Overview: score 10
Static: score 10
Smartphone...MT.rar (windows7-x64): score 3
Smartphone...MT.rar (windows10-2004-x64): score 3
Smartphone...OM.url (windows7-x64): score 1
Smartphone...OM.url (windows10-2004-x64): score 1
Smartphone...OM.url (windows7-x64): score 1
Smartphone...OM.url (windows10-2004-x64): score 1
Smartphone...ME.txt (windows7-x64): score 1
Smartphone...ME.txt (windows10-2004-x64): score 1
Smartphone...44.exe (windows7-x64): score 7
Smartphone...44.exe (windows10-2004-x64): score 7
Smartphone...64.exe (windows7-x64): score 7
Smartphone...64.exe (windows10-2004-x64): score 7
Smartphone...64.exe (windows7-x64): score 7
Smartphone...64.exe (windows10-2004-x64): score 7
Smartphone...42.exe (windows7-x64): score 7
Smartphone...42.exe (windows10-2004-x64): score 7
Smartphone...43.exe (windows7-x64): score 7
Smartphone...43.exe (windows10-2004-x64): score 7
Smartphone...86.exe (windows7-x64): score 7
Smartphone...86.exe (windows10-2004-x64): score 7
Smartphone...62.exe (windows7-x64): score 7
Smartphone...62.exe (windows10-2004-x64): score 7
Smartphone...63.exe (windows7-x64): score 7
Smartphone...63.exe (windows10-2004-x64): score 7
Smartphone...on.exe (windows7-x64): score 7
Smartphone...on.exe (windows10-2004-x64): score 7
Smartphone...47.dll (windows7-x64): score 3
Smartphone...47.dll (windows10-2004-x64): score 3
Smartphone...up.exe (windows7-x64): score 7
Smartphone...up.exe (windows10-2004-x64): score 7
Smartphone...eg.dll (windows7-x64): score 1
Smartphone...eg.dll (windows10-2004-x64): score 1
Analysis
- max time kernel: 127s
- max time network: 36s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 30-03-2023 03:06
Behavioral tasks (task: sample, resource)
- behavioral1: Smartphone.Tycoon MT.rar, win7-20230220-en
- behavioral2: Smartphone.Tycoon MT.rar, win10v2004-20230220-en
- behavioral3: Smartphone.Tycoon MT/IGG-GAMES.COM.url, win7-20230220-en
- behavioral4: Smartphone.Tycoon MT/IGG-GAMES.COM.url, win10v2004-20230220-en
- behavioral5: Smartphone.Tycoon MT/PCGAMESTORRENTS.COM.url, win7-20230220-en
- behavioral6: Smartphone.Tycoon MT/PCGAMESTORRENTS.COM.url, win10v2004-20230220-en
- behavioral7: Smartphone.Tycoon MT/README.txt, win7-20230220-en
- behavioral8: Smartphone.Tycoon MT/README.txt, win10v2004-20230220-en
- behavioral9: Smartphone.Tycoon MT/Redist/vc_redist.x644.exe, win7-20230220-en
- behavioral10: Smartphone.Tycoon MT/Redist/vc_redist.x644.exe, win10v2004-20230220-en
- behavioral11: Smartphone.Tycoon MT/Redist/vc_redist.x864.exe, win7-20230220-en
- behavioral12: Smartphone.Tycoon MT/Redist/vc_redist.x864.exe, win10v2004-20230220-en
- behavioral13: Smartphone.Tycoon MT/Redist/vcredist_x64.exe, win7-20230220-en
- behavioral14: Smartphone.Tycoon MT/Redist/vcredist_x64.exe, win10v2004-20230221-en
- behavioral15: Smartphone.Tycoon MT/Redist/vcredist_x642.exe, win7-20230220-en
- behavioral16: Smartphone.Tycoon MT/Redist/vcredist_x642.exe, win10v2004-20230220-en
- behavioral17: Smartphone.Tycoon MT/Redist/vcredist_x643.exe, win7-20230220-en
- behavioral18: Smartphone.Tycoon MT/Redist/vcredist_x643.exe, win10v2004-20230220-en
- behavioral19: Smartphone.Tycoon MT/Redist/vcredist_x86.exe, win7-20230220-en
- behavioral20: Smartphone.Tycoon MT/Redist/vcredist_x86.exe, win10v2004-20230220-en
- behavioral21: Smartphone.Tycoon MT/Redist/vcredist_x862.exe, win7-20230220-en
- behavioral22: Smartphone.Tycoon MT/Redist/vcredist_x862.exe, win10v2004-20230220-en
- behavioral23: Smartphone.Tycoon MT/Redist/vcredist_x863.exe, win7-20230220-en
- behavioral24: Smartphone.Tycoon MT/Redist/vcredist_x863.exe, win10v2004-20230220-en
- behavioral25: Smartphone.Tycoon MT/Smartphone Tycoon.exe, win7-20230220-en
- behavioral26: Smartphone.Tycoon MT/Smartphone Tycoon.exe, win10v2004-20230220-en
- behavioral27: Smartphone.Tycoon MT/d3dcompiler_47.dll, win7-20230220-en
- behavioral28: Smartphone.Tycoon MT/d3dcompiler_47.dll, win10v2004-20230220-en
- behavioral29: Smartphone.Tycoon MT/dxwebsetup.exe, win7-20230220-en
- behavioral30: Smartphone.Tycoon MT/dxwebsetup.exe, win10v2004-20230220-en
- behavioral31: Smartphone.Tycoon MT/ffmpeg.dll, win7-20230220-en
- behavioral32: Smartphone.Tycoon MT/ffmpeg.dll, win10v2004-20230220-en
General
- Target: Smartphone.Tycoon MT/dxwebsetup.exe
- Size: 292KB
- MD5: 880a353dc9ab4202f2cfbec1cb37181d
- SHA1: 0bafee10ed68194fb332d3b46f7d92c8ad962843
- SHA256: 6b5c9cec68c7f3c0ba98b8d0b335f1be8ea4cd37fb02b4c81ecc1a95ef6d9578
- SHA512: 795db9946ac4bac6af4afcbd2e87671b45c488ea32d61daa821012f0213bde76af1d7ae395b9adfdc0fed5fd80367e232a6bc1d834e7dc9028b885fa908149d8
- SSDEEP: 6144:OWK8faaQMbjFtVNtHb7RGb/Mp7mgypysDVpU2drVxP:LaaQMXDFFfp7S5DbU2RP
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: pid 1928, dxwsetup.exe
- Loads dropped DLL (5 IoCs)
  Processes: pid 1992, dxwebsetup.exe (1 occurrence); pid 1928, dxwsetup.exe (4 occurrences)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created by dxwebsetup.exe: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Value set (str) by dxwebsetup.exe: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- Drops file in System32 directory (7 IoCs), all by dxwsetup.exe
  File opened for modification: C:\Windows\SysWOW64\directx\websetup\dsetup.dll
  File opened for modification: C:\Windows\SysWOW64\directx\websetup\SET629C.tmp
  File created: C:\Windows\SysWOW64\directx\websetup\SET629C.tmp
  File opened for modification: C:\Windows\SysWOW64\directx\websetup\dsetup32.dll
  File opened for modification: C:\Windows\SysWOW64\DirectX\WebSetup
  File opened for modification: C:\Windows\SysWOW64\directx\websetup\SET628B.tmp
  File created: C:\Windows\SysWOW64\directx\websetup\SET628B.tmp
- Drops file in Windows directory (2 IoCs), both by dxwsetup.exe
  File opened for modification: C:\Windows\Logs\DirectX.log
  File opened for modification: C:\Windows\INF\setupapi.app.log
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: pid 1928, dxwsetup.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Token: SeRestorePrivilege, pid 1928, dxwsetup.exe (7 occurrences)
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1992 (dxwebsetup.exe) wrote to memory of PID 1928 (dxwsetup.exe), 7 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\Smartphone.Tycoon MT\dxwebsetup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Smartphone.Tycoon MT\dxwebsetup.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll
  Filesize: 91KB
  MD5: 8dc08c0effffc3d08e8718260843d10c
  SHA1: 4b4fe49c563c01c8df1c8b0ecfd0008460a44cfe
  SHA256: 9ad6f392a736ba7e137ac7a49bc454e1457c91372ffec8effd4e779716a1f07d
  SHA512: 4698f40795e82ee01e2ef6ee2f168714b61cb4c702f2b8f9a66d804d0f37d2f6a6de68fd3669171f193da9eadf397f166d0a3f656682d4c19a990c1875ef08ae
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll
  Filesize: 1.6MB
  MD5: f6b14958d2a93750c3d4fad02ca739be
  SHA1: 02e3592c5d45d4b72d42ce9378513c0d3a661b7b
  SHA256: 529c3e93c1a7cbb0225ab5f12c5bb0e91eb905ebf3db7fc00cbd96d8e66a6f0e
  SHA512: 377897d3aae1fceed8c9658800d7ffb05a855ec369b48b0709138122aaffdc9464a85abd214fbf93e9427a94b4ebee6e46a1ff34fc4b5ec54926c83c92ecd31c
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
  Filesize: 476KB
  MD5: a2772e5a8df5dc3487e8516321ed29da
  SHA1: a0eee1c6115fb776bbba1a97d4ba7baa5511b310
  SHA256: 8fac859dc73ab7a8c18f093c6a58accf3ee8f1b86a4bcfce4c9e8a1253d2828f
  SHA512: 17ecff8ab8083318b40b1a38a6ae82b93937cddd8743aa07006e4b67f9d409e80885815fd756914810fb5e9504f0343e337004f09e9b51117e828962c8fae259
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf
  Filesize: 477B
  MD5: ad8982eaa02c7ad4d7cdcbc248caa941
  SHA1: 4ccd8e038d73a5361d754c7598ed238fc040d16b
  SHA256: d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00
  SHA512: 5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28
- C:\Windows\SysWOW64\directx\websetup\dsetup.dll
  Filesize: 91KB
  MD5: 8dc08c0effffc3d08e8718260843d10c
  SHA1: 4b4fe49c563c01c8df1c8b0ecfd0008460a44cfe
  SHA256: 9ad6f392a736ba7e137ac7a49bc454e1457c91372ffec8effd4e779716a1f07d
  SHA512: 4698f40795e82ee01e2ef6ee2f168714b61cb4c702f2b8f9a66d804d0f37d2f6a6de68fd3669171f193da9eadf397f166d0a3f656682d4c19a990c1875ef08ae
- C:\Windows\SysWOW64\directx\websetup\dsetup32.dll
  Filesize: 1.6MB
  MD5: f6b14958d2a93750c3d4fad02ca739be
  SHA1: 02e3592c5d45d4b72d42ce9378513c0d3a661b7b
  SHA256: 529c3e93c1a7cbb0225ab5f12c5bb0e91eb905ebf3db7fc00cbd96d8e66a6f0e
  SHA512: 377897d3aae1fceed8c9658800d7ffb05a855ec369b48b0709138122aaffdc9464a85abd214fbf93e9427a94b4ebee6e46a1ff34fc4b5ec54926c83c92ecd31c
- \Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
  Filesize: 476KB
  MD5: a2772e5a8df5dc3487e8516321ed29da
  SHA1: a0eee1c6115fb776bbba1a97d4ba7baa5511b310
  SHA256: 8fac859dc73ab7a8c18f093c6a58accf3ee8f1b86a4bcfce4c9e8a1253d2828f
  SHA512: 17ecff8ab8083318b40b1a38a6ae82b93937cddd8743aa07006e4b67f9d409e80885815fd756914810fb5e9504f0343e337004f09e9b51117e828962c8fae259
- \Windows\SysWOW64\directx\websetup\dsetup.dll
  Filesize: 91KB
  MD5: 8dc08c0effffc3d08e8718260843d10c
  SHA1: 4b4fe49c563c01c8df1c8b0ecfd0008460a44cfe
  SHA256: 9ad6f392a736ba7e137ac7a49bc454e1457c91372ffec8effd4e779716a1f07d
  SHA512: 4698f40795e82ee01e2ef6ee2f168714b61cb4c702f2b8f9a66d804d0f37d2f6a6de68fd3669171f193da9eadf397f166d0a3f656682d4c19a990c1875ef08ae
- \Windows\SysWOW64\directx\websetup\dsetup32.dll
  Filesize: 1.6MB
  MD5: f6b14958d2a93750c3d4fad02ca739be
  SHA1: 02e3592c5d45d4b72d42ce9378513c0d3a661b7b
  SHA256: 529c3e93c1a7cbb0225ab5f12c5bb0e91eb905ebf3db7fc00cbd96d8e66a6f0e
  SHA512: 377897d3aae1fceed8c9658800d7ffb05a855ec369b48b0709138122aaffdc9464a85abd214fbf93e9427a94b4ebee6e46a1ff34fc4b5ec54926c83c92ecd31c