: 2024-11-09 23:17
Platform: win10v2004-20241007-en
Max time kernel: 32s
Max time network: 34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tetris_GameBoy.exe"

Signatures

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\Tetris_GameBoy.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe
Target: N/A

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe
Target: N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\Tetris_GameBoy.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: 33
Indicator: N/A
Process: C:\Windows\system32\AUDIODG.EXE
Target: N/A

Description: Token: SeIncBasePriorityPrivilege
Indicator: N/A
Process: C:\Windows\system32\AUDIODG.EXE
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Tetris_GameBoy.exe

"C:\Users\Admin\AppData\Local\Temp\Tetris_GameBoy.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe" game.gb

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4f0 0x4a8

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe

MD5 ec5ed0f7856d75b4690b8dedc7a859ac
SHA1 037447579b3e527eb18604f367af05c30419b3d4
SHA256 e9d2702546a8c9da8bb66e3fe1be5c8807ec436243466293392b5f918b870e48
SHA512 d77661e6f05a8eddc40e5ec7e49bb9f703b59d2b11b2104382dc0887717f358c37716b55a68154368dea10e66ecf07075fb91a63c898c975c64db55bd2453a74

C:\Users\Admin\AppData\Local\Temp\RarSFX0\vba_esv.dll

MD5 23658506dcd0124777c4a743b4438b2f
SHA1 f73cb7a463f16dc494a7f6a1b4e8bad5746f1312
SHA256 f431e36c91106f5d7cf6e205f2d5231f50a4745e1fecec08a835ce9324b02484
SHA512 6ca7ef83494d86e0a5d87e3923b90f72e42262727d41fa51eaad17aeea13fcde12d8b1fa0dbedde650ea8cf0ede499ee68dec37a980b96049408f20d83983d18

C:\Users\Admin\AppData\Local\Temp\RarSFX0\vba.ini

MD5 bebaff2e57072ef81ed21466dd9534cb
SHA1 1a0f8a27a7ff8704b987769caa60779028734509
SHA256 6aefedb248c234313207bd0bbf6fd27ae7bd735756b1b5fb6c1af9d3d8b0d26b
SHA512 5f120e7accabb2072d5bcde6d78cdc9f4d206b58c68d83d0c5307f5be1a2f7fac95823f5ad4967fe2cc0920e5bb76c4b3e832c375d0166b96d983fb1fb16a115

C:\Users\Admin\AppData\Local\Temp\RarSFX0\game.gb

MD5 982ed5d2b12a0377eb14bcdc4123744e
SHA1 74591cc9501af93873f9a5d3eb12da12c0723bbc
SHA256 0d6535aef23969c7e5af2b077acaddb4a445b3d0df7bf34c8acef07b51b015c3
SHA512 2da21a753badad613eee0e10ebce24a9f47d26e21895c16406c66b6cd0244f8b73945e51a75d7f13aebcaacaa39e7a42a53b7d4f850f48e0174f22b5506b88ab

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-09 23:16
Reported: 2024-11-09 23:17
Platform: win10ltsc2021-20241023-en
Max time kernel: 34s
Max time network: 37s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tetris_GameBoy.exe"

Signatures

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\Tetris_GameBoy.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe
Target: N/A

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe
Target: N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\Tetris_GameBoy.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: 33
Indicator: N/A
Process: C:\Windows\system32\AUDIODG.EXE
Target: N/A

Description: Token: SeIncBasePriorityPrivilege
Indicator: N/A
Process: C:\Windows\system32\AUDIODG.EXE
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Tetris_GameBoy.exe

"C:\Users\Admin\AppData\Local\Temp\Tetris_GameBoy.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe" game.gb

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4ec 0x4e0

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
NL 20.103.156.88:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tetris.exe

MD5 ec5ed0f7856d75b4690b8dedc7a859ac
SHA1 037447579b3e527eb18604f367af05c30419b3d4
SHA256 e9d2702546a8c9da8bb66e3fe1be5c8807ec436243466293392b5f918b870e48
SHA512 d77661e6f05a8eddc40e5ec7e49bb9f703b59d2b11b2104382dc0887717f358c37716b55a68154368dea10e66ecf07075fb91a63c898c975c64db55bd2453a74

C:\Users\Admin\AppData\Local\Temp\RarSFX0\vba_esv.dll

MD5 23658506dcd0124777c4a743b4438b2f
SHA1 f73cb7a463f16dc494a7f6a1b4e8bad5746f1312
SHA256 f431e36c91106f5d7cf6e205f2d5231f50a4745e1fecec08a835ce9324b02484
SHA512 6ca7ef83494d86e0a5d87e3923b90f72e42262727d41fa51eaad17aeea13fcde12d8b1fa0dbedde650ea8cf0ede499ee68dec37a980b96049408f20d83983d18

C:\Users\Admin\AppData\Local\Temp\RarSFX0\vba.ini

MD5 bebaff2e57072ef81ed21466dd9534cb
SHA1 1a0f8a27a7ff8704b987769caa60779028734509
SHA256 6aefedb248c234313207bd0bbf6fd27ae7bd735756b1b5fb6c1af9d3d8b0d26b
SHA512 5f120e7accabb2072d5bcde6d78cdc9f4d206b58c68d83d0c5307f5be1a2f7fac95823f5ad4967fe2cc0920e5bb76c4b3e832c375d0166b96d983fb1fb16a115

C:\Users\Admin\AppData\Local\Temp\RarSFX0\game.gb

MD5 982ed5d2b12a0377eb14bcdc4123744e
SHA1 74591cc9501af93873f9a5d3eb12da12c0723bbc
SHA256 0d6535aef23969c7e5af2b077acaddb4a445b3d0df7bf34c8acef07b51b015c3
SHA512 2da21a753badad613eee0e10ebce24a9f47d26e21895c16406c66b6cd0244f8b73945e51a75d7f13aebcaacaa39e7a42a53b7d4f850f48e0174f22b5506b88ab