Analysis

  • max time kernel: 263s
  • max time network: 248s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 12/03/2024, 18:44

General

  • Target: Exo_AA_software.exe
  • Size: 6.6MB
  • MD5: 8b5eeeeed392e1ae5bad0b5a94c5690b
  • SHA1: da3ad5180bd3bb9021c8b9eec256c1e2aecd3b4f
  • SHA256: 3fa20a022ceafed663d70a0d7d41c2efe9fb185f1f9d2ed947e608c6076e9fae
  • SHA512: 42fe98a71de00f25e3628ca82a78c32338abf2214e7d6958335e381d3890cbc55d02473b6aade8ab7192d883fa04bb30e9d1a749d7e7e5265d8dec5af77e31ee
  • SSDEEP: 98304:R0Wrsjet17vxLYLD++e2+S1ycVzjr5epB1W9DkfjsbQ1/cbAK54oMjU1:Ui1dYBe2+SA0TczP+RMjU

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 5 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 17 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe
    "C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3984
    • C:\Windows\SYSTEM32\msiexec.exe
      msiexec /i C:\Users\Admin\AppData\Local\Temp\TMP60EC.tmp /quiet
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4056
    • C:\Users\Admin\AppData\Local\Temp\TMP7427.tmp
      C:\Users\Admin\AppData\Local\Temp\TMP7427.tmp /install
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      PID:5104
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3748
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C40F007A9B2DA01EE5A8378AF9EB0447 E Global\MSI0000
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe
        "C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe" install "C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\ViGEmBus.inf" Nefarius\ViGEmBus\Gen1
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Modifies data under HKEY_USERS
        PID:2212
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "1" "c:\program files\nefarius software solutions\virtual gamepad emulation bus driver\vigembus.inf" "9" "429a86e87" "0000000000000134" "WinSta0\Default" "0000000000000164" "208" "c:\program files\nefarius software solutions\virtual gamepad emulation bus driver"
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:3332
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem3.inf" "oem3.inf:c14ce88408607219:ViGEmBus_Device:1.17.333.0:nefarius\vigembus\gen1," "429a86e87" "0000000000000134"
      2⤵
      • Drops file in Drivers directory
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      PID:2956
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2532
  • C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe
    "C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Users\Admin\AppData\Local\Temp\TMPA2A4.tmp
      C:\Users\Admin\AppData\Local\Temp\TMPA2A4.tmp Run
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2416
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\System32\explorer.exe" C:\Users\Public\Documents\ConfigCSAConfigs
        3⤵
        PID:4928
      • C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe
        "C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe"
        3⤵
        • Executes dropped EXE
        PID:2096
      • C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe
        "C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe"
        3⤵
        • Executes dropped EXE
        PID:412
      • C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe
        "C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe"
        3⤵
        • Executes dropped EXE
        PID:3352
      • C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe
        "C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe"
        3⤵
        • Executes dropped EXE
        PID:4800
      • C:\Users\Public\Documents\ConfigCSA\ConfigCSAEngine.exe
        "C:\Users\Public\Documents\ConfigCSA\ConfigCSAEngine.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4656
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c tasklist | findstr /i "dnspy"
          4⤵
          PID:3640
          • C:\Windows\system32\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            PID:4804
          • C:\Windows\system32\findstr.exe
            findstr /i "dnspy"
            5⤵
            PID:5072
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:448
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Loads dropped DLL
    • Checks SCSI registry key(s)
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4968

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e5765b2.rbs
    Filesize: 8KB
    MD5: 456ef623e55f96b2b391714bf9bbae7b
    SHA1: a2d3749393f2be1eef8f7fe76218021c2a91d119
    SHA256: 1d165f7efb7cae7d65bb65772776c52e0727100664f95ba82e5a910031aa8a6a
    SHA512: 30815a868a7934f1ef8a7d2892b68fce7f666917ecc352dee78abe856959bac7d65484b4c70e09070f420a9dfffe6527450d5cab16c72199cd93d20db31b5222
  • C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\ViGEmBus.inf
    Filesize: 3KB
    MD5: cd0027aa0f5a8a47a6596d880f06964b
    SHA1: 167b62bfd7471179cf68cb5b2f83c8365edf4875
    SHA256: 634b032a33cecbf2e43c46c5896a3c359cdda452c632da6396452419ffa301d6
    SHA512: 19563a3fc7d985ee48a158f6f051e5b8ba200a092b2f1e902024aa9c6a8d6f5a6f04b80c8ea0587bd23802dcfd7775a7a625164387ae61ded5124ccea61b8ef9
  • C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe
    Filesize: 494KB
    MD5: 68d2ea8e31ce2f290c19611732d7c104
    SHA1: 9f72145d9b96a1c838041a3b1815835470018e33
    SHA256: 6591ea75bd60ab2e094b078ffe3de9011694a975c5c84ae8103aa18a73093dc3
    SHA512: 918ed578dc0c92e20a04536aaebaed7b0de4dfff49ff83ef5ee031e67862a687e40be59bd734e7d0d9da3189e6f586bf253a01cd3dd2b6e8b818f2dd251aea58
  • C:\Users\Admin\AppData\Local\Temp\TMP60EC.tmp
    Filesize: 856KB
    MD5: d8d2cff2eae7f1d956e3f8a2edaf891d
    SHA1: bc33e35ed5d60c492bd6733462bd6cbc19c2cd59
    SHA256: 5abbba8a4a07aaaeb50b4666183b2f243e0e5ad288026d2a9f3595ed237c4b28
    SHA512: 50d98dd7d81e309cf764da7d40e321270f2e5ebc387d7b35ddb414c2efcfaa1bf302e51d5dfd3fa4cf871a3449705dc5e57466a3e97fdd5c16f5af3cd3051447
  • C:\Users\Admin\AppData\Local\Temp\TMP7427.tmp
    Filesize: 459KB
    MD5: 0f0b50d92e030b8965ce669c8058fa6e
    SHA1: 257b3f0402285a29f4618b32958c208b3e9d4c4d
    SHA256: e137863a79da797f08e7a137280ff2a123809044a888fd75ce9c973198915abe
    SHA512: fc7c384fd6f682ad01b598abf87c522b38068f4488cea6dc7bd6dedd66e995e4d8fb583c54c6afed0c4c7a9a2318bb6ed257bb3cbd0e48fae83a7819d1167d79
  • C:\Users\Admin\AppData\Local\Temp\TMPA2A4.tmp
    Filesize: 119KB
    MD5: fd813c4110a3132b5f209aa74bf613c5
    SHA1: b2845351b7b2f8a8bb9f8971811ad40905a46f4d
    SHA256: 88e9af50aa27fe4072de001b5b90bd9a970f36fdf1d87b084f6f54f86959a4b2
    SHA512: 3c2ca18fe57cf01390773dee48d1c7a3b8e7048755a37b9e7c5dcabdcd9d402d539713dc6f48c5a68ee9293b113acb175112c02bdde7f9152bfdc7dcc0800009
  • C:\Users\Public\Documents\ConfigCSA\ConfigCSAEngine.exe
    Filesize: 491KB
    MD5: b77ba203f4d3c2830835567a4fcd8ad7
    SHA1: a6f908b61cefaf2584aca5ad712deba1d4fba09b
    SHA256: 378dff510775d05a87b7099ddf665a5d70add7fbdb6c9278784702a81ab5c024
    SHA512: 5d7b359a508749279dd7edbd87f65dc46b6ede414bcec8f30fbc28c8a6fdc10cb7c05148065a4886929ac931f1199263f15ae4e4a0feb43f6ccd8c722b91a005
  • C:\Users\Public\Documents\ConfigCSA\Login
    Filesize: 38B
    MD5: 1da00f9e1f81a7d6e8a241337c5c9d92
    SHA1: a623f97ec3316fea8d4636743547aae9181b5eb0
    SHA256: 5384d62fd035e13cd43fb57be42cf515749ea9af08ba32f373ac082aab704f0e
    SHA512: dc173fec66902fcc307f5247cfaee4b4423744b44b549d64b41fd739eac8b7d87967ecd1b2cf7c1d96f0f52135c58c86181f38920d5ce88aac29e58dc582e808
  • C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe
    Filesize: 26KB
    MD5: ec605ecb2f3314e8eaa1a0e96fb580be
    SHA1: b35625d08757b08c2bcc71e9774f8ecb9200930c
    SHA256: cb4c6cd4cba2c0ff4094ea1fbb30527bce230382a3a068b1a6285b433760f020
    SHA512: 737cc96bf07357379bbbcc1caccf8ed1c4f7d49987dac9a53c7a9428da949ec4ebc1134f0a94461a24cf8c5f7e6bd174efa285febb5eebb945426ddfa2e151b2
  • C:\Windows\Installer\MSI6CB5.tmp
    Filesize: 211KB
    MD5: a3ae5d86ecf38db9427359ea37a5f646
    SHA1: eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
    SHA256: c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
    SHA512: 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
  • \??\c:\PROGRA~1\NEFARI~1\VIRTUA~1\ViGEmBus.sys
    Filesize: 161KB
    MD5: 87fe350c6ffe8d60ce58dbc16a2d091e
    SHA1: 7e2727a31c54df2fe4fba73a6b0537afa5faf534
    SHA256: 8fb8402b7266fa9b9ea8841708317c8c25367b2947eeda9b6462c0e4801f05a4
    SHA512: f892b87a8d45ddb14a99e736eff26f7257c492dade5754362acf4d2522927c337dd3d6ec4d47b0553681764e5cf15db61f8a96098889a7b5a56c052b53dced63
  • \??\c:\program files\nefarius software solutions\virtual gamepad emulation bus driver\ViGEmBus.cat
    Filesize: 10KB
    MD5: 5312064607460baaa4562aabc42b8922
    SHA1: c8a0758e5ae7158acb0f6f111ad298fbc0b1a2ae
    SHA256: 58b8a1bf9160fd4310a183b3431580eda2bc0a5ecaac2e0fbd6399184ff02404
    SHA512: dcfc68f09d339695aa3b8eea02a7adafc21473d259df9d6dd7cbb7d29fb8f3ff9b3184f8921d9f829c665b1447ebec7ce97729914fb7367bf6e07d9fd02d2aba
  • memory/2416-137-0x000000000A820000-0x000000000A858000-memory.dmp
    Filesize: 224KB
  • memory/2416-130-0x0000000004F30000-0x0000000004F40000-memory.dmp
    Filesize: 64KB
  • memory/2416-145-0x0000000004F30000-0x0000000004F40000-memory.dmp
    Filesize: 64KB
  • memory/2416-144-0x0000000004F30000-0x0000000004F40000-memory.dmp
    Filesize: 64KB
  • memory/2416-193-0x0000000074E50000-0x0000000075600000-memory.dmp
    Filesize: 7.7MB
  • memory/2416-127-0x0000000074E50000-0x0000000075600000-memory.dmp
    Filesize: 7.7MB
  • memory/2416-128-0x0000000000590000-0x00000000005B4000-memory.dmp
    Filesize: 144KB
  • memory/2416-134-0x0000000004F30000-0x0000000004F40000-memory.dmp
    Filesize: 64KB
  • memory/2416-133-0x0000000006890000-0x0000000006DBC000-memory.dmp
    Filesize: 5.2MB
  • memory/2416-131-0x0000000006190000-0x0000000006352000-memory.dmp
    Filesize: 1.8MB
  • memory/2416-160-0x000000000CB40000-0x000000000D0E4000-memory.dmp
    Filesize: 5.6MB
  • memory/2416-143-0x0000000004F30000-0x0000000004F40000-memory.dmp
    Filesize: 64KB
  • memory/2416-129-0x0000000004F30000-0x0000000004F40000-memory.dmp
    Filesize: 64KB
  • memory/2416-135-0x000000000AF30000-0x000000000AFC2000-memory.dmp
    Filesize: 584KB
  • memory/2416-136-0x000000000AEA0000-0x000000000AEA8000-memory.dmp
    Filesize: 32KB
  • memory/2416-173-0x0000000004F30000-0x0000000004F40000-memory.dmp
    Filesize: 64KB
  • memory/2416-138-0x000000000A800000-0x000000000A80E000-memory.dmp
    Filesize: 56KB
  • memory/2416-142-0x0000000004F30000-0x0000000004F40000-memory.dmp
    Filesize: 64KB
  • memory/2416-141-0x0000000074E50000-0x0000000075600000-memory.dmp
    Filesize: 7.7MB
  • memory/2640-140-0x00007FF7AE6D0000-0x00007FF7AF402000-memory.dmp
    Filesize: 13.2MB
  • memory/2640-194-0x00007FF7AE6D0000-0x00007FF7AF402000-memory.dmp
    Filesize: 13.2MB
  • memory/2640-121-0x00007FF7AE6D0000-0x00007FF7AF402000-memory.dmp
    Filesize: 13.2MB
  • memory/2640-119-0x00007FF7AE6D0000-0x00007FF7AF402000-memory.dmp
    Filesize: 13.2MB
  • memory/3984-114-0x00007FF7AE6D0000-0x00007FF7AF402000-memory.dmp
    Filesize: 13.2MB
  • memory/3984-117-0x00007FF7AE6D0000-0x00007FF7AF402000-memory.dmp
    Filesize: 13.2MB
  • memory/3984-2-0x00007FFB4D900000-0x00007FFB4D902000-memory.dmp
    Filesize: 8KB
  • memory/3984-3-0x00007FF7AE6D0000-0x00007FF7AF402000-memory.dmp
    Filesize: 13.2MB
  • memory/3984-0-0x00007FFB4D8F0000-0x00007FFB4D8F2000-memory.dmp
    Filesize: 8KB
  • memory/3984-1-0x00007FF7AE6D0000-0x00007FF7AF402000-memory.dmp
    Filesize: 13.2MB
  • memory/4656-174-0x000001D11F6C0000-0x000001D11F6F7000-memory.dmp
    Filesize: 220KB
  • memory/4656-192-0x000001D11F6C0000-0x000001D11F6F7000-memory.dmp
    Filesize: 220KB
  • memory/4968-186-0x000002F233970000-0x000002F233971000-memory.dmp
    Filesize: 4KB
  • memory/4968-185-0x000002F233970000-0x000002F233971000-memory.dmp
    Filesize: 4KB
  • memory/4968-187-0x000002F233970000-0x000002F233971000-memory.dmp
    Filesize: 4KB
  • memory/4968-188-0x000002F233970000-0x000002F233971000-memory.dmp
    Filesize: 4KB
  • memory/4968-189-0x000002F233970000-0x000002F233971000-memory.dmp
    Filesize: 4KB
  • memory/4968-190-0x000002F233970000-0x000002F233971000-memory.dmp
    Filesize: 4KB
  • memory/4968-191-0x000002F233970000-0x000002F233971000-memory.dmp
    Filesize: 4KB
  • memory/4968-181-0x000002F233970000-0x000002F233971000-memory.dmp
    Filesize: 4KB
  • memory/4968-180-0x000002F233970000-0x000002F233971000-memory.dmp
    Filesize: 4KB
  • memory/4968-179-0x000002F233970000-0x000002F233971000-memory.dmp
    Filesize: 4KB