Analysis

  • max time kernel
    63s
  • max time network
    72s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
  • submitted
    23/12/2023, 17:45

General

  • Target

    2.1/XboxOneGamePad.exe

  • Size

    609KB

  • MD5

    3096291e785c07eec28d751321ddb495

  • SHA1

    4b7d83e826c129b5f98b4667f0584dddf5fd54af

  • SHA256

    3eba90986be52f7f17d4be2630eec0dc6f2fc1f4c38e0ffa6db6ab39ee3d9278

  • SHA512

    3351e8a17ef8daba756c7efff6fb9a8173e7637c064e00950c9dd821d78e9d93cbb737d69f7c8d2547207478ee3795c7b9a6392a4d477f0ea94a7a8b7d749c38

  • SSDEEP

    12288:WZLwrTd+z4fGpbOfBofQ1iX/math/rgYdB4mklf3Ys6Mcw9L8dBfenw5bP/5tJBT:WZLqMVfh+AlBShf3R6E94dcng/5tJB73

Score
8/10

Malware Config

Signatures

  • Manipulates Digital Signatures 1 TTPs 5 IoCs

    The sandbox observed writes to the registry locations that back Authenticode trust and the Windows cryptography configuration (certificate stores, trust providers). Attackers use such writes to make their own binary or driver verify as trusted. In this run the flag is raised by dpscat.exe and DrvInst.exe (see Processes) and a 4KB XBOX_O~1.CAT catalog is dropped, which is consistent with a driver package being catalog-signed with a locally generated test certificate that is then installed into the machine's trusted stores so that the bundled libusb0.sys driver package passes installation checks. On any host that ran this installer, check the Root and TrustedPublisher stores for a certificate that was not there before.

  • Checks computer location settings 2 TTPs 1 IoCs

    Reads the country code configured in the registry, a lookup commonly used to geofence execution. Here it is triggered by the SFX parent itself (PID 3172); installers routinely read locale settings, so on its own this is weak evidence of malicious intent.

  • Executes dropped EXE 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 35 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 42 IoCs

    SCSI registry information (disk identifier strings) is often read to fingerprint a sandbox or virtual machine. Here it is read by dpinst64.exe, the DeviceInstall service host and DrvInst.exe, i.e. by Plug and Play installation code enumerating devices, which is expected during a driver install rather than evidence of evasion.

  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies system certificate store 2 TTPs 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
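
The two signatures that matter most here, the certificate-store writes and the driver install brokered by DrvInst.exe from a user-writable Temp path, are easy to correlate in endpoint telemetry. The following is an added example, not tooling from the sandbox vendor: it runs simple detection logic over constructed Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set, represented as dicts with Sysmon field names). The thumbprints, host names and the allowlist of expected store writers are assumptions; the paths and the DrvInst command line mirror the process tree below.

```python
"""Detection logic for the behaviour chain in this report, run over constructed
Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value
set). Event contents, thumbprints and host names are made up for the example."""
import re
from datetime import datetime, timedelta

# Writes here change what the machine trusts. Per-user stores live under HKU\<SID>\...
# with the same suffix, so the pattern is anchored on the suffix only.
CERT_STORE_RE = re.compile(
    r"\\SOFTWARE\\Microsoft\\SystemCertificates\\(?P<store>Root|TrustedPublisher)"
    r"\\Certificates\\(?P<thumb>[0-9A-Fa-f]{40})\\Blob$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
INF_RE = re.compile(r"(?P<inf>[A-Za-z]:\\[^\"\s]+?\.inf)", re.IGNORECASE)
DRIVER_DROP_RE = re.compile(r"\\Windows\\System32\\drivers\\[^\\]+\.sys$", re.IGNORECASE)
DRIVER_INSTALLERS = {"drvinst.exe", "dpinst.exe", "dpinst64.exe", "pnputil.exe"}
# Assumed allowlist: the automatic root update (CryptSvc) runs inside svchost. Tune per fleet.
EXPECTED_STORE_WRITERS = {"svchost.exe", "lsass.exe"}


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Map one event to a (tag, detail) pair, or None if it is not interesting."""
    img = image_name(ev["Image"])
    if ev["EventID"] == 13:
        m = CERT_STORE_RE.search(ev["TargetObject"])
        # Any unexpected writer, or any writer running from a user-writable path, fires.
        if m and (img not in EXPECTED_STORE_WRITERS or USER_WRITABLE_RE.search(ev["Image"])):
            return "cert_store_write", f"{img} added {m['thumb'].upper()} to {m['store']}"
    elif ev["EventID"] == 1 and img in DRIVER_INSTALLERS:
        m = INF_RE.search(ev["CommandLine"])
        if m and USER_WRITABLE_RE.search(m["inf"]):
            return "driver_install_from_temp", f"{img} installing {m['inf']}"
    elif ev["EventID"] == 11 and DRIVER_DROP_RE.search(ev["TargetFilename"]):
        return "driver_dropped", f"{img} wrote {ev['TargetFilename']}"
    return None


def correlate(events, window=timedelta(minutes=10)):
    """Emit one medium finding per interesting event, plus one high finding when a
    driver install from a user-writable path follows a trust-store write on the
    same host within `window`."""
    hits = []
    for ev in events:
        hit = classify(ev)
        if hit:
            hits.append((datetime.fromisoformat(ev["UtcTime"]), ev["Host"], *hit))
    hits.sort()
    findings = []
    for when, host, tag, detail in hits:
        findings.append({"host": host, "severity": "medium", "tag": tag, "detail": detail})
        if tag == "driver_install_from_temp":
            trust = [d for t0, h0, tg, d in hits
                     if h0 == host and tg == "cert_store_write" and when - window <= t0 <= when]
            if trust:
                findings.append({"host": host, "severity": "high", "tag": "driver_trust_bootstrap",
                                 "detail": detail + "; preceded by " + "; ".join(trust)})
    return findings


THUMB = "A" * 40  # constructed thumbprint, not one observed in the sandbox run
DPSCAT = r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\dpscat.exe"
SAMPLE_EVENTS = [  # constructed events modelled on the process tree in this report
    {"EventID": 13, "UtcTime": "2023-12-23 17:46:03", "Host": "WS01", "Image": DPSCAT,
     "TargetObject": rf"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\{THUMB}\Blob"},
    {"EventID": 13, "UtcTime": "2023-12-23 17:46:03", "Host": "WS01", "Image": DPSCAT,
     "TargetObject": rf"HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\{THUMB}\Blob"},
    {"EventID": 1, "UtcTime": "2023-12-23 17:46:20", "Host": "WS01",
     "Image": r"C:\Windows\system32\DrvInst.exe",
     "CommandLine": r'DrvInst.exe "4" "8" "C:\Users\Admin\AppData\Local\Temp\{ea00bcd4-b3e7-be40-9efb-87a6a998be48}\xbox_one_gamepad.inf" "9" "46304250f"'},
    {"EventID": 11, "UtcTime": "2023-12-23 17:46:21", "Host": "WS01",
     "Image": r"C:\Windows\system32\DrvInst.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\libusb0.sys"},
    # Benign noise: the automatic root update writing to Root from svchost must not fire.
    {"EventID": 13, "UtcTime": "2023-12-23 17:50:00", "Host": "WS02",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": rf"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\{'B' * 40}\Blob"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["host"], f["tag"], "-", f["detail"])
```

Sysmon does not log registry reads, so the SCSI and Geo lookups in the signature list cannot be detected this way; the writes and the process creation are what survive in telemetry. The allowlist keeps the automatic root update quiet, but any writer started from a user-writable directory is flagged regardless of its name.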

Processes

  • C:\Users\Admin\AppData\Local\Temp\2.1\XboxOneGamePad.exe
    "C:\Users\Admin\AppData\Local\Temp\2.1\XboxOneGamePad.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3172
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\dpscat.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\dpscat.exe"
      2⤵
      • Manipulates Digital Signatures
      • Executes dropped EXE
      • Modifies system certificate store
      PID:3748
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\dpinst64.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\dpinst64.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      PID:1160
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4252
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "8" "C:\Users\Admin\AppData\Local\Temp\{ea00bcd4-b3e7-be40-9efb-87a6a998be48}\xbox_one_gamepad.inf" "9" "46304250f" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "c:\users\admin\appdata\local\temp\7zipsfx_000"
      2⤵
      • Manipulates Digital Signatures
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:636
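
The tree above has two roots: the sample's own lineage and a separate svchost.exe hosting the DeviceInstall service, which spawns DrvInst.exe to do the actual driver installation. The System32 and Windows file drops therefore show up under a system process rather than under the sample. The following parser is an added example, not tooling from the sandbox vendor: it turns the indented listing (copied verbatim into PROCESSES_TEXT) into a tree and attributes each signature to the PID that raised it, including effects brokered by the system service on the sample's behalf.

```python
"""Parse the indented Processes listing of this report into a tree and attribute
each signature to the process that raised it. PROCESSES_TEXT is the listing
copied from the report; the parser is an added example."""
import re
from collections import defaultdict

PROCESSES_TEXT = r"""
  • C:\Users\Admin\AppData\Local\Temp\2.1\XboxOneGamePad.exe
    "C:\Users\Admin\AppData\Local\Temp\2.1\XboxOneGamePad.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3172
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\dpscat.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\dpscat.exe"
      2⤵
      • Manipulates Digital Signatures
      • Executes dropped EXE
      • Modifies system certificate store
      PID:3748
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\dpinst64.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\dpinst64.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      PID:1160
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4252
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "8" "C:\Users\Admin\AppData\Local\Temp\{ea00bcd4-b3e7-be40-9efb-87a6a998be48}\xbox_one_gamepad.inf" "9" "46304250f" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "c:\users\admin\appdata\local\temp\7zipsfx_000"
      2⤵
      • Manipulates Digital Signatures
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:636
"""

BULLET_RE = re.compile(r"^\s*• (?P<text>.+)$")
DEPTH_RE = re.compile(r"^\s*(?P<depth>\d+)⤵\s*$")
PID_RE = re.compile(r"^\s*PID:(?P<pid>\d+)\s*$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_tree(text):
    """Bullets that start with a drive path open a process; other bullets are its
    signatures; 'N⤵' gives the depth and links the node to the last node one level up."""
    nodes, node, last_at_depth = [], None, {}
    for line in text.splitlines():
        b = BULLET_RE.match(line)
        if b and PATH_RE.match(b["text"]):
            node = {"image": b["text"].strip(), "cmdline": None, "pid": None,
                    "depth": None, "parent": None, "signatures": []}
            nodes.append(node)
        elif node is None or not line.strip():
            continue
        elif b:
            node["signatures"].append(b["text"].strip())
        elif (d := DEPTH_RE.match(line)):
            node["depth"] = int(d["depth"])
            parent = last_at_depth.get(node["depth"] - 1)  # parent's PID line precedes children
            node["parent"] = parent["pid"] if parent else None
            last_at_depth[node["depth"]] = node
        elif (p := PID_RE.match(line)):
            node["pid"] = int(p["pid"])
        elif node["cmdline"] is None:
            node["cmdline"] = line.strip()  # first non-bullet line after the image is the command line
    return nodes


def by_signature(nodes):
    """Signature name -> PIDs that raised it, in listing order."""
    out = defaultdict(list)
    for n in nodes:
        for s in n["signatures"]:
            out[s].append(n["pid"])
    return dict(out)


def root_of(nodes, pid):
    """Follow parent links to the top of the tree (the sample, or a system broker)."""
    index = {n["pid"]: n for n in nodes}
    while index[pid]["parent"] is not None:
        pid = index[pid]["parent"]
    return pid


def brokered_effects(nodes, sample_pid):
    """Signatures raised outside the sample's own lineage, i.e. work done on its
    behalf by a system service (here DeviceInstall -> DrvInst.exe)."""
    return {n["pid"]: n["signatures"] for n in nodes
            if n["signatures"] and root_of(nodes, n["pid"]) != sample_pid}


NODES = parse_tree(PROCESSES_TEXT)
```

When hunting across a fleet, the brokered effects are the ones to query by: the sample and its dropped helpers are transient files in Temp, while the driver files written by DrvInst.exe under System32 and the certificate it trusted persist after the installer is gone.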

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\Xbox_One_GamePad.inf

    Filesize

    8KB

    MD5

    b1b6aef89c26a6bfbe44ec849b441d9e

    SHA1

    fb8290b90cdec6361473612a6c091cc81802576b

    SHA256

    390e4f6264039b8648742e294b3576af253fffdb83fe73cfec227c77e67ec61a

    SHA512

    5fd6cb7b0877453c039c6264fb892119a2b7c8f3abdec09e1a4fd397a4e1df69fc4add1b7b168ea8bce5ba32d68ff525660529056f717c019b1bfa2b999f6bb6

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\amd64\libusb0.dll

    Filesize

    74KB

    MD5

    1d8215f7f8cd02a553499b534ccfb4d5

    SHA1

    bab236f840f1521c43bcbaa2a7b92f14f329bc70

    SHA256

    4f18b5d2c28aa66b648c8683c6d09b52b92cbbee85984bbefad5f38a64bc2a14

    SHA512

    79ef4b25f16b2f2f37605298470ba9c4600e724e4b52d589add7d48816f656b93c082b5c65669e50e0546865063a068d26390e6ec7fbab66c3726e49a3779d69

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\amd64\libusb0.sys

    Filesize

    51KB

    MD5

    16e18ced459b1824234890386ee66cd5

    SHA1

    81d2b572ec0d24aba11ed6bfa9174ffad54140b7

    SHA256

    8058f2afe6ef96a7d2ded432997fd8655970c9ea75a938ee4557d6a2cb4cc989

    SHA512

    b0e67d040d39f043305b0c172906bbea8341f1326108f5c5a0379cd6b287d62cbd86270385713d0f6a14c5106a5a6c23f6247a303e6124cb3e33982978505c98

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\amd64\libusbk.dll

    Filesize

    96KB

    MD5

    c7ddca593b4b77627b82043ba3b496cf

    SHA1

    d6bb0fa60556afd6d7fde70e5a1e53e364460e81

    SHA256

    83a9a1c6a09bcef78c7336ad9f27ae74e47672b974efdcda7c8ea9f169dd20e1

    SHA512

    aebd28d1f01d0a3093451712f819eedb32220a4b7651cb70be27c444552f36d4a6fa3de9d3f54b68c84ac51fdba1442d2983a7fa458dd6c1abe07f7a8442842d

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\dpinst.xml

    Filesize

    160B

    MD5

    6137422c5d76cfac8a2bff771aeb8e1c

    SHA1

    a2d2c3face6964912ae6c6449d338dc08c9e673d

    SHA256

    11fb671ef239b3b3553320d63254904f5941d7c20f872c8be2509e04f1976087

    SHA512

    d43bec5b2e7b587ad9ec366924a773cf4506954b3b6fbb6d138a4c8adae154c876474325b9181e33cddd2bda892d4961a61c3562c7eea549c04b6a5883ffe074

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\dpinst64.exe

    Filesize

    119KB

    MD5

    e8d2db3e1bae316ceaae09482f1647f5

    SHA1

    791bec58419eba734e1073e099818a925c31c6bc

    SHA256

    46a6b22c25fd875265ae63b3b661e444afe528beabe2a3144cad296a24e8b1e6

    SHA512

    089a1fb8172590367f8ec66e77447288ff1773c744b491a1c4f11a14df9a72b1638d5b3085422054955906d34f537457683792182333686ad7255f7d6f80a795

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\dpinst64.exe

    Filesize

    1.0MB

    MD5

    be3c79033fa8302002d9d3a6752f2263

    SHA1

    a01147731f2e500282eca5ece149bcc5423b59d6

    SHA256

    181bf85d3b5900ff8abed34bc415afc37fc322d9d7702e14d144f96a908f5cab

    SHA512

    77097f220cc6d22112b314d3e42b6eedb9ccd72beb655b34656326c2c63fb9209977ddac20e9c53c4ec7ccc8ea6910f400f050f4b0cb98c9f42f89617965aaea

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\dpscat.exe

    Filesize

    35KB

    MD5

    365257a15aee00a58921d0b633b8b916

    SHA1

    4b72312e2253c42ce9dd7ce29390ca93313d1baa

    SHA256

    35b2cfde5f214fd4cb7579960060e0cf3148428f927c035dbda253e4d00943b2

    SHA512

    53dfa9332ddf2a265a529d2a46de9e79f8f8c7264a6bd507856a7fd223e0a5de8dcd8752b10fd8cbff4de8ad1aab7d880bde4ef8c48af1c1a2b8e30d303ebc70

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\x86\libusb0_x86.dll

    Filesize

    66KB

    MD5

    535779909a40b42f4f3e48598f5778a5

    SHA1

    3a238468009a6dea3e4f70821339185e56ea3b69

    SHA256

    00caca07869b19d10b370552ac7cc2f6f2ee246fc15db11650f6cd3f4ef9b666

    SHA512

    723b42c3df960f031343b9bb74a55ab874cd1f740a187a58bfecdad78876dd227392f18f6faea33e743593511a12635ef6419bb68d4361c6631584ebc8838e80

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx_000\x86\libusbk_x86.dll

    Filesize

    81KB

    MD5

    f513a9294b0347fa30b739f9f9bff866

    SHA1

    f4b0408f2922251adde0656c7b9f4c1e8e60b0ef

    SHA256

    d1a8bded0b4a57bdee0b87c569a665c432f41dfa47ff4489d69847845cb7a31c

    SHA512

    e819afa7296739a9b2c0a198ea3e6a57fab98146caca7de9c2dfc9dcc94be3828201de7559928dc9064371a7c3adb70d86e1d6a6f462860b7160cb377605e4b3

  • C:\Windows\System32\CatRoot2\dberr.txt

    Filesize

    151KB

    MD5

    3df0d93e84c2ad8516231e54145e86d0

    SHA1

    df5198a1a195e6e1649af3fe8f77562c57ec191c

    SHA256

    1ea4dfbffe6d7ca10cbad1437736583ee1a132ab7d9ad52201d0143cd573b16c

    SHA512

    098236955fc6819c51f7bcd40b592579cc15016a3aa0780c73cf6c7f8ed03e7b186c0a0cc24ca0f7c2a494ecb77cb347400dc368c6623c138c45e456cf3e7312

  • \??\c:\users\admin\appdata\local\temp\7ZIPSF~1\XBOX_O~1.CAT

    Filesize

    4KB

    MD5

    4d9cb53cda70e2fae11e9ae418ef4cf0

    SHA1

    931941cb7b609c045e74b3ca48c3e1192827c42e

    SHA256

    296bdfc8d018b06d67b91eba6d03507bbf6a2bc95063e2aff632fcb1456181e0

    SHA512

    5f42bc5392d43226d512bfce216fe5f57c7d42f6d6a68fc6f8beac5c5efe82492e3becd51b000145f6ed5fa858f7e5bc7df75cd50a1a50587a36a563774e3983