f29a1cfa97ac37a35bc20001a586911688ddd68e52a4db7c3fcb95c47334db01

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17-07-2023 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Papers Please - By XaviGamer/Papers Please -XaviGamer/redist/dx_setup.exe
Size

281KB
MD5

fd6057b33e15a553ddc5d9873723ce8f
SHA1

f90efb623b5abea70af63c470daa8674444fb1df
SHA256

111aeddc6a6dbf64b28cb565aa12af9ee3cc0a56ce31e4da0068cf6b474c3288
SHA512

d894630c9a4bdb767e9f16d1b701acbdf011e721768ba0dc7a24e6d82a4d062a7ca253b1b334edba38c06187104351203a92c017838bdd9f13905cde30f7d94d
SSDEEP

6144:pWK8EGMUjp5cGQ3Mek1B3B9h8Ins3i8AEYBSawz1YSc:JGvjp5cj35kDB9hrs3zARBSaJSc

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2636	dxwsetup.exe

Loads dropped DLL 3 IoCs

pid	Process
2636	dxwsetup.exe
2636	dxwsetup.exe
2636	dxwsetup.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dx_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dx_setup.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	dxwsetup.exe
File opened (read-only)	\??\R:	dxwsetup.exe
File opened (read-only)	\??\X:	dxwsetup.exe
File opened (read-only)	\??\E:	dxwsetup.exe
File opened (read-only)	\??\G:	dxwsetup.exe
File opened (read-only)	\??\J:	dxwsetup.exe
File opened (read-only)	\??\N:	dxwsetup.exe
File opened (read-only)	\??\T:	dxwsetup.exe
File opened (read-only)	\??\Y:	dxwsetup.exe
File opened (read-only)	\??\Z:	dxwsetup.exe
File opened (read-only)	\??\L:	dxwsetup.exe
File opened (read-only)	\??\P:	dxwsetup.exe
File opened (read-only)	\??\S:	dxwsetup.exe
File opened (read-only)	\??\U:	dxwsetup.exe
File opened (read-only)	\??\W:	dxwsetup.exe
File opened (read-only)	\??\A:	dxwsetup.exe
File opened (read-only)	\??\H:	dxwsetup.exe
File opened (read-only)	\??\I:	dxwsetup.exe
File opened (read-only)	\??\K:	dxwsetup.exe
File opened (read-only)	\??\M:	dxwsetup.exe
File opened (read-only)	\??\O:	dxwsetup.exe
File opened (read-only)	\??\Q:	dxwsetup.exe
File opened (read-only)	\??\V:	dxwsetup.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup.dll	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SET8118.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup32.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SET80F7.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SET80F7.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SET8118.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\DirectX\WebSetup	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\DirectX\WebSetup\filelist.dat	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\dxupdate.cab	dxwsetup.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DirectX.log	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS598A4B.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS598A4B.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS598A4B.tmp	dxwsetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3752 wrote to memory of 2636	3752	dx_setup.exe	83
PID 3752 wrote to memory of 2636	3752	dx_setup.exe	83
PID 3752 wrote to memory of 2636	3752	dx_setup.exe	83

C:\Users\Admin\AppData\Local\Temp\Papers Please - By XaviGamer\Papers Please -XaviGamer\redist\dx_setup.exe
"C:\Users\Admin\AppData\Local\Temp\Papers Please - By XaviGamer\Papers Please -XaviGamer\redist\dx_setup.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:2636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll

Filesize
87KB

MD5
0a23038ea472ffc938366ef4099d6635

SHA1
6499d741776dc4a446c22ea11085842155b34176

SHA256
8f2c455c9271290dcde2f68589cf825f9134beecb7e8b7e2ecbcabeab792280a

SHA512
dcc1c2ea86fd3a7870cd0369fa42f63d493895c546dcdd492ee19079a0d0696d689bbfe7b686d4fa549841896a54e673fc4581b80783d7aa255dfad765b9dc88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll

Filesize
1.7MB

MD5
7672509436485121135c2a0e30b9e9ff

SHA1
f557022a9f42fe1303078093e389f21fb693c959

SHA256
d7ea3cf1b9b639010005e503877026597a743d1068ae6a453ce77cc202796fea

SHA512
e46ff68c4a532017f8ab15b1e46565508f6285b72c7a1cbe964ed5e75320c8e14587d01fee61b3966f43636bfe74cebd21f7665b4a726281e771cf9230e69863

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxupdate.cif

Filesize
65KB

MD5
b36d3f105d18e55534ad605cbf061a92

SHA1
788ef2de1dea6c8fe1d23a2e1007542f7321ed79

SHA256
c6c5e877e92d387e977c135765075b7610df2500e21c16e106a225216e6442ae

SHA512
35ae00da025fd578205337a018b35176095a876cd3c3cf67a3e8a8e69cd750a4ccc34ce240f11fae3418e5e93caf5082c987f0c63f9d953ed7cb8d9271e03b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxupdate.dll

Filesize
173KB

MD5
7ed554b08e5b69578f9de012822c39c9

SHA1
036d04513e134786b4758def5aff83d19bf50c6e

SHA256
fb4f297e295c802b1377c6684734b7249d55743dfb7c14807bef59a1b5db63a2

SHA512
7af5f9c4a3ad5c120bcdd681b958808ada4d885d21aeb4a009a36a674ad3ece9b51837212a982db6142a6b5580e5b68d46971b802456701391ce40785ae6ebd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.cif

Filesize
56KB

MD5
386aedf86d7f2a2e3f6fc056d3c1e03f

SHA1
9a2069787b997342f44908850facce63cfab4b6a

SHA256
b062aa4b9e9c2fcbec20d0d3c04071a01a1abe08831d780e82e6be22867d1f34

SHA512
8544d7ce9adc2628b6160a90775973c41f44ec0123e30b05852d5513d2db401692490bf8a1a3ce4fead40c8dcc0e82f75f5e0be1b45935829242e5276b1baa7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.cif

Filesize
56KB

MD5
0dafb23d5bd4b80c79a0f82dc2de34d0

SHA1
8159fd03f133c9cd8cfb194971a5250b9ecda0a8

SHA256
3ef4c33102886eae3c812b948ff3fbf70bb03dd91e772b852da3f9aaf75bdb29

SHA512
78e7fb35cab3d0ace4e4fef2868cc5f31b2254c267402779893b3f3fce90b8d784328ac19ef0d6bd37d975d557917be19d7a8a32a94ff8606afd36883ec1c9bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
487KB

MD5
eaa6b5ee297982a6a396354814006761

SHA1
780bf9a61c080a335e8712c5544fcbf9c7bdcd72

SHA256
d298fd82a39b2385a742ba1992466e081bea0f49e19ece6b2c87c7c262e1fcee

SHA512
ebdc887b6b334b7560f85ab2ebd29dc1f3a2dedac7f70042594f2a9bc128b6fca0a0e7704318ed69b7acf097e962533b3ce07713ef80e8acfe09374c13302999

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
487KB

MD5
eaa6b5ee297982a6a396354814006761

SHA1
780bf9a61c080a335e8712c5544fcbf9c7bdcd72

SHA256
d298fd82a39b2385a742ba1992466e081bea0f49e19ece6b2c87c7c262e1fcee

SHA512
ebdc887b6b334b7560f85ab2ebd29dc1f3a2dedac7f70042594f2a9bc128b6fca0a0e7704318ed69b7acf097e962533b3ce07713ef80e8acfe09374c13302999

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf

Filesize
477B

MD5
ad8982eaa02c7ad4d7cdcbc248caa941

SHA1
4ccd8e038d73a5361d754c7598ed238fc040d16b

SHA256
d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00

SHA512
5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28

Download Submit
C:\Windows\Logs\DirectX.log

Filesize
4KB

MD5
3ce51409cbddf5346c361fff1fb99d04

SHA1
aad4c2dae8a48bb380843296ea28a77c826325d9

SHA256
e7bcae3e83bf878a57b917670e326db8a4b5d669425a2fdc5cb3b32ad8fd6ed8

SHA512
7180d083cdf6702ba14b3cba009006e0da5fc25431540d7a65bb66dd47c56f251812771c87f35d6b2ba92e547d9621b32527f4e27ad2efc5146be40e50bfcb65

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup.dll

Filesize
87KB

MD5
0a23038ea472ffc938366ef4099d6635

SHA1
6499d741776dc4a446c22ea11085842155b34176

SHA256
8f2c455c9271290dcde2f68589cf825f9134beecb7e8b7e2ecbcabeab792280a

SHA512
dcc1c2ea86fd3a7870cd0369fa42f63d493895c546dcdd492ee19079a0d0696d689bbfe7b686d4fa549841896a54e673fc4581b80783d7aa255dfad765b9dc88

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup.dll

Filesize
87KB

MD5
0a23038ea472ffc938366ef4099d6635

SHA1
6499d741776dc4a446c22ea11085842155b34176

SHA256
8f2c455c9271290dcde2f68589cf825f9134beecb7e8b7e2ecbcabeab792280a

SHA512
dcc1c2ea86fd3a7870cd0369fa42f63d493895c546dcdd492ee19079a0d0696d689bbfe7b686d4fa549841896a54e673fc4581b80783d7aa255dfad765b9dc88

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll

Filesize
1.7MB

MD5
7672509436485121135c2a0e30b9e9ff

SHA1
f557022a9f42fe1303078093e389f21fb693c959

SHA256
d7ea3cf1b9b639010005e503877026597a743d1068ae6a453ce77cc202796fea

SHA512
e46ff68c4a532017f8ab15b1e46565508f6285b72c7a1cbe964ed5e75320c8e14587d01fee61b3966f43636bfe74cebd21f7665b4a726281e771cf9230e69863

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll

Filesize
1.7MB

MD5
7672509436485121135c2a0e30b9e9ff

SHA1
f557022a9f42fe1303078093e389f21fb693c959

SHA256
d7ea3cf1b9b639010005e503877026597a743d1068ae6a453ce77cc202796fea

SHA512
e46ff68c4a532017f8ab15b1e46565508f6285b72c7a1cbe964ed5e75320c8e14587d01fee61b3966f43636bfe74cebd21f7665b4a726281e771cf9230e69863

Download Submit
C:\Windows\SysWOW64\directx\websetup\dxupdate.cab

Filesize
98KB

MD5
4afd7f5c0574a0efd163740ecb142011

SHA1
3ebca5343804fe94d50026da91647442da084302

SHA256
6e39b3fdb6722ea8aa0dc8f46ae0d8bd6496dd0f5f56bac618a0a7dd22d6cfb2

SHA512
6f974acec7d6c1b6a423b28810b0840e77a9f9c1f9632c5cba875bd895e076c7e03112285635cf633c2fa9a4d4e2f4a57437ae8df88a7882184ff6685ee15f3f

Download Submit
C:\Windows\SysWOW64\directx\websetup\filelist.dat

Filesize
111B

MD5
24701b46dccc4ac0b74d23bf457b15a8

SHA1
2d82c069cc6e05fd6d0bcb7665171ffaf136f8ea

SHA256
9ee5f6b1a1202f3bbf64e7fbdd13963fadb2bf299630c17b1397ab2aa15d6731

SHA512
4ee56e6cee09bd3e01f9574b01210402acf90f5efb2ff697dcff4eb8f26016462f9d7b1927aa8e34b8a2b3c8eccd7ae148a7c65a07cce663fe27a750249a1be5

Download Submit
C:\Windows\SysWOW64\directx\websetup\filelist.dat

Filesize
137B

MD5
e16ac2a22fdfb293c815c945eab28310

SHA1
66831191df79f5c3990436921b08dc2171b0ca57

SHA256
34eda9073fd30d317a6a35e1989dbd74f400121faaa9b1f4c7da138f8686b243

SHA512
08480390b059545acb8ca1038c5060693a938c987a1ea1057e6f03951a7db0dee8d97d1540f646f8d249d38e54ea43fb49b01610801deaaacfbe29f4361cbe93

Download Submit