a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030

Analysis

max time kernel
151s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
Size

2.3MB
MD5

5ef0c7bb541963f3d65be996fe46509a
SHA1

eb80a5219de04c56ba6676c143e4eaa9a819d3e8
SHA256

a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030
SHA512

57859f7a1fcf05b1e4fc051c340c7844b33f64bf2508889ebf3e830505b00edbeeb849ecafa1896f67632450d278ec57bef21967242b2716ab4c5c99280e9b49
SSDEEP

49152:m0tu52BFGSq465jEAE7nHNujk5KmmRZR09dCu/tnRKShKg2Ag:m0UYtP6ont5DmROdp1nQ89dg

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1716	dx9.0.exe
4476	dxwsetup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe

Loads dropped DLL 2 IoCs

pid	Process
4476	dxwsetup.exe
4476	dxwsetup.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dx9.0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dx9.0.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DirectX\WebSetup	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SETAE80.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SETAE80.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SETAE81.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SETAE81.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup32.dll	dxwsetup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DirectX.log	dxwsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 1716	3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe	83
PID 3876 wrote to memory of 1716	3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe	83
PID 3876 wrote to memory of 1716	3876	a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe	83
PID 1716 wrote to memory of 4476	1716	dx9.0.exe	84
PID 1716 wrote to memory of 4476	1716	dx9.0.exe	84
PID 1716 wrote to memory of 4476	1716	dx9.0.exe	84

C:\Users\Admin\AppData\Local\Temp\a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe
"C:\Users\Admin\AppData\Local\Temp\a890ba07883c905f6769df4bc6e4303ae6673e932ce870e86a6ae8d730439030.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\dx9.0.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\dx9.0.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:4476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll

Filesize
87KB

MD5
0a23038ea472ffc938366ef4099d6635

SHA1
6499d741776dc4a446c22ea11085842155b34176

SHA256
8f2c455c9271290dcde2f68589cf825f9134beecb7e8b7e2ecbcabeab792280a

SHA512
dcc1c2ea86fd3a7870cd0369fa42f63d493895c546dcdd492ee19079a0d0696d689bbfe7b686d4fa549841896a54e673fc4581b80783d7aa255dfad765b9dc88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll

Filesize
1.7MB

MD5
7672509436485121135c2a0e30b9e9ff

SHA1
f557022a9f42fe1303078093e389f21fb693c959

SHA256
d7ea3cf1b9b639010005e503877026597a743d1068ae6a453ce77cc202796fea

SHA512
e46ff68c4a532017f8ab15b1e46565508f6285b72c7a1cbe964ed5e75320c8e14587d01fee61b3966f43636bfe74cebd21f7665b4a726281e771cf9230e69863

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
487KB

MD5
eaa6b5ee297982a6a396354814006761

SHA1
780bf9a61c080a335e8712c5544fcbf9c7bdcd72

SHA256
d298fd82a39b2385a742ba1992466e081bea0f49e19ece6b2c87c7c262e1fcee

SHA512
ebdc887b6b334b7560f85ab2ebd29dc1f3a2dedac7f70042594f2a9bc128b6fca0a0e7704318ed69b7acf097e962533b3ce07713ef80e8acfe09374c13302999

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
487KB

MD5
eaa6b5ee297982a6a396354814006761

SHA1
780bf9a61c080a335e8712c5544fcbf9c7bdcd72

SHA256
d298fd82a39b2385a742ba1992466e081bea0f49e19ece6b2c87c7c262e1fcee

SHA512
ebdc887b6b334b7560f85ab2ebd29dc1f3a2dedac7f70042594f2a9bc128b6fca0a0e7704318ed69b7acf097e962533b3ce07713ef80e8acfe09374c13302999

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf

Filesize
477B

MD5
ad8982eaa02c7ad4d7cdcbc248caa941

SHA1
4ccd8e038d73a5361d754c7598ed238fc040d16b

SHA256
d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00

SHA512
5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\dx9.0.exe

Filesize
281KB

MD5
fd6057b33e15a553ddc5d9873723ce8f

SHA1
f90efb623b5abea70af63c470daa8674444fb1df

SHA256
111aeddc6a6dbf64b28cb565aa12af9ee3cc0a56ce31e4da0068cf6b474c3288

SHA512
d894630c9a4bdb767e9f16d1b701acbdf011e721768ba0dc7a24e6d82a4d062a7ca253b1b334edba38c06187104351203a92c017838bdd9f13905cde30f7d94d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\dx9.0.exe

Filesize
281KB

MD5
fd6057b33e15a553ddc5d9873723ce8f

SHA1
f90efb623b5abea70af63c470daa8674444fb1df

SHA256
111aeddc6a6dbf64b28cb565aa12af9ee3cc0a56ce31e4da0068cf6b474c3288

SHA512
d894630c9a4bdb767e9f16d1b701acbdf011e721768ba0dc7a24e6d82a4d062a7ca253b1b334edba38c06187104351203a92c017838bdd9f13905cde30f7d94d

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup.dll

Filesize
87KB

MD5
0a23038ea472ffc938366ef4099d6635

SHA1
6499d741776dc4a446c22ea11085842155b34176

SHA256
8f2c455c9271290dcde2f68589cf825f9134beecb7e8b7e2ecbcabeab792280a

SHA512
dcc1c2ea86fd3a7870cd0369fa42f63d493895c546dcdd492ee19079a0d0696d689bbfe7b686d4fa549841896a54e673fc4581b80783d7aa255dfad765b9dc88

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll

Filesize
1.7MB

MD5
7672509436485121135c2a0e30b9e9ff

SHA1
f557022a9f42fe1303078093e389f21fb693c959

SHA256
d7ea3cf1b9b639010005e503877026597a743d1068ae6a453ce77cc202796fea

SHA512
e46ff68c4a532017f8ab15b1e46565508f6285b72c7a1cbe964ed5e75320c8e14587d01fee61b3966f43636bfe74cebd21f7665b4a726281e771cf9230e69863

Download Submit
memory/1716-136-0x0000000000000000-mapping.dmp

Download
memory/3876-139-0x0000000000400000-0x0000000000B7F000-memory.dmp

Filesize
7.5MB

Download
memory/3876-132-0x0000000000400000-0x0000000000B7F000-memory.dmp

Filesize
7.5MB

Download
memory/3876-135-0x0000000000400000-0x0000000000B7F000-memory.dmp

Filesize
7.5MB

Download
memory/3876-134-0x0000000000400000-0x0000000000B7F000-memory.dmp

Filesize
7.5MB

Download
memory/3876-133-0x0000000000400000-0x0000000000B7F000-memory.dmp

Filesize
7.5MB

Download
memory/4476-140-0x0000000000000000-mapping.dmp

Download