f9143519bfb1b7809d4d1b6282e4698f9efe9ea775febb7e84c7de3f19a6f32a

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 01:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6b5c9cec68c7f3c0ba98b8d0b335f1be8ea4cd37fb02b4c81ecc1a95ef6d9578.exe
Size

292KB
MD5

880a353dc9ab4202f2cfbec1cb37181d
SHA1

0bafee10ed68194fb332d3b46f7d92c8ad962843
SHA256

6b5c9cec68c7f3c0ba98b8d0b335f1be8ea4cd37fb02b4c81ecc1a95ef6d9578
SHA512

795db9946ac4bac6af4afcbd2e87671b45c488ea32d61daa821012f0213bde76af1d7ae395b9adfdc0fed5fd80367e232a6bc1d834e7dc9028b885fa908149d8
SSDEEP

6144:OWK8faaQMbjFtVNtHb7RGb/Mp7mgypysDVpU2drVxP:LaaQMXDFFfp7S5DbU2RP

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2408	dxwsetup.exe

Loads dropped DLL 5 IoCs

pid	Process
1924	6b5c9cec68c7f3c0ba98b8d0b335f1be8ea4cd37fb02b4c81ecc1a95ef6d9578.exe
2408	dxwsetup.exe
2408	dxwsetup.exe
2408	dxwsetup.exe
2408	dxwsetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6b5c9cec68c7f3c0ba98b8d0b335f1be8ea4cd37fb02b4c81ecc1a95ef6d9578.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\directx\websetup\SET538C.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SET538D.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SET538D.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup32.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\DirectX\WebSetup	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SET538C.tmp	dxwsetup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DirectX.log	dxwsetup.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	dxwsetup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2408	dxwsetup.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2408	dxwsetup.exe
Token: SeRestorePrivilege	2408	dxwsetup.exe
Token: SeRestorePrivilege	2408	dxwsetup.exe
Token: SeRestorePrivilege	2408	dxwsetup.exe
Token: SeRestorePrivilege	2408	dxwsetup.exe
Token: SeRestorePrivilege	2408	dxwsetup.exe
Token: SeRestorePrivilege	2408	dxwsetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2408	1924	6b5c9cec68c7f3c0ba98b8d0b335f1be8ea4cd37fb02b4c81ecc1a95ef6d9578.exe	18
PID 1924 wrote to memory of 2408	1924	6b5c9cec68c7f3c0ba98b8d0b335f1be8ea4cd37fb02b4c81ecc1a95ef6d9578.exe	18
PID 1924 wrote to memory of 2408	1924	6b5c9cec68c7f3c0ba98b8d0b335f1be8ea4cd37fb02b4c81ecc1a95ef6d9578.exe	18
PID 1924 wrote to memory of 2408	1924	6b5c9cec68c7f3c0ba98b8d0b335f1be8ea4cd37fb02b4c81ecc1a95ef6d9578.exe	18
PID 1924 wrote to memory of 2408	1924	6b5c9cec68c7f3c0ba98b8d0b335f1be8ea4cd37fb02b4c81ecc1a95ef6d9578.exe	18
PID 1924 wrote to memory of 2408	1924	6b5c9cec68c7f3c0ba98b8d0b335f1be8ea4cd37fb02b4c81ecc1a95ef6d9578.exe	18
PID 1924 wrote to memory of 2408	1924	6b5c9cec68c7f3c0ba98b8d0b335f1be8ea4cd37fb02b4c81ecc1a95ef6d9578.exe	18

C:\Users\Admin\AppData\Local\Temp\6b5c9cec68c7f3c0ba98b8d0b335f1be8ea4cd37fb02b4c81ecc1a95ef6d9578.exe
"C:\Users\Admin\AppData\Local\Temp\6b5c9cec68c7f3c0ba98b8d0b335f1be8ea4cd37fb02b4c81ecc1a95ef6d9578.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll

Filesize
114KB

MD5
227a046c5498a2bcdc969bfe2f73c13a

SHA1
860dcc997a160232eb0f1098db6bda1e6c90c2f0

SHA256
92ef3a458f27aa77fe322d9faffb60f1145424c396579c21690d70392c508b80

SHA512
9c1b8042bbb34cf7f1fb1da86a89d860d6fa22061cfc0c9941f1c81ea49eefa299a121d4cbcacb2caf767407cdd54d0ff954471ab90a96c49ca4d497f7af88a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
129KB

MD5
7f34a50a1d67e194c99cba22ff1cf09c

SHA1
d9f89699e9bb8fac06f4f507123c178de67f6361

SHA256
33d92279f951cece92d3e7b83113e3475c48a9f3fcfff74af7e873cfd895709e

SHA512
a18be340c055b09bd1d1b5999e89157af5947b6b5dd058d97a2ba641474c196aeae3f32248238740da0355d8a6ef81e997d2028ac66dd6b41364622f1bc1aeb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
59KB

MD5
48ee43f10b6a8f072fdcb6302d71bd9b

SHA1
1775deb0222da94771a3e0b4a1aceef5b0a22957

SHA256
60bc21a438e21fe3ab4903d203a1cad3fab42489f4e2f0ab9fa12dafabc413b4

SHA512
eab05e11bc823221d05e88b037e24a017a9ea88665de4ccae0cdb299fd129ac9748618f7c89b1f652b08659850df4508df50fdd27838018fdcd8706123f07f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf

Filesize
477B

MD5
ad8982eaa02c7ad4d7cdcbc248caa941

SHA1
4ccd8e038d73a5361d754c7598ed238fc040d16b

SHA256
d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00

SHA512
5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup.dll

Filesize
91KB

MD5
8dc08c0effffc3d08e8718260843d10c

SHA1
4b4fe49c563c01c8df1c8b0ecfd0008460a44cfe

SHA256
9ad6f392a736ba7e137ac7a49bc454e1457c91372ffec8effd4e779716a1f07d

SHA512
4698f40795e82ee01e2ef6ee2f168714b61cb4c702f2b8f9a66d804d0f37d2f6a6de68fd3669171f193da9eadf397f166d0a3f656682d4c19a990c1875ef08ae

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll

Filesize
119KB

MD5
6cec41df558269e4f1fd4e9f328e715b

SHA1
f4566e371becbb0e0ca414ad792c546a066c5ad9

SHA256
e02bf7a86bd9e80c140e9da8e9806c0dad417d491f42ef2350243e051d5df53a

SHA512
6ae2fd267a7240bebe0045d47b40d38b6ca9e7599e93a178bcdec11a673273ca4448c778089a187fa4dbaaec3dd84b80d1c06cb993817352036c740d7556885f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
46KB

MD5
97a5c6405c951a6380a6e61109d11ffe

SHA1
2349ef0041639b3cfa6c96802258727d4ffe9be9

SHA256
5da8b1664d40dcd06d4cf24ff5248a599e2b7dcb00c30867428a2e077c64532a

SHA512
8f09b73f3e05c1bfd42230c9a6f7169ce5fb15bc4e4d25b90e760dcee9e1b0f5d84829ac6056c0459abca32665ca10fa467a52bc92f9f450909c57429f92dbb5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
78KB

MD5
2bd4b0db66bb1575306ac0c6c9a0d287

SHA1
2110399a32d0aa608a67bb11e9bbfbbf5bc0f2cd

SHA256
f423353b2d06eb25a479fc4812cad1604c93430cd98e321f6d295e441f0cd806

SHA512
f36b60ba25c32894b16ec1da06205b6f37f4d40f39fe6047064b5b02088e6a58e4247b292855324348b87ae7120d0f6c0ebbb82d36d99fa9996b1c6ac440cddb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
70KB

MD5
36527b98edd5053d004a89b75820dbe9

SHA1
b9d0ca9ff837013ecf1ce42445e5de701f62b927

SHA256
9b501f8a3749b9fd00a878306725913569923a6f976b492bb949f7f902646e9e

SHA512
96a436e86e44391e0acd065f26cb5eebf9e6a6faab466ebb504e2412f335653f10a6d11d07f1b14799192eb3904919c525364ebf24edd4834cc250a859395738

Download Submit
\Windows\SysWOW64\directx\websetup\dsetup32.dll

Filesize
61KB

MD5
92d613ae10870899081b11dcb299ea79

SHA1
bc31744c68b329e6a4791e89630518d4affc23ba

SHA256
9c2d7fa27c65e3a6d37114967b89a30f760daf9213e790d142a284e7d2410615

SHA512
a4ad0cecf4d73a1e8d28389b8196760a5f6c3c6126f7dd790e56178c3528702c78f1fb49b9191efedd4449141768c7dbcdcb4397795144487485b2b0504a4d98

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads