Malware Analysis Report

2024-12-01 01:56

Sample ID 241110-btzjyswflp
Target Five Nights at Candy's 3.exe
SHA256 549a95d0d11bf0f2af0de47e6842af75afdcb60f964213e2eab2fba2cc160731
Tags: discovery
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

549a95d0d11bf0f2af0de47e6842af75afdcb60f964213e2eab2fba2cc160731

Threat Level: Shows suspicious behavior

The file Five Nights at Candy's 3.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery

Loads dropped DLL

Drops desktop.ini file(s)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Checks processor information in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:26

Reported

2024-11-10 01:31

Platform

win11-20241007-en

Max time kernel

39s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Five Nights at Candy's 3.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Five Nights at Candy's 3.exe N/A (21 identical entries)

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Five Nights at Candy's 3.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2584844841-1405471295-1760131749-1000\{42E88E54-D074-4F63-82F0-E1BB25E1FE13} C:\Windows\system32\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Five Nights at Candy's 3.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Five Nights at Candy's 3.exe

"C:\Users\Admin\AppData\Local\Temp\Five Nights at Candy's 3.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004E8

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\mmfs2.dll

MD5 61210630ca4877f7a0a548591113a573
SHA1 072d9f6d7354a8bd8b2b175fecaa631c7cfe2d47
SHA256 565cff6852d4b12ca1590dfa1ff681fa798654bda1ca32e3a944c504dd38c2f3
SHA512 5f3dbe6e11bd7944d90524feff6ec24f539fa23ea7108db3472886571bd20a45abe14096c38a75c5692b14444c7c25e569d59ef95428c85cf9e5c3cb52b849ed

C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\Layer.mfx

MD5 4011f85fff8a854cdbc02c38b5e8e050
SHA1 6e586270b1dccaa8fe5609abbf83fe60cd9772c1
SHA256 dc282ade390ae5bb7249595adac896d2436cf0eea5c63f31e44122173dc96daf
SHA512 cea258db8270ef6b8e4388babdd4915c19e0d4c6ae2b8c947cdd29d8a90153786dc2765e8726585e9c08798727910c4e941b39c12a2981dd0d2efc688890d015

C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\txtblt.mfx

MD5 8740745e7af7926a0e7d3b194fb51fdf
SHA1 d7688925efd0287334d444a9e4bd584177ed0fbc
SHA256 09a214d9738946b14c4470ea95b45de41641e5d69b7559dbf336f7b4624859b0
SHA512 dc52c25b588f386cceb0eef912e0ac38ffb07443011c957ca3d0fda8c2c6d41e8fbcb33dfc1b7c5ff469216cd8c233d5025b88575bd10684827c18fb5ef52bb3

C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\kcini.mfx

MD5 ef2cad7570f3d4cfb8dc7915a92e03af
SHA1 e75063b93d22a45c19b14e93a4030a267faaccab
SHA256 52cdd0d5265dbe45966a787d0082e01ada41553c898f02347840aded98d6332f
SHA512 34f202712b3ff0e9bc68c71108f8edd0d61a387a396bfc710af8da26f7d35c0505ba57bfa91ff524c7c43cdc05e09730ca3755e170f65850390fc0a65b8da630

C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\Platform.mfx

MD5 f028a9790936f628964ffb256405aebb
SHA1 2dbecca5034f39a78e88cdf962208f742ff43302
SHA256 722e0aeb4d6424e95df58c01e5b787a7bcc0b1e1f1c0cf86b18388c42980cfcd
SHA512 f0d3d204e8ec563092d4dbb60dce0370acda92fe39b07e8f021dbc28f56041dc8ddc382b1326cfa8fb694a16a57ebdc56f0824cbf5c9abbe47498e973bff3b32

C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\kcwctrl.mfx

MD5 0f0d7aa7c16138c69c5afcf0556e4fa5
SHA1 996db73f43c4359181916dc87e3e920989564590
SHA256 a02f1647c705602bf51077e2a5c1caf9fbcf8009dcbba4e3b9f25ea31e93b72c
SHA512 0b475e580ce2d945475045b49ee1e1894f26d9c35496b117aee6a67a583798b53804912081a7790b7d784343eb74e2002e5a97d55b0f712adbdcff5c377e24e9

C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\Box2DJoint.mfx

MD5 a3438ee15934b2c1b687d7c5e45371f0
SHA1 9569d79e2c09d6390de4e650b0005342d239bc68
SHA256 ad9ed058bb9e42e1fe98de12c982bab00ba2fe53efd0e40de30798be595f2f43
SHA512 9ecc1ffbbc99d058189518526b2dc1bb35fcefc481348683f810fe950dd13ee490bf9ae41ae71d13d40a1c130ba5159077f1a835bc8dffcb92bde4355d261b90

C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\Box2DBase.mfx

MD5 b649efba2a46292359c3a27d4ae298a5
SHA1 4519ee35d4879daf3cb63fb4e7eb15719518e2d1
SHA256 7e6fd9a92a6096df4820b8f4578d91463c1130c50a647ed413e1bf35965bd64d
SHA512 4d4971f231cc583accb6b85112d5e25eef9b575a54a617f70d88ba49727b0a1fe7753e85d71d3eb561ccd5dd59484802f7b2251a269d4d6a2f2463dcef351ca1

memory/2816-45-0x0000000003260000-0x00000000032A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\Box2DRopeAndChain.mfx

MD5 c31ca4d0b77385aaf8356de0d5a45066
SHA1 d6ed8f9f2c34149767de1c155b009ac88dbcb947
SHA256 4fda7bd63dbf1aef243a720fd940dbd4c376fadb725f532fd02c8a8e37ddba20
SHA512 aab4b94fd7fa0cbd6df5d37ad768430dc70179fa86f1aa48a505b6c3f6a2c6ae62c76f1b32677ed1ffab142d2c3256816b4911c691dc9ff26a0aa1c16d3322ff

C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\Box2DStatic.mvx

MD5 74433434ded999cb768e7542bf4f9069
SHA1 c3b9cdf87916a8764e0cef5a28edc3dcc78a699a
SHA256 8dad3a9acb6e3691245b6a03cadbc280c0ff4abe52cba4d585e174e7f6f97ddc
SHA512 1845a5aba9dd960158528a6826f0205e5c756a1b290b29718b844bbc18ba44813ce52541cb517c98b06efc07d9fe98c0a28455f97ca8bad70f367361696a084d

memory/2816-61-0x0000000003310000-0x0000000003331000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\Box2DPlatform.mvx

MD5 738c5bb2519be276aa3b9c2dbde2ff25
SHA1 918913f1a780b0e00f9156cc036971e4c316bbb0
SHA256 fbf83dd09cbcc9f2129ddc8e41be79c38625d2b54aa22e5a5d1dab8ed2f2117d
SHA512 940c46c0b5cd486dee30a541c960c06edfd415474fcda902f9c231062c3052cf30d282ed26f5097d0fa70d695182cccaa3381d6f79849da318c6cfa681161e0c

C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\Box2DBouncingBall.mvx

MD5 5a97d8acb2e2dbc4cd2f4a17480a703c
SHA1 cbb0768c65c868d5d36d17e0577660b51a8d73b1
SHA256 b4a3550af4092d8c7e22010c56c33432281bd8524a2f1a23c8f9a839bf035208
SHA512 5460e443f04ca8b3befa169004de0dbb23608a6ecb6105bf65f43e21902d97ec02b0182051a7dd5317289f5e45878aeb144d138a5a5f1016504211caf739c496

memory/2816-77-0x0000000003390000-0x00000000033B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\mmf2d3d9.dll

MD5 fffa396440851831d50de58bfa88aae3
SHA1 e300c432878f7fca0a14ad448f86bb01965741ef
SHA256 194990f3009efe9af4d5a94f598fa926d31c7da0f5792cab0aa5bfb2bfeccf77
SHA512 a706501c2c0e418a292bdeecb862378b4150d8a2fbb49c0721a9039931619c1ad9841bdb93eaebeddee1a21ba17ef8f3d081cf0216c79957acbe8ccc12f13890

memory/2816-69-0x0000000003350000-0x0000000003371000-memory.dmp

memory/2816-53-0x00000000032C0000-0x00000000032E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\oggflt.sft

MD5 3c63ea4611008fbcf86435559e9dffab
SHA1 fdc9c6302fcc427530b2dbff63aad1b6d204125a
SHA256 9efb0b4cff5bb033cf1e04bdeabc581db7d787399c5238f4fb40a1e820aac6b8
SHA512 938c6ebbd0a7248f32bc83d2548791b35764417a74728b8b861d2bd539c182ced6f5168a604679e20c150dc6741fd6868768e7d1ffce224667546d3ea80787d3

memory/2816-89-0x0000000003BE0000-0x0000000003C04000-memory.dmp

C:\Users\Admin\AppData\Roaming\MMFApplications\fivecandys3

MD5 355868bdffa89d15098ed67f73c602a0
SHA1 842247226ec6decd97d190b98158bc6f84a40f55
SHA256 d0a7a803d7e184f9bc3c69a9c955e6faedc24f0462381807bb9227b3e0cb118e
SHA512 1bbe59087b05da34568292ed664438975e73b8936afca1837f842031d3e89ba582510bddcaa29e1aefecdad13c1432135d0d18fe47fe3e360dcd5c94ce3ae0eb

C:\Users\Admin\Videos\Captures\desktop.ini

MD5 b0d27eaec71f1cd73b015f5ceeb15f9d
SHA1 62264f8b5c2f5034a1e4143df6e8c787165fbc2f
SHA256 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
SHA512 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c