07a33cf6926b62bf66bcaed91712218c9d81bfd10bf41d005b7d55310f3b352e

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
31-10-2023 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed79c8f65b02ed83d5db8c355328294a73dc447f08f657312bf8f3a5b40c7494.exe
Size

292KB
MD5

56d52c503adf02184f19eee4767ef60a
SHA1

ca133f67a286f4f20282e19837b53b38a27a1caa
SHA256

ed79c8f65b02ed83d5db8c355328294a73dc447f08f657312bf8f3a5b40c7494
SHA512

246f35664a9af548d402878a3e6ce6d8901a0978477b145db5fd4e5857021efc4016369e9e02e709a27cf5c84f44a32e106008668ba96e2b45d4d06599090d8f
SSDEEP

6144:lWK8x2ZFD7h/uMdnv0iyLI6utiI1ARjhaXcoUvedlVFdo:22ZFD77dnBhi3Us8/VFdo

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2928	dxwsetup.exe

Loads dropped DLL 5 IoCs

pid	Process
2952	ed79c8f65b02ed83d5db8c355328294a73dc447f08f657312bf8f3a5b40c7494.exe
2928	dxwsetup.exe
2928	dxwsetup.exe
2928	dxwsetup.exe
2928	dxwsetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ed79c8f65b02ed83d5db8c355328294a73dc447f08f657312bf8f3a5b40c7494.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\directx\websetup\SETA4C8.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup32.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\DirectX\WebSetup	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SETA4B8.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SETA4B8.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SETA4C8.tmp	dxwsetup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DirectX.log	dxwsetup.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	dxwsetup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2928	dxwsetup.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2928	dxwsetup.exe
Token: SeRestorePrivilege	2928	dxwsetup.exe
Token: SeRestorePrivilege	2928	dxwsetup.exe
Token: SeRestorePrivilege	2928	dxwsetup.exe
Token: SeRestorePrivilege	2928	dxwsetup.exe
Token: SeRestorePrivilege	2928	dxwsetup.exe
Token: SeRestorePrivilege	2928	dxwsetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2928	2952	ed79c8f65b02ed83d5db8c355328294a73dc447f08f657312bf8f3a5b40c7494.exe	28
PID 2952 wrote to memory of 2928	2952	ed79c8f65b02ed83d5db8c355328294a73dc447f08f657312bf8f3a5b40c7494.exe	28
PID 2952 wrote to memory of 2928	2952	ed79c8f65b02ed83d5db8c355328294a73dc447f08f657312bf8f3a5b40c7494.exe	28
PID 2952 wrote to memory of 2928	2952	ed79c8f65b02ed83d5db8c355328294a73dc447f08f657312bf8f3a5b40c7494.exe	28
PID 2952 wrote to memory of 2928	2952	ed79c8f65b02ed83d5db8c355328294a73dc447f08f657312bf8f3a5b40c7494.exe	28
PID 2952 wrote to memory of 2928	2952	ed79c8f65b02ed83d5db8c355328294a73dc447f08f657312bf8f3a5b40c7494.exe	28
PID 2952 wrote to memory of 2928	2952	ed79c8f65b02ed83d5db8c355328294a73dc447f08f657312bf8f3a5b40c7494.exe	28

C:\Users\Admin\AppData\Local\Temp\ed79c8f65b02ed83d5db8c355328294a73dc447f08f657312bf8f3a5b40c7494.exe
"C:\Users\Admin\AppData\Local\Temp\ed79c8f65b02ed83d5db8c355328294a73dc447f08f657312bf8f3a5b40c7494.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll

Filesize
91KB

MD5
a3f004fa39ceb31724d772d01c59b8f2

SHA1
124d72b67f329090a7ab98db097cfbd6d18a8285

SHA256
9a2af85c88bcf8c84cbca527347798f3f2f5cb79c54e91723da2468a8408a423

SHA512
ec554a732d19ad3a2b5e8cea5f88195db498f1694c76175b5adca926ef43329f8e674e5e63f159b790f93243d91c25e20e3a88ac242c57dfc1683b49f87e3843

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll

Filesize
1.6MB

MD5
0d74662d6885afffb3aba5cf32468a37

SHA1
2eff77c424239fffa0d226425868e95bf8a6c9ee

SHA256
e94a6ad43e9e0a7a57e9a6d9ab52b1be40ae772a11bf2f9cfbc3fbdd4d3f2cac

SHA512
d124b4b2231cc34e90a8feb6f8cd37bae99f21f649482ae49472560abdfbe8f1e8bc0ca7fa8624f628c9c2bc9ad52ad5680eb691b682115d614ef2b12f9fdd59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
476KB

MD5
876a2cc08319bb41a27752651e1a9b20

SHA1
ffc2ea8b54fc6f2477e7d1c1f9b76605ee914285

SHA256
77b7623c6e7cfee7f51c6a79209d16b2dfd8c66a12b16d9cb28005af75cd6f09

SHA512
80354ecf6859bbb4502163dd2ad749537a2c166f3913af0baa60466dad5c11e2dfc77e9e761eb66ea2fc25f8b12c1b0fcf0be83b62103808d0c125d54a86e834

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
476KB

MD5
876a2cc08319bb41a27752651e1a9b20

SHA1
ffc2ea8b54fc6f2477e7d1c1f9b76605ee914285

SHA256
77b7623c6e7cfee7f51c6a79209d16b2dfd8c66a12b16d9cb28005af75cd6f09

SHA512
80354ecf6859bbb4502163dd2ad749537a2c166f3913af0baa60466dad5c11e2dfc77e9e761eb66ea2fc25f8b12c1b0fcf0be83b62103808d0c125d54a86e834

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf

Filesize
477B

MD5
ad8982eaa02c7ad4d7cdcbc248caa941

SHA1
4ccd8e038d73a5361d754c7598ed238fc040d16b

SHA256
d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00

SHA512
5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup.dll

Filesize
91KB

MD5
a3f004fa39ceb31724d772d01c59b8f2

SHA1
124d72b67f329090a7ab98db097cfbd6d18a8285

SHA256
9a2af85c88bcf8c84cbca527347798f3f2f5cb79c54e91723da2468a8408a423

SHA512
ec554a732d19ad3a2b5e8cea5f88195db498f1694c76175b5adca926ef43329f8e674e5e63f159b790f93243d91c25e20e3a88ac242c57dfc1683b49f87e3843

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll

Filesize
1.6MB

MD5
0d74662d6885afffb3aba5cf32468a37

SHA1
2eff77c424239fffa0d226425868e95bf8a6c9ee

SHA256
e94a6ad43e9e0a7a57e9a6d9ab52b1be40ae772a11bf2f9cfbc3fbdd4d3f2cac

SHA512
d124b4b2231cc34e90a8feb6f8cd37bae99f21f649482ae49472560abdfbe8f1e8bc0ca7fa8624f628c9c2bc9ad52ad5680eb691b682115d614ef2b12f9fdd59

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
476KB

MD5
876a2cc08319bb41a27752651e1a9b20

SHA1
ffc2ea8b54fc6f2477e7d1c1f9b76605ee914285

SHA256
77b7623c6e7cfee7f51c6a79209d16b2dfd8c66a12b16d9cb28005af75cd6f09

SHA512
80354ecf6859bbb4502163dd2ad749537a2c166f3913af0baa60466dad5c11e2dfc77e9e761eb66ea2fc25f8b12c1b0fcf0be83b62103808d0c125d54a86e834

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
476KB

MD5
876a2cc08319bb41a27752651e1a9b20

SHA1
ffc2ea8b54fc6f2477e7d1c1f9b76605ee914285

SHA256
77b7623c6e7cfee7f51c6a79209d16b2dfd8c66a12b16d9cb28005af75cd6f09

SHA512
80354ecf6859bbb4502163dd2ad749537a2c166f3913af0baa60466dad5c11e2dfc77e9e761eb66ea2fc25f8b12c1b0fcf0be83b62103808d0c125d54a86e834

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
476KB

MD5
876a2cc08319bb41a27752651e1a9b20

SHA1
ffc2ea8b54fc6f2477e7d1c1f9b76605ee914285

SHA256
77b7623c6e7cfee7f51c6a79209d16b2dfd8c66a12b16d9cb28005af75cd6f09

SHA512
80354ecf6859bbb4502163dd2ad749537a2c166f3913af0baa60466dad5c11e2dfc77e9e761eb66ea2fc25f8b12c1b0fcf0be83b62103808d0c125d54a86e834

Download Submit
\Windows\SysWOW64\directx\websetup\dsetup.dll

Filesize
91KB

MD5
a3f004fa39ceb31724d772d01c59b8f2

SHA1
124d72b67f329090a7ab98db097cfbd6d18a8285

SHA256
9a2af85c88bcf8c84cbca527347798f3f2f5cb79c54e91723da2468a8408a423

SHA512
ec554a732d19ad3a2b5e8cea5f88195db498f1694c76175b5adca926ef43329f8e674e5e63f159b790f93243d91c25e20e3a88ac242c57dfc1683b49f87e3843

Download Submit
\Windows\SysWOW64\directx\websetup\dsetup32.dll

Filesize
1.6MB

MD5
0d74662d6885afffb3aba5cf32468a37

SHA1
2eff77c424239fffa0d226425868e95bf8a6c9ee

SHA256
e94a6ad43e9e0a7a57e9a6d9ab52b1be40ae772a11bf2f9cfbc3fbdd4d3f2cac

SHA512
d124b4b2231cc34e90a8feb6f8cd37bae99f21f649482ae49472560abdfbe8f1e8bc0ca7fa8624f628c9c2bc9ad52ad5680eb691b682115d614ef2b12f9fdd59

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads