908babf5e35f2c31922744e1bf78990f9c1edbc5f7c1ce950812e920e60da1e9

General

Target

x360ce.exe
Size

14.7MB
MD5

be80f3348b240bcee1aa96d33fe0e768
SHA1

40ea5de9a7a15f6e0d891cd1ba4bca8519bb85ed
SHA256

74faf334cb0bdd3e9dfab8c323d4eb3b9b089bcaadc7dbd639d9aa93a4f6f829
SHA512

dfb3b191152981f21180e93597c7b1891da6f10b811db2c8db9f45bbecc9feb54bc032bdd648c7ad1134e9b09e5e2b9705d5e21294e1ae328a4390350745536a
SSDEEP

196608:n+/7/fO/vBSVnf+viDyJBwhsCArf+viDyJBQhsCAaIF/f+viDyJBaF9hsCA6EJ0k:nX/vu0Bwhs8vu0BQhsvFOvu0BaF9hsR

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 4 IoCs

Processes:

x360ce.exe

description	ioc	process
File created	C:\Windows\INF\c_diskdrive.PNF	x360ce.exe
File created	C:\Windows\INF\c_processor.PNF	x360ce.exe
File created	C:\Windows\INF\c_volume.PNF	x360ce.exe
File created	C:\Windows\INF\c_monitor.PNF	x360ce.exe

Loads dropped DLL 1 IoCs

Processes:

x360ce.exe

pid process

364 x360ce.exe

Checks SCSI registry key(s) 3 TTPs 28 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

x360ce.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	x360ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	x360ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	x360ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	x360ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	x360ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	x360ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	x360ce.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

x360ce.exe

pid	process
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe
364	x360ce.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

x360ce.exe

description pid process

Token: SeDebugPrivilege 364 x360ce.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

x360ce.exe

pid process

364 x360ce.exe
364 x360ce.exe
364 x360ce.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

x360ce.exe

pid process

364 x360ce.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

x360ce.exe

pid process

364 x360ce.exe

description	pid	process
Token: SeDebugPrivilege	364	x360ce.exe

C:\Users\Admin\AppData\Local\Temp\x360ce.exe
"C:\Users\Admin\AppData\Local\Temp\x360ce.exe"
1⤵
- Drops file in Windows directory
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:364

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k devicesflow -s DevicesFlowUserSvc
1⤵
PID:1376

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\INF\c_monitor.PNF

Filesize
6KB

MD5
f6fd140537140509171e2771c38534b4

SHA1
7a851875992006a7d9d3a474ce887df7794141ed

SHA256
299ed273d32805ffd4da3e78b7e73390ca68c2eb377481d76b57829c3bae6da1

SHA512
45914e85e3473b7dec1710be5e0bbb5ec6abae08b060c06ab0018aa54c5ecde2bd3ce6fd96c6ae37916e846839656fc988cc22a81d05b51f689b920477ae035f

Download Submit
C:\Windows\INF\c_processor.PNF

Filesize
5KB

MD5
faae33656c78deb72ff9b3bdd673fa3a

SHA1
302b1f074d5a50636fafb2232e7928a05b05a30a

SHA256
9836057b14021082e33547621ebaa4c1e6ec7a314f9d6e3e683695843b2a3b12

SHA512
5d5d17a3702255b8e0093734885d8adc44f52d5057f5566b30032551494aeb43ab149c98a686eac5f680f470f24c6bc7883343789584573add2cac01066ea7ce

Download Submit
C:\Windows\INF\c_volume.PNF

Filesize
4KB

MD5
9928873d826d3c2b28fc34de6a8d258b

SHA1
004ce000c9a45c754b4b8683d04bad69399ede12

SHA256
7a0b2d514fc79377984e382dbb0069891895d6c6410625c4978ab3cfcd094ff3

SHA512
4ab53c58c0a7db9ed96f8483012b2f7cdfb9647d7ff10eb5eade9c54bf8ffc4013e35fc141b6f84d2d02a06d476591f8dc6fb2f31f8dd54c8d944fd8228cdef0

Download Submit
\ProgramData\X360CE\Temp\ViGEmClient.dll.84A31178\ViGEmClient.dll

Filesize
29KB

MD5
a8781afcba77ccb180939fdbd5767168

SHA1
3cb4fe39072f12309910dbe91ce44d16163d64d5

SHA256
02b50cbe797600959f43148991924d93407f04776e879bce7b979f30dd536ba9

SHA512
8184e22bb4adfcb40d0e0108d2b97c834cba8ab1e60fee5fd23332348298a0b971bd1d15991d8d02a1bc1cc504b2d34729ed1b8fea2c6adb57e36c33ac9559e9

Download Submit
memory/364-27-0x000002096C9C0000-0x000002096C9C8000-memory.dmp

Filesize
32KB

Download
memory/364-28-0x000002094EB60000-0x000002094EB70000-memory.dmp

Filesize
64KB

Download
memory/364-8-0x000002094EB60000-0x000002094EB70000-memory.dmp

Filesize
64KB

Download
memory/364-9-0x000002096BBB0000-0x000002096BBD0000-memory.dmp

Filesize
128KB

Download
memory/364-10-0x000002094EB60000-0x000002094EB70000-memory.dmp

Filesize
64KB

Download
memory/364-22-0x000002096C870000-0x000002096C88C000-memory.dmp

Filesize
112KB

Download
memory/364-23-0x000002096C890000-0x000002096C8BC000-memory.dmp

Filesize
176KB

Download
memory/364-24-0x000002096C8C0000-0x000002096C90A000-memory.dmp

Filesize
296KB

Download
memory/364-26-0x000002094EB60000-0x000002094EB70000-memory.dmp

Filesize
64KB

Download
memory/364-25-0x000002096C940000-0x000002096C962000-memory.dmp

Filesize
136KB

Download
memory/364-0-0x000002094D910000-0x000002094E7D2000-memory.dmp

Filesize
14.8MB

Download
memory/364-6-0x000002096A330000-0x000002096A37A000-memory.dmp

Filesize
296KB

Download
memory/364-4-0x00000209692E0000-0x00000209696BA000-memory.dmp

Filesize
3.9MB

Download
memory/364-41-0x00007FFA4D4D0000-0x00007FFA4DEBC000-memory.dmp

Filesize
9.9MB

Download
memory/364-42-0x000002094EB60000-0x000002094EB70000-memory.dmp

Filesize
64KB

Download
memory/364-43-0x000002094EB60000-0x000002094EB70000-memory.dmp

Filesize
64KB

Download
memory/364-44-0x000002094EB60000-0x000002094EB70000-memory.dmp

Filesize
64KB

Download
memory/364-45-0x000002094EB60000-0x000002094EB70000-memory.dmp

Filesize
64KB

Download
memory/364-46-0x000002094EB60000-0x000002094EB70000-memory.dmp

Filesize
64KB

Download
memory/364-47-0x000002094EB60000-0x000002094EB70000-memory.dmp

Filesize
64KB

Download
memory/364-48-0x000002094EB60000-0x000002094EB70000-memory.dmp

Filesize
64KB

Download
memory/364-2-0x000002094EB60000-0x000002094EB70000-memory.dmp

Filesize
64KB

Download
memory/364-3-0x0000020968C40000-0x0000020968DD2000-memory.dmp

Filesize
1.6MB

Download
memory/364-1-0x00007FFA4D4D0000-0x00007FFA4DEBC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads