Overview
overview
10Static
static
3Burst Roya...le.exe
windows7-x64
3Burst Roya...le.exe
windows10-2004-x64
10infinst.exe
windows7-x64
4infinst.exe
windows10-2004-x64
4xinput1_3.dll
windows7-x64
1xinput1_3.dll
windows10-2004-x64
1xinput1_3.dll
windows7-x64
3xinput1_3.dll
windows10-2004-x64
3Burst Roya...UP.dll
windows7-x64
4Burst Roya...UP.dll
windows10-2004-x64
4Burst Roya...UP.exe
windows7-x64
4Burst Roya...UP.exe
windows10-2004-x64
4Burst Roya...32.dll
windows7-x64
4Burst Roya...32.dll
windows10-2004-x64
4dxdllreg.exe
windows7-x64
4dxdllreg.exe
windows10-2004-x64
4dxupdate.dll
windows7-x64
3dxupdate.dll
windows10-2004-x64
3Burst Roya...ry.pdf
windows7-x64
3Burst Roya...ry.pdf
windows10-2004-x64
3Burst Roya...ry.pdf
windows7-x64
3Burst Roya...ry.pdf
windows10-2004-x64
3Burst Roya...nd.pdf
windows7-x64
3Burst Roya...nd.pdf
windows10-2004-x64
3Burst Roya...ent.js
windows7-x64
3Burst Roya...ent.js
windows10-2004-x64
3Burst Roya...ent.js
windows7-x64
3Burst Roya...ent.js
windows10-2004-x64
3Burst Roya...ons.js
windows7-x64
3Burst Roya...ons.js
windows10-2004-x64
3Burst Roya...r.html
windows7-x64
3Burst Roya...r.html
windows10-2004-x64
3Analysis
-
max time kernel
117s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-12-2024 00:27
Static task
static1
Behavioral task
behavioral1
Sample
Burst Royale 0.9/BurstRoyale.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
Burst Royale 0.9/BurstRoyale.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
infinst.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
infinst.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
xinput1_3.dll
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral6
Sample
xinput1_3.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
xinput1_3.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
xinput1_3.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Burst Royale 0.9/DirectX/DSETUP.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
Burst Royale 0.9/DirectX/DSETUP.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Burst Royale 0.9/DirectX/DXSETUP.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
Burst Royale 0.9/DirectX/DXSETUP.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Burst Royale 0.9/DirectX/dsetup32.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
Burst Royale 0.9/DirectX/dsetup32.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
dxdllreg.exe
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral16
Sample
dxdllreg.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
dxupdate.dll
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral18
Sample
dxupdate.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
Burst Royale 0.9/Engine/CompareTamplateFile/new summary.pdf
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral20
Sample
Burst Royale 0.9/Engine/CompareTamplateFile/new summary.pdf
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Burst Royale 0.9/Engine/CompareTamplateFile/old summary.pdf
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral22
Sample
Burst Royale 0.9/Engine/CompareTamplateFile/old summary.pdf
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
Burst Royale 0.9/Engine/CompareTamplateFile/summary Legend.pdf
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral24
Sample
Burst Royale 0.9/Engine/CompareTamplateFile/summary Legend.pdf
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
Burst Royale 0.9/Engine/FxCEF/cef_100_percent.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral26
Sample
Burst Royale 0.9/Engine/FxCEF/cef_100_percent.js
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
Burst Royale 0.9/Engine/FxCEF/cef_200_percent.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral28
Sample
Burst Royale 0.9/Engine/FxCEF/cef_200_percent.js
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
Burst Royale 0.9/Engine/FxCEF/cef_extensions.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral30
Sample
Burst Royale 0.9/Engine/FxCEF/cef_extensions.js
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
Burst Royale 0.9/Engine/FxCEF/error/en-US/error.html
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral32
Sample
Burst Royale 0.9/Engine/FxCEF/error/en-US/error.html
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
Burst Royale 0.9/DirectX/dsetup32.dll
-
Size
1.7MB
-
MD5
0f58ccd58a29827b5d406874360e4c08
-
SHA1
ba804292580be6186774e7f92e6dfb104e46bf25
-
SHA256
642d9e7db6d4fc15129f011dce2ea087bf7f7fb015aececf82bf84ff6634a6fb
-
SHA512
3e3d4f2de5dc5addc86765a2f888487ea0c9ee0208fac60187ddaa9a2bfd73cfd7734836d32805fa43222470c8f6cb9a10e2a099aef72c67ad7c789096e57ce4
-
SSDEEP
49152:MjnIXtNeOOOOOOOOOOOOOOOOOiWeXiWeXiWeXiWeXiWeXiWeXiWeXiWeXiWeXiWq:YIjma
Malware Config
Signatures
-
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\Logs\DXError.log rundll32.exe File opened for modification C:\Windows\Logs\DirectX.log rundll32.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process Token: SeBackupPrivilege 2320 vssvc.exe Token: SeRestorePrivilege 2320 vssvc.exe Token: SeAuditPrivilege 2320 vssvc.exe Token: SeRestorePrivilege 2536 DrvInst.exe Token: SeRestorePrivilege 2536 DrvInst.exe Token: SeRestorePrivilege 2536 DrvInst.exe Token: SeRestorePrivilege 2536 DrvInst.exe Token: SeRestorePrivilege 2536 DrvInst.exe Token: SeRestorePrivilege 2536 DrvInst.exe Token: SeRestorePrivilege 2536 DrvInst.exe Token: SeLoadDriverPrivilege 2536 DrvInst.exe Token: SeLoadDriverPrivilege 2536 DrvInst.exe Token: SeLoadDriverPrivilege 2536 DrvInst.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 3000 wrote to memory of 3012 3000 rundll32.exe 31 PID 3000 wrote to memory of 3012 3000 rundll32.exe 31 PID 3000 wrote to memory of 3012 3000 rundll32.exe 31 PID 3000 wrote to memory of 3012 3000 rundll32.exe 31 PID 3000 wrote to memory of 3012 3000 rundll32.exe 31 PID 3000 wrote to memory of 3012 3000 rundll32.exe 31 PID 3000 wrote to memory of 3012 3000 rundll32.exe 31 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\Burst Royale 0.9\DirectX\dsetup32.dll",#11⤵
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\Burst Royale 0.9\DirectX\dsetup32.dll",#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3012
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2320
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003A4" "0000000000000594"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2536
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
238B
MD5b3308870eca57de40bd914b4231ba60e
SHA13ab8ac70da3d4e949a43fe44e121888e52cd78a3
SHA2568a01e3eab1e7eb7734361ec0ca297f800e3b7d1a5ac7c0c7274e408a679879eb
SHA512b041df27231936696c067cabbebb1c99279cced90a71ae9b6131765b2324c7a5886e0992130c4e8bd9c68681ee79b920640fedc59342f124220f1fe723fbb99c
-
Filesize
515B
MD5e467013b25a608f63c81352818e3dad9
SHA1ec0deab22468582024341c561428fd03ee51cb05
SHA25627ec1fff6a73a54ff34b4aab9dfd3bbed0f49bbc6b570e10ae56660c9fbec703
SHA51240fc26cdb033086cc2679ec1866cc992cf9747b91fa33697e685002074a5bd63850d09f69d00ff4b60616975a5ae09f551c5531b94b8f2631f39caa1a9404ced