c8decad1fdadf8aa592613772db8bb3e6710ee223fddefbcd70afc64fdd8a734

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
17-12-2023 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1 - Программы и Твики/3 - DirectX.exe
Size

288KB
MD5

2cbd6ad183914a0c554f0739069e77d7
SHA1

7bf35f2afca666078db35ca95130beb2e3782212
SHA256

2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f
SHA512

ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10
SSDEEP

6144:kWK8fc2liXmrLxcdRDLiH1vVRGVOhMp421/7YQV:VcvgLARDI1KIOzO0

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

dxwsetup.exe

pid process

2896 dxwsetup.exe
Loads dropped DLL 5 IoCs

Processes:

3 - DirectX.exedxwsetup.exe

pid process

2524 3 - DirectX.exe
2896 dxwsetup.exe
2896 dxwsetup.exe
2896 dxwsetup.exe
2896 dxwsetup.exe

pid	process
2896	dxwsetup.exe

pid	process
2524	3 - DirectX.exe
2896	dxwsetup.exe
2896	dxwsetup.exe
2896	dxwsetup.exe
2896	dxwsetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3 - DirectX.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3 - DirectX.exe

Drops file in System32 directory 7 IoCs

Processes:

dxwsetup.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SETE54.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SETE54.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup32.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\DirectX\WebSetup	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SETE53.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SETE53.tmp	dxwsetup.exe

Drops file in Windows directory 2 IoCs

Processes:

dxwsetup.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\DirectX.log	dxwsetup.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	dxwsetup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dxwsetup.exe

pid process

2896 dxwsetup.exe

pid	process
2896	dxwsetup.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

dxwsetup.exe

description	pid	process
Token: SeRestorePrivilege	2896	dxwsetup.exe
Token: SeRestorePrivilege	2896	dxwsetup.exe
Token: SeRestorePrivilege	2896	dxwsetup.exe
Token: SeRestorePrivilege	2896	dxwsetup.exe
Token: SeRestorePrivilege	2896	dxwsetup.exe
Token: SeRestorePrivilege	2896	dxwsetup.exe
Token: SeRestorePrivilege	2896	dxwsetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

3 - DirectX.exe

description	pid	process	target process
PID 2524 wrote to memory of 2896	2524	3 - DirectX.exe	dxwsetup.exe
PID 2524 wrote to memory of 2896	2524	3 - DirectX.exe	dxwsetup.exe
PID 2524 wrote to memory of 2896	2524	3 - DirectX.exe	dxwsetup.exe
PID 2524 wrote to memory of 2896	2524	3 - DirectX.exe	dxwsetup.exe
PID 2524 wrote to memory of 2896	2524	3 - DirectX.exe	dxwsetup.exe
PID 2524 wrote to memory of 2896	2524	3 - DirectX.exe	dxwsetup.exe
PID 2524 wrote to memory of 2896	2524	3 - DirectX.exe	dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\1 - Программы и Твики\3 - DirectX.exe
"C:\Users\Admin\AppData\Local\Temp\1 - Программы и Твики\3 - DirectX.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2524

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll

Filesize
222KB

MD5
712f7c2370e30519b9ce4e9bc64653f8

SHA1
31b5f3f8faf527135792eec1b67e7c16e51f144f

SHA256
fa4a2383802fee45de02d9ea5c6bdcad65c869eb72bcd909ec4216bd3e12910a

SHA512
894456414a099a9d9061832927cc2432d009aff69269a7ffb7d898382a45e04e94dc1dd809391306b562fb5896f962f62950f7de6580402663026c2c3da64132

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
446KB

MD5
21ce80e44867f25b86c31d3c7ec84fb6

SHA1
c1be961b73edc07fe234fea85c591b73d1b9f426

SHA256
74bb9de4dad2f3a69ffede220ef01c5f72d4dc8ada6e9520b4f9b4718a7bc350

SHA512
43d389e78e48d0560c6df88678774f96673c242e29bba941cd1316c8cbd979643bfd6e220cb9c1de4ada580a1386a642ea97eee64848058db619f63dae18b4c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
393KB

MD5
4034841b056fcb57129bb3cbd528c480

SHA1
c423b97d43f63985a37122043381b3e770d38e57

SHA256
c3528d1e4e093e6bad00054a0e231debac795abbfe01d2dcc86da47152b5e890

SHA512
ad5eab2c7d9e56e429ebeb6fef6fd4fcefff78d97a7b44910fef4f58ade961d49e20522d6660cc958f71ec4f9614363331791b87b14c04cb1614ba451638508b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf

Filesize
477B

MD5
ad8982eaa02c7ad4d7cdcbc248caa941

SHA1
4ccd8e038d73a5361d754c7598ed238fc040d16b

SHA256
d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00

SHA512
5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll

Filesize
301KB

MD5
de78be2857b89ba6c115566253dff2bb

SHA1
5b45feed44907fe4bde9d4971b99c73e5cc77b0c

SHA256
bca2a45ed7b9e016df4556de57c4bd62e7712f42285d2ce561a9d389d312cc5d

SHA512
dff7b401215767c5b751fae1eceb4cfb68dfd290f44d5c863ef7d8e2534b11f71d7f3df8e9163e2891c8f379c339c883fb1953949a396dd23fa7ee16b0c8d695

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
268KB

MD5
5ac70e80f4f5f210c4aba04f8625d5e2

SHA1
194b5fd95e50c81086b77e1b7b1d27f1fa63308a

SHA256
19a0d2dddae094f0a7576fc75a084dd8ef084134408d65a43f6420d05fcc2608

SHA512
04b574f08ee1ac45fa4915e334925a2b368533f79fd97601f8a5438fad855071cb84640f2376009fe44bf8f8f1dc3e099803abe166df744d80aead52335597fe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
310KB

MD5
47e7c6ad96205f4f4a898f9ea7f3291c

SHA1
03461c5506d3d0d16497303ec5115232c1265841

SHA256
6b614e324eda2d81ab396c609f5a6d82cbf1ff2b6fa5a7cf19ec51fb924aacf4

SHA512
a6a24124c08b8d8c97aa247c4c624b74a7280163d30f984e16729afce36342bb2c280d7328d2d0dac9e7477f76e09b85c5ee62724557f9122a69a21c7803dd7a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
515KB

MD5
ac3a5f7be8cd13a863b50ab5fe00b71c

SHA1
eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9

SHA256
8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da

SHA512
c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba

Download Submit
\Windows\SysWOW64\directx\websetup\dsetup.dll

Filesize
93KB

MD5
984cad22fa542a08c5d22941b888d8dc

SHA1
3e3522e7f3af329f2235b0f0850d664d5377b3cd

SHA256
57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308

SHA512
8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

Download Submit
\Windows\SysWOW64\directx\websetup\dsetup32.dll

Filesize
303KB

MD5
49bd0589ecbea47e81c65aff551967bd

SHA1
9c0671e9abcbd0e4cb4fca1037da0104c65a525a

SHA256
e37c98b9e689cf4873e26a7ce1da779b5751a03a05e12175fd8ddbe04160971d

SHA512
2a1dea83f91739e6520fc34b5cb54d85df874fc0f634f0d156ba2e92255a2492398386d8ab45d1e950dc7166e115fa6ae476085aa8146591db7f81383d16b726

Download Submit