Analysis Overview
SHA256
549a95d0d11bf0f2af0de47e6842af75afdcb60f964213e2eab2fba2cc160731
Threat Level: Shows suspicious behavior
The file Five Nights at Candy's 3.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops desktop.ini file(s)
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Checks processor information in registry
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:26
Reported
2024-11-10 01:31
Platform
win11-20241007-en
Max time kernel
39s
Command Line
Signatures
Loads dropped DLL
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\Videos\Captures\desktop.ini | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Five Nights at Candy's 3.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2584844841-1405471295-1760131749-1000\{42E88E54-D074-4F63-82F0-E1BB25E1FE13} | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Five Nights at Candy's 3.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Five Nights at Candy's 3.exe
"C:\Users\Admin\AppData\Local\Temp\Five Nights at Candy's 3.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004E8
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
Network
Files
C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\mmfs2.dll
C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\Layer.mfx
C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\txtblt.mfx
C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\kcini.mfx
C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\Platform.mfx
C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\kcwctrl.mfx
C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\Box2DJoint.mfx
C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\Box2DBase.mfx
memory/2816-45-0x0000000003260000-0x00000000032A9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\Box2DRopeAndChain.mfx
C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\Box2DStatic.mvx
memory/2816-61-0x0000000003310000-0x0000000003331000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\Box2DPlatform.mvx
C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\Box2DBouncingBall.mvx
memory/2816-77-0x0000000003390000-0x00000000033B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\mmf2d3d9.dll
memory/2816-69-0x0000000003350000-0x0000000003371000-memory.dmp
memory/2816-53-0x00000000032C0000-0x00000000032E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mrtED2F.tmp\oggflt.sft
memory/2816-89-0x0000000003BE0000-0x0000000003C04000-memory.dmp
C:\Users\Admin\AppData\Roaming\MMFApplications\fivecandys3
C:\Users\Admin\Videos\Captures\desktop.ini