c1eb62270d4d2b234e6b2436a535f5013574d0419e05b0bae87b64e55f968200

Analysis

max time kernel
1120s
max time network
1127s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
27/07/2024, 09:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bsso_launcher_v1.exe
Size

2.6MB
MD5

6a60f6fbd451bfb11d0c943706ceda0a
SHA1

15afe57c61dc29db351b04f64fd494796ef07e37
SHA256

82c2f0af2f595ff2656f3c418246ffd7f8daa22d0cc38605977def4e42fd32bd
SHA512

482a4bbba229d2b3cfcd88083cd4fdd03d6fc493cc12ee5d2750b99c58880a647f933a657cabe2ae3d7998963909352eafdf2ebd851c74e403085b51348ae237
SSDEEP

49152:BYdvcy8kcu0RxBU+89fH341MhWCDlRA6BXuhb4cFxcuUo:BYdcl/3RxeH3dhV4LhUcFxcuUo

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
216	bsso_tor.exe
4904	PXStudioRuntimeMMO.exe

Loads dropped DLL 2 IoCs

pid	Process
4904	PXStudioRuntimeMMO.exe
4904	PXStudioRuntimeMMO.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	87.236.195.203

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	bcastdvr.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4452	GameBarPresenceWriter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3952	4904	WerFault.exe	76

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PXStudioRuntimeMMO.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	GamePanel.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	GamePanel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000	GamePanel.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	GamePanel.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4904	PXStudioRuntimeMMO.exe
4904	PXStudioRuntimeMMO.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
236	bsso_launcher_v1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
236	bsso_launcher_v1.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 236 wrote to memory of 216	236	bsso_launcher_v1.exe	74
PID 236 wrote to memory of 216	236	bsso_launcher_v1.exe	74
PID 236 wrote to memory of 4904	236	bsso_launcher_v1.exe	76
PID 236 wrote to memory of 4904	236	bsso_launcher_v1.exe	76
PID 236 wrote to memory of 4904	236	bsso_launcher_v1.exe	76

C:\Users\Admin\AppData\Local\Temp\bsso_launcher_v1.exe
"C:\Users\Admin\AppData\Local\Temp\bsso_launcher_v1.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:236
- C:\Users\Admin\AppData\Local\Temp\bsso_tor.exe
  "C:\Users\Admin\AppData\Local\Temp\\bsso_tor.exe"
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Users\Admin\AppData\Local\Temp\horse_dir\PXStudioRuntimeMMO.exe
  "horse_dir\PXStudioRuntimeMMO.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 864
    3⤵
    - Program crash
    PID:3952

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
- Network Service Discovery
PID:4452

C:\Windows\System32\GamePanel.exe
"C:\Windows\System32\GamePanel.exe" 00000000000202EE /startuptips
1⤵
PID:4984

C:\Windows\System32\bcastdvr.exe
"C:\Windows\System32\bcastdvr.exe" -ServerName:Windows.Media.Capture.Internal.BroadcastDVRServer
1⤵
- Drops desktop.ini file(s)
PID:1052

C:\Windows\System32\GamePanel.exe
"C:\Windows\System32\GamePanel.exe" 0000000000040248 /startuptips
1⤵
- Checks SCSI registry key(s)
PID:712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bsso_tor.exe

Filesize
8.6MB

MD5
a46913ab31875cf8152c96bd25027b4d

SHA1
99e9c857a9bcca65e727773b40595478c38e7a75

SHA256
66fd723d0dd219807c6d7dcc331e25c8d05adccf4a66312928fbe1d0e45670ed

SHA512
ce33b5a153f4b095a78e33044fd6648770e2ff1e9949b7d1ee3b4ac869efeb8a404e6c62e6ae0e3766d8aa532e8b41ab04d880f014a9fd3f3b8a5148e31d6b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\horse_dir\Data.ccx

Filesize
1.8MB

MD5
4a95c282659bc5d34d17356d8a7cbe35

SHA1
2964da40c3423d7b501db1962f8952b801c1478b

SHA256
9e4840931a5b0e33a4d875e5901d155bb7baef60c63deec35da181b3bae8df2e

SHA512
ba15db3c4a9013233e7cd569596c6b1575bcb4e7355ce8ab49e9438069034896af41415d060797df10354f0469c1e209ce3a3e63d5684d5fb61cbee02e20bb65

Download Submit
C:\Users\Admin\AppData\Local\Temp\horse_dir\Data\Settings.pxo

Filesize
2KB

MD5
da9bcbf9a2963cd4ace43a5d85ca178e

SHA1
82ded77820d37d05d1b76dcac536d106b0971429

SHA256
5aea25d57edd7e1d913fe77da741a703c316039948af67796c427c12978b3c40

SHA512
78d2edaf339b5c6fb41ee6ae8ebe1cea29bfb30b416df57c0e9199553f4c08050de375272bcbf816fd941eb997fd3c49fc0190693da81e52268d6cec9a89bfc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\horse_dir\PXStudioRuntimeMMO.exe

Filesize
4.2MB

MD5
7bc39b65f1c4ab577a0c07cfc124a1e5

SHA1
44221173fcb202e5dd60fc5092c2a61362501a8d

SHA256
e87d0e3707b25c1c7a973d17fd68202b7b60f339db9572844700aa5e03be8e7b

SHA512
45584ef3630a115af9a5906f7a14e5b8de61746174d997c77bfe5e9a17ffe42d63f1512b0e560ba6b262410475672c664ac4897d428118076ddd18c4e06b028e

Download Submit
C:\Users\Admin\AppData\Local\Temp\horse_dir\fmodstudio.dll

Filesize
1.3MB

MD5
0f12d82f9b45569d9c177195d4d8b4b4

SHA1
3c64924fb8f08c8a7fa075d4a4595ed654def358

SHA256
1072879080a4a11309d5f430a2ecb6d3a4831580febdf761ae14ef1977cdf066

SHA512
9361e4c46dcf949714afdc3e305b303760fb813d667fab54670e4809e5c7b8154ae9b97d1b9fa5b3e004e1ffaec56d8e1d06aa4234593f937783eeba25c0538c

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
db32cba398d7da0c4ca37058c0d37f46

SHA1
b15c4530b8b60970b5faae21b94a96294b3a41ca

SHA256
d3672681eea18b8bb8845790120539720e42c5ae84c3e5ef24d1a8e9f1a93acf

SHA512
01828c702cb4e7579ea96f44c06987bd2b70cca0abff511cd0aae3887b57c49c436136aa08c314bae6471ba9aed0f25624f06db707a372c9f7f0614d41dcc518

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
8.2MB

MD5
151983a93dab5675ac212c3d29e4da1e

SHA1
1bc62321f407d1978561a82d74d390eb9db960f1

SHA256
ca00e25c91791d4c49765dc15a454f7786e263f73a15f74ed9f3dbdc290c921c

SHA512
7feef5b433ce9f1702aa5c7edbbb4fda581f089a996709b23fdb16e8527e896cbd83da964a8793ee7825d0794e94ba050d707d6a43cc74aded4486373a10fa07

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
\Users\Admin\AppData\Local\Temp\horse_dir\fmod.dll

Filesize
1.4MB

MD5
ddd1acff00ee1f2cd8d3f03c003f9f19

SHA1
eb5bb863f353a288d26d1df87ea1cf94ad9fcf74

SHA256
16b29431928abc2314edb0175aab9f1b31515648b5cf634e8fbe1ec038bda404

SHA512
e6631f7af440e4ded24b9a33cbd11642638d93426fe50161f0342f873cc2333d14aa755f270c335a6f032046ebc2e7acc8c1806350e45fbe511c159f09766158

Download Submit