Overview (overall score: 7)
Static: score 3
Behavioral tasks (sample, platform: score):
- dolphin-x64-5.0.exe, windows10-1703-x64: 7
- $PLUGINSDI...ns.dll, windows10-1703-x64: 3
- $PLUGINSDI...LL.dll, windows10-1703-x64: 3
- $PLUGINSDI...em.dll, windows10-1703-x64: 3
- infinst.exe, windows10-1703-x64: 4
- xinput1_3.dll, windows10-1703-x64: 1
- xinput1_3.dll, windows10-1703-x64: 1
- $TEMP/dxre...UP.dll, windows10-1703-x64: 4
- $TEMP/dxre...UP.exe, windows10-1703-x64: 4
- $TEMP/dxre...32.dll, windows10-1703-x64: 4
- dxupdate.dll, windows10-1703-x64: 3
- $TEMP/vcre...64.exe, windows10-1703-x64: 7
- Dolphin.exe, windows10-1703-x64: 6
- OpenAL32.dll, windows10-1703-x64: 1
- Sys/GameSe...r2.ps1, windows10-1703-x64: 1
- Sys/GameSe...01.ps1, windows10-1703-x64: 1
Analysis
- max time kernel: 63s
- max time network: 86s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 11-04-2024 18:29
Static task: static1
Behavioral tasks (task: sample, resource):
- behavioral1: dolphin-x64-5.0.exe (win10-20240404-en)
- behavioral2: $PLUGINSDIR/InstallOptions.dll (win10-20240404-en)
- behavioral3: $PLUGINSDIR/LangDLL.dll (win10-20240404-en)
- behavioral4: $PLUGINSDIR/System.dll (win10-20240404-en)
- behavioral5: infinst.exe (win10-20240404-en)
- behavioral6: xinput1_3.dll (win10-20240404-en)
- behavioral7: xinput1_3.dll (win10-20240404-en)
- behavioral8: $TEMP/dxredist/DSETUP.dll (win10-20240319-en)
- behavioral9: $TEMP/dxredist/DXSETUP.exe (win10-20240404-en)
- behavioral10: $TEMP/dxredist/dsetup32.dll (win10-20240404-en)
- behavioral11: dxupdate.dll (win10-20240404-en)
- behavioral12: $TEMP/vcredist/vc_redist.x64.exe (win10-20240404-en)
- behavioral13: Dolphin.exe (win10-20240404-en)
- behavioral14: OpenAL32.dll (win10-20240404-en)
- behavioral15: Sys/GameSettings/GALE01r2.ps1 (win10-20240404-en)
- behavioral16: Sys/GameSettings/GZ2J01.ps1 (win10-20240404-en)
General
- Target: $TEMP/dxredist/dsetup32.dll
- Size: 1.5MB
- MD5: d8fa7bb4fe10251a239ed75055dd6f73
- SHA1: 76c4bd2d8f359f7689415efc15e3743d35673ae8
- SHA256: fb0e534f9b0926e518f1c2980640dfd29f14217cdfa37cf3a0c13349127ed9a8
- SHA512: 73f633179b1340c1c14d0002b72e44cab1919d0ef174f307e4bfe6de240b0b6ef233e67a8b0a0cd677556865ee7b88c6de152045a580ab9fbf1a50d2db0673b4
- SSDEEP: 24576:CIQ+ddddddddddddddxOOOOOOOOOOOOOO2iWeXiWeXiWeXiWeXiWeXiWeXiWeXi+:CIQsOOOOOOOOOOOOOO2iWeXiWeXiWeXf
Malware Config
Signatures
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Logs\DXError.log | rundll32.exe
  File opened for modification | C:\Windows\Logs\DirectX.log | rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 512 | vssvc.exe
  Token: SeRestorePrivilege | 512 | vssvc.exe
  Token: SeAuditPrivilege | 512 | vssvc.exe
  Token: SeBackupPrivilege | 4400 | srtasks.exe
  Token: SeRestorePrivilege | 4400 | srtasks.exe
  Token: SeSecurityPrivilege | 4400 | srtasks.exe
  Token: SeTakeOwnershipPrivilege | 4400 | srtasks.exe
  Token: SeBackupPrivilege | 4400 | srtasks.exe
  Token: SeRestorePrivilege | 4400 | srtasks.exe
  Token: SeSecurityPrivilege | 4400 | srtasks.exe
  Token: SeTakeOwnershipPrivilege | 4400 | srtasks.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1320 wrote to memory of 2132 | 1320 | rundll32.exe | 74
  PID 1320 wrote to memory of 2132 | 1320 | rundll32.exe | 74
  PID 1320 wrote to memory of 2132 | 1320 | rundll32.exe | 74
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\rundll32.exe (PID 1320)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\dxredist\dsetup32.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2132), child of PID 1320
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\dxredist\dsetup32.dll,#1
    signatures: Drops file in Windows directory
- C:\Windows\system32\vssvc.exe (PID 512)
  command line: C:\Windows\system32\vssvc.exe
  signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\srtasks.exe (PID 4400)
  command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 238B
  MD5: 02327c6eed465863afc36380f4867fe4
  SHA1: e990c7f55e76da83b6fbf8755204a2878dff0ccd
  SHA256: 60dd6f83166a117297a4225f124feb7d472a8d27faaa82ad16d1ad59259760f0
  SHA512: ba5a78985a4c1120f0fc8c2f4614246a5aa468d13d3ecca1c7f75bf28efe32500c0c496b53f2b06cfb21074ffc9e9bc94a99053ce230e5b7732947bd21fd85e2
- Filesize: 517B
  MD5: 39ebf18bdf1b8ab3ded46b38ef075fb4
  SHA1: d345595be2922b8ed5826361db2112ba264efb8f
  SHA256: f99f9f7199c37713905cb852512900cd61c0eaf6b2c23d0710a50ae21ad706c0
  SHA512: 89509d380462b0725cce930c04f34555b0855f69ff3d06259499b5730c63d51756eec19e4f5e16732cfb26a15b8630a60ac599e64aced907bcf9d4ae1aa771ba