886bd0919e0a4896ed7914200ac9f1fbbf88ea69217c70c2586dadc181bccae0

Analysis

max time kernel
17s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20/11/2024, 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Virtual Controller v1072 Setup.exe
Size

4.5MB
MD5

cf3fe170991d616c77a873e18563174f
SHA1

86e34de7fd7fc436c9a01b4e7f5322a370fb6853
SHA256

886bd0919e0a4896ed7914200ac9f1fbbf88ea69217c70c2586dadc181bccae0
SHA512

2cc62d427d239fbc3108dba48e9110f57fed4fe758b469b45ab24f38e19fb0a8172b380c63d08de6afe81292647857562c73f01d54f3ec6deb32cf7dc46b974e
SSDEEP

98304:Z9JGs4heeLD+tq/rPDuBFhszHbIhYHbis2uLUg03p6H6tCOOJwG1X:/J6f+tWPDuBOHbIhCbis3Y3pzUOWwGB

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1172	Virtual Controller v1072 Setup.tmp
3452	_setup64.tmp
3352	VirtualController.exe

Loads dropped DLL 2 IoCs

pid	Process
3352	VirtualController.exe
3352	VirtualController.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Virtual Controller\ScpVBus\WdfCoinstaller01009.dll	Virtual Controller v1072 Setup.tmp
File opened for modification	C:\Program Files\Virtual Controller\vGenInterface.dll	Virtual Controller v1072 Setup.tmp
File created	C:\Program Files\Virtual Controller\is-EN9L9.tmp	Virtual Controller v1072 Setup.tmp
File created	C:\Program Files\Virtual Controller\is-BO0E2.tmp	Virtual Controller v1072 Setup.tmp
File created	C:\Program Files\Virtual Controller\is-M5F1A.tmp	Virtual Controller v1072 Setup.tmp
File created	C:\Program Files\Virtual Controller\is-JJ7U7.tmp	Virtual Controller v1072 Setup.tmp
File opened for modification	C:\Program Files\Virtual Controller\SharpDX.XInput.dll	Virtual Controller v1072 Setup.tmp
File opened for modification	C:\Program Files\Virtual Controller\WindowsHookLib.dll	Virtual Controller v1072 Setup.tmp
File opened for modification	C:\Program Files\Virtual Controller\SharpDX.dll	Virtual Controller v1072 Setup.tmp
File created	C:\Program Files\Virtual Controller\unins000.dat	Virtual Controller v1072 Setup.tmp
File created	C:\Program Files\Virtual Controller\is-2IN7I.tmp	Virtual Controller v1072 Setup.tmp
File created	C:\Program Files\Virtual Controller\is-TEOKA.tmp	Virtual Controller v1072 Setup.tmp
File opened for modification	C:\Program Files\Virtual Controller\unins000.dat	Virtual Controller v1072 Setup.tmp
File opened for modification	C:\Program Files\Virtual Controller\LockHook.dll	Virtual Controller v1072 Setup.tmp
File opened for modification	C:\Program Files\Virtual Controller\VirtualController.System.dll	Virtual Controller v1072 Setup.tmp
File opened for modification	C:\Program Files\Virtual Controller\vJoyInterface.dll	Virtual Controller v1072 Setup.tmp
File created	C:\Program Files\Virtual Controller\is-8JEUP.tmp	Virtual Controller v1072 Setup.tmp
File created	C:\Program Files\Virtual Controller\is-CMU64.tmp	Virtual Controller v1072 Setup.tmp
File created	C:\Program Files\Virtual Controller\ScpVBus\is-SEMJI.tmp	Virtual Controller v1072 Setup.tmp
File created	C:\Program Files\Virtual Controller\ScpVBus\is-P7KJO.tmp	Virtual Controller v1072 Setup.tmp
File created	C:\Program Files\Virtual Controller\is-P0CCC.tmp	Virtual Controller v1072 Setup.tmp
File created	C:\Program Files\Virtual Controller\is-Q7KV5.tmp	Virtual Controller v1072 Setup.tmp
File opened for modification	C:\Program Files\Virtual Controller\VirtualController.UI.dll	Virtual Controller v1072 Setup.tmp
File created	C:\Program Files\Virtual Controller\ScpVBus\is-6DH0V.tmp	Virtual Controller v1072 Setup.tmp
File created	C:\Program Files\Virtual Controller\ScpVBus\is-BET50.tmp	Virtual Controller v1072 Setup.tmp
File opened for modification	C:\Program Files\Virtual Controller\ScpVBus\devcon.exe	Virtual Controller v1072 Setup.tmp
File opened for modification	C:\Program Files\Virtual Controller\SendInput.dll	Virtual Controller v1072 Setup.tmp
File opened for modification	C:\Program Files\Virtual Controller\SharpDX.DirectInput.dll	Virtual Controller v1072 Setup.tmp
File created	C:\Program Files\Virtual Controller\ScpVBus\is-GPFLN.tmp	Virtual Controller v1072 Setup.tmp
File created	C:\Program Files\Virtual Controller\is-PGVB5.tmp	Virtual Controller v1072 Setup.tmp
File created	C:\Program Files\Virtual Controller\is-TCLFV.tmp	Virtual Controller v1072 Setup.tmp
File created	C:\Program Files\Virtual Controller\is-TMJH9.tmp	Virtual Controller v1072 Setup.tmp
File created	C:\Program Files\Virtual Controller\is-6A276.tmp	Virtual Controller v1072 Setup.tmp
File opened for modification	C:\Program Files\Virtual Controller\VirtualController.exe	Virtual Controller v1072 Setup.tmp
File opened for modification	C:\Program Files\Virtual Controller\RawInput.dll	Virtual Controller v1072 Setup.tmp
File created	C:\Program Files\Virtual Controller\is-UJNBR.tmp	Virtual Controller v1072 Setup.tmp
File created	C:\Program Files\Virtual Controller\is-1O1LJ.tmp	Virtual Controller v1072 Setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Virtual Controller v1072 Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Virtual Controller v1072 Setup.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1172	Virtual Controller v1072 Setup.tmp
1172	Virtual Controller v1072 Setup.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1172	Virtual Controller v1072 Setup.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3352	VirtualController.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 1172	3160	Virtual Controller v1072 Setup.exe	77
PID 3160 wrote to memory of 1172	3160	Virtual Controller v1072 Setup.exe	77
PID 3160 wrote to memory of 1172	3160	Virtual Controller v1072 Setup.exe	77
PID 1172 wrote to memory of 3452	1172	Virtual Controller v1072 Setup.tmp	78
PID 1172 wrote to memory of 3452	1172	Virtual Controller v1072 Setup.tmp	78
PID 1172 wrote to memory of 3352	1172	Virtual Controller v1072 Setup.tmp	80
PID 1172 wrote to memory of 3352	1172	Virtual Controller v1072 Setup.tmp	80

C:\Users\Admin\AppData\Local\Temp\Virtual Controller v1072 Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Virtual Controller v1072 Setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Users\Admin\AppData\Local\Temp\is-LV4MV.tmp\Virtual Controller v1072 Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-LV4MV.tmp\Virtual Controller v1072 Setup.tmp" /SL5="$6028A,4493546,58368,C:\Users\Admin\AppData\Local\Temp\Virtual Controller v1072 Setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Users\Admin\AppData\Local\Temp\is-06L9I.tmp\_isetup\_setup64.tmp
    helper 105 0x360
    3⤵
    - Executes dropped EXE
    PID:3452
- - C:\Program Files\Virtual Controller\VirtualController.exe
    "C:\Program Files\Virtual Controller\VirtualController.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Virtual Controller\RawInput.dll

Filesize
36KB

MD5
0c2c17339d7c3c0fc1788818dfd3ec91

SHA1
c2d4bf72e38e6970c19f8019e2c7d17c6b2713a1

SHA256
1516b2a6995b061f94ba18b8c335ab73a36464389c506a3bf9335e2daa05c5f2

SHA512
86355d93193fc27e91d727ff3ed57b404777a5d0b2185fbc4e5136622e41ab860ecee6f652f6d1a82b83b26a2166a026289d38aa0b19f83a8b93906129f97d9d

Download Submit
C:\Program Files\Virtual Controller\SharpDX.DirectInput.dll

Filesize
153KB

MD5
19db953ca3100eefcd9f86fcbbfd0db9

SHA1
e208c20c8f806696a713b096d405c02392b97780

SHA256
10ae5b76648dfe3f13283e290b8e9654248f49287b5ab9861f06b24407bd87e3

SHA512
ddf3daffc0da8b070cd015111c32c6b47bb02761df6ea9a65eb7e3aa05b7d4b16dff0c87d53e34e5da7be65cd29daf10e9c5beed7cc766205ca7049397555d58

Download Submit
C:\Program Files\Virtual Controller\SharpDX.XInput.dll

Filesize
13KB

MD5
3a9e2e049233f5f5b76ed76cfaeff0fe

SHA1
9f811a73c8538a38919471d671f19378bb991bc8

SHA256
bdf173ca59ec25149fe0f4b6ced7b880f5d6e06e61121ac93d64f8b43c6e811c

SHA512
a49051f03edb8005bc56003ca8a0390a9be6d45f963964187b646062545a38e0347575dd787ac7846d15e48213917dd45d390d9541eaf83b6e388eb00cc038c1

Download Submit
C:\Program Files\Virtual Controller\SharpDX.dll

Filesize
272KB

MD5
03cd03b818664e01c64f029298bbca71

SHA1
ba364f3751085624c048fbd3723ffb4739b80588

SHA256
12df7ddd1e8b5f159c2c21ecdb7ae639d9b6503b854d84fe2f1c87c9dc0a4e52

SHA512
0cb00f81c3f9987cab14dfbd86a8975d855d44ecb6fd0f7ca4442b962e3cf5d312bdd7ae7ce9b5f5cc41fd8a5b83acf0a27598b6b78d71ba8ee711ba8cdd2d4f

Download Submit
C:\Program Files\Virtual Controller\VirtualController.System.dll

Filesize
246KB

MD5
f869f9ff427a90ee09799437ba928262

SHA1
efdb1e2c611e1d0b111ad4905e1e4f0b2a15d91b

SHA256
e76bf65cb8f390c12d66726a580ee26720d94b675c88e3bc758e8601524224d0

SHA512
6a0b257bbf166a3a279203887d1c9f1ba7ea8262b5f5ef2eebc7994ab088c8dbd04b397b1bae98a763596f2dc120f300dce5245548716f2e10c2828c8a290a6d

Download Submit
C:\Program Files\Virtual Controller\VirtualController.UI.dll

Filesize
947KB

MD5
ead0b968768a28a1d3e32531871433d2

SHA1
9a9d4d1058f179eb567a25c5710864eaed7e813e

SHA256
7ffe2a39fedd878e1e167da9ef011ae755a06144274c31b9634298b79b00197a

SHA512
cf1e5d9b252374dca8515303ef3809bfe397922d1685a588c848c7563fa43931c0efc0ad309ae86b70f6aad3ff0453ddd38f10e6bc00e034dd35338f42aff47d

Download Submit
C:\Program Files\Virtual Controller\VirtualController.exe

Filesize
290KB

MD5
4cda0c6af8f79b0582dfbce2b03148ac

SHA1
f84843df6c2229d981642469a6c753e3438d2504

SHA256
6e7add3b9d947d3593979d47651b5c7c6292420b52dd123b2dd767d2c2990a88

SHA512
02767620247721669881266d390c7ad9aa37cbd8cdaeafef854b927640750f261c879c81b2141d4ea5d97943077e6ce34ccefc84e63c9d63383bff9279c2c66a

Download Submit
C:\Program Files\Virtual Controller\WindowsHookLib.dll

Filesize
33KB

MD5
ac9127781eae8bc255a14d927195b866

SHA1
430da7ccdffa8c280f8b101f175c91e847f79194

SHA256
67cff13ac5fc8dc59cef156a34d2685d9e66f319dec6671b3029e8614275d88c

SHA512
ef9f8f7f0897f93bb30ebc7b81386d253635a809211b03c08940f2f7fdae910a33df36687d49d50288db9e39679c83f56795949feadfc16b544102832e900e20

Download Submit
C:\Program Files\Virtual Controller\vGenInterface.dll

Filesize
376KB

MD5
daba16b3eba5ecc4dea5c6321bbb8c5f

SHA1
11c51b70b2644a72b6449165b7364af828af9236

SHA256
e870455286ed0f065706102bff5bed15fb524b221566276d8a457e66f05eaf08

SHA512
f01fa3cfcf4ffbf970bc7d558a0796e88fe8e643a856d02b69999f56417b9ca6e87ee7041d3c9208542afb333dc6d60c636f483d677ae3902294876a4efa3ed5

Download Submit
C:\Program Files\Virtual Controller\vJoyInterface.dll

Filesize
175KB

MD5
7cd5efe9aaaaa1646d555472daa0d4f5

SHA1
4c1c3ee6b3f63792ca6d5f8ddc9f4aedf0b575a7

SHA256
4e28fdbb8e92087bd9bdb8943330d3118cc91c6ac77e7b100bd352dada077b71

SHA512
f244f3d21e7b76fa1c4d128b03a4881805c36e84d0b8fd6f38eb023182f87ea19f5ad59f1273cbc1886a291d36112b2fcac0038a95a6039ce6ca93d644ef4acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-06L9I.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LV4MV.tmp\Virtual Controller v1072 Setup.tmp

Filesize
702KB

MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
memory/1172-81-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1172-6-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3160-2-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/3160-84-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3160-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3352-75-0x000000001DF90000-0x000000001DFBC000-memory.dmp

Filesize
176KB

Download
memory/3352-65-0x000000001B560000-0x000000001B654000-memory.dmp

Filesize
976KB

Download
memory/3352-73-0x000000001DF50000-0x000000001DF5E000-memory.dmp

Filesize
56KB

Download
memory/3352-77-0x000000001E010000-0x000000001E05A000-memory.dmp

Filesize
296KB

Download
memory/3352-79-0x000000001DF40000-0x000000001DF4A000-memory.dmp

Filesize
40KB

Download
memory/3352-62-0x00007FFDD1B53000-0x00007FFDD1B55000-memory.dmp

Filesize
8KB

Download
memory/3352-67-0x000000001B860000-0x000000001B8A4000-memory.dmp

Filesize
272KB

Download
memory/3352-63-0x00000000008A0000-0x00000000008EE000-memory.dmp

Filesize
312KB

Download
memory/3352-70-0x000000001DF30000-0x000000001DF40000-memory.dmp

Filesize
64KB

Download
memory/3352-87-0x00007FFDD1B53000-0x00007FFDD1B55000-memory.dmp

Filesize
8KB

Download