Overview
overview
7Static
static
3DisneyClie....5.exe
windows7-x64
7DisneyClie....5.exe
windows10-2004-x64
7$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3Adobe.exe
windows7-x64
1Adobe.exe
windows10-2004-x64
1DisneyClient.exe
windows7-x64
7DisneyClient.exe
windows10-2004-x64
7LICENSES.c...m.html
windows7-x64
1LICENSES.c...m.html
windows10-2004-x64
1d3dcompiler_47.dll
windows10-2004-x64
3ffmpeg.dll
windows7-x64
1ffmpeg.dll
windows10-2004-x64
1libEGL.dll
windows7-x64
1libEGL.dll
windows10-2004-x64
1libGLESv2.dll
windows7-x64
3libGLESv2.dll
windows10-2004-x64
3resources/app.js
windows7-x64
3resources/app.js
windows10-2004-x64
3resources/elevate.exe
windows7-x64
1resources/elevate.exe
windows10-2004-x64
1swiftshade...GL.dll
windows7-x64
1swiftshade...GL.dll
windows10-2004-x64
1swiftshade...v2.dll
windows7-x64
1swiftshade...v2.dll
windows10-2004-x64
1vk_swiftshader.dll
windows7-x64
1vk_swiftshader.dll
windows10-2004-x64
1vulkan-1.dll
windows7-x64
3vulkan-1.dll
windows10-2004-x64
3$PLUGINSDI...7z.dll
windows7-x64
3Resubmissions
28-05-2024 10:29
240528-mjl2nafe8z 7Analysis
-
max time kernel
134s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
28-05-2024 10:29
Static task
static1
Behavioral task
behavioral1
Sample
DisneyClient 1.1.5.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral2
Sample
DisneyClient 1.1.5.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Adobe.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
Adobe.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
DisneyClient.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral10
Sample
DisneyClient.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
LICENSES.chromium.html
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
LICENSES.chromium.html
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
d3dcompiler_47.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
ffmpeg.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral15
Sample
ffmpeg.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
libEGL.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral17
Sample
libEGL.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
libGLESv2.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral19
Sample
libGLESv2.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
resources/app.js
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral21
Sample
resources/app.js
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
resources/elevate.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral23
Sample
resources/elevate.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
swiftshader/libEGL.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral25
Sample
swiftshader/libEGL.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
swiftshader/libGLESv2.dll
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral27
Sample
swiftshader/libGLESv2.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
vk_swiftshader.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral29
Sample
vk_swiftshader.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
vulkan-1.dll
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral31
Sample
vulkan-1.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win7-20240508-en
windows7-x64
General
-
Target
DisneyClient.exe
-
Size
112.3MB
-
MD5
dfcfc279ead34abb76dc24d0f5a0fbfc
-
SHA1
bde041a96ad64942543037136b84677b48381e93
-
SHA256
15266b3ee806793d382388e564d30814ad9a257d1f213840f286838cb6b3a92c
-
SHA512
1ac73fd15c228b31eb9231d117de148c45f4ae2c132a07ff57a3c58bff8a016f09076591a9941f81310f30e67898d85e1d3feb261d7e236293751fd0d9da56cf
-
SSDEEP
1572864:XfJBvQqy7wCHw+DqgWucHRifbOsTzVv3V8qekx34mefgprI2wACmucb2M9keuUo2:hBvQbrzMqekphUnCFOec69
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation DisneyClient.exe Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation DisneyClient.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 4708 DisneyClient.exe 4708 DisneyClient.exe 3640 DisneyClient.exe 3640 DisneyClient.exe 4476 DisneyClient.exe 4476 DisneyClient.exe 4476 DisneyClient.exe 4476 DisneyClient.exe -
Suspicious use of WriteProcessMemory 50 IoCs
description pid Process procid_target PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 3376 4880 DisneyClient.exe 85 PID 4880 wrote to memory of 4708 4880 DisneyClient.exe 86 PID 4880 wrote to memory of 4708 4880 DisneyClient.exe 86 PID 4880 wrote to memory of 4708 4880 DisneyClient.exe 86 PID 4880 wrote to memory of 3640 4880 DisneyClient.exe 87 PID 4880 wrote to memory of 3640 4880 DisneyClient.exe 87 PID 4880 wrote to memory of 3640 4880 DisneyClient.exe 87 PID 4880 wrote to memory of 4476 4880 DisneyClient.exe 97 PID 4880 wrote to memory of 4476 4880 DisneyClient.exe 97 PID 4880 wrote to memory of 4476 4880 DisneyClient.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\DisneyClient.exe"C:\Users\Admin\AppData\Local\Temp\DisneyClient.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Users\Admin\AppData\Local\Temp\DisneyClient.exe"C:\Users\Admin\AppData\Local\Temp\DisneyClient.exe" --type=gpu-process --field-trial-handle=1604,16832797935390340917,8966618333918684522,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1316 /prefetch:22⤵PID:3376
-
-
C:\Users\Admin\AppData\Local\Temp\DisneyClient.exe"C:\Users\Admin\AppData\Local\Temp\DisneyClient.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,16832797935390340917,8966618333918684522,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4708
-
-
C:\Users\Admin\AppData\Local\Temp\DisneyClient.exe"C:\Users\Admin\AppData\Local\Temp\DisneyClient.exe" --type=renderer --field-trial-handle=1604,16832797935390340917,8966618333918684522,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2388 /prefetch:12⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:3640
-
-
C:\Users\Admin\AppData\Local\Temp\DisneyClient.exe"C:\Users\Admin\AppData\Local\Temp\DisneyClient.exe" --type=gpu-process --field-trial-handle=1604,16832797935390340917,8966618333918684522,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1520 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4476
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3908
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84