Analysis
-
max time kernel
137s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
19-03-2023 02:41
Static task
static1
Behavioral task
behavioral1
Sample
Papers Please De SmoggyBox7636/Papers Please -Survarium100/redist/dx_setup.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Papers Please De SmoggyBox7636/Papers Please -Survarium100/redist/dx_setup.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral3
Sample
Papers Please De SmoggyBox7636/Papers Please -Survarium100/setup.exe
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
Papers Please De SmoggyBox7636/Papers Please -Survarium100/setup.exe
Resource
win10v2004-20230220-en
General
-
Target
Papers Please De SmoggyBox7636/Papers Please -Survarium100/redist/dx_setup.exe
-
Size
281KB
-
MD5
fd6057b33e15a553ddc5d9873723ce8f
-
SHA1
f90efb623b5abea70af63c470daa8674444fb1df
-
SHA256
111aeddc6a6dbf64b28cb565aa12af9ee3cc0a56ce31e4da0068cf6b474c3288
-
SHA512
d894630c9a4bdb767e9f16d1b701acbdf011e721768ba0dc7a24e6d82a4d062a7ca253b1b334edba38c06187104351203a92c017838bdd9f13905cde30f7d94d
-
SSDEEP
6144:pWK8EGMUjp5cGQ3Mek1B3B9h8Ins3i8AEYBSawz1YSc:JGvjp5cj35kDB9hrs3zARBSaJSc
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
dxwsetup.exepid process 988 dxwsetup.exe -
Loads dropped DLL 2 IoCs
Processes:
dxwsetup.exepid process 988 dxwsetup.exe 988 dxwsetup.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
dx_setup.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce dx_setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" dx_setup.exe -
Drops file in System32 directory 7 IoCs
Processes:
dxwsetup.exedescription ioc process File opened for modification C:\Windows\SysWOW64\directx\websetup\SET9976.tmp dxwsetup.exe File created C:\Windows\SysWOW64\directx\websetup\SET9976.tmp dxwsetup.exe File opened for modification C:\Windows\SysWOW64\directx\websetup\dsetup.dll dxwsetup.exe File opened for modification C:\Windows\SysWOW64\directx\websetup\SET9986.tmp dxwsetup.exe File created C:\Windows\SysWOW64\directx\websetup\SET9986.tmp dxwsetup.exe File opened for modification C:\Windows\SysWOW64\directx\websetup\dsetup32.dll dxwsetup.exe File opened for modification C:\Windows\SysWOW64\DirectX\WebSetup dxwsetup.exe -
Drops file in Windows directory 1 IoCs
Processes:
dxwsetup.exedescription ioc process File opened for modification C:\Windows\Logs\DirectX.log dxwsetup.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
dx_setup.exedescription pid process target process PID 1444 wrote to memory of 988 1444 dx_setup.exe dxwsetup.exe PID 1444 wrote to memory of 988 1444 dx_setup.exe dxwsetup.exe PID 1444 wrote to memory of 988 1444 dx_setup.exe dxwsetup.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Papers Please De SmoggyBox7636\Papers Please -Survarium100\redist\dx_setup.exe"C:\Users\Admin\AppData\Local\Temp\Papers Please De SmoggyBox7636\Papers Please -Survarium100\redist\dx_setup.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dllFilesize
87KB
MD50a23038ea472ffc938366ef4099d6635
SHA16499d741776dc4a446c22ea11085842155b34176
SHA2568f2c455c9271290dcde2f68589cf825f9134beecb7e8b7e2ecbcabeab792280a
SHA512dcc1c2ea86fd3a7870cd0369fa42f63d493895c546dcdd492ee19079a0d0696d689bbfe7b686d4fa549841896a54e673fc4581b80783d7aa255dfad765b9dc88
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dllFilesize
1.7MB
MD57672509436485121135c2a0e30b9e9ff
SHA1f557022a9f42fe1303078093e389f21fb693c959
SHA256d7ea3cf1b9b639010005e503877026597a743d1068ae6a453ce77cc202796fea
SHA512e46ff68c4a532017f8ab15b1e46565508f6285b72c7a1cbe964ed5e75320c8e14587d01fee61b3966f43636bfe74cebd21f7665b4a726281e771cf9230e69863
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFilesize
487KB
MD5eaa6b5ee297982a6a396354814006761
SHA1780bf9a61c080a335e8712c5544fcbf9c7bdcd72
SHA256d298fd82a39b2385a742ba1992466e081bea0f49e19ece6b2c87c7c262e1fcee
SHA512ebdc887b6b334b7560f85ab2ebd29dc1f3a2dedac7f70042594f2a9bc128b6fca0a0e7704318ed69b7acf097e962533b3ce07713ef80e8acfe09374c13302999
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeFilesize
487KB
MD5eaa6b5ee297982a6a396354814006761
SHA1780bf9a61c080a335e8712c5544fcbf9c7bdcd72
SHA256d298fd82a39b2385a742ba1992466e081bea0f49e19ece6b2c87c7c262e1fcee
SHA512ebdc887b6b334b7560f85ab2ebd29dc1f3a2dedac7f70042594f2a9bc128b6fca0a0e7704318ed69b7acf097e962533b3ce07713ef80e8acfe09374c13302999
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.infFilesize
477B
MD5ad8982eaa02c7ad4d7cdcbc248caa941
SHA14ccd8e038d73a5361d754c7598ed238fc040d16b
SHA256d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00
SHA5125c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28
-
C:\Windows\SysWOW64\directx\websetup\dsetup.dllFilesize
87KB
MD50a23038ea472ffc938366ef4099d6635
SHA16499d741776dc4a446c22ea11085842155b34176
SHA2568f2c455c9271290dcde2f68589cf825f9134beecb7e8b7e2ecbcabeab792280a
SHA512dcc1c2ea86fd3a7870cd0369fa42f63d493895c546dcdd492ee19079a0d0696d689bbfe7b686d4fa549841896a54e673fc4581b80783d7aa255dfad765b9dc88
-
C:\Windows\SysWOW64\directx\websetup\dsetup.dllFilesize
87KB
MD50a23038ea472ffc938366ef4099d6635
SHA16499d741776dc4a446c22ea11085842155b34176
SHA2568f2c455c9271290dcde2f68589cf825f9134beecb7e8b7e2ecbcabeab792280a
SHA512dcc1c2ea86fd3a7870cd0369fa42f63d493895c546dcdd492ee19079a0d0696d689bbfe7b686d4fa549841896a54e673fc4581b80783d7aa255dfad765b9dc88
-
C:\Windows\SysWOW64\directx\websetup\dsetup32.dllFilesize
1.7MB
MD57672509436485121135c2a0e30b9e9ff
SHA1f557022a9f42fe1303078093e389f21fb693c959
SHA256d7ea3cf1b9b639010005e503877026597a743d1068ae6a453ce77cc202796fea
SHA512e46ff68c4a532017f8ab15b1e46565508f6285b72c7a1cbe964ed5e75320c8e14587d01fee61b3966f43636bfe74cebd21f7665b4a726281e771cf9230e69863
-
C:\Windows\SysWOW64\directx\websetup\dsetup32.dllFilesize
1.7MB
MD57672509436485121135c2a0e30b9e9ff
SHA1f557022a9f42fe1303078093e389f21fb693c959
SHA256d7ea3cf1b9b639010005e503877026597a743d1068ae6a453ce77cc202796fea
SHA512e46ff68c4a532017f8ab15b1e46565508f6285b72c7a1cbe964ed5e75320c8e14587d01fee61b3966f43636bfe74cebd21f7665b4a726281e771cf9230e69863