Analysis

  • max time kernel
    97s
  • max time network
    86s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    01/09/2024, 11:10

General

  • Target

    Drivers/ViGEmBusSetup_x86.msi

  • Size

    800KB

  • MD5

    8708fadd862028488351bce03073b6ab

  • SHA1

    f49d2cd9b335dc7a593d447a6717c699cb5f665d

  • SHA256

    e383c1660036fd98719add71aea43fa81818da1a6c7ab9431b4940520a12d1f2

  • SHA512

    0d81115220c0bc2a56e47e674924f6601883d9b105fecd9cd19f6afc7af9830246dcb4a09b006dd465abe58bb27eefeeebc97fd3e9f1da084cb7e24776996243

  • SSDEEP

    12288:4xu6tmkOIYxYhTeDJBvsk8k9QHt3jOZy2KsGU6a4KsBex5VkvSiF:4xu6tXO3Bvsk39wzOE2Z34Kd5kS

Malware Config

Signatures

  • Blocklisted process makes network request (2 IoCs)
  • Enumerates connected drives (3 TTPs, 46 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (6 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) (3 TTPs, 64 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS (5 IoCs)
  • Modifies registry class (31 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Drivers\ViGEmBusSetup_x86.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2228
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:4100
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F47D0C672B99C68EBA150FBBB01FA3D5 E Global\MSI0000
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4668
      • C:\Program Files (x86)\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe
        "C:\Program Files (x86)\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe" install "C:\Program Files (x86)\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\ViGEmBus.inf" Nefarius\ViGEmBus\Gen1
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks SCSI registry key(s)
        PID:1168
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4376
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
    1⤵
    • Checks SCSI registry key(s)
    • Modifies data under HKEY_USERS
    PID:1952

Network

MITRE ATT&CK Enterprise v15


Downloads

          • C:\Program Files (x86)\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\ViGEmBus.inf

            Filesize

            3KB

            MD5

            cd0027aa0f5a8a47a6596d880f06964b

            SHA1

            167b62bfd7471179cf68cb5b2f83c8365edf4875

            SHA256

            634b032a33cecbf2e43c46c5896a3c359cdda452c632da6396452419ffa301d6

            SHA512

            19563a3fc7d985ee48a158f6f051e5b8ba200a092b2f1e902024aa9c6a8d6f5a6f04b80c8ea0587bd23802dcfd7775a7a625164387ae61ded5124ccea61b8ef9

          • C:\Program Files (x86)\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe

            Filesize

            388KB

            MD5

            67ce8912433c04f70292ec5e40d02848

            SHA1

            b028c51a1f9d63f03a9f784af0c47d0ae87081ec

            SHA256

            7376c4114b914d1aa97328b491f99af4ab99d09f46fdd3654a9f8f503a14599f

            SHA512

            88293f8dd0379d4bd6dfe4fab4ae39280aac81cdb605a5d90f17fbaf36e5f864aae7c6e6f0215b076131eb03f87842245b7cbe2ae742be14674d079c929f6e20

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

            Filesize

            471B

            MD5

            8ddeb003f13d0bf5a2d5ee1aa6601927

            SHA1

            1c1118e36d983de957d89f8e1fd930577c4f2962

            SHA256

            5ac1e37e07bd569e42ff58ef00f4ac937679078c6982ac5d960b3ead540a8399

            SHA512

            40055ad4440e38cde769352bf2d107437ab86aec66f1a52fa31f66a9aa00b1694fc99cd9fc9ab7aa8a2e7c8b3851385c65b78d009e1a3ad1e595ade26cad310d

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_9680AC525D270E357A3E938724263431

            Filesize

            471B

            MD5

            ee1a170a41a47cc1cdd299db30664dfd

            SHA1

            121df6d6874c530065e67b1737fd176b580644a1

            SHA256

            5c43b3066115a82e08f0854014bf3b338c89d5586207bf75e562dec1e4cc767c

            SHA512

            444dc5e70cf55bd10edf3f139725211ad4bdd4f6b4b9c4d24cecf5e82dfb24455a1f08043666dbf2a1f8aef5bbcade089d54a6846934cc6fcffa403f757bf064

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

            Filesize

            396B

            MD5

            98c408bb6d12e2f69ff9875543d21fd3

            SHA1

            c85acc5524b8f66fdb9d80950babced2f5bdbee3

            SHA256

            37f662f7ab1423db75a35f12ab92f874042c89099aec060e81f882ddde8dfe7c

            SHA512

            f0dab9522822e7077ddb926341ad1a1ac0b89535f282c957f83a1ea496bbabc4f79184f9186da7e0d71618b2d2ea7e6d289f7d3cd31f9be675b252b0c94b997f

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_9680AC525D270E357A3E938724263431

            Filesize

            408B

            MD5

            8cebf5eae6ee8c81400e3fcc129edcd3

            SHA1

            f020a37284f3b074f9f3b7f972d78ba988126c0d

            SHA256

            8ff7fd039f43439f20ff6462b23876a43431093d071245a84cf010492294c2c9

            SHA512

            8dd112afb57ae74ac04eec0187a782389e66b27dee6d09dd9fb002ae0e8324aff6a0897be60958114df4b48f62591e491d0a3998c4ff2845fbc10bed045dfd53

          • C:\Windows\Installer\MSIBA45.tmp

            Filesize

            211KB

            MD5

            a3ae5d86ecf38db9427359ea37a5f646

            SHA1

            eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

            SHA256

            c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

            SHA512

            96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

          • C:\Windows\Installer\e58b8eb.msi

            Filesize

            800KB

            MD5

            8708fadd862028488351bce03073b6ab

            SHA1

            f49d2cd9b335dc7a593d447a6717c699cb5f665d

            SHA256

            e383c1660036fd98719add71aea43fa81818da1a6c7ab9431b4940520a12d1f2

            SHA512

            0d81115220c0bc2a56e47e674924f6601883d9b105fecd9cd19f6afc7af9830246dcb4a09b006dd465abe58bb27eefeeebc97fd3e9f1da084cb7e24776996243

          • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

            Filesize

            26.0MB

            MD5

            25d2ffa16e1f748cd2ef34185b701087

            SHA1

            01de4c0aa07429f60016d687991e4c831e93ccd8

            SHA256

            47f0f168087f14f31dd80c2a0f4e56e7d0e3456d8f54fd544017664397f3087f

            SHA512

            a882c962ad970030f1954b0457a2968431f236f4a9135663615f337ba213a6f07b5e8f49245532e168ed633536b112a2253988b4edeaf0a8fe4aa21d8426c5fc

          • \??\Volume{38fd360b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{37b1b0e9-e291-45e5-b59d-518752dc19d9}_OnDiskSnapshotProp

            Filesize

            5KB

            MD5

            e56d1eba4bdd4cf6c51a7589ed40a845

            SHA1

            0948e51b6cb0c9efdb639e36d0316f4280ab93b8

            SHA256

            b9225b9c312ae9bae87d0897862cc1276f7997d16b79704b16446d50d13f5a54

            SHA512

            24270d7710b9bb96a893e8754e976acb7ea4c140b3423f4d89721e3b639907a38811fa2bfd885fa87b689eaaa98185d87947a129c94489fb4109237ea2d5e06f