Analysis

  • max time kernel
    78s
  • max time network
    82s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags
    arch:x64
    arch:x86
    image:win11-20240802-en
    locale:en-us
    os:windows11-21h2-x64
    system
  • submitted
    26-09-2024 02:55

General

  • Target

    XMouse_Button_Control_V2.20.5.exe

  • Size

    2.9MB

  • MD5

    2e9725bc1d71ad1b8006dfc5a2510f88

  • SHA1

    6e1f7d12881696944bf5e030a7d131b969de0c6c

  • SHA256

    2240bf5fb5d80938b0676c46ef9f84bc1739c32f60c473ff85e530ae0eca2818

  • SHA512

    62bd9cde806f83f911f1068b452084ef2adc01bc0dec2d0f668a781cc0d94e39f6e35618264d8796ca205724725abd40429f463017e6ca5caf7d683429f82d39

  • SSDEEP

    49152:n65SJw48kZN+nCYk7c44+Y0hdwn4Km2A5aT/pVE0hYYajihV2Qso0SWMrboF:tfpeno4oY0QZm2dlNJsrHM4

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 8 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 33 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 13 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XMouse_Button_Control_V2.20.5.exe
    "C:\Users\Admin\AppData\Local\Temp\XMouse_Button_Control_V2.20.5.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    PID:4844
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.highrez.co.uk/scripts/postinstall.asp?package=XMouse&major=2&minor=20&build=5&revision=0&platform=x64
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffab8983cb8,0x7ffab8983cc8,0x7ffab8983cd8
      2⤵
      PID:1032
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,13688794588875679071,1929994225474719022,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
      2⤵
      PID:4076
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,13688794588875679071,1929994225474719022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3688
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,13688794588875679071,1929994225474719022,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
      2⤵
      PID:2336
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13688794588875679071,1929994225474719022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
      2⤵
      PID:2244
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13688794588875679071,1929994225474719022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
      2⤵
      PID:3604
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13688794588875679071,1929994225474719022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
      2⤵
      PID:4088
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1940,13688794588875679071,1929994225474719022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4076 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:412
  • C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe
    "C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe" /Installed /notportable
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies system certificate store
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:3312
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3580
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2616
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4352

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\BugTrapU-x64.dll

    Filesize

    364KB

    MD5

    80d5f32b3fc515402b9e1fe958dedf81

    SHA1

    a80ffd7907e0de2ee4e13c592b888fe00551b7e0

    SHA256

    0ab8481b44e7d2f0d57b444689aef75b61024487a5cf188c2fc6b8de919b040a

    SHA512

    1589246cd480326ca22c2acb1129a3a90edf13b75031343061f0f4ed51580dfb890862162a65957be9026381bb24475fec6ddcb86692c5961a24b18461e5f1f0

  • C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe

    Filesize

    1.7MB

    MD5

    bb632bc4c4414303c783a0153f6609f7

    SHA1

    eb16bf0d8ce0af4d72dff415741fd0d7aac3020e

    SHA256

    7cc348f8d2ee10264e136425059205cf2c17493b4f3f6a43af024aecb926d8c8

    SHA512

    15b34efe93d53e54c1527705292fbf145d6757f10dd87bc787dc40bf02f0d641468b95c571f7037417f2f626de2afcd68b5d82214e27e9e622ab0475633e9de5

  • C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonHook.dll

    Filesize

    1.0MB

    MD5

    d62a4279ebba19c9bf0037d4f7cbf0bc

    SHA1

    5257d9505cca6b75fe55dfdaf2ea83a7d2d28170

    SHA256

    c845e808dc035329a7c95c846413a7afb9976f09872ba3c05dfa5f492156eef0

    SHA512

    6895a12cddc41bf516279b1235fca238b0b3b0cef2cc25abe14a9160ed23f5bde3d476f885d674537febc7de7eb58b0824d96153c626e1563a5a8a1887fb5323

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

    Filesize

    152B

    MD5

    c4a10f6df4922438ca68ada540730100

    SHA1

    4c7bfbe3e2358a28bf5b024c4be485fa6773629e

    SHA256

    f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02

    SHA512

    b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

    Filesize

    152B

    MD5

    4c3889d3f0d2246f800c495aec7c3f7c

    SHA1

    dd38e6bf74617bfcf9d6cceff2f746a094114220

    SHA256

    0a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4

    SHA512

    2d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

    Filesize

    168B

    MD5

    9120b0d9cface1a0520a45dfc0af49b7

    SHA1

    39f472b05fd7bd01aba0956b98a5494645a12e5d

    SHA256

    7b92acd0fb5fd523fa4c495b328e0b8232597a233e02a8fe1a7d899c31a8c558

    SHA512

    c3b795e18b60a20d1f297b7d41f9cb3729e64e3edb1d9ca3f8e08b272e672dae44b9295a47d6d6119891fcd0e89a88b72e57dd4284d0ea6da366be8ae3a22b3c

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

    Filesize

    1KB

    MD5

    b5ce2a3abda10e11f0f0da84dc2f0fd5

    SHA1

    31dae490af605b839e20a01e64d11c064ab84e0a

    SHA256

    ff3c39c8ddb8ddce51c7f865c7abb7f2296834d66e595d132d6a075105a05397

    SHA512

    da114327b6cad9f0c5a17a54066e31a1069daff852ebc050dbcf1cbd56210e88d87f0ea9e670d083f4dc8fcb59b600f1db70791918c7afb9c23484cd5aedc471

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

    Filesize

    5KB

    MD5

    9ccea125b01c4943d3ac098d3b71220a

    SHA1

    ef7e42836058814ec775acd3e02212ea091fb280

    SHA256

    16639c66fb6cfa08df255b030d5a2c67017b06a7ff1f3e67fcff52c30357a2fd

    SHA512

    87f7026298855f8540229b56597af339a01ff335129a54bd546a0a6ac7dfb1bbb5d201fbd9ff24f5e0ac6064d6bd43d592401f8a548bddcce6d1c2a7d24cd796

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

    Filesize

    6KB

    MD5

    a7187c85c33331efa584ef5a58887c59

    SHA1

    ec3a4641f135a4efb1141d032946973ee4fdf753

    SHA256

    b26890214a626b0fdd9150eca4057fee2af7a2a9d6b19acfc0960c361281f9f7

    SHA512

    db8b707f1c4efa8411e922fe2cd4f1bd31314a1f3735298b259b321de6fa45c21cb83e20c0559e882a550d7f9927abaeaa143d6eb441e2efa58371b276bdf913

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

    Filesize

    10KB

    MD5

    c728da7faf7f0e582fe0138b9401dbed

    SHA1

    820ec3ffab54ddb6f5db95c6e4fb6c2b6bb185d5

    SHA256

    29c3bbb1f3297e742440823170dfbc8f7b21dfcd0efd23e6adc6cb0605699b2b

    SHA512

    349b653c7845fe2912a5ef7275bbc4eb8bb7db5b26bbed5260f0c517ea8019bafc5af27a105309a35d8764f87cb337479da33b86e781e95dc355b66d324ffe76

  • C:\Users\Admin\AppData\Local\Temp\nso832C.tmp\InstallOptions.dll

    Filesize

    14KB

    MD5

    d753362649aecd60ff434adf171a4e7f

    SHA1

    3b752ad064e06e21822c8958ae22e9a6bb8cf3d0

    SHA256

    8f24c6cf0b06d18f3c07e7bfca4e92afce71834663746cfaa9ddf52a25d5c586

    SHA512

    41bf41add275867553fa3bd8835cd7e2a2a362a2d5670ccbfad23700448bad9fe0f577fb6ee9d4eb81dfc10d463b325b8a873fe5912eb580936d4ad96587aa6d

  • C:\Users\Admin\AppData\Local\Temp\nso832C.tmp\ShellExecAsUser.dll

    Filesize

    7KB

    MD5

    86a81b9ab7de83aa01024593a03d1872

    SHA1

    8fd7c645e6e2cb1f1bcb97b3b5f85ce1660b66be

    SHA256

    27d61cacd2995f498ba971b3b2c53330bc0e9900c9d23e57b2927aadfdee8115

    SHA512

    cc37bd5d74d185077bdf6c4a974fb29922e3177e2c5971c664f46c057aad1236e6f3f856c5d82f1d677c29896f0e3e71283ef04f886db58abae151cb27c827ac

  • C:\Users\Admin\AppData\Local\Temp\nso832C.tmp\System.dll

    Filesize

    10KB

    MD5

    56a321bd011112ec5d8a32b2f6fd3231

    SHA1

    df20e3a35a1636de64df5290ae5e4e7572447f78

    SHA256

    bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

    SHA512

    5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

  • C:\Users\Admin\AppData\Local\Temp\nso832C.tmp\ioSpecial.ini

    Filesize

    696B

    MD5

    20d27ba5b765e107e52a088f0e2c7bc3

    SHA1

    40d982e7c8274abb5633914e797db59c82b7a4b7

    SHA256

    b09dd11ad578e6a8f63a372932f6d2ed23966430553c76e840dea35e6c6d0b71

    SHA512

    229d231c665e102dd9b46ffee53b47fc2d2f2c1d718e5411dc9da0ba226d041a2473ada691519679a799176ca2a347bae9076a6dd8b5598ab182ebc112a63547

  • C:\Users\Admin\AppData\Local\Temp\nso832C.tmp\ioSpecial.ini

    Filesize

    709B

    MD5

    94c69563e51169df2f987d18517a4b59

    SHA1

    dc7e08babd4621bed986dc587718038f3c0346b6

    SHA256

    8348744c8a3724b32547a3862667bb2924490f0b1e3fac0f3985aeed25360ee1

    SHA512

    5c37e7273c9c67c37f8d4ff1b30fcfb4917337c1d2c19236d95e16c441f7d9fd7029cacd5e77327efa286f6a9dd7cf592221ded5adf9dcca5c9d576d1f3e3c8b

  • C:\Users\Admin\AppData\Local\Temp\nso832C.tmp\ioSpecial.ini

    Filesize

    726B

    MD5

    b00f6ee19525044687aeafeadd38779b

    SHA1

    290684783bd4f073552272eb756f34ea68a040c1

    SHA256

    eadd3951d7794eb4274d021035b29c18121bb878867bccabd859502530e0d363

    SHA512

    fc972d14eb25ae8cc0dc6e3e39b6a7065aae123997a98b33ad38cdc0c1a7897b9aa65ec41f37764a1cebe455bc501a44e522d926c407aa6c673d9134cd3f4499

  • C:\Users\Admin\AppData\Local\Temp\nso832C.tmp\nsDialogs.dll

    Filesize

    9KB

    MD5

    f832e4279c8ff9029b94027803e10e1b

    SHA1

    134ff09f9c70999da35e73f57b70522dc817e681

    SHA256

    4cd17f660560934a001fc8e6fdcea50383b78ca129fb236623a9666fcbd13061

    SHA512

    bf92b61aa267e3935f0ea7f47d8d96f09f016e648c2a7e7dcd5ecc47da864e824c592098c1e39526b643bd126c5c99d68a7040411a4cf68857df629f24d4107d