Overview
overview
8Static
static
1BetterJoyForCemu.exe
windows7-x64
8BetterJoyForCemu.exe
windows10-2004-x64
7BetterJoyF...xe.xml
windows7-x64
1BetterJoyF...xe.xml
windows10-2004-x64
1Crc32.NET.dll
windows7-x64
1Crc32.NET.dll
windows10-2004-x64
1Crc32.NET.xml
windows7-x64
1Crc32.NET.xml
windows10-2004-x64
1Drivers/HI...n).bat
windows7-x64
5Drivers/HI...n).bat
windows10-2004-x64
5Drivers/HI...n).bat
windows7-x64
1Drivers/HI...n).bat
windows10-2004-x64
1Drivers/HI...ib.dll
windows7-x64
1Drivers/HI...ib.dll
windows10-2004-x64
1Drivers/HI...sts.js
windows7-x64
1Drivers/HI...sts.js
windows10-2004-x64
1Drivers/HI...els.js
windows7-x64
1Drivers/HI...els.js
windows10-2004-x64
1Drivers/HI...in.css
windows7-x64
3Drivers/HI...in.css
windows10-2004-x64
7Drivers/HI...in.css
windows7-x64
3Drivers/HI...in.css
windows10-2004-x64
7Drivers/HI...min.js
windows7-x64
1Drivers/HI...min.js
windows10-2004-x64
1Drivers/HI...min.js
windows7-x64
1Drivers/HI...min.js
windows10-2004-x64
1Drivers/HI...min.js
windows7-x64
1Drivers/HI...min.js
windows10-2004-x64
1Drivers/HI...min.js
windows7-x64
1Drivers/HI...min.js
windows10-2004-x64
1Drivers/HI...min.js
windows7-x64
1Drivers/HI...min.js
windows10-2004-x64
1Analysis
-
max time kernel
42s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
11/02/2023, 03:12
Static task
static1
Behavioral task
behavioral1
Sample
BetterJoyForCemu.exe
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral2
Sample
BetterJoyForCemu.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
BetterJoyForCemu.exe.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
BetterJoyForCemu.exe.xml
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Crc32.NET.dll
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral6
Sample
Crc32.NET.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Crc32.NET.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral8
Sample
Crc32.NET.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Drivers/HIDGuardian/HIDGuardian Install (Run as Admin).bat
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral10
Sample
Drivers/HIDGuardian/HIDGuardian Install (Run as Admin).bat
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Drivers/HIDGuardian/HIDGuardian Uninstall (Run as Admin).bat
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral12
Sample
Drivers/HIDGuardian/HIDGuardian Uninstall (Run as Admin).bat
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Drivers/HIDGuardian/_drivers/HidCerberus.Lib.dll
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral14
Sample
Drivers/HIDGuardian/_drivers/HidCerberus.Lib.dll
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Drivers/HIDGuardian/_drivers/HidCerberus.Srv/Content/custom/api-requests.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral16
Sample
Drivers/HIDGuardian/_drivers/HidCerberus.Srv/Content/custom/api-requests.js
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
Drivers/HIDGuardian/_drivers/HidCerberus.Srv/Content/custom/viewmodels.js
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral18
Sample
Drivers/HIDGuardian/_drivers/HidCerberus.Srv/Content/custom/viewmodels.js
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
Drivers/HIDGuardian/_drivers/HidCerberus.Srv/Content/dep/bootstrap-theme.min.css
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral20
Sample
Drivers/HIDGuardian/_drivers/HidCerberus.Srv/Content/dep/bootstrap-theme.min.css
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Drivers/HIDGuardian/_drivers/HidCerberus.Srv/Content/dep/bootstrap.min.css
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral22
Sample
Drivers/HIDGuardian/_drivers/HidCerberus.Srv/Content/dep/bootstrap.min.css
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
Drivers/HIDGuardian/_drivers/HidCerberus.Srv/Content/dep/bootstrap.min.js
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral24
Sample
Drivers/HIDGuardian/_drivers/HidCerberus.Srv/Content/dep/bootstrap.min.js
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
Drivers/HIDGuardian/_drivers/HidCerberus.Srv/Content/dep/jquery-3.2.1.min.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral26
Sample
Drivers/HIDGuardian/_drivers/HidCerberus.Srv/Content/dep/jquery-3.2.1.min.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
Drivers/HIDGuardian/_drivers/HidCerberus.Srv/Content/dep/jquery.form.min.js
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral28
Sample
Drivers/HIDGuardian/_drivers/HidCerberus.Srv/Content/dep/jquery.form.min.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
Drivers/HIDGuardian/_drivers/HidCerberus.Srv/Content/dep/knockout-min.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral30
Sample
Drivers/HIDGuardian/_drivers/HidCerberus.Srv/Content/dep/knockout-min.js
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
Drivers/HIDGuardian/_drivers/HidCerberus.Srv/Content/dep/knockout.mapping.min.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral32
Sample
Drivers/HIDGuardian/_drivers/HidCerberus.Srv/Content/dep/knockout.mapping.min.js
Resource
win10v2004-20221111-en
windows10-2004-x64
General
-
Target
Drivers/HIDGuardian/HIDGuardian Install (Run as Admin).bat
-
Size
377B
-
MD5
30cab8ec7ceeac504feb97217931982a
-
SHA1
bd49ce2c7b524bbe74baf6bc76297746680b0da4
-
SHA256
be7d428a517fa481fcca0136f5efc7255dccb4084dafc59b1ddeb10723ba1568
-
SHA512
1a9860ddfd46a3713170d73f153e581d1c6150dc09a2be62867ee9899972a70040b24b65647da4e33f8e577fad61ea5d63ffc84182950086e228fbc62871027a
Malware Config
Signatures
-
Drops file in System32 directory 12 IoCs
description ioc Process File opened for modification C:\Windows\System32\DriverStore\Temp\{4aad9c59-d2c4-4393-b692-3f2c61308f5d}\hidguardian.inf DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{4aad9c59-d2c4-4393-b692-3f2c61308f5d}\SET893D.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4aad9c59-d2c4-4393-b692-3f2c61308f5d}\HidGuardian.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4aad9c59-d2c4-4393-b692-3f2c61308f5d}\SET893E.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{4aad9c59-d2c4-4393-b692-3f2c61308f5d}\SET893E.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4aad9c59-d2c4-4393-b692-3f2c61308f5d}\SET894F.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4aad9c59-d2c4-4393-b692-3f2c61308f5d}\HidGuardian.cat DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{4aad9c59-d2c4-4393-b692-3f2c61308f5d}\SET8950.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4aad9c59-d2c4-4393-b692-3f2c61308f5d}\SET893D.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4aad9c59-d2c4-4393-b692-3f2c61308f5d}\WdfCoInstaller01009.dll DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{4aad9c59-d2c4-4393-b692-3f2c61308f5d}\SET894F.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4aad9c59-d2c4-4393-b692-3f2c61308f5d}\SET8950.tmp DrvInst.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\INF\setupapi.app.log devcon.exe File opened for modification C:\Windows\INF\setupapi.dev.log devcon.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe -
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: SeRestorePrivilege 1460 devcon.exe Token: SeRestorePrivilege 1460 devcon.exe Token: SeRestorePrivilege 1460 devcon.exe Token: SeRestorePrivilege 1460 devcon.exe Token: SeRestorePrivilege 1460 devcon.exe Token: SeRestorePrivilege 1460 devcon.exe Token: SeRestorePrivilege 1460 devcon.exe Token: SeRestorePrivilege 1460 devcon.exe Token: SeRestorePrivilege 1460 devcon.exe Token: SeRestorePrivilege 1460 devcon.exe Token: SeRestorePrivilege 1460 devcon.exe Token: SeRestorePrivilege 1460 devcon.exe Token: SeRestorePrivilege 1460 devcon.exe Token: SeRestorePrivilege 1460 devcon.exe Token: SeRestorePrivilege 852 DrvInst.exe Token: SeRestorePrivilege 852 DrvInst.exe Token: SeRestorePrivilege 852 DrvInst.exe Token: SeRestorePrivilege 852 DrvInst.exe Token: SeRestorePrivilege 852 DrvInst.exe Token: SeRestorePrivilege 852 DrvInst.exe Token: SeRestorePrivilege 852 DrvInst.exe Token: SeRestorePrivilege 852 DrvInst.exe Token: SeRestorePrivilege 852 DrvInst.exe Token: SeRestorePrivilege 852 DrvInst.exe Token: SeRestorePrivilege 852 DrvInst.exe Token: SeRestorePrivilege 852 DrvInst.exe Token: SeRestorePrivilege 852 DrvInst.exe Token: SeRestorePrivilege 852 DrvInst.exe Token: SeRestorePrivilege 968 rundll32.exe Token: SeRestorePrivilege 968 rundll32.exe Token: SeRestorePrivilege 968 rundll32.exe Token: SeRestorePrivilege 968 rundll32.exe Token: SeRestorePrivilege 968 rundll32.exe Token: SeRestorePrivilege 968 rundll32.exe Token: SeRestorePrivilege 968 rundll32.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1976 wrote to memory of 1460 1976 cmd.exe 29 PID 1976 wrote to memory of 1460 1976 cmd.exe 29 PID 1976 wrote to memory of 1460 1976 cmd.exe 29 PID 852 wrote to memory of 968 852 DrvInst.exe 31 PID 852 wrote to memory of 968 852 DrvInst.exe 31 PID 852 wrote to memory of 968 852 DrvInst.exe 31
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Drivers\HIDGuardian\HIDGuardian Install (Run as Admin).bat"1⤵
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Users\Admin\AppData\Local\Temp\Drivers\HIDGuardian\_drivers\devcon.exedevcon.exe install .\HidGuardian\HidGuardian.inf Root\HidGuardian2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1460
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{6946508b-f46c-5a38-137d-8d1ca180a725}\hidguardian.inf" "9" "6ca3f57bf" "0000000000000068" "WinSta0\Default" "0000000000000568" "208" "c:\users\admin\appdata\local\temp\drivers\hidguardian\_drivers\hidguardian"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\system32\rundll32.exerundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{6ea3e04d-62ab-74fa-bd6e-8f6883882b50} Global\{2041c16f-c4b7-0716-62bf-88255b16852c} C:\Windows\System32\DriverStore\Temp\{4aad9c59-d2c4-4393-b692-3f2c61308f5d}\hidguardian.inf C:\Windows\System32\DriverStore\Temp\{4aad9c59-d2c4-4393-b692-3f2c61308f5d}\HidGuardian.cat2⤵
- Suspicious use of AdjustPrivilegeToken
PID:968
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5ed55be0eb2910d8d7b9918eda7b0a213
SHA154f8ee84e102f794bc47019d2dae056c318641b5
SHA256695bcaf8328c7d207c3c9f1bf45deda8e82bd29aa1c542f3b61a8321b1f4b9f9
SHA512f2558f84f35dc1801e32a3b06d25d452a4e4a66c8048416d5e22d4f2756cfb88f92da4011461c4e85c0e2468ac1a59ede72089cbb72aa22f3ae7007ca57fe9f3
-
Filesize
2KB
MD56b0c393b7ad7cd02d672654f16308cf8
SHA13d7bbd0596e7b10948e9163a65b503feed3b77d0
SHA256e005c627e61d7926ec6df60f9a3e241f1fae05134a651259f816d1fef0145f9e
SHA512c33d043b5ad9cb119edab4a77a2a285290158c5df75f000cfc27d35f903da254f20d1b9164e5b71aefc3d2a3697e63818d0a8b817507343762e145dd48ea877b
-
Filesize
36KB
MD57ff3b4842c374d8b4a6b5f73ef4937b0
SHA13560a98e4f8051f51767ee094787896b01401674
SHA2567853f2b2ac260a5ea9fc70e08445ca83708d73a0024154debb590bf33a0c64a7
SHA512c980795c08425e49024537dd786f01ff4148fb628e634a7386082311a68c5eccc4ac316cae87f40d0acaf80c2e111a0cfbc806aeaaee4b980fbb7e8a82a018b8
-
Filesize
1.7MB
MD55487685a7fc7d49a43bf30593f7d8d9b
SHA1ff1752e13c80b369157162722971b11f82228783
SHA25624368b8dfd9dc3352390c438ee783d128cb9774755165c083aa3342d6254638b
SHA512ac1ecb4ad5a8bf746663cf9c9bc2a47d5d0b137941f1589297b93cfb863abb515ba78ec4d249044a87b7816fadf40964f204e34b55bbc1a44efe4b06a9a78566
-
Filesize
2KB
MD56b0c393b7ad7cd02d672654f16308cf8
SHA13d7bbd0596e7b10948e9163a65b503feed3b77d0
SHA256e005c627e61d7926ec6df60f9a3e241f1fae05134a651259f816d1fef0145f9e
SHA512c33d043b5ad9cb119edab4a77a2a285290158c5df75f000cfc27d35f903da254f20d1b9164e5b71aefc3d2a3697e63818d0a8b817507343762e145dd48ea877b