6087004fc16d11ff78f73284741e3ee39d74ce6a64f7546046a155c6404c7865

Resubmissions

26/10/2022, 00:25

221026-aqw4zsecb8 8

26/10/2022, 00:18

221026-allsfseca9 8

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26/10/2022, 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

17.5MB
MD5

61659f366a57a43102f9b69ac00e3aa1
SHA1

07aa4f66688ff2e5466d61e947eb0bd2a607910b
SHA256

6087004fc16d11ff78f73284741e3ee39d74ce6a64f7546046a155c6404c7865
SHA512

9b668c1fb3571962ef5cf9de6f427946bfccc53e3f14a24a3ae317d7768f998e80507b868f851c9bfc282486a458fe304671cbb8391c320a86bf301b9e9852c9
SSDEEP

393216:Olsw8RwUfNSyBpg0kN+/UGHDHdSP8KBwIcA:Et86UVSweBqUGHDcPV99

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3488	setup.tmp
2952	AsClientGw.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AsClientGw = "C:\\Program Files (x86)\\ASClientGW\\AsClientGw.exe"	setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 29 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_adeb6424513f60a2\input.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	dxdiag.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	dxdiag.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	dxdiag.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	dxdiag.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	dxdiag.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ASClientGW\is-4Q3R7.tmp	setup.tmp
File created	C:\Program Files (x86)\ASClientGW\is-I0HPJ.tmp	setup.tmp
File created	C:\Program Files (x86)\ASClientGW\is-UR3NU.tmp	setup.tmp
File created	C:\Program Files (x86)\ASClientGW\is-LPCNT.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\ASClientGW\unins000.dat	setup.tmp
File opened for modification	C:\Program Files (x86)\ASClientGW\StyxClient-install-2.6.5.exe	setup.tmp
File opened for modification	C:\Program Files (x86)\ASClientGW\ePass 2003.exe	setup.tmp
File opened for modification	C:\Program Files (x86)\ASClientGW\StyxCNG.exe	setup.tmp
File created	C:\Program Files (x86)\ASClientGW\unins000.dat	setup.tmp
File created	C:\Program Files (x86)\ASClientGW\is-KHSIJ.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\ASClientGW\AsClientGw.exe	setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	dxdiag.exe

Modifies registry class 37 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{73A30BEA-32E2-4CE4-93E0-2D4254A85B0A}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{C2C49C4E-213E-4107-98E8-4AD42A541ADA}	dxdiag.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3488	setup.tmp
3488	setup.tmp
4396	mspaint.exe
4396	mspaint.exe
2664	dxdiag.exe
2664	dxdiag.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2664	dxdiag.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3488	setup.tmp

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4396	mspaint.exe
1052	OpenWith.exe
2664	dxdiag.exe
2664	dxdiag.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 3488	976	setup.exe	82
PID 976 wrote to memory of 3488	976	setup.exe	82
PID 976 wrote to memory of 3488	976	setup.exe	82
PID 3488 wrote to memory of 2952	3488	setup.tmp	90
PID 3488 wrote to memory of 2952	3488	setup.tmp	90
PID 3488 wrote to memory of 2952	3488	setup.tmp	90

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:976
- C:\Users\Admin\AppData\Local\Temp\is-64STE.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-64STE.tmp\setup.tmp" /SL5="$701CE,17564147,831488,C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Program Files (x86)\ASClientGW\AsClientGw.exe
    "C:\Program Files (x86)\ASClientGW\AsClientGw.exe"
    3⤵
    - Executes dropped EXE
    PID:2952

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\NewUnblock.jfif" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:4140

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1052

C:\Windows\system32\dxdiag.exe
"C:\Windows\system32\dxdiag.exe"
1⤵
- Registers COM server for autorun
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ASClientGW\AsClientGw.exe

Filesize
438KB

MD5
1ef4e79a7448605ca4ce722b9dd294cd

SHA1
2f6d07f645a28abe75f3c4090fee6dffaeea6158

SHA256
11924a1a550f9245283d92514c92e391bb81bd516c63a0d669fb529eddf2f8e8

SHA512
5d27c642fd75607591b6e19cad5ffb267823e723a4fda1f5d4dd4ba6d1fa6003c66d979a77d5955a4dfb56f988f000c8b5940cfabf2ba1be3d0f7e6059c97ed6

Download Submit
C:\Program Files (x86)\ASClientGW\AsClientGw.exe

Filesize
438KB

MD5
1ef4e79a7448605ca4ce722b9dd294cd

SHA1
2f6d07f645a28abe75f3c4090fee6dffaeea6158

SHA256
11924a1a550f9245283d92514c92e391bb81bd516c63a0d669fb529eddf2f8e8

SHA512
5d27c642fd75607591b6e19cad5ffb267823e723a4fda1f5d4dd4ba6d1fa6003c66d979a77d5955a4dfb56f988f000c8b5940cfabf2ba1be3d0f7e6059c97ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-64STE.tmp\setup.tmp

Filesize
3.0MB

MD5
51a7fbe68243ac1875f31d08e8cca74d

SHA1
d5595fab17d6a09b638e166f3b4945a2f0c9e540

SHA256
4e1a51f79e656bde98b3b8502c8000509c52ec7eac3a1d2f13e10d3a89b227ad

SHA512
4db557b8e08b78252a704bd5b25c179dc69d1c9c815c6443daf398085b8cd15dce8a6bb8cc537ebbd988d9b66b1f92eceebff17ed29a261ad684076977f5fc77

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-64STE.tmp\setup.tmp

Filesize
3.0MB

MD5
51a7fbe68243ac1875f31d08e8cca74d

SHA1
d5595fab17d6a09b638e166f3b4945a2f0c9e540

SHA256
4e1a51f79e656bde98b3b8502c8000509c52ec7eac3a1d2f13e10d3a89b227ad

SHA512
4db557b8e08b78252a704bd5b25c179dc69d1c9c815c6443daf398085b8cd15dce8a6bb8cc537ebbd988d9b66b1f92eceebff17ed29a261ad684076977f5fc77

Download Submit
memory/976-132-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/976-136-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/976-141-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4140-142-0x0000019543D60000-0x0000019543D70000-memory.dmp

Filesize
64KB

Download
memory/4140-143-0x0000019543DA0000-0x0000019543DB0000-memory.dmp

Filesize
64KB

Download