Overview

overview

7

Static

static

3

XMouseButt...1).exe

windows10-2004-x64

7

$PLUGINSDI...md.dll

windows10-2004-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$PLUGINSDI...er.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

BugTrapU-x64.dll

windows10-2004-x64

1

XMouseButt...ol.exe

windows10-2004-x64

1

XMouseButtonHook.dll

windows10-2004-x64

1

uninstaller.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    34s
  • max time network
    35s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-12-2024 16:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XMouseButtonControlSetup.2.20.5 (1).exe

  • Size

    2.9MB

  • MD5

    2e9725bc1d71ad1b8006dfc5a2510f88

  • SHA1

    6e1f7d12881696944bf5e030a7d131b969de0c6c

  • SHA256

    2240bf5fb5d80938b0676c46ef9f84bc1739c32f60c473ff85e530ae0eca2818

  • SHA512

    62bd9cde806f83f911f1068b452084ef2adc01bc0dec2d0f668a781cc0d94e39f6e35618264d8796ca205724725abd40429f463017e6ca5caf7d683429f82d39

  • SSDEEP

    49152:n65SJw48kZN+nCYk7c44+Y0hdwn4Km2A5aT/pVE0hYYajihV2Qso0SWMrboF:tfpeno4oY0QZm2dlNJsrHM4

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 8 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 33 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 25 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XMouseButtonControlSetup.2.20.5 (1).exe
    "C:\Users\Admin\AppData\Local\Temp\XMouseButtonControlSetup.2.20.5 (1).exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    PID:3180
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.highrez.co.uk/scripts/postinstall.asp?package=XMouse&major=2&minor=20&build=5&revision=0&platform=x64
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:936
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe068c46f8,0x7ffe068c4708,0x7ffe068c4718
      2⤵
        PID:5032
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,5462906136541334669,8685782091921606945,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
        2⤵
          PID:964
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,5462906136541334669,8685782091921606945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3340
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,5462906136541334669,8685782091921606945,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
          2⤵
            PID:4880
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5462906136541334669,8685782091921606945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
            2⤵
              PID:3280
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5462906136541334669,8685782091921606945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
              2⤵
                PID:2156
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5462906136541334669,8685782091921606945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
                2⤵
                  PID:4136
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,5462906136541334669,8685782091921606945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3304 /prefetch:8
                  2⤵
                    PID:1528
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,5462906136541334669,8685782091921606945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3304 /prefetch:8
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1540
                • C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe
                  "C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe" /Installed /notportable
                  1⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Modifies system certificate store
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of SetWindowsHookEx
                  PID:2564
                • C:\Windows\System32\CompPkgSrv.exe
                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                  1⤵
                    PID:4084
                  • C:\Windows\System32\CompPkgSrv.exe
                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                    1⤵
                      PID:4580

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\BugTrapU-x64.dll
                      Filesize

                      364KB

                      MD5

                      80d5f32b3fc515402b9e1fe958dedf81

                      SHA1

                      a80ffd7907e0de2ee4e13c592b888fe00551b7e0

                      SHA256

                      0ab8481b44e7d2f0d57b444689aef75b61024487a5cf188c2fc6b8de919b040a

                      SHA512

                      1589246cd480326ca22c2acb1129a3a90edf13b75031343061f0f4ed51580dfb890862162a65957be9026381bb24475fec6ddcb86692c5961a24b18461e5f1f0

                      Download Submit

                    • C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe
                      Filesize

                      1.7MB

                      MD5

                      bb632bc4c4414303c783a0153f6609f7

                      SHA1

                      eb16bf0d8ce0af4d72dff415741fd0d7aac3020e

                      SHA256

                      7cc348f8d2ee10264e136425059205cf2c17493b4f3f6a43af024aecb926d8c8

                      SHA512

                      15b34efe93d53e54c1527705292fbf145d6757f10dd87bc787dc40bf02f0d641468b95c571f7037417f2f626de2afcd68b5d82214e27e9e622ab0475633e9de5

                      Download Submit

                    • C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonHook.dll
                      Filesize

                      1.0MB

                      MD5

                      d62a4279ebba19c9bf0037d4f7cbf0bc

                      SHA1

                      5257d9505cca6b75fe55dfdaf2ea83a7d2d28170

                      SHA256

                      c845e808dc035329a7c95c846413a7afb9976f09872ba3c05dfa5f492156eef0

                      SHA512

                      6895a12cddc41bf516279b1235fca238b0b3b0cef2cc25abe14a9160ed23f5bde3d476f885d674537febc7de7eb58b0824d96153c626e1563a5a8a1887fb5323

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                      Filesize

                      152B

                      MD5

                      34d2c4f40f47672ecdf6f66fea242f4a

                      SHA1

                      4bcad62542aeb44cae38a907d8b5a8604115ada2

                      SHA256

                      b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

                      SHA512

                      50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                      Filesize

                      152B

                      MD5

                      8749e21d9d0a17dac32d5aa2027f7a75

                      SHA1

                      a5d555f8b035c7938a4a864e89218c0402ab7cde

                      SHA256

                      915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

                      SHA512

                      c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                      Filesize

                      168B

                      MD5

                      73a8b53c167e01a4274a43e9539ebdd1

                      SHA1

                      77d4bd20c80e1002cb0f6915f71b07344ba2cdc6

                      SHA256

                      510ca48979b5391c898e0852c201bcc316a365a65c0ebf2587fb970168611226

                      SHA512

                      54d3383a4acc5230ed33e024cadbf7486e461369a59fffe6110049e97b1a1f5ef0d91a37ae4f334f318ba3eb29ce64539cbd1ca1853126ff5b9e363af6066d4e

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                      Filesize

                      1KB

                      MD5

                      36d6c20295101cfe623b92f83106ee0b

                      SHA1

                      9e75a8c49f43712b30798261d8838369d8ffb37d

                      SHA256

                      3eb257a8f132d86af0daf313c058b53879db166d23c24a89f3f7c0ff45b78023

                      SHA512

                      a32d4ec12ca53a8cbedb896fc72acfca2b46f3ae3d9d4f5fa59cae10e396c1294b706979682914422731662a0725aa6384fe11f3ecf7ab1ee046610a127b7dbc

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                      Filesize

                      6KB

                      MD5

                      1dcac97767f696a7cc6acb0e85c9fbe4

                      SHA1

                      a8ab95a419fa5959c05716c399b23ca435cd678d

                      SHA256

                      ca3148844a1ec97f5c043abe7de55afa1e32e8a910eb244ca0807af33fdfb9da

                      SHA512

                      589b73dfa199e5813e186ae3359336316b8d34d2f080a14d6e1856c0e9bc0d46d35101abd55fb2a984b4851a8de21177b6c9fa38e7295d03bf71f60dbb277260

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                      Filesize

                      6KB

                      MD5

                      9d6d915417e5808b2fe8e6e5ef2cc0c6

                      SHA1

                      3161173fcae6ed9a0b3c56c5cb51d74067b8163b

                      SHA256

                      81ea74338070edc5bf18fb48ec5928be40503621011ce60bdebfb32481b29396

                      SHA512

                      470feec45b7c354bb8498812d6cfd16605f00d84a0ef06c34e2a17137fd0dccb810383ff0b72182edbcabd843cc8b9e1a9ca1bbd80c25bb2e6ff75db0b0b3a85

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                      Filesize

                      16B

                      MD5

                      6752a1d65b201c13b62ea44016eb221f

                      SHA1

                      58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                      SHA256

                      0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                      SHA512

                      9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                      Filesize

                      10KB

                      MD5

                      ca369086509c2853da780f66f0595a70

                      SHA1

                      689d80c332664962c2866c2a66f77ef8e757ffda

                      SHA256

                      78732a6736468788e4dd72534551ee4b47e8dd847b1fb647f3caa6a7e742b815

                      SHA512

                      23e588bfeb020846ae8fc9910d17208bb4c7cbcccef78018b6fd2e22e110e82029e40fd19fce4065240e524f2b78603ddcf7362b956a116381bbc77c1f3a4f8f

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\nsrD795.tmp\InstallOptions.dll
                      Filesize

                      14KB

                      MD5

                      d753362649aecd60ff434adf171a4e7f

                      SHA1

                      3b752ad064e06e21822c8958ae22e9a6bb8cf3d0

                      SHA256

                      8f24c6cf0b06d18f3c07e7bfca4e92afce71834663746cfaa9ddf52a25d5c586

                      SHA512

                      41bf41add275867553fa3bd8835cd7e2a2a362a2d5670ccbfad23700448bad9fe0f577fb6ee9d4eb81dfc10d463b325b8a873fe5912eb580936d4ad96587aa6d

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\nsrD795.tmp\ShellExecAsUser.dll
                      Filesize

                      7KB

                      MD5

                      86a81b9ab7de83aa01024593a03d1872

                      SHA1

                      8fd7c645e6e2cb1f1bcb97b3b5f85ce1660b66be

                      SHA256

                      27d61cacd2995f498ba971b3b2c53330bc0e9900c9d23e57b2927aadfdee8115

                      SHA512

                      cc37bd5d74d185077bdf6c4a974fb29922e3177e2c5971c664f46c057aad1236e6f3f856c5d82f1d677c29896f0e3e71283ef04f886db58abae151cb27c827ac

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\nsrD795.tmp\System.dll
                      Filesize

                      10KB

                      MD5

                      56a321bd011112ec5d8a32b2f6fd3231

                      SHA1

                      df20e3a35a1636de64df5290ae5e4e7572447f78

                      SHA256

                      bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

                      SHA512

                      5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\nsrD795.tmp\ioSpecial.ini
                      Filesize

                      696B

                      MD5

                      b78bad04e4ced122d83f776fcf046bc5

                      SHA1

                      8744abe0cfaccd0b0f78853bd7aff918c431d811

                      SHA256

                      24fbda128efc1f8a2f437e720b5d47a2cf17676dfd7c69a4eb7e336a6a331161

                      SHA512

                      f5c1314db6c4563ea19ef8ab03b2179b165309dcf4e3cea821fe4c501ae4d041c641a4ae8ab9a447f30082782355a469e07046b46aa787d5047c5d0aa1646cc9

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\nsrD795.tmp\ioSpecial.ini
                      Filesize

                      710B

                      MD5

                      a0cd1848406d14e9759c0f68942ab43f

                      SHA1

                      51647229d835eea603fbb75bf45d9cef2ec64e5c

                      SHA256

                      f94e7d6447717c337d681c9903c723e7a54ab68eb1beac13f00b595232b80882

                      SHA512

                      4478cd5f9aa4b8d3b5a614bb3072b90c1fa6355d25c668eefc44800f7668beffd8eee4d5b7ca23731139a4a557b99af29b73e4c6c5afc891a6290111ae822594

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\nsrD795.tmp\ioSpecial.ini
                      Filesize

                      765B

                      MD5

                      67968913f093011778a758a73d74e98e

                      SHA1

                      67c9a8c10f1e6f495c4abd5b14b3e893ae8ac257

                      SHA256

                      253268a4c11ecd5ba8a9166dbd230237b3d974a48087edc6654b9bb2e790b64b

                      SHA512

                      89e5dec9ad4489ab6d93fe9efd533165bd3cae975f79e275f9757417df4c6ad9eab5a5d73efbb5b78655185967a7d407eccc8b3c9d5d6bc238a693d39bef1655

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\nsrD795.tmp\nsDialogs.dll
                      Filesize

                      9KB

                      MD5

                      f832e4279c8ff9029b94027803e10e1b

                      SHA1

                      134ff09f9c70999da35e73f57b70522dc817e681

                      SHA256

                      4cd17f660560934a001fc8e6fdcea50383b78ca129fb236623a9666fcbd13061

                      SHA512

                      bf92b61aa267e3935f0ea7f47d8d96f09f016e648c2a7e7dcd5ecc47da864e824c592098c1e39526b643bd126c5c99d68a7040411a4cf68857df629f24d4107d

                      Download Submit