413f106555a4bc9147878a7bec9bd32983da07a8c4d8cd898055f7d83c94137d

General

Target

dosbox.zip
Size

16.5MB
MD5

6ec5969d9c1d679a4e016d1f4c12025d
SHA1

dd288b32a3ea5c2c03dc0f7c55a69e1da0242004
SHA256

413f106555a4bc9147878a7bec9bd32983da07a8c4d8cd898055f7d83c94137d
SHA512

26271b6007746bc46f09c02b57238b20f4c2da6f0a1b78e5910802a034b587e8daa14a4aa8fe88d9c00a1260945155052005d030e9a6232d68345dfe3d421411
SSDEEP

393216:98I8UrsYKPsx9UDBxLmYoPQwHw+JEAkBS5J+/8FAX4DN+dVfNG3FZ:GtG94IhHzJcBS7+EqIDN+5o

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	DOSBox.exe
File opened (read-only)	\??\Q:	DOSBox.exe
File opened (read-only)	\??\V:	DOSBox.exe
File opened (read-only)	\??\A:	DOSBox.exe
File opened (read-only)	\??\B:	DOSBox.exe
File opened (read-only)	\??\I:	DOSBox.exe
File opened (read-only)	\??\N:	DOSBox.exe
File opened (read-only)	\??\O:	DOSBox.exe
File opened (read-only)	\??\P:	DOSBox.exe
File opened (read-only)	\??\S:	DOSBox.exe
File opened (read-only)	\??\T:	DOSBox.exe
File opened (read-only)	\??\G:	DOSBox.exe
File opened (read-only)	\??\R:	DOSBox.exe
File opened (read-only)	\??\U:	DOSBox.exe
File opened (read-only)	\??\W:	DOSBox.exe
File opened (read-only)	\??\X:	DOSBox.exe
File opened (read-only)	\??\E:	DOSBox.exe
File opened (read-only)	\??\J:	DOSBox.exe
File opened (read-only)	\??\K:	DOSBox.exe
File opened (read-only)	\??\L:	DOSBox.exe
File opened (read-only)	\??\Y:	DOSBox.exe
File opened (read-only)	\??\Z:	DOSBox.exe
File opened (read-only)	\??\H:	DOSBox.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOSBox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOSBox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CHOICE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOSBox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4392	DOSBox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	5304	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5304	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4392	DOSBox.exe
4392	DOSBox.exe
4392	DOSBox.exe
4392	DOSBox.exe
4392	DOSBox.exe
4392	DOSBox.exe
4392	DOSBox.exe
4392	DOSBox.exe
4392	DOSBox.exe
3704	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2960	1204	cmd.exe	95
PID 1204 wrote to memory of 2960	1204	cmd.exe	95
PID 1204 wrote to memory of 2960	1204	cmd.exe	95
PID 3548 wrote to memory of 4864	3548	cmd.exe	98
PID 3548 wrote to memory of 4864	3548	cmd.exe	98
PID 3548 wrote to memory of 4864	3548	cmd.exe	98

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\dosbox.zip
1⤵
PID:3364

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\dosbox\dosbox\Reset Options.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\Desktop\dosbox\dosbox\DOSBox.exe
  DOSBox.exe -resetconf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\dosbox\dosbox\Reset KeyMapper.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Users\Admin\Desktop\dosbox\dosbox\DOSBox.exe
  DOSBox.exe -resetmapper
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4864

C:\Users\Admin\Desktop\dosbox\dosbox\CHOICE.EXE
"C:\Users\Admin\Desktop\dosbox\dosbox\CHOICE.EXE"
1⤵
- System Location Discovery: System Language Discovery
PID:2600

C:\Users\Admin\Desktop\dosbox\dosbox\DOSBox.exe
"C:\Users\Admin\Desktop\dosbox\dosbox\DOSBox.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4392

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5304

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3704

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
a9a288bff6bdbb5c7171c79ccc6fccfd

SHA1
fc9bbb7f4b4ba4920663039b7007aa0c260c0538

SHA256
b33c8d83d4c00cbbf4a8d632cbd2d08a97bf3e757e0ac895ce8724f8183680d6

SHA512
2ca23a5512e42feb0378701a23c6ba8f021f286983f8205a713a21a806ec3aef1c0dfa6ed6f64772a49042349bbde272516cb27d716245a9ebc4b3e1a5178715

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
4c59260dac603cc79d2cb37acd26e0e0

SHA1
394adcf63994f791c79ace544e819c9c2b93fc30

SHA256
010ad0c0af2253e443ed3e194c91d0f40372b0897a59c3ea033774d0e6b79ddb

SHA512
3a115df73930be138b0a13b99b21024f729c3c4b08ef00f4b69edadd598c62d193b0ad88e7dbb20c662a8085bc5f791a7258ca23a309d4040bb0a7a55d5d1764

Download Submit
memory/2960-2-0x0000000067C00000-0x0000000067C0A000-memory.dmp

Filesize
40KB

Download
memory/2960-1-0x0000000068100000-0x0000000068161000-memory.dmp

Filesize
388KB

Download
memory/2960-0-0x0000000000400000-0x0000000002468000-memory.dmp

Filesize
32.4MB

Download
memory/4392-21-0x0000000068100000-0x0000000068161000-memory.dmp

Filesize
388KB

Download
memory/4392-27-0x0000000068100000-0x0000000068161000-memory.dmp

Filesize
388KB

Download
memory/4392-9-0x0000000068100000-0x0000000068161000-memory.dmp

Filesize
388KB

Download
memory/4392-8-0x0000000000400000-0x0000000002468000-memory.dmp

Filesize
32.4MB

Download
memory/4392-11-0x0000000000400000-0x0000000002468000-memory.dmp

Filesize
32.4MB

Download
memory/4392-15-0x0000000068100000-0x0000000068161000-memory.dmp

Filesize
388KB

Download
memory/4392-14-0x0000000000400000-0x0000000002468000-memory.dmp

Filesize
32.4MB

Download
memory/4392-18-0x0000000068100000-0x0000000068161000-memory.dmp

Filesize
388KB

Download
memory/4392-17-0x0000000000400000-0x0000000002468000-memory.dmp

Filesize
32.4MB

Download
memory/4392-38-0x0000000000400000-0x0000000002468000-memory.dmp

Filesize
32.4MB

Download
memory/4392-20-0x0000000000400000-0x0000000002468000-memory.dmp

Filesize
32.4MB

Download
memory/4392-24-0x0000000068100000-0x0000000068161000-memory.dmp

Filesize
388KB

Download
memory/4392-23-0x0000000000400000-0x0000000002468000-memory.dmp

Filesize
32.4MB

Download
memory/4392-10-0x0000000067C00000-0x0000000067C0A000-memory.dmp

Filesize
40KB

Download
memory/4392-26-0x0000000000400000-0x0000000002468000-memory.dmp

Filesize
32.4MB

Download
memory/4392-29-0x0000000000400000-0x0000000002468000-memory.dmp

Filesize
32.4MB

Download
memory/4392-33-0x0000000068100000-0x0000000068161000-memory.dmp

Filesize
388KB

Download
memory/4392-32-0x0000000000400000-0x0000000002468000-memory.dmp

Filesize
32.4MB

Download
memory/4392-36-0x0000000068100000-0x0000000068161000-memory.dmp

Filesize
388KB

Download
memory/4392-35-0x0000000000400000-0x0000000002468000-memory.dmp

Filesize
32.4MB

Download
memory/4392-39-0x0000000068100000-0x0000000068161000-memory.dmp

Filesize
388KB

Download
memory/4392-40-0x0000000067C00000-0x0000000067C0A000-memory.dmp

Filesize
40KB

Download
memory/4864-3-0x0000000000400000-0x0000000002468000-memory.dmp

Filesize
32.4MB

Download
memory/4864-4-0x0000000068100000-0x0000000068161000-memory.dmp

Filesize
388KB

Download
memory/4864-5-0x0000000067C00000-0x0000000067C0A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing