Analysis
max time kernel: 148s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-07-2023 22:56
Static task: static1
Behavioral task: behavioral1
  Sample: dolphin-x64-5.0.exe
  Resource: win7-20230705-en
Behavioral task: behavioral2
  Sample: dolphin-x64-5.0.exe
  Resource: win10v2004-20230703-en
General
Target: dolphin-x64-5.0.exe
Size: 18.4MB
MD5: eca48982effad82616f206f52336fe4b
SHA1: 4d88af3572de650b0b7dccd92dc8de5854edfae6
SHA256: e1b3ae8fc890c6588e5656f77ef2747ae7ddfc90b6530b240c0c5b9d0ab3ce8c
SHA512: 778755b2d12c703a2954882a4d333b7cb61ee7ed0482b5cb14c1cbc4b90c8b65f308944a2f9369a89fc54d163c613efc65adf70316c08d447183f65637fcb557
SSDEEP: 393216:Y1qyjt4rPX8zs3XxdbHNemtqa7JhnurHTl0WcS4ENyQ4p9Jmm+:Y1qyZePX8khdbtecqa7JhnurHirhENys
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  pid 4460  Process DXSETUP.exe
Loads dropped DLL (3 IoCs)
  pid 392   Process dolphin-x64-5.0.exe
  pid 4460  Process DXSETUP.exe
  pid 4460  Process DXSETUP.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (1 IoCs)
  File opened for modification C:\Windows\Logs\DirectX.log  Process DXSETUP.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid 392  Process dolphin-x64-5.0.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeBackupPrivilege   pid 2588  Process vssvc.exe
  Token: SeRestorePrivilege  pid 2588  Process vssvc.exe
  Token: SeAuditPrivilege    pid 2588  Process vssvc.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 392 wrote to memory of 4460  Process dolphin-x64-5.0.exe  procid_target 88
  PID 392 wrote to memory of 4460  Process dolphin-x64-5.0.exe  procid_target 88
  PID 392 wrote to memory of 4460  Process dolphin-x64-5.0.exe  procid_target 88
Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\dolphin-x64-5.0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dolphin-x64-5.0.exe"
  PID: 392
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\dxredist\DXSETUP.exe (child of PID 392)
    Command line: "C:\Users\Admin\AppData\Local\Temp\dxredist\DXSETUP.exe" /silent
    PID: 4460
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2588
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads