92baa41f94a860ea33409d9f739bb2a0447342bb81eb4e0ac64a1ccb7ac7cbfb

General

Target

x360ce_x64.exe
Size

3.1MB
MD5

0b23e452f11b2b42ae0fe6772ac607bc
SHA1

61f5150fbad995b616a5dcca34de33fb052ab238
SHA256

92baa41f94a860ea33409d9f739bb2a0447342bb81eb4e0ac64a1ccb7ac7cbfb
SHA512

502fe140c8ab2aa35cdefcacce19708497514e37df3465094e412f0826ef1dd5588218c2f6ef0706eb56a28302eb4901d6b62ce7d9a2847d0e549d8f61230d1b
SSDEEP

49152:6zbfJJb4/WGLUbtJJb4/WGBJJb4/WGwJJb4/WGA0wr+jTZtY56OUfN7UCLJJJe4z:8XbbGgNbbGVbbGobbGABr+pre6GK

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1860	x360ce_x64.exe

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E	x360ce_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 0f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e2000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	x360ce_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a503000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df12000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	x360ce_x64.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1860	x360ce_x64.exe
1860	x360ce_x64.exe
1860	x360ce_x64.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1860	x360ce_x64.exe
1860	x360ce_x64.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1860	x360ce_x64.exe

C:\Users\Admin\AppData\Local\Temp\x360ce_x64.exe
"C:\Users\Admin\AppData\Local\Temp\x360ce_x64.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\X360CE\x360ce.Presets.xml

Filesize
182B

MD5
1173f52418aa6f5f4c01a26cd8a050b8

SHA1
9afa290244bb2aa5ed6a4b18d28098c0d17d703d

SHA256
00e52c4738dba57851e8a3bf6df76ada9ea844aa3b2bb26d019880e999cf2fef

SHA512
5ffab5fdb063c42450db26b4b4f5cdcc6561d2b415d5432ed1b480da01c046bfdf03381bc8eb2dc4c758c668b5dccd0d5dfbf4ed769442cafc4468a0f74efbdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\x360ce.ini

Filesize
872B

MD5
00385d5815c39d0920a297bf90e178e4

SHA1
bb61ab307dbcafbd6fa30bc825bc072abd361574

SHA256
c41d43558fc8be854621b21f32d7dfa358287780ccb47af867ca704765072549

SHA512
5aa3f08d7df729de01efa8c939e67c82f1aa8a12dd299a60122adf36defe655868a9b555ca99eba474081fd77030092c253c8e68db69df8b2f808b148726f68a

Download Submit
C:\Users\Admin\AppData\Local\Temp\x360ce.ini

Filesize
612B

MD5
dc39201decf45e6cd3fd8d8f90d930e5

SHA1
22cc7ab2fbe68ba21f63dd3ee8ba32b086b75e01

SHA256
8161bc85b2566c7658e75b1a4d0c7bd31c55e8246b667ab5ab7b7182c3858c2a

SHA512
f4c4b1d286d40655f6bb19a28a1742bb9685ddced933dbcbcbabc7f38f4e0c3e6e6c5a6dc5720695b01102dc2a0fd8a33b96fc84120100bbea3f5a392cb9c35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\x360ce.ini

Filesize
580B

MD5
bbc6ad7b6ac7c23503b1c99239db7c45

SHA1
326d7fdebc35748c36a6d497e75c78a88f736144

SHA256
90fda8576e9265febf364ad44c5651fd73c2e109163c4ec3361b5b411de9bf5d

SHA512
1bd3c41a7019e2c54e5254248d3e5ed62b8d1418ea04197843a360cd4f26384d4e89c64b37a7a177dd4ac844b3ac98d0e38f2c4c4601e17e506403c7a43a3f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xinput1_3.dll

Filesize
142KB

MD5
f26b59ba3bece9d04b92415a3205667a

SHA1
09337ad2b5b345aa75ef32a31c828038fd892166

SHA256
2d8e3e39ffa1c5cf15f6a7f6cc8020d00d8277b1c2e61c49443b80fc1fbe97ad

SHA512
ebbbe5d7d6fe008ed72415372edb0048745c588268e14dd466fe126b3a1a39d48b44a86fe4900d50d65a479c364e1e32a2e2acfd3329ce1c16e035c197c1dbca

Download Submit
C:\Users\Admin\AppData\Local\Temp\xinput_Amd64.tmp.dll

Filesize
142KB

MD5
f26b59ba3bece9d04b92415a3205667a

SHA1
09337ad2b5b345aa75ef32a31c828038fd892166

SHA256
2d8e3e39ffa1c5cf15f6a7f6cc8020d00d8277b1c2e61c49443b80fc1fbe97ad

SHA512
ebbbe5d7d6fe008ed72415372edb0048745c588268e14dd466fe126b3a1a39d48b44a86fe4900d50d65a479c364e1e32a2e2acfd3329ce1c16e035c197c1dbca

Download Submit
memory/1860-11-0x000000001DDE0000-0x000000001DE6E000-memory.dmp

Filesize
568KB

Download
memory/1860-49-0x00000000033B0000-0x00000000033C0000-memory.dmp

Filesize
64KB

Download
memory/1860-16-0x00000000033B0000-0x00000000033C0000-memory.dmp

Filesize
64KB

Download
memory/1860-14-0x00000000229A0000-0x0000000022D7A000-memory.dmp

Filesize
3.9MB

Download
memory/1860-0-0x00000000005D0000-0x00000000008E2000-memory.dmp

Filesize
3.1MB

Download
memory/1860-36-0x00007FFBD8160000-0x00007FFBD8C21000-memory.dmp

Filesize
10.8MB

Download
memory/1860-37-0x00000000033B0000-0x00000000033C0000-memory.dmp

Filesize
64KB

Download
memory/1860-44-0x00000000201A0000-0x00000000201A8000-memory.dmp

Filesize
32KB

Download
memory/1860-47-0x0000000020ED0000-0x0000000020EF2000-memory.dmp

Filesize
136KB

Download
memory/1860-15-0x000000001DFC0000-0x000000001DFE0000-memory.dmp

Filesize
128KB

Download
memory/1860-48-0x00000000033B0000-0x00000000033C0000-memory.dmp

Filesize
64KB

Download
memory/1860-12-0x00000000033B0000-0x00000000033C0000-memory.dmp

Filesize
64KB

Download
memory/1860-13-0x0000000003410000-0x0000000003452000-memory.dmp

Filesize
264KB

Download
memory/1860-10-0x00000000033E0000-0x000000000340C000-memory.dmp

Filesize
176KB

Download
memory/1860-87-0x00000000033B0000-0x00000000033C0000-memory.dmp

Filesize
64KB

Download
memory/1860-1-0x00007FFBD8160000-0x00007FFBD8C21000-memory.dmp

Filesize
10.8MB

Download
memory/1860-147-0x00007FFBD8160000-0x00007FFBD8C21000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing