Overview

overview

7

Static

static

1

XOutput.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    300s
  • max time network
    297s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-02-2023 00:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XOutput.exe

  • Size

    2.2MB

  • MD5

    250844b8abb064b491296026467eeb71

  • SHA1

    def2c93459a4f5481139647095b3866be985e2e9

  • SHA256

    5768f80c72d36e90d3213614279c4ea0fe15abff28870bb64861aa42f90f6673

  • SHA512

    ec8702598b1c1891fd54274e2cd58ab247f816ef1bab5bb5969e066601df9cad6af089485ca08e7dcbab0ec3ca81825b0193356a1e1fe18e2c000483a1c022f1

  • SSDEEP

    24576:rRAPggD7PIEjR4xq7iiXTK7D3So9AIB+j3pSo2UXuwwpSDBsRhxA/bSInQivEHCn:kL70XWIB+jZkwwpSqRDA/+FOGCn

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XOutput.exe
    "C:\Users\Admin\AppData\Local\Temp\XOutput.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4136
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C joy.cpl
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:5048
      • C:\Windows\System32\control.exe
        "C:\Windows\System32\control.exe" "C:\Windows\system32\joy.cpl",
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3312
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\joy.cpl",
          4⤵
          • Suspicious use of SetWindowsHookEx
          PID:4188

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Costura\44B19228E411D572B12D7DA34982BC35\64\vigemclient.dll
    Filesize

    307KB

    MD5

    40e1edb55ec4db991440c45f723a14d6

    SHA1

    5797f1922984b684b73e2363d8573049237445e4

    SHA256

    966e579ad8224ca87ae78a8788c5eb0c33ecb932dcc6ca25c39871e20b97a15a

    SHA512

    c99e4016374203f29f75132afd5f42cecceb50a5b45a33bddb1bc60b4d3b196c6ebaa1dba12f8e1bff2c95bf83518a12bf25d659d634c5a33445445d8246e178

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Costura\44B19228E411D572B12D7DA34982BC35\64\vigemclient.dll
    Filesize

    307KB

    MD5

    40e1edb55ec4db991440c45f723a14d6

    SHA1

    5797f1922984b684b73e2363d8573049237445e4

    SHA256

    966e579ad8224ca87ae78a8788c5eb0c33ecb932dcc6ca25c39871e20b97a15a

    SHA512

    c99e4016374203f29f75132afd5f42cecceb50a5b45a33bddb1bc60b4d3b196c6ebaa1dba12f8e1bff2c95bf83518a12bf25d659d634c5a33445445d8246e178

    Download Submit

  • memory/3312-143-0x0000000000000000-mapping.dmp

    Download

  • memory/4136-138-0x000001FD5E220000-0x000001FD5E228000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4136-134-0x000001FD5E250000-0x000001FD5E272000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4136-137-0x000001FD5C210000-0x000001FD5C218000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4136-132-0x000001FD3FA00000-0x000001FD3FC38000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/4136-140-0x000001FD5E280000-0x000001FD5E28E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4136-139-0x000001FD61AE0000-0x000001FD61B18000-memory.dmp

    Filesize

    224KB

    Download

  • memory/4136-141-0x00007FFA6DF40000-0x00007FFA6EA01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4136-133-0x00007FFA6DF40000-0x00007FFA6EA01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4188-144-0x0000000000000000-mapping.dmp

    Download

  • memory/5048-142-0x0000000000000000-mapping.dmp

    Download