74faf334cb0bdd3e9dfab8c323d4eb3b9b089bcaadc7dbd639d9aa93a4f6f829

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240319-es
resource tags

arch:x64arch:x86image:win10v2004-20240319-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
03-04-2024 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x360ce.exe
Size

14.7MB
MD5

be80f3348b240bcee1aa96d33fe0e768
SHA1

40ea5de9a7a15f6e0d891cd1ba4bca8519bb85ed
SHA256

74faf334cb0bdd3e9dfab8c323d4eb3b9b089bcaadc7dbd639d9aa93a4f6f829
SHA512

dfb3b191152981f21180e93597c7b1891da6f10b811db2c8db9f45bbecc9feb54bc032bdd648c7ad1134e9b09e5e2b9705d5e21294e1ae328a4390350745536a
SSDEEP

196608:n+/7/fO/vBSVnf+viDyJBwhsCArf+viDyJBQhsCAaIF/f+viDyJBaF9hsCA6EJ0k:nX/vu0Bwhs8vu0BQhsvFOvu0BaF9hsR

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 34 IoCs

Processes:

x360ce.exe

description	ioc	process
File opened for modification	C:\Windows\INF\pci.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\mshdc.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\cpu.PNF	x360ce.exe
File created	C:\Windows\INF\c_processor.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\msmouse.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\netrtl64.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\compositebus.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\kdnic.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\disk.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\input.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\vdrvroot.PNF	x360ce.exe
File created	C:\Windows\INF\c_volume.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\usbport.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\acpi.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\mssmbios.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\rdpbus.PNF	x360ce.exe
File created	C:\Windows\INF\c_monitor.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\cdrom.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\umbus.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\hdaudbus.PNF	x360ce.exe
File created	C:\Windows\INF\c_media.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\printqueue.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\monitor.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\volume.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\vhdmp.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\spaceport.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\audioendpoint.PNF	x360ce.exe
File created	C:\Windows\INF\c_diskdrive.PNF	x360ce.exe
File created	C:\Windows\INF\c_display.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\swenum.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\volmgr.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\keyboard.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\c_swdevice.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\hdaudio.PNF	x360ce.exe

Loads dropped DLL 1 IoCs

Processes:

x360ce.exe

pid process

2828 x360ce.exe

pid	process
2828	x360ce.exe

Checks SCSI registry key(s) 3 TTPs 28 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

x360ce.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	x360ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	x360ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Mfg	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	x360ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	x360ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	x360ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	x360ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	x360ce.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

x360ce.exe

pid process

2828 x360ce.exe
2828 x360ce.exe
2828 x360ce.exe
2828 x360ce.exe
2828 x360ce.exe
2828 x360ce.exe
2828 x360ce.exe
2828 x360ce.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

x360ce.exe

description pid process

Token: SeDebugPrivilege 2828 x360ce.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

x360ce.exe

pid process

2828 x360ce.exe
2828 x360ce.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

x360ce.exe

pid process

2828 x360ce.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

x360ce.exe

pid process

2828 x360ce.exe

pid	process
2828	x360ce.exe
2828	x360ce.exe
2828	x360ce.exe
2828	x360ce.exe
2828	x360ce.exe
2828	x360ce.exe
2828	x360ce.exe
2828	x360ce.exe

description	pid	process
Token: SeDebugPrivilege	2828	x360ce.exe

pid	process
2828	x360ce.exe
2828	x360ce.exe

pid	process
2828	x360ce.exe

pid	process
2828	x360ce.exe

C:\Users\Admin\AppData\Local\Temp\x360ce.exe
"C:\Users\Admin\AppData\Local\Temp\x360ce.exe"
1⤵
- Drops file in Windows directory
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=es --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3876 --field-trial-handle=2252,i,5414749771348078149,869093153057065571,262144 --variations-seed-version /prefetch:8
1⤵
PID:1600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\X360CE\Temp\ViGEmClient.dll.84A31178\ViGEmClient.dll
Filesize
29KB

MD5
a8781afcba77ccb180939fdbd5767168

SHA1
3cb4fe39072f12309910dbe91ce44d16163d64d5

SHA256
02b50cbe797600959f43148991924d93407f04776e879bce7b979f30dd536ba9

SHA512
8184e22bb4adfcb40d0e0108d2b97c834cba8ab1e60fee5fd23332348298a0b971bd1d15991d8d02a1bc1cc504b2d34729ed1b8fea2c6adb57e36c33ac9559e9

Download Submit
C:\Windows\INF\audioendpoint.PNF
Filesize
5KB

MD5
000c7d7e817255c95d3d99da4cf816cd

SHA1
3859c7f226c5e14efd8e5f7754f2393aaeb6b361

SHA256
f256054fe973ce483b4603bf9e9b4a9e5f384221e053a36c2a532c3f2681441c

SHA512
9ccf28549e1ffb6a1039f4f4a6dfa2b5d7f7e971c50973c1a384e69a96c38d66d38c30c9238adb535eeb120feccf8f812dad9c3feffc75057acbc825fa171777

Download Submit
C:\Windows\INF\c_swdevice.PNF
Filesize
6KB

MD5
121ac29d8965ea29b910dc0816ac8630

SHA1
327f95f4806ef4ee5d1d98f8d2c45137d2cc1d7b

SHA256
68612f2abca10aad91343d982d9c8cbec42cb2c44c88d16dbb1da230c8515b99

SHA512
d2faaf9cc7087391ea5779f8e7d9399ea0010080ca19d45469cb01c1a197688c9ee911912c10f11ab41272709e12462329ffc971a9c52bf7659cd61528ff40eb

Download Submit
C:\Windows\INF\cdrom.PNF
Filesize
11KB

MD5
7abb71d0f7c4385557d580c534ea7ed8

SHA1
6f16950b4bd72ab40276bcf35caa5c90deabfd67

SHA256
bd51f43b53828381150b5daee7de33c3340670e71527adba57bf7bca6251beae

SHA512
43e0341105b008e1464dd26b74543088b1cf113f41c7211d927eb0e383fcf31c5d9241aef6dd97548b6f2b5828436eea7dbeee74e679e07242566444f451efd1

Download Submit
C:\Windows\INF\cpu.PNF
Filesize
20KB

MD5
57b905c7bb0298fd1553cc2471a9fed6

SHA1
f25c9b9297401d6146800c0bff105a831ef8b107

SHA256
afec4bf283c2042fd19009b9d89345a7c0d6a3e33d8600fe3200882c7581ff50

SHA512
47efc990c9d1e5ad7234636d6a30f00e6f0fda8ba67975f3d9030e1299c29356d3d3fa4e0c4d91f350312cf74b9789621a1d8421aa78fec7182fb7844e26633a

Download Submit
C:\Windows\INF\mshdc.PNF
Filesize
69KB

MD5
92223ae5c30cb699746c0a5e9c69799c

SHA1
8230d0462c587c34a6a4cbc8ff72cf6f0db09490

SHA256
b701a9c4088845875e16696b13c7275337adb11bd178edde53dd8286ba6263d9

SHA512
9d7e65345afe03122db85a94be297facb1bf2e36326353000b9bed85fc9bebd7608deccba0b11d37209e7098e27da6faa6a744d70ff97f2e7f985afceefc7056

Download Submit
C:\Windows\INF\msmouse.PNF
Filesize
94KB

MD5
e6f36eec4b0477435d0e60d891569820

SHA1
2b01ce1f4ed15c4211b88eb8633802f5b6949ffb

SHA256
12c2a0e8d3f725847720ae999b7a4d08d8b990595cb3e6cd917bbbc24368cc57

SHA512
67b87fb253e81d30214699b89fd5cdabb34e6872c75b396d820520d757bd0aba5d926203a180b981fbbdf17091ecd9fd98c7d921049206120111fa4eb75fa518

Download Submit
C:\Windows\INF\printqueue.PNF
Filesize
7KB

MD5
75e98b590a8cc094afed54d38d97c24c

SHA1
36706ff55b25b825df178dca1143028005ff0225

SHA256
b471379d3655bc1491dac843d113eb02fcf36cab31c87c5995f6784e79ddbf22

SHA512
ccd0ff69db1f86c33e67e79ddf23452bc0cc279a4f8564e0013739e8d33a8763f605717b1ece8299be3794b7ac7492dab4978a2deb5e5791342e6a1b6cb61f12

Download Submit
C:\Windows\INF\usbport.PNF
Filesize
153KB

MD5
65b05034d0c40c3d51f34634cb6c4391

SHA1
20eea4fe7a83bc9d033a8ea8f31855ff7b780db5

SHA256
0de50ab370e478a1b49491cf4cb293982688481fb95511643f415ebdf20079fb

SHA512
bc143118152bd34856f7ecfdbcabd9b0a887332778e044ac6c2b6466d817f635556ec4bea1d52e47d6a25830628a0dead7b1072510fba71fade1e58dee172574

Download Submit
C:\Windows\INF\volume.PNF
Filesize
5KB

MD5
ba210a2361ef05a21ab69c6d36a13c37

SHA1
f26316c3004ecb09e54ebcae057176b74c291a54

SHA256
4c4847f5d2eafeb2cf2738a980c523e59afa6de5e48d65e3f90da15d8661b45c

SHA512
e06191146d9ee358b5d9ca26f6ca35d9a5d43773c667908dbe1489bf55cfb6614170765e50b317ccec1477c53b2cb28be2a4ac9d694d1e9e66ad9d86c5d0d27c

Download Submit
memory/2828-22-0x000001DB50F10000-0x000001DB50F20000-memory.dmp

Filesize
64KB

Download
memory/2828-8-0x000001DB53CB0000-0x000001DB53E3A000-memory.dmp

Filesize
1.5MB

Download
memory/2828-25-0x000001DB53C50000-0x000001DB53C9A000-memory.dmp

Filesize
296KB

Download
memory/2828-26-0x000001DB54EC0000-0x000001DB54EE2000-memory.dmp

Filesize
136KB

Download
memory/2828-27-0x000001DB53F50000-0x000001DB54052000-memory.dmp

Filesize
1.0MB

Download
memory/2828-28-0x000001DB53E90000-0x000001DB53ED6000-memory.dmp

Filesize
280KB

Download
memory/2828-29-0x000001DB51FA0000-0x000001DB51FA8000-memory.dmp

Filesize
32KB

Download
memory/2828-30-0x000001DB53E70000-0x000001DB53E90000-memory.dmp

Filesize
128KB

Download
memory/2828-31-0x000001DB50F10000-0x000001DB50F20000-memory.dmp

Filesize
64KB

Download
memory/2828-23-0x000001DB51F70000-0x000001DB51F8C000-memory.dmp

Filesize
112KB

Download
memory/2828-0-0x00007FFFC48B0000-0x00007FFFC5371000-memory.dmp

Filesize
10.8MB

Download
memory/2828-10-0x000001DB52140000-0x000001DB52160000-memory.dmp

Filesize
128KB

Download
memory/2828-9-0x000001DB50F10000-0x000001DB50F20000-memory.dmp

Filesize
64KB

Download
memory/2828-24-0x000001DB522B0000-0x000001DB522DC000-memory.dmp

Filesize
176KB

Download
memory/2828-6-0x000001DB51280000-0x000001DB512CA000-memory.dmp

Filesize
296KB

Download
memory/2828-4-0x000001DB51470000-0x000001DB5184A000-memory.dmp

Filesize
3.9MB

Download
memory/2828-2-0x000001DB50D30000-0x000001DB50EC2000-memory.dmp

Filesize
1.6MB

Download
memory/2828-3-0x000001DB50F10000-0x000001DB50F20000-memory.dmp

Filesize
64KB

Download
memory/2828-1-0x000001DB35940000-0x000001DB36802000-memory.dmp

Filesize
14.8MB

Download
memory/2828-226-0x00007FFFC48B0000-0x00007FFFC5371000-memory.dmp

Filesize
10.8MB

Download
memory/2828-227-0x000001DB50F10000-0x000001DB50F20000-memory.dmp

Filesize
64KB

Download
memory/2828-228-0x000001DB50F10000-0x000001DB50F20000-memory.dmp

Filesize
64KB

Download
memory/2828-229-0x000001DB50F10000-0x000001DB50F20000-memory.dmp

Filesize
64KB

Download
memory/2828-230-0x000001DB50F10000-0x000001DB50F20000-memory.dmp

Filesize
64KB

Download
memory/2828-231-0x000001DB50F10000-0x000001DB50F20000-memory.dmp

Filesize
64KB

Download
memory/2828-232-0x00007FFFC48B0000-0x00007FFFC5371000-memory.dmp

Filesize
10.8MB

Download