66745a4257b713585ce8e7b16edd8ae00d247f713ad6ea02dc4c39ef94b8c677

Resubmissions

28-05-2024 10:29

240528-mjl2nafe8z 7

Analysis

max time kernel
125s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DisneyClient 1.1.5.exe
Size

50.5MB
MD5

d3c81e630fd6d136a291b43ee3e1b04e
SHA1

e4d155c36431232c227fd702c7143233b8847fd0
SHA256

66745a4257b713585ce8e7b16edd8ae00d247f713ad6ea02dc4c39ef94b8c677
SHA512

046f221cebd6fef5ff951d73de465d3cd656247aa1fabc40b67292fd7cd84dffc053e39dc6cbb70c53800eba464e0c8c37ffac44212d19892f58c24eec67393d
SSDEEP

1572864:R1JcJcidspJJrRZl9wjUwVpsSw6J9yVfGDGWhkU7:RPFicJNnlmHVSSw6MOCcn7

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	DisneyClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	DisneyClient.exe

Executes dropped EXE 5 IoCs

pid	Process
4404	DisneyClient.exe
540	DisneyClient.exe
4296	DisneyClient.exe
4672	DisneyClient.exe
928	DisneyClient.exe

Loads dropped DLL 14 IoCs

pid	Process
4148	DisneyClient 1.1.5.exe
4148	DisneyClient 1.1.5.exe
4148	DisneyClient 1.1.5.exe
4404	DisneyClient.exe
540	DisneyClient.exe
4296	DisneyClient.exe
540	DisneyClient.exe
540	DisneyClient.exe
540	DisneyClient.exe
4672	DisneyClient.exe
928	DisneyClient.exe
928	DisneyClient.exe
928	DisneyClient.exe
928	DisneyClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4296	DisneyClient.exe
4296	DisneyClient.exe
4672	DisneyClient.exe
4672	DisneyClient.exe
928	DisneyClient.exe
928	DisneyClient.exe
928	DisneyClient.exe
928	DisneyClient.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4148	DisneyClient 1.1.5.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 4404	4148	DisneyClient 1.1.5.exe	89
PID 4148 wrote to memory of 4404	4148	DisneyClient 1.1.5.exe	89
PID 4148 wrote to memory of 4404	4148	DisneyClient 1.1.5.exe	89
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 540	4404	DisneyClient.exe	90
PID 4404 wrote to memory of 4296	4404	DisneyClient.exe	91
PID 4404 wrote to memory of 4296	4404	DisneyClient.exe	91
PID 4404 wrote to memory of 4296	4404	DisneyClient.exe	91
PID 4404 wrote to memory of 4672	4404	DisneyClient.exe	92
PID 4404 wrote to memory of 4672	4404	DisneyClient.exe	92
PID 4404 wrote to memory of 4672	4404	DisneyClient.exe	92
PID 4404 wrote to memory of 928	4404	DisneyClient.exe	98
PID 4404 wrote to memory of 928	4404	DisneyClient.exe	98
PID 4404 wrote to memory of 928	4404	DisneyClient.exe	98

C:\Users\Admin\AppData\Local\Temp\DisneyClient 1.1.5.exe
"C:\Users\Admin\AppData\Local\Temp\DisneyClient 1.1.5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Users\Admin\AppData\Local\Temp\1vpCYdxfiy6GCaONnd5WKiYn24k\DisneyClient.exe
  C:\Users\Admin\AppData\Local\Temp\1vpCYdxfiy6GCaONnd5WKiYn24k\DisneyClient.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Users\Admin\AppData\Local\Temp\1vpCYdxfiy6GCaONnd5WKiYn24k\DisneyClient.exe
    "C:\Users\Admin\AppData\Local\Temp\1vpCYdxfiy6GCaONnd5WKiYn24k\DisneyClient.exe" --type=gpu-process --field-trial-handle=1616,9885644580472195845,1377982254779300549,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1628 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:540
- - C:\Users\Admin\AppData\Local\Temp\1vpCYdxfiy6GCaONnd5WKiYn24k\DisneyClient.exe
    "C:\Users\Admin\AppData\Local\Temp\1vpCYdxfiy6GCaONnd5WKiYn24k\DisneyClient.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,9885644580472195845,1377982254779300549,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4296
- - C:\Users\Admin\AppData\Local\Temp\1vpCYdxfiy6GCaONnd5WKiYn24k\DisneyClient.exe
    "C:\Users\Admin\AppData\Local\Temp\1vpCYdxfiy6GCaONnd5WKiYn24k\DisneyClient.exe" --type=renderer --field-trial-handle=1616,9885644580472195845,1377982254779300549,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\1vpCYdxfiy6GCaONnd5WKiYn24k\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2436 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4672
- - C:\Users\Admin\AppData\Local\Temp\1vpCYdxfiy6GCaONnd5WKiYn24k\DisneyClient.exe
    "C:\Users\Admin\AppData\Local\Temp\1vpCYdxfiy6GCaONnd5WKiYn24k\DisneyClient.exe" --type=gpu-process --field-trial-handle=1616,9885644580472195845,1377982254779300549,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1vpCYdxfiy6GCaONnd5WKiYn24k\chrome_100_percent.pak

Filesize
138KB

MD5
03aaa4f8525ba4b3e30d2a02cb40ab7a

SHA1
dd9ae5f8b56d317c71d0a0a738f5d4a320a02085

SHA256
c3f131faeefab4f506bf61c4b7752a6481f320429731d758ef5413a2f71441f7

SHA512
c89a1b89b669602ba7c8bf2c004755cac7320189603fecb4f4c5cf7a36db72da651c7b613607146f0c6da9eec5df412c7fba75475352192351c02aebdaa7d9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vpCYdxfiy6GCaONnd5WKiYn24k\chrome_200_percent.pak

Filesize
202KB

MD5
7d4f330a5443eadf32e041c63e7e70ad

SHA1
26ce6fb98c0f28f508d7b88cf94a442b81e80c88

SHA256
b8704be578e7396ee3f2188d0c87d0ede5c5702e9bb8c841b5f8d458abf1356d

SHA512
f1b9b0dd7396863aa0feca06175b7f9ea0be4122351ecf0a0549ee4c34f85ac8c63cc927d7409a40b6e19fa91d2cb00a145616ba19f47045b2345bfbc2d4802d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vpCYdxfiy6GCaONnd5WKiYn24k\config.json

Filesize
131B

MD5
8915da420acdd724f99829c099d15c96

SHA1
a12694bae4f1a1feb30e435e1b7cf82e666a4e5b

SHA256
be4775ce8ed7cd75519adf7b3a63a217f0ff2af82481f5346756351188a58a69

SHA512
be3552a2893eb027bb7dc44121debb6ea366b33eb301f6e262067f4eba2c656434f8a962f1af3815864d51cf551b8dc5b485159f6fc8a7b7260dffeb524421fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vpCYdxfiy6GCaONnd5WKiYn24k\d3dcompiler_47.dll

Filesize
3.5MB

MD5
2f2e363c9a9baa0a9626db374cc4e8a4

SHA1
17f405e81e5fce4c5a02ca049f7bd48b31674c8f

SHA256
2630f4188bd2ea5451ca61d83869bf7068a4f0440401c949a9feb9fb476e15df

SHA512
e668a5d1f5e6f821ebfa0913e201f0dfd8da2f96605701f8db18d14ea4fdeac73aeb9b4fe1f22eaeffcdd1c0f73a6701763727d5b09775666f82b678404e4924

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vpCYdxfiy6GCaONnd5WKiYn24k\ffmpeg.dll

Filesize
2.5MB

MD5
4d153867f33b8b517b7a3f8ab6ef6fa5

SHA1
9727614febffbefd66ad70d63a2ad43552d41135

SHA256
76b92fd8be8a585234c446e8bf696758181e3617200d3eca449e1ba3fa150d3a

SHA512
5b4c37479a7dabe6bd85f8050fe2dc36cd9492c419aa5e4225b015befc33bb47fd53ad7fcd91a494f52f55fad90baeef2fc4c7815abd5d50da881ffc8515a127

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vpCYdxfiy6GCaONnd5WKiYn24k\icudtl.dat

Filesize
9.9MB

MD5
80a7528515595d8b0bf99a477a7eff0d

SHA1
fde9a195fc5a6a23ec82b8594f958cfcf3159437

SHA256
6e0b6b0d9e14c905f2278dbf25b7bb58cc0622b7680e3b6ff617a1d42348736b

SHA512
c8df47a00f7b2472d272a26b3600b7e82be7ca22526d6453901ff06370b3abb66328655868db9d4e0a11dcba02e3788cc4883261fd9a7d3e521577dde1b88459

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vpCYdxfiy6GCaONnd5WKiYn24k\locales.json

Filesize
1KB

MD5
426efa3d09f5f5ebd3abd15f27a1ddf8

SHA1
17272dabc40601d2cfdbc9bcf0808033b9cdabb2

SHA256
d734fe3363ce8609c5686cc374c57aecf9f63b6c0a31e0059c1c298f553671de

SHA512
805a6d974e812e95faf1b87fc198b4e671fa69ef9ca3278fc7d6ceeff212f3fa6d8731bc3d43d11086e220e01bdb6a8bda2e8182c008cd1d39cdabdfe8169c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vpCYdxfiy6GCaONnd5WKiYn24k\locales\en-US.pak

Filesize
88KB

MD5
af5c77e1d94dc4f772cb641bd310bc87

SHA1
0ceeb456e2601e22d873250bcc713bab573f2247

SHA256
781ef5aa8dce072a3e7732f39a7e991c497c70bfaec2264369d0d790ab7660a4

SHA512
8c3217b7d9b529d00785c7a1b2417a3297c234dec8383709c89c7ff9296f8ed4e9e6184e4304838edc5b4da9c9c3fe329b792c462e48b7175250ea3ea3acc70c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vpCYdxfiy6GCaONnd5WKiYn24k\resources.pak

Filesize
4.9MB

MD5
c400d06430b2a46d484692d4dae60919

SHA1
c7ee7c020058de020554e5831345a5fa52f43a6a

SHA256
b9f84f3b08a7074c66024bb697c50415c57bec778227dfdfecab4c7dcfa4f1bf

SHA512
d9f0d095e509cedd4f5fdecd9476ca3bacf677a8699d898a1be2a23eb0c084cef7922b83b28bbf99bf2f3fa848c229982be9f4c765b305d96971ce3937811394

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vpCYdxfiy6GCaONnd5WKiYn24k\resources\app.asar

Filesize
2.5MB

MD5
17400c88b0ff7c08991f9dfad7338c99

SHA1
2db5e5f723920097c1159cb22cfe3d48b35d9f7b

SHA256
110a8557545cb9d4f50b773ea72c083152a75112ecbaa7e7b8ca4948b253b233

SHA512
51d906ef30047d3c86ac1a0f30691cdd92a762df2ab4b313fbf2ca3c9572ec75d8bc040cbee82b7967f7e535080122f6bf9654de607d7c738bd27d09d860a821

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vpCYdxfiy6GCaONnd5WKiYn24k\swiftshader\libegl.dll

Filesize
366KB

MD5
b14e9a3b571cebb2db5eb64d5274b4e5

SHA1
3a30a13a61f2188c68ffeb83095279aca832eaff

SHA256
998ad01a7ad339373e499cc654a033be61b3796eab8880f34d453bbb774e318a

SHA512
5e1fa9c35ae896393840572f1bcaf26ff18a1d9aafc3504e8a6a1029a0f3e336e8ca06f07ad37371af690989fc4df174f721e9afe7ba7e00e13cbebbb520e808

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vpCYdxfiy6GCaONnd5WKiYn24k\swiftshader\libglesv2.dll

Filesize
2.7MB

MD5
509c301d29ab71a65ee862530c0fdd65

SHA1
26a4c13749b6833635ba3280d319bdedc17f5fcc

SHA256
352448e802fb4947bdf8225844036de01200acbc4d85ae9b9d1eb95a769560af

SHA512
6150289efa7e2939d3f08d568ab2fa540e40fc640acb8919ae215b596905e88a0ee763f126c6de1e39fb5bfa676aa7d7f614020137288cced7d10c727011f4f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vpCYdxfiy6GCaONnd5WKiYn24k\v8_context_snapshot.bin

Filesize
161KB

MD5
4bb906e8b19f41c1ca575f2da3aa0729

SHA1
01ec564229031ea344ba14cf0d817022b7ed573c

SHA256
ed19ff0764f3e0a147c6d77a316cb3df5f41b278daa39e630e7f1587c88254e2

SHA512
e35d3c531ebcf550f94695841ecde09af6428d377c9db780900293e4e7b777ce0a9e4d5c95b123363bb3aa3a1a630194b10201025f8443a406f0a0a74953130b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc33B3.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc33B3.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc33B3.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit