e1b3ae8fc890c6588e5656f77ef2747ae7ddfc90b6530b240c0c5b9d0ab3ce8c

Analysis

max time kernel
151s
max time network
32s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03/04/2023, 02:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dolphin-x64-5.0.exe
Size

18.4MB
MD5

eca48982effad82616f206f52336fe4b
SHA1

4d88af3572de650b0b7dccd92dc8de5854edfae6
SHA256

e1b3ae8fc890c6588e5656f77ef2747ae7ddfc90b6530b240c0c5b9d0ab3ce8c
SHA512

778755b2d12c703a2954882a4d333b7cb61ee7ed0482b5cb14c1cbc4b90c8b65f308944a2f9369a89fc54d163c613efc65adf70316c08d447183f65637fcb557
SSDEEP

393216:Y1qyjt4rPX8zs3XxdbHNemtqa7JhnurHTl0WcS4ENyQ4p9Jmm+:Y1qyZePX8khdbtecqa7JhnurHirhENys

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
268	DXSETUP.exe

Loads dropped DLL 10 IoCs

pid	Process
1992	dolphin-x64-5.0.exe
1992	dolphin-x64-5.0.exe
1992	dolphin-x64-5.0.exe
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1992	dolphin-x64-5.0.exe
268	DXSETUP.exe
268	DXSETUP.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Dolphin\Sys\GameSettings\GTL.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\RBI.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\RVQ.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\Shaders\posterize2.glsl	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\G3E.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GSZ.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GHV.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GSR.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\RSF.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\SD2.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\SPR.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\Resources\toolbar_add_breakpoint.png	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\F.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GFZE01.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GHU.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GT7.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\R8J.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\RI3.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\SHL.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\WRI.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\G6N.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GFZJ01.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\RDV.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\SC2.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\SHD.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\Themes\Clean Lite\[email protected]	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\EA4.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GKO.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\RRA.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\WDM.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\Resources\Flag_International.png	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\RBK.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\RHD.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\W24.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GES.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GW5.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\RZP.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\Shaders\spookey1.glsl	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GLB.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\RMHJ08.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\RCJE8P.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\Shaders\Anaglyph\dubois-LCD-Green-Magenta.glsl	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\Themes\Clean Pink\browse.png	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\G2MEAB.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GGA.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GGT.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GJZ.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\RBW.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\RLT.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\WSL.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\Themes\Clean Lite\[email protected]	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\G2B.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\G89.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\RIH.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\WBM.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\RF7.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\RMA.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\SBD.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\SN4.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\SXE.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GKM.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\PM4.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\E73.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GZW.ini	dolphin-x64-5.0.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DirectX.log	DXSETUP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1992	dolphin-x64-5.0.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1688	vssvc.exe
Token: SeRestorePrivilege	1688	vssvc.exe
Token: SeAuditPrivilege	1688	vssvc.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 268	1992	dolphin-x64-5.0.exe	27
PID 1992 wrote to memory of 268	1992	dolphin-x64-5.0.exe	27
PID 1992 wrote to memory of 268	1992	dolphin-x64-5.0.exe	27
PID 1992 wrote to memory of 268	1992	dolphin-x64-5.0.exe	27
PID 1992 wrote to memory of 268	1992	dolphin-x64-5.0.exe	27
PID 1992 wrote to memory of 268	1992	dolphin-x64-5.0.exe	27
PID 1992 wrote to memory of 268	1992	dolphin-x64-5.0.exe	27

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\dolphin-x64-5.0.exe
"C:\Users\Admin\AppData\Local\Temp\dolphin-x64-5.0.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\dxredist\DXSETUP.exe
  "C:\Users\Admin\AppData\Local\Temp\dxredist\DXSETUP.exe" /silent
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:268

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Dolphin\Dolphin.exe

Filesize
14.9MB

MD5
9660ec7cddf093a1807cb25fe0946b8e

SHA1
5986661c62d689380476db238d7c18fa37d1b616

SHA256
19d5c382204d7e40a764e116967aec610f502b9be60b9d3b095073827aa93c66

SHA512
5213c828d4f0742c3cde59ceea7b111a1402779602f09fa5e898083b07f2860bb33119f97741bc049fefc0cd745879d22a12dc37ece8e0dd8b308dcc84079755

Download Submit
C:\Program Files\Dolphin\Languages\it\dolphin-emu.mo

Filesize
121KB

MD5
f00a5461ba0b2c95f801923fef70c266

SHA1
f7717e3f341e1b56c46407df643d4ac6dcc09885

SHA256
19c8af2231c12fe7969e63595f818baf9421542d1e4f3ea64ac2ff79352a6f12

SHA512
a9977db27df94510bc75ee961924804c59c0005b9bc9b8961d63b01359c72920a6a6f0f3b014c715f3b0c4208038deb65f114f83dee157422dc035b84a267315

Download Submit
C:\Program Files\Dolphin\Sys\Resources\toolbar_debugger_step_over.png

Filesize
988B

MD5
926a446e9de7d51c34ae548673386417

SHA1
5a0a2666b270eca354f1632de8f98fc966864d08

SHA256
85f27cf7d073c5931530c102d4c39ff731a3eb30c67d506c6626b0ad72f26539

SHA512
d5117a0a76c22b06aa91f7586f866387ad74b4962e569cab64d6abeb83d701c8b66331dc6193478f36faef616a95f404cb15a7a0b0b86f863c93ab09f908ea53

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxredist\DSETUP32.DLL

Filesize
1.5MB

MD5
d8fa7bb4fe10251a239ed75055dd6f73

SHA1
76c4bd2d8f359f7689415efc15e3743d35673ae8

SHA256
fb0e534f9b0926e518f1c2980640dfd29f14217cdfa37cf3a0c13349127ed9a8

SHA512
73f633179b1340c1c14d0002b72e44cab1919d0ef174f307e4bfe6de240b0b6ef233e67a8b0a0cd677556865ee7b88c6de152045a580ab9fbf1a50d2db0673b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxredist\DXSETUP.exe

Filesize
505KB

MD5
bf3f290275c21bdd3951955c9c3cf32c

SHA1
9fd00f3bb8a870112dae464f555fcd5e7f9200c0

SHA256
8f47d7121ef6532ad9ad9901e44e237f5c30448b752028c58a9d19521414e40d

SHA512
d2c354ee8b6977d01f23c6d2bb4977812bf653eae25e7a75a7d0a36b588c89fcdbdc2a8087c24d6ff687afebd086d4b7d0c92203ce39691b21dab71eafd1d249

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxredist\dsetup.dll

Filesize
93KB

MD5
eb701def7d0809e8da765a752ab42be5

SHA1
7897418f0fae737a3ebe4f7954118d71c6c8b426

SHA256
2a61679eeedabf7d0d0ac14e5447486575622d6b7cfa56f136c1576ff96da21f

SHA512
6ff8433c0dadc0e87d18f04289ab6f48624c908acbda506708f5e0f3c9522e9316e587e71f568938067ba9f37f96640b793fdfaa580caedc3bf9873dc221271f

Download Submit
C:\Windows\Logs\DirectX.log

Filesize
474B

MD5
e9c0ca0aaa492b48ca1566e7bc682a36

SHA1
227cb25c9627f777e398dc975485248adf6d9df5

SHA256
cb50626b93f1e9869d586689300f95d2aad40c46eebb36277ec7522ef4d222a4

SHA512
8fe713213789c75db47c4bf5c11c099bda5fad173fd43d60c3168207170c8b7c2182000c12a0f2e5b8b9b9062717870eea2c9fcda767c32876c21f8152b7b29d

Download Submit
\Program Files\Dolphin\Dolphin.exe

Filesize
14.9MB

MD5
9660ec7cddf093a1807cb25fe0946b8e

SHA1
5986661c62d689380476db238d7c18fa37d1b616

SHA256
19d5c382204d7e40a764e116967aec610f502b9be60b9d3b095073827aa93c66

SHA512
5213c828d4f0742c3cde59ceea7b111a1402779602f09fa5e898083b07f2860bb33119f97741bc049fefc0cd745879d22a12dc37ece8e0dd8b308dcc84079755

Download Submit
\Program Files\Dolphin\Dolphin.exe

Filesize
14.9MB

MD5
9660ec7cddf093a1807cb25fe0946b8e

SHA1
5986661c62d689380476db238d7c18fa37d1b616

SHA256
19d5c382204d7e40a764e116967aec610f502b9be60b9d3b095073827aa93c66

SHA512
5213c828d4f0742c3cde59ceea7b111a1402779602f09fa5e898083b07f2860bb33119f97741bc049fefc0cd745879d22a12dc37ece8e0dd8b308dcc84079755

Download Submit
\Program Files\Dolphin\Dolphin.exe

Filesize
14.9MB

MD5
9660ec7cddf093a1807cb25fe0946b8e

SHA1
5986661c62d689380476db238d7c18fa37d1b616

SHA256
19d5c382204d7e40a764e116967aec610f502b9be60b9d3b095073827aa93c66

SHA512
5213c828d4f0742c3cde59ceea7b111a1402779602f09fa5e898083b07f2860bb33119f97741bc049fefc0cd745879d22a12dc37ece8e0dd8b308dcc84079755

Download Submit
\Program Files\Dolphin\Dolphin.exe

Filesize
14.9MB

MD5
9660ec7cddf093a1807cb25fe0946b8e

SHA1
5986661c62d689380476db238d7c18fa37d1b616

SHA256
19d5c382204d7e40a764e116967aec610f502b9be60b9d3b095073827aa93c66

SHA512
5213c828d4f0742c3cde59ceea7b111a1402779602f09fa5e898083b07f2860bb33119f97741bc049fefc0cd745879d22a12dc37ece8e0dd8b308dcc84079755

Download Submit
\Program Files\Dolphin\Dolphin.exe

Filesize
14.9MB

MD5
9660ec7cddf093a1807cb25fe0946b8e

SHA1
5986661c62d689380476db238d7c18fa37d1b616

SHA256
19d5c382204d7e40a764e116967aec610f502b9be60b9d3b095073827aa93c66

SHA512
5213c828d4f0742c3cde59ceea7b111a1402779602f09fa5e898083b07f2860bb33119f97741bc049fefc0cd745879d22a12dc37ece8e0dd8b308dcc84079755

Download Submit
\Program Files\Dolphin\Dolphin.exe

Filesize
14.9MB

MD5
9660ec7cddf093a1807cb25fe0946b8e

SHA1
5986661c62d689380476db238d7c18fa37d1b616

SHA256
19d5c382204d7e40a764e116967aec610f502b9be60b9d3b095073827aa93c66

SHA512
5213c828d4f0742c3cde59ceea7b111a1402779602f09fa5e898083b07f2860bb33119f97741bc049fefc0cd745879d22a12dc37ece8e0dd8b308dcc84079755

Download Submit
\Users\Admin\AppData\Local\Temp\dxredist\DSETUP.dll

Filesize
93KB

MD5
eb701def7d0809e8da765a752ab42be5

SHA1
7897418f0fae737a3ebe4f7954118d71c6c8b426

SHA256
2a61679eeedabf7d0d0ac14e5447486575622d6b7cfa56f136c1576ff96da21f

SHA512
6ff8433c0dadc0e87d18f04289ab6f48624c908acbda506708f5e0f3c9522e9316e587e71f568938067ba9f37f96640b793fdfaa580caedc3bf9873dc221271f

Download Submit
\Users\Admin\AppData\Local\Temp\dxredist\DXSETUP.exe

Filesize
505KB

MD5
bf3f290275c21bdd3951955c9c3cf32c

SHA1
9fd00f3bb8a870112dae464f555fcd5e7f9200c0

SHA256
8f47d7121ef6532ad9ad9901e44e237f5c30448b752028c58a9d19521414e40d

SHA512
d2c354ee8b6977d01f23c6d2bb4977812bf653eae25e7a75a7d0a36b588c89fcdbdc2a8087c24d6ff687afebd086d4b7d0c92203ce39691b21dab71eafd1d249

Download Submit
\Users\Admin\AppData\Local\Temp\dxredist\dsetup32.dll

Filesize
1.5MB

MD5
d8fa7bb4fe10251a239ed75055dd6f73

SHA1
76c4bd2d8f359f7689415efc15e3743d35673ae8

SHA256
fb0e534f9b0926e518f1c2980640dfd29f14217cdfa37cf3a0c13349127ed9a8

SHA512
73f633179b1340c1c14d0002b72e44cab1919d0ef174f307e4bfe6de240b0b6ef233e67a8b0a0cd677556865ee7b88c6de152045a580ab9fbf1a50d2db0673b4

Download Submit
\Users\Admin\AppData\Local\Temp\nst6F0B.tmp\LangDLL.dll

Filesize
5KB

MD5
e447e49175c0db1f27888aede301084f

SHA1
f5946c743265cd8e81f3e7b6376dada57f99877f

SHA256
fd26ef21d72797fedecd3d15f2001cea793383aceb3cee19a5ae2a3d30e197b6

SHA512
e6543bf81bedce94a58f48cd6f9daaec891775e01ff76b771c22d459a778490f9bba0bebbf111b1ca3091b3ca69bca806a9b5e68ce12df03abbaa6ce5c4b7cec

Download Submit