fa80cf9a4c64499b1665a26470fadee31de6aa740eabeb98af5a338e39b47365

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07-03-2024 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

COD Encoutered error/COD Encoutered error/Dx 12/dxwebsetup.exe
Size

288KB
MD5

2cbd6ad183914a0c554f0739069e77d7
SHA1

7bf35f2afca666078db35ca95130beb2e3782212
SHA256

2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f
SHA512

ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10
SSDEEP

6144:kWK8fc2liXmrLxcdRDLiH1vVRGVOhMp421/7YQV:VcvgLARDI1KIOzO0

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

dxwsetup.exe

pid process

768 dxwsetup.exe
Loads dropped DLL 5 IoCs

Processes:

dxwebsetup.exedxwsetup.exe

pid process

2308 dxwebsetup.exe
768 dxwsetup.exe
768 dxwsetup.exe
768 dxwsetup.exe
768 dxwsetup.exe

pid	process
768	dxwsetup.exe

pid	process
2308	dxwebsetup.exe
768	dxwsetup.exe
768	dxwsetup.exe
768	dxwsetup.exe
768	dxwsetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dxwebsetup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dxwebsetup.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dxwsetup.exe

description	ioc	process
File opened (read-only)	\??\T:	dxwsetup.exe
File opened (read-only)	\??\W:	dxwsetup.exe
File opened (read-only)	\??\Y:	dxwsetup.exe
File opened (read-only)	\??\B:	dxwsetup.exe
File opened (read-only)	\??\E:	dxwsetup.exe
File opened (read-only)	\??\J:	dxwsetup.exe
File opened (read-only)	\??\Q:	dxwsetup.exe
File opened (read-only)	\??\G:	dxwsetup.exe
File opened (read-only)	\??\N:	dxwsetup.exe
File opened (read-only)	\??\U:	dxwsetup.exe
File opened (read-only)	\??\V:	dxwsetup.exe
File opened (read-only)	\??\X:	dxwsetup.exe
File opened (read-only)	\??\Z:	dxwsetup.exe
File opened (read-only)	\??\A:	dxwsetup.exe
File opened (read-only)	\??\I:	dxwsetup.exe
File opened (read-only)	\??\O:	dxwsetup.exe
File opened (read-only)	\??\P:	dxwsetup.exe
File opened (read-only)	\??\R:	dxwsetup.exe
File opened (read-only)	\??\S:	dxwsetup.exe
File opened (read-only)	\??\H:	dxwsetup.exe
File opened (read-only)	\??\K:	dxwsetup.exe
File opened (read-only)	\??\L:	dxwsetup.exe
File opened (read-only)	\??\M:	dxwsetup.exe

Drops file in System32 directory 8 IoCs

Processes:

dxwsetup.exe

description	ioc	process
File created	C:\Windows\SysWOW64\directx\websetup\SET16AC.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SET16BD.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SET16BD.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup32.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\DirectX\WebSetup	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\DirectX\WebSetup\filelist.dat	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SET16AC.tmp	dxwsetup.exe

Drops file in Windows directory 39 IoCs

Processes:

dxwsetup.exe

description	ioc	process
File opened for modification	C:\Windows\msdownld.tmp\AS76A601.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS76A601.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS76E590.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS76F0B6.tmp	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS772637.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS777F7D.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS779F8B.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS77DDC3.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS77DDC3.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS77E40A.tmp	dxwsetup.exe
File opened for modification	C:\Windows\Logs\DirectX.log	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS7764BD.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS777F7D.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS76E590.tmp\dxupdate.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS76F0B6.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS76F0B6.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS772637.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS77781E.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS779935.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS77E40A.tmp\dxupdate.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS76A601.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS77781E.tmp	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS777F7D.tmp\dxupdate.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS76D7AB.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS76D7AB.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS779935.tmp\dxupdate.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS77DDC3.tmp\dxupdate.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS7764BD.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS76D7AB.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS76E590.tmp\dxupdate.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS779F8B.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS779F8B.tmp\dxupdate.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS77E40A.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS772637.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS7764BD.tmp\dxupdate.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS77781E.tmp\dxupdate.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS779935.tmp\dxupdate.cab	dxwsetup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dxwsetup.exe

pid process

768 dxwsetup.exe

pid	process
768	dxwsetup.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

dxwsetup.exe

description	pid	process
Token: SeRestorePrivilege	768	dxwsetup.exe
Token: SeRestorePrivilege	768	dxwsetup.exe
Token: SeRestorePrivilege	768	dxwsetup.exe
Token: SeRestorePrivilege	768	dxwsetup.exe
Token: SeRestorePrivilege	768	dxwsetup.exe
Token: SeRestorePrivilege	768	dxwsetup.exe
Token: SeRestorePrivilege	768	dxwsetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

dxwebsetup.exe

description	pid	process	target process
PID 2308 wrote to memory of 768	2308	dxwebsetup.exe	dxwsetup.exe
PID 2308 wrote to memory of 768	2308	dxwebsetup.exe	dxwsetup.exe
PID 2308 wrote to memory of 768	2308	dxwebsetup.exe	dxwsetup.exe
PID 2308 wrote to memory of 768	2308	dxwebsetup.exe	dxwsetup.exe
PID 2308 wrote to memory of 768	2308	dxwebsetup.exe	dxwsetup.exe
PID 2308 wrote to memory of 768	2308	dxwebsetup.exe	dxwsetup.exe
PID 2308 wrote to memory of 768	2308	dxwebsetup.exe	dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\COD Encoutered error\COD Encoutered error\Dx 12\dxwebsetup.exe
"C:\Users\Admin\AppData\Local\Temp\COD Encoutered error\COD Encoutered error\Dx 12\dxwebsetup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2308

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:768

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll
Filesize
93KB

MD5
984cad22fa542a08c5d22941b888d8dc

SHA1
3e3522e7f3af329f2235b0f0850d664d5377b3cd

SHA256
57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308

SHA512
8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.cif
Filesize
56KB

MD5
7b1fbe9f5f43b2261234b78fe115cf8e

SHA1
dd0f256ae38b4c4771e1d1ec001627017b7bb741

SHA256
762ff640013db2bd4109d7df43a867303093815751129bd1e33f16bf02e52cce

SHA512
d21935a9867c0f2f7084917c79fbb1da885a1bfd4793cf669ff4da8c777b3a201857250bfb7c2b616625a8d3573c68395d210446d2c284b41cf09cc7cbb07885

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf
Filesize
477B

MD5
ad8982eaa02c7ad4d7cdcbc248caa941

SHA1
4ccd8e038d73a5361d754c7598ed238fc040d16b

SHA256
d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00

SHA512
5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCCF7.tmp
Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Windows\Logs\DirectX.log
Filesize
2KB

MD5
8a072eb1e4af79ddbce36b3bee2248fe

SHA1
770cca42fb817de67d4e1f27a6a157891ab7a49d

SHA256
f33be77165aac3d46d803c1e98e1222cc39b293d00e90af7def61480bb9c9d76

SHA512
aa37d1267578e3f61a36eea24f1b2bb101ef2eb9c114ee65fa0eab6e1027ae91fd8a14dcc8c02d370218650ab172c3fbd08be209b31dfca787cdc6eb5a9155c8

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll
Filesize
1.5MB

MD5
a5412a144f63d639b47fcc1ba68cb029

SHA1
81bd5f1c99b22c0266f3f59959dfb4ea023be47e

SHA256
8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6

SHA512
2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

Download Submit
C:\Windows\SysWOW64\directx\websetup\filelist.dat
Filesize
22B

MD5
cc85d7649546d3c0b1607f761b73fec2

SHA1
1a1a10b819f321b91b47d7dd73668406a15992db

SHA256
e1c85577fee77b7535af5918de16479d5b38f08d7aadbf1b3613d275c7797920

SHA512
34c4427ac1c6d84861d84bf699f215e1cc271c3214b39d3acbe0d4dfdb8eae6c4e7c340068ece3899ed5a4146508dac48e92ff2cfc9f4691dd1ea487cf3ffdcc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
Filesize
515KB

MD5
ac3a5f7be8cd13a863b50ab5fe00b71c

SHA1
eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9

SHA256
8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da

SHA512
c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba

Download Submit