74faf334cb0bdd3e9dfab8c323d4eb3b9b089bcaadc7dbd639d9aa93a4f6f829

Analysis

max time kernel
36s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20240704-es
resource tags

arch:x64arch:x86image:win10v2004-20240704-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
16-07-2024 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x360ce.exe
Size

14.7MB
MD5

be80f3348b240bcee1aa96d33fe0e768
SHA1

40ea5de9a7a15f6e0d891cd1ba4bca8519bb85ed
SHA256

74faf334cb0bdd3e9dfab8c323d4eb3b9b089bcaadc7dbd639d9aa93a4f6f829
SHA512

dfb3b191152981f21180e93597c7b1891da6f10b811db2c8db9f45bbecc9feb54bc032bdd648c7ad1134e9b09e5e2b9705d5e21294e1ae328a4390350745536a
SSDEEP

196608:n+/7/fO/vBSVnf+viDyJBwhsCArf+viDyJBQhsCAaIF/f+viDyJBaF9hsCA6EJ0k:nX/vu0Bwhs8vu0BQhsvFOvu0BaF9hsR

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 34 IoCs

Processes:

x360ce.exe

description	ioc	process
File opened for modification	C:\Windows\INF\volume.PNF	x360ce.exe
File created	C:\Windows\INF\c_volume.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\usbport.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\pci.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\hdaudio.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\input.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\keyboard.PNF	x360ce.exe
File created	C:\Windows\INF\c_media.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\swenum.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\msmouse.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\disk.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\umbus.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\hdaudbus.PNF	x360ce.exe
File created	C:\Windows\INF\c_monitor.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\compositebus.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\acpi.PNF	x360ce.exe
File created	C:\Windows\INF\c_diskdrive.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\mssmbios.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\rdpbus.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\netrtl64.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\monitor.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\audioendpoint.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\volmgr.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\spaceport.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\vhdmp.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\cpu.PNF	x360ce.exe
File created	C:\Windows\INF\c_processor.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\c_swdevice.PNF	x360ce.exe
File created	C:\Windows\INF\c_display.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\kdnic.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\cdrom.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\vdrvroot.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\printqueue.PNF	x360ce.exe
File opened for modification	C:\Windows\INF\mshdc.PNF	x360ce.exe

Loads dropped DLL 1 IoCs

Processes:

x360ce.exe

pid process

4944 x360ce.exe

pid	process
4944	x360ce.exe

Checks SCSI registry key(s) 3 TTPs 28 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

x360ce.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	x360ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	x360ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	x360ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	x360ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	x360ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	x360ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	x360ce.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

x360ce.exe

pid process

4944 x360ce.exe
4944 x360ce.exe
4944 x360ce.exe
4944 x360ce.exe
4944 x360ce.exe
4944 x360ce.exe
4944 x360ce.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

x360ce.exe

description pid process

Token: SeDebugPrivilege 4944 x360ce.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

x360ce.exe

pid process

4944 x360ce.exe
4944 x360ce.exe
4944 x360ce.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

x360ce.exe

pid process

4944 x360ce.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

x360ce.exe

pid process

4944 x360ce.exe

pid	process
4944	x360ce.exe
4944	x360ce.exe
4944	x360ce.exe
4944	x360ce.exe
4944	x360ce.exe
4944	x360ce.exe
4944	x360ce.exe

description	pid	process
Token: SeDebugPrivilege	4944	x360ce.exe

pid	process
4944	x360ce.exe
4944	x360ce.exe
4944	x360ce.exe

pid	process
4944	x360ce.exe

pid	process
4944	x360ce.exe

C:\Users\Admin\AppData\Local\Temp\x360ce.exe
"C:\Users\Admin\AppData\Local\Temp\x360ce.exe"
1⤵
- Drops file in Windows directory
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4944

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\X360CE\Temp\ViGEmClient.dll.84A31178\ViGEmClient.dll
Filesize
29KB

MD5
a8781afcba77ccb180939fdbd5767168

SHA1
3cb4fe39072f12309910dbe91ce44d16163d64d5

SHA256
02b50cbe797600959f43148991924d93407f04776e879bce7b979f30dd536ba9

SHA512
8184e22bb4adfcb40d0e0108d2b97c834cba8ab1e60fee5fd23332348298a0b971bd1d15991d8d02a1bc1cc504b2d34729ed1b8fea2c6adb57e36c33ac9559e9

Download Submit
C:\Windows\INF\audioendpoint.PNF
Filesize
5KB

MD5
734a511ddba64d98efb1db46d6bf566f

SHA1
b71e683854136ff8976ad99b5f9b77112cea23a6

SHA256
9ab82ea4d796a7cf5e724b4b6e7c72319810235e4b461e23ef5c6d3bd923c511

SHA512
37f0abf4cfcd65b3a526f178098d576021cc6fcdf3bf5e38a56367e4f73ad8a56cc3a0a818152de82787c9fec43329036d08d8c2bdd80a807601c9114d21a383

Download Submit
C:\Windows\INF\c_swdevice.PNF
Filesize
6KB

MD5
a872d43b5d2101054439247c59b1a93e

SHA1
4fc0792a1f9438a0473581e05d92da45c0b12f66

SHA256
00f84613435b7fb6c3693c84addd523aa6bbcd7435ebf0283b404533f51e2d54

SHA512
9028d9c33e7e003ad03d357729dafa34bae02a3757c7004c99910ccc20e3dad5be7065474d9d4504d8cfcd3f803c49f3fa3c73faac499fc5353a4be56d6fa3a6

Download Submit
C:\Windows\INF\cdrom.PNF
Filesize
11KB

MD5
81f29e6f17d989f29cf277112322f45f

SHA1
21ff3ff30888eb96bc71346bf962b4bd92dd2540

SHA256
96cfaf877320a9d1edb5bc3b6ba4fc02c2e819a6bcdf18566be1c08a801af09a

SHA512
6a724ccc02e4c381222d58109c37f4bf8449b9efaf345e5348c3b487ff4759b9acb0acfc7a11ba3227c44a4c3dc2056c71e6b0fddfa598cf4b7dd3f25daf84b7

Download Submit
C:\Windows\INF\cpu.PNF
Filesize
20KB

MD5
46e677419459bfde02b2be95ad3e55e7

SHA1
2faf418195d9a41ba9dd732d9044cf7d5ce41a15

SHA256
3a343a4f9da704c21e489beaee8d59b53b4cb666bad8aeaa53e1c829664388fb

SHA512
fba46219f03cd021cd204473e4eb4fe59cc83623e31358e0949e40ccd3bbf81e74e60376846890ce2d25cd347efacd991557155626551b9f81ac5c525e913285

Download Submit
C:\Windows\INF\mshdc.PNF
Filesize
69KB

MD5
a30a3ec05ad2b7046c268061eb507fb7

SHA1
89b644647ac1d28e07f6549f92f22325329d1125

SHA256
e73550012026184308c5d694993997d2cbf17380b0f954d5ef03de1074df0114

SHA512
fe6c4276c95bb6e43184c56bb73ebadffa97f5b91dca842188eb6ee4eb6257e633c43842818c35f2ce10357c413fc02579213eb47860fe20e0612833ec61a220

Download Submit
C:\Windows\INF\msmouse.PNF
Filesize
94KB

MD5
3af4e2017409b0663e94aa0d79758276

SHA1
ab47b54b5071add018e8888bea3d7b1bd77836a5

SHA256
11d48afb148a3d5f25ea457dc4f93a7996a99049161abc3867f1bad3d6617204

SHA512
a8dc6c4f18ac35f40a371c6cf3282368403ab0ea390953f9a4c601888bf5c560fd8638ae493177ea870927a0db06a0d44b57387e760ac4e02f8cb46a6d588bda

Download Submit
C:\Windows\INF\printqueue.PNF
Filesize
7KB

MD5
4c6380f896b1ef852934f1c342bdbfec

SHA1
91d913da4b98f62aa7a9a64fd43f35d37beed9e5

SHA256
57a38eea5bed559329dcbc7c2d9503627e1a9fd7d652760209533891c5af1097

SHA512
8f37e25af312b7ca22faf703df59b7001af5e1b873009434c3dc702a766fa30738b8dacb731f2448cc0649074924ef4ca90983ae260712b0f1ce9fec211e764c

Download Submit
C:\Windows\INF\usbport.PNF
Filesize
153KB

MD5
07f2ce479330248f40dd7eb5b14bb70e

SHA1
a59c376ce402209cdc24989b66026bcda8c9516d

SHA256
b2ce6015288a161d8b5c9114acfc48f049a3f7e2b13207562d90bfb21b8d79be

SHA512
99a3314f5fd6e5cc27bf6a00a90a21c96281400966f70ce8d6e825fee5601aa54fd58952de497078ba1466546f0c7104b9e5ef90cde2063f9edf8a965a025b5a

Download Submit
C:\Windows\INF\volume.PNF
Filesize
5KB

MD5
53b3c3c9f6ede08cd514aa98debda0d8

SHA1
ff64c4738b8b015ba07e562b225e96bcdb35e01a

SHA256
0c61da3f6c36c046e4fdd0745c0f85f5ca51abbc8f35cf13033bc33033c9679b

SHA512
2c08d0a652c371fdf04394afd9442ab9c3968f92aa33eaa190e970a58bad3a0025936ddf22137b58deb7929e6c64daab122e59e9caf1e48a8b48184b48aaf8ea

Download Submit
memory/4944-13-0x00007FF95A4E0000-0x00007FF95AFA1000-memory.dmp

Filesize
10.8MB

Download
memory/4944-9-0x00007FF95A4E0000-0x00007FF95AFA1000-memory.dmp

Filesize
10.8MB

Download
memory/4944-26-0x00000136F9AF0000-0x00000136F9B3A000-memory.dmp

Filesize
296KB

Download
memory/4944-25-0x00000136F9A90000-0x00000136F9ABC000-memory.dmp

Filesize
176KB

Download
memory/4944-27-0x00000136F9B70000-0x00000136F9B92000-memory.dmp

Filesize
136KB

Download
memory/4944-28-0x00000136F9CB0000-0x00000136F9DB2000-memory.dmp

Filesize
1.0MB

Download
memory/4944-29-0x00000136F9BF0000-0x00000136F9C36000-memory.dmp

Filesize
280KB

Download
memory/4944-30-0x00000136F9BD0000-0x00000136F9BD8000-memory.dmp

Filesize
32KB

Download
memory/4944-31-0x00000136F9C60000-0x00000136F9C80000-memory.dmp

Filesize
128KB

Download
memory/4944-32-0x00007FF95A4E0000-0x00007FF95AFA1000-memory.dmp

Filesize
10.8MB

Download
memory/4944-23-0x00007FF95A4E0000-0x00007FF95AFA1000-memory.dmp

Filesize
10.8MB

Download
memory/4944-0-0x00007FF95A4E3000-0x00007FF95A4E5000-memory.dmp

Filesize
8KB

Download
memory/4944-10-0x00000136FB7E0000-0x00000136FB800000-memory.dmp

Filesize
128KB

Download
memory/4944-24-0x00000136F9AC0000-0x00000136F9ADC000-memory.dmp

Filesize
112KB

Download
memory/4944-8-0x00000136FB820000-0x00000136FB9AA000-memory.dmp

Filesize
1.5MB

Download
memory/4944-6-0x00000136F8810000-0x00000136F885A000-memory.dmp

Filesize
296KB

Download
memory/4944-4-0x00007FF95A4E0000-0x00007FF95AFA1000-memory.dmp

Filesize
10.8MB

Download
memory/4944-3-0x00000136F8AA0000-0x00000136F8E7A000-memory.dmp

Filesize
3.9MB

Download
memory/4944-2-0x00000136F83C0000-0x00000136F8552000-memory.dmp

Filesize
1.6MB

Download
memory/4944-1-0x00000136DD000000-0x00000136DDEC2000-memory.dmp

Filesize
14.8MB

Download
memory/4944-227-0x00007FF95A4E0000-0x00007FF95AFA1000-memory.dmp

Filesize
10.8MB

Download
memory/4944-228-0x00007FF95A4E3000-0x00007FF95A4E5000-memory.dmp

Filesize
8KB

Download
memory/4944-229-0x00007FF95A4E0000-0x00007FF95AFA1000-memory.dmp

Filesize
10.8MB

Download
memory/4944-230-0x00007FF95A4E0000-0x00007FF95AFA1000-memory.dmp

Filesize
10.8MB

Download
memory/4944-231-0x00007FF95A4E0000-0x00007FF95AFA1000-memory.dmp

Filesize
10.8MB

Download
memory/4944-244-0x00007FF95A4E0000-0x00007FF95AFA1000-memory.dmp

Filesize
10.8MB

Download
memory/4944-245-0x00007FF95A4E0000-0x00007FF95AFA1000-memory.dmp

Filesize
10.8MB

Download
memory/4944-246-0x00007FF95A4E0000-0x00007FF95AFA1000-memory.dmp

Filesize
10.8MB

Download