a33443c6603faec9d3bd8d8afd97259308fa4cf7c52332746eca9399c1b97194

Analysis

max time kernel
153s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
20-09-2023 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

隔離區文件/DxSetup.exe
Size

1.1MB
MD5

2ad4408322e458c7eaff4f795bd95d16
SHA1

fa094366dffc8bf1bab1ab37921c9ee360d90fc4
SHA256

d90014a6d91ec80987cfb9c8dc342a2e9ed2e2a33f74dd54500f2e677218a5f7
SHA512

ecc11971cd5616852597ec59d9c203d7e90e89a4a2d62a30f191327a8688ffe9395c99fa08baa231226252b90ad3631a68bc0593e1dd8c0618034d29bad989f1
SSDEEP

24576:gnsJ39LyjbJkQFMhmC+6GD9pfxjou0joooooooooP:gnsHyjtk2MYC5GDV0u

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\lsass.exe	._cache_DxSetup.exe
File created	C:\Windows\SysWOW64\drivers\lsass.exe	lsass.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.pif	lsass.exe

Executes dropped EXE 3 IoCs

pid	Process
2708	._cache_DxSetup.exe
2652	lsass.exe
2796	._cache_DxSetup.~tmp

Loads dropped DLL 10 IoCs

pid	Process
1376	DxSetup.exe
2708	._cache_DxSetup.exe
2708	._cache_DxSetup.exe
2708	._cache_DxSetup.exe
2708	._cache_DxSetup.exe
2708	._cache_DxSetup.exe
2652	lsass.exe
2652	lsass.exe
2652	lsass.exe
2708	._cache_DxSetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	DxSetup.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2612	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2612	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2612	msiexec.exe
2612	msiexec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2708	._cache_DxSetup.exe
2708	._cache_DxSetup.exe
2652	lsass.exe
2652	lsass.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 2708	1376	DxSetup.exe	28
PID 1376 wrote to memory of 2708	1376	DxSetup.exe	28
PID 1376 wrote to memory of 2708	1376	DxSetup.exe	28
PID 1376 wrote to memory of 2708	1376	DxSetup.exe	28
PID 1376 wrote to memory of 2708	1376	DxSetup.exe	28
PID 1376 wrote to memory of 2708	1376	DxSetup.exe	28
PID 1376 wrote to memory of 2708	1376	DxSetup.exe	28
PID 2708 wrote to memory of 2652	2708	._cache_DxSetup.exe	29
PID 2708 wrote to memory of 2652	2708	._cache_DxSetup.exe	29
PID 2708 wrote to memory of 2652	2708	._cache_DxSetup.exe	29
PID 2708 wrote to memory of 2652	2708	._cache_DxSetup.exe	29
PID 2708 wrote to memory of 2652	2708	._cache_DxSetup.exe	29
PID 2708 wrote to memory of 2652	2708	._cache_DxSetup.exe	29
PID 2708 wrote to memory of 2652	2708	._cache_DxSetup.exe	29
PID 2708 wrote to memory of 2796	2708	._cache_DxSetup.exe	30
PID 2708 wrote to memory of 2796	2708	._cache_DxSetup.exe	30
PID 2708 wrote to memory of 2796	2708	._cache_DxSetup.exe	30
PID 2708 wrote to memory of 2796	2708	._cache_DxSetup.exe	30
PID 2796 wrote to memory of 2612	2796	._cache_DxSetup.~tmp	31
PID 2796 wrote to memory of 2612	2796	._cache_DxSetup.~tmp	31
PID 2796 wrote to memory of 2612	2796	._cache_DxSetup.~tmp	31
PID 2796 wrote to memory of 2612	2796	._cache_DxSetup.~tmp	31
PID 2796 wrote to memory of 2612	2796	._cache_DxSetup.~tmp	31

C:\Users\Admin\AppData\Local\Temp\隔離區文件\DxSetup.exe
"C:\Users\Admin\AppData\Local\Temp\隔離區文件\DxSetup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\._cache_DxSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_DxSetup.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\drivers\lsass.exe
    "C:\Windows\system32\drivers\lsass.exe"
    3⤵
    - Drops file in Drivers directory
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious use of SetWindowsHookEx
    PID:2652
- - C:\Users\Admin\AppData\Local\Temp\._cache_DxSetup.~tmp
    "C:\Users\Admin\AppData\Local\Temp\._cache_DxSetup.~tmp"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i PROSetDX.msi LANG=1033.mst
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\._cache_DxSetup.exe

Filesize
401KB

MD5
9552c93c26113f6b41199bbbd48c2181

SHA1
2bb50beb76bc6dd37ae9cdc7ffe8e5de03020166

SHA256
76f3faf18af0c630ae921954b53d33a5afe9db3562f83b38a2ae2ded7db6da59

SHA512
3a5ff4e46aa4f3bfbf669328f8a317a2247edf6bb169d811eeb7ccb318bfe13f8dcbf1d6087c7c9491e872eb97e94da198e596668a8432e10de09027aee08e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_DxSetup.exe

Filesize
401KB

MD5
9552c93c26113f6b41199bbbd48c2181

SHA1
2bb50beb76bc6dd37ae9cdc7ffe8e5de03020166

SHA256
76f3faf18af0c630ae921954b53d33a5afe9db3562f83b38a2ae2ded7db6da59

SHA512
3a5ff4e46aa4f3bfbf669328f8a317a2247edf6bb169d811eeb7ccb318bfe13f8dcbf1d6087c7c9491e872eb97e94da198e596668a8432e10de09027aee08e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_DxSetup.exe

Filesize
401KB

MD5
9552c93c26113f6b41199bbbd48c2181

SHA1
2bb50beb76bc6dd37ae9cdc7ffe8e5de03020166

SHA256
76f3faf18af0c630ae921954b53d33a5afe9db3562f83b38a2ae2ded7db6da59

SHA512
3a5ff4e46aa4f3bfbf669328f8a317a2247edf6bb169d811eeb7ccb318bfe13f8dcbf1d6087c7c9491e872eb97e94da198e596668a8432e10de09027aee08e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_DxSetup.~tmp

Filesize
337KB

MD5
b2a3f550c7eb4684f6575704528bda6b

SHA1
9f66421a79e6794bdd6c694e65b11673f9f1eaf4

SHA256
4c9c95c9ccfec7f9f58841ee8e317b541a11ccadbd96c91cd6e731681f7280e3

SHA512
8cb0683df08952e91e2bc386bfb529f342ed960d9ba73936dac2e3a25019d287bd03ab2549e61daf47089f47cd37375a34740640f89bc8f9de08df622099bdfc

Download Submit
C:\Windows\SysWOW64\drivers\lsass.exe

Filesize
32KB

MD5
007b4d557984229bdc98e9f3a6fcae05

SHA1
d7bdbb4f3ba427d1362429645efd242e2a7e1448

SHA256
9c503850af6ce9e4598007e1581694f389e9ad1b4fb78ca1b96170555dafb532

SHA512
18b3ab76d5e421fbcaf12dfbc74ad717823ca57adfc663e615a3862d05e276177683e89916003cca849666f1cb84869a7773ebf775abb969d26776997114dd88

Download Submit
C:\Windows\SysWOW64\drivers\lsass.exe

Filesize
32KB

MD5
007b4d557984229bdc98e9f3a6fcae05

SHA1
d7bdbb4f3ba427d1362429645efd242e2a7e1448

SHA256
9c503850af6ce9e4598007e1581694f389e9ad1b4fb78ca1b96170555dafb532

SHA512
18b3ab76d5e421fbcaf12dfbc74ad717823ca57adfc663e615a3862d05e276177683e89916003cca849666f1cb84869a7773ebf775abb969d26776997114dd88

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_DxSetup.exe

Filesize
401KB

MD5
9552c93c26113f6b41199bbbd48c2181

SHA1
2bb50beb76bc6dd37ae9cdc7ffe8e5de03020166

SHA256
76f3faf18af0c630ae921954b53d33a5afe9db3562f83b38a2ae2ded7db6da59

SHA512
3a5ff4e46aa4f3bfbf669328f8a317a2247edf6bb169d811eeb7ccb318bfe13f8dcbf1d6087c7c9491e872eb97e94da198e596668a8432e10de09027aee08e29

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_DxSetup.exe

Filesize
401KB

MD5
9552c93c26113f6b41199bbbd48c2181

SHA1
2bb50beb76bc6dd37ae9cdc7ffe8e5de03020166

SHA256
76f3faf18af0c630ae921954b53d33a5afe9db3562f83b38a2ae2ded7db6da59

SHA512
3a5ff4e46aa4f3bfbf669328f8a317a2247edf6bb169d811eeb7ccb318bfe13f8dcbf1d6087c7c9491e872eb97e94da198e596668a8432e10de09027aee08e29

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_DxSetup.exe

Filesize
401KB

MD5
9552c93c26113f6b41199bbbd48c2181

SHA1
2bb50beb76bc6dd37ae9cdc7ffe8e5de03020166

SHA256
76f3faf18af0c630ae921954b53d33a5afe9db3562f83b38a2ae2ded7db6da59

SHA512
3a5ff4e46aa4f3bfbf669328f8a317a2247edf6bb169d811eeb7ccb318bfe13f8dcbf1d6087c7c9491e872eb97e94da198e596668a8432e10de09027aee08e29

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_DxSetup.exe

Filesize
401KB

MD5
9552c93c26113f6b41199bbbd48c2181

SHA1
2bb50beb76bc6dd37ae9cdc7ffe8e5de03020166

SHA256
76f3faf18af0c630ae921954b53d33a5afe9db3562f83b38a2ae2ded7db6da59

SHA512
3a5ff4e46aa4f3bfbf669328f8a317a2247edf6bb169d811eeb7ccb318bfe13f8dcbf1d6087c7c9491e872eb97e94da198e596668a8432e10de09027aee08e29

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_DxSetup.~tmp

Filesize
337KB

MD5
b2a3f550c7eb4684f6575704528bda6b

SHA1
9f66421a79e6794bdd6c694e65b11673f9f1eaf4

SHA256
4c9c95c9ccfec7f9f58841ee8e317b541a11ccadbd96c91cd6e731681f7280e3

SHA512
8cb0683df08952e91e2bc386bfb529f342ed960d9ba73936dac2e3a25019d287bd03ab2549e61daf47089f47cd37375a34740640f89bc8f9de08df622099bdfc

Download Submit
\Windows\SysWOW64\drivers\lsass.exe

Filesize
32KB

MD5
007b4d557984229bdc98e9f3a6fcae05

SHA1
d7bdbb4f3ba427d1362429645efd242e2a7e1448

SHA256
9c503850af6ce9e4598007e1581694f389e9ad1b4fb78ca1b96170555dafb532

SHA512
18b3ab76d5e421fbcaf12dfbc74ad717823ca57adfc663e615a3862d05e276177683e89916003cca849666f1cb84869a7773ebf775abb969d26776997114dd88

Download Submit
\Windows\SysWOW64\drivers\lsass.exe

Filesize
32KB

MD5
007b4d557984229bdc98e9f3a6fcae05

SHA1
d7bdbb4f3ba427d1362429645efd242e2a7e1448

SHA256
9c503850af6ce9e4598007e1581694f389e9ad1b4fb78ca1b96170555dafb532

SHA512
18b3ab76d5e421fbcaf12dfbc74ad717823ca57adfc663e615a3862d05e276177683e89916003cca849666f1cb84869a7773ebf775abb969d26776997114dd88

Download Submit
\Windows\SysWOW64\drivers\lsass.exe

Filesize
32KB

MD5
007b4d557984229bdc98e9f3a6fcae05

SHA1
d7bdbb4f3ba427d1362429645efd242e2a7e1448

SHA256
9c503850af6ce9e4598007e1581694f389e9ad1b4fb78ca1b96170555dafb532

SHA512
18b3ab76d5e421fbcaf12dfbc74ad717823ca57adfc663e615a3862d05e276177683e89916003cca849666f1cb84869a7773ebf775abb969d26776997114dd88

Download Submit
\Windows\SysWOW64\drivers\lsass.exe

Filesize
32KB

MD5
007b4d557984229bdc98e9f3a6fcae05

SHA1
d7bdbb4f3ba427d1362429645efd242e2a7e1448

SHA256
9c503850af6ce9e4598007e1581694f389e9ad1b4fb78ca1b96170555dafb532

SHA512
18b3ab76d5e421fbcaf12dfbc74ad717823ca57adfc663e615a3862d05e276177683e89916003cca849666f1cb84869a7773ebf775abb969d26776997114dd88

Download Submit
\Windows\SysWOW64\drivers\lsass.exe

Filesize
32KB

MD5
007b4d557984229bdc98e9f3a6fcae05

SHA1
d7bdbb4f3ba427d1362429645efd242e2a7e1448

SHA256
9c503850af6ce9e4598007e1581694f389e9ad1b4fb78ca1b96170555dafb532

SHA512
18b3ab76d5e421fbcaf12dfbc74ad717823ca57adfc663e615a3862d05e276177683e89916003cca849666f1cb84869a7773ebf775abb969d26776997114dd88

Download Submit
memory/1376-31-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/2612-29-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads