cbf710b8e6b29f0904e289a9b9a895548a2d7c7af5a3145c8279b97a69a09276

Analysis

max time kernel
125s
max time network
141s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22/04/2023, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DeSmuME_0.9.13_x64.exe
Size

38.3MB
MD5

2cc20871992a412fc0d50a68b0461100
SHA1

54339be244cc7ab8072652f77613634fa2cb178d
SHA256

1ca4e771b92f38a1cef4fc2a61f7d729a638f94d0e56f7948eeeb472000cf32c
SHA512

7be15c5fedb11bf63896ce866baf7377fc26eb622c583cb7589ff17f1890f0fc04fda1c450da848a48aecfb34f8efd0d285006ca73d3a4d09e74c4d525dd2ae9
SSDEEP

49152:8Xvil5QafIWd0uPXKA1avMfa5W3hhlDXGA5mdwFrMvOE1EoIKtHtwqVOyQuq+mik:O+sMS5KGFOsIDp5wuVPkfFSh/hsmQZ4

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	DeSmuME_0.9.13_x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	DeSmuME_0.9.13_x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_Classes\Local Settings	DeSmuME_0.9.13_x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	DeSmuME_0.9.13_x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	DeSmuME_0.9.13_x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	DeSmuME_0.9.13_x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	DeSmuME_0.9.13_x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	DeSmuME_0.9.13_x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 4a00310000000000975669031020526f6d730000360008000400efbe97566903975669032a000000e841010000000700000000000000000000000000000052006f006d007300000014000000	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	DeSmuME_0.9.13_x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	DeSmuME_0.9.13_x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1"	DeSmuME_0.9.13_x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c004346534616003100000000005456d096122041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe5456d0965456d0962a000000e90100000000020000000000000000000000000000004100700070004400610074006100000042000000	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000009756270310204c6f63616c00380008000400efbe5456d096975627032a000000fc0100000000020000000000000000000000000000004c006f00630061006c00000014000000	DeSmuME_0.9.13_x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 52003100000000009756690310204465536d754d45003c0008000400efbe97562703975669032a000000413a01000000090000000000000000000000000000004400650053006d0075004d004500000016000000	DeSmuME_0.9.13_x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	DeSmuME_0.9.13_x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	DeSmuME_0.9.13_x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	DeSmuME_0.9.13_x64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
920	DeSmuME_0.9.13_x64.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1656	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1656	AUDIODG.EXE
Token: 33	1656	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1656	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
920	DeSmuME_0.9.13_x64.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
920	DeSmuME_0.9.13_x64.exe
920	DeSmuME_0.9.13_x64.exe

C:\Users\Admin\AppData\Local\Temp\DeSmuME_0.9.13_x64.exe
"C:\Users\Admin\AppData\Local\Temp\DeSmuME_0.9.13_x64.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:920

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x148
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DeSmuME\desmume.ini

Filesize
18B

MD5
b8d4fc464e021b73b7281d921592fa85

SHA1
864d8c96deff54c6107a28bb7d8a276e338319cb

SHA256
712541cddf2d5d5731c6de8b23d2d73d825de8b903eacd23cfc1daccf2eec830

SHA512
a741db0b60d02a79e03bf5cd161f69483b665eddfef0bee635b6fd34aef7342d18f95aedacfb14f56391866aadf7a117171de2fe831e4221e4507f47ed786926

Download Submit
C:\Users\Admin\AppData\Local\DeSmuME\desmume.ini

Filesize
77B

MD5
6a7131f6c415e1f44ece098076341bc5

SHA1
eab6547c4d306763081770f0a72971de39c97f95

SHA256
f4b73f5e24c19dc212dce8cd35a0a06ea8c7f781e59c1746349516afe0962c38

SHA512
f58209ef6844302764ece9c3acd94a0234f23a4048d4e2e2e1bf3332275d112dae2b8afa75922406eef084ffe525217e6c897ee7d3b268e3b5f987c710e96bd4

Download Submit
memory/920-85-0x00000000084D0000-0x00000000084E0000-memory.dmp

Filesize
64KB

Download
memory/920-86-0x00000000084C0000-0x00000000084C1000-memory.dmp

Filesize
4KB

Download