cbf710b8e6b29f0904e289a9b9a895548a2d7c7af5a3145c8279b97a69a09276

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2023, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DeSmuME_0.9.13_x64.exe
Size

38.3MB
MD5

2cc20871992a412fc0d50a68b0461100
SHA1

54339be244cc7ab8072652f77613634fa2cb178d
SHA256

1ca4e771b92f38a1cef4fc2a61f7d729a638f94d0e56f7948eeeb472000cf32c
SHA512

7be15c5fedb11bf63896ce866baf7377fc26eb622c583cb7589ff17f1890f0fc04fda1c450da848a48aecfb34f8efd0d285006ca73d3a4d09e74c4d525dd2ae9
SSDEEP

49152:8Xvil5QafIWd0uPXKA1avMfa5W3hhlDXGA5mdwFrMvOE1EoIKtHtwqVOyQuq+mik:O+sMS5KGFOsIDp5wuVPkfFSh/hsmQZ4

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 27 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	DeSmuME_0.9.13_x64.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	DeSmuME_0.9.13_x64.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	DeSmuME_0.9.13_x64.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c004346534616003100000000005456b6a0120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe5456b6a0965628b32e00000070e10100000001000000000000000000000000000000d32fc4004100700070004400610074006100000042000000	DeSmuME_0.9.13_x64.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	DeSmuME_0.9.13_x64.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	DeSmuME_0.9.13_x64.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	DeSmuME_0.9.13_x64.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 4e00310000000000965674b31000526f6d7300003a0009000400efbe965674b3965674b32e0000003d0700000000040000000000000000000000000000009b96bd0052006f006d007300000014000000	DeSmuME_0.9.13_x64.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	DeSmuME_0.9.13_x64.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff	DeSmuME_0.9.13_x64.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	DeSmuME_0.9.13_x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	DeSmuME_0.9.13_x64.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 5000310000000000965628b310004c6f63616c003c0009000400efbe5456b6a0965628b32e00000083e101000000010000000000000000000000000000000f5bc6004c006f00630061006c00000014000000	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5600310000000000965628b310004465536d754d4500400009000400efbe965628b3965628b32e000000afe201000000020000000000000000000000000000000f5bc6004400650053006d0075004d004500000016000000	DeSmuME_0.9.13_x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1"	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	DeSmuME_0.9.13_x64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
452	DeSmuME_0.9.13_x64.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4232	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4232	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
452	DeSmuME_0.9.13_x64.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
452	DeSmuME_0.9.13_x64.exe
452	DeSmuME_0.9.13_x64.exe

C:\Users\Admin\AppData\Local\Temp\DeSmuME_0.9.13_x64.exe
"C:\Users\Admin\AppData\Local\Temp\DeSmuME_0.9.13_x64.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:452

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408 0x3fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DeSmuME\desmume.ini

Filesize
18B

MD5
b8d4fc464e021b73b7281d921592fa85

SHA1
864d8c96deff54c6107a28bb7d8a276e338319cb

SHA256
712541cddf2d5d5731c6de8b23d2d73d825de8b903eacd23cfc1daccf2eec830

SHA512
a741db0b60d02a79e03bf5cd161f69483b665eddfef0bee635b6fd34aef7342d18f95aedacfb14f56391866aadf7a117171de2fe831e4221e4507f47ed786926

Download Submit
C:\Users\Admin\AppData\Local\DeSmuME\desmume.ini

Filesize
77B

MD5
6a7131f6c415e1f44ece098076341bc5

SHA1
eab6547c4d306763081770f0a72971de39c97f95

SHA256
f4b73f5e24c19dc212dce8cd35a0a06ea8c7f781e59c1746349516afe0962c38

SHA512
f58209ef6844302764ece9c3acd94a0234f23a4048d4e2e2e1bf3332275d112dae2b8afa75922406eef084ffe525217e6c897ee7d3b268e3b5f987c710e96bd4

Download Submit