fa80cf9a4c64499b1665a26470fadee31de6aa740eabeb98af5a338e39b47365

Analysis

max time kernel
140s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2024 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

COD Encoutered error/COD Encoutered error/Dx 12/dxwebsetup.exe
Size

288KB
MD5

2cbd6ad183914a0c554f0739069e77d7
SHA1

7bf35f2afca666078db35ca95130beb2e3782212
SHA256

2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f
SHA512

ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10
SSDEEP

6144:kWK8fc2liXmrLxcdRDLiH1vVRGVOhMp421/7YQV:VcvgLARDI1KIOzO0

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

dxwsetup.exe

pid process

2132 dxwsetup.exe
Loads dropped DLL 3 IoCs

Processes:

dxwsetup.exe

pid process

2132 dxwsetup.exe
2132 dxwsetup.exe
2132 dxwsetup.exe

pid	process
2132	dxwsetup.exe

pid	process
2132	dxwsetup.exe
2132	dxwsetup.exe
2132	dxwsetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dxwebsetup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dxwebsetup.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dxwsetup.exe

description	ioc	process
File opened (read-only)	\??\Q:	dxwsetup.exe
File opened (read-only)	\??\T:	dxwsetup.exe
File opened (read-only)	\??\V:	dxwsetup.exe
File opened (read-only)	\??\Z:	dxwsetup.exe
File opened (read-only)	\??\A:	dxwsetup.exe
File opened (read-only)	\??\B:	dxwsetup.exe
File opened (read-only)	\??\E:	dxwsetup.exe
File opened (read-only)	\??\O:	dxwsetup.exe
File opened (read-only)	\??\P:	dxwsetup.exe
File opened (read-only)	\??\S:	dxwsetup.exe
File opened (read-only)	\??\U:	dxwsetup.exe
File opened (read-only)	\??\W:	dxwsetup.exe
File opened (read-only)	\??\G:	dxwsetup.exe
File opened (read-only)	\??\H:	dxwsetup.exe
File opened (read-only)	\??\I:	dxwsetup.exe
File opened (read-only)	\??\X:	dxwsetup.exe
File opened (read-only)	\??\Y:	dxwsetup.exe
File opened (read-only)	\??\K:	dxwsetup.exe
File opened (read-only)	\??\L:	dxwsetup.exe
File opened (read-only)	\??\M:	dxwsetup.exe
File opened (read-only)	\??\J:	dxwsetup.exe
File opened (read-only)	\??\N:	dxwsetup.exe
File opened (read-only)	\??\R:	dxwsetup.exe

Drops file in System32 directory 9 IoCs

Processes:

dxwsetup.exe

description	ioc	process
File created	C:\Windows\SysWOW64\directx\websetup\SET3614.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SET3615.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\DirectX\WebSetup	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SET3614.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SET3615.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup32.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\DirectX\WebSetup\filelist.dat	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\dxupdate.cab	dxwsetup.exe

Drops file in Windows directory 5 IoCs

Processes:

dxwsetup.exe

description	ioc	process
File opened for modification	C:\Windows\msdownld.tmp\AS57CFC9.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS57CFC9.tmp	dxwsetup.exe
File opened for modification	C:\Windows\Logs\DirectX.log	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS57CFC9.tmp\dxupdate.cab	dxwsetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

dxwebsetup.exe

description	pid	process	target process
PID 2140 wrote to memory of 2132	2140	dxwebsetup.exe	dxwsetup.exe
PID 2140 wrote to memory of 2132	2140	dxwebsetup.exe	dxwsetup.exe
PID 2140 wrote to memory of 2132	2140	dxwebsetup.exe	dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\COD Encoutered error\COD Encoutered error\Dx 12\dxwebsetup.exe
"C:\Users\Admin\AppData\Local\Temp\COD Encoutered error\COD Encoutered error\Dx 12\dxwebsetup.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2140

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
PID:2132

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll
Filesize
93KB

MD5
984cad22fa542a08c5d22941b888d8dc

SHA1
3e3522e7f3af329f2235b0f0850d664d5377b3cd

SHA256
57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308

SHA512
8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxupdate.cif
Filesize
65KB

MD5
b36d3f105d18e55534ad605cbf061a92

SHA1
788ef2de1dea6c8fe1d23a2e1007542f7321ed79

SHA256
c6c5e877e92d387e977c135765075b7610df2500e21c16e106a225216e6442ae

SHA512
35ae00da025fd578205337a018b35176095a876cd3c3cf67a3e8a8e69cd750a4ccc34ce240f11fae3418e5e93caf5082c987f0c63f9d953ed7cb8d9271e03b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxupdate.dll
Filesize
173KB

MD5
7ed554b08e5b69578f9de012822c39c9

SHA1
036d04513e134786b4758def5aff83d19bf50c6e

SHA256
fb4f297e295c802b1377c6684734b7249d55743dfb7c14807bef59a1b5db63a2

SHA512
7af5f9c4a3ad5c120bcdd681b958808ada4d885d21aeb4a009a36a674ad3ece9b51837212a982db6142a6b5580e5b68d46971b802456701391ce40785ae6ebd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.cif
Filesize
56KB

MD5
7b1fbe9f5f43b2261234b78fe115cf8e

SHA1
dd0f256ae38b4c4771e1d1ec001627017b7bb741

SHA256
762ff640013db2bd4109d7df43a867303093815751129bd1e33f16bf02e52cce

SHA512
d21935a9867c0f2f7084917c79fbb1da885a1bfd4793cf669ff4da8c777b3a201857250bfb7c2b616625a8d3573c68395d210446d2c284b41cf09cc7cbb07885

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.cif
Filesize
56KB

MD5
2c4d9e4773084f33092ced15678a2c46

SHA1
bad603d543470157effd4876a684b9cfd5075524

SHA256
ed710d035ccaab0914810becf2f5db2816dba3a351f3666a38a903c80c16997a

SHA512
d2e34cac195cfede8bc64bdc92721c574963ff522618eda4d7172f664aeb4c8675fd3d4f3658391ee5eaa398bcd2ce5d8f80deecf51af176f5c4bb2d2695e04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
Filesize
515KB

MD5
ac3a5f7be8cd13a863b50ab5fe00b71c

SHA1
eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9

SHA256
8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da

SHA512
c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf
Filesize
477B

MD5
ad8982eaa02c7ad4d7cdcbc248caa941

SHA1
4ccd8e038d73a5361d754c7598ed238fc040d16b

SHA256
d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00

SHA512
5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28

Download Submit
C:\Windows\Logs\DirectX.log
Filesize
4KB

MD5
9e0bb030d2ba023a7e3da6dd0ea17ef0

SHA1
bc779bd6b5013ced73617b415d36b0ffe3a3253f

SHA256
63c0b4569b1e09e46c3ec6f9627a25ebea7cc1b3abcd8cea13a5364b68746ab0

SHA512
afdce36f3b555d38d6714c16bbeba1b3f8bdddc44e8409112291c83f4a0531d4804759746893ebbdc7de770c496ad0702883d28a33d0064b5cb33d88cac5b451

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll
Filesize
1.5MB

MD5
a5412a144f63d639b47fcc1ba68cb029

SHA1
81bd5f1c99b22c0266f3f59959dfb4ea023be47e

SHA256
8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6

SHA512
2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

Download Submit
C:\Windows\SysWOW64\directx\websetup\dxupdate.cab
Filesize
98KB

MD5
4afd7f5c0574a0efd163740ecb142011

SHA1
3ebca5343804fe94d50026da91647442da084302

SHA256
6e39b3fdb6722ea8aa0dc8f46ae0d8bd6496dd0f5f56bac618a0a7dd22d6cfb2

SHA512
6f974acec7d6c1b6a423b28810b0840e77a9f9c1f9632c5cba875bd895e076c7e03112285635cf633c2fa9a4d4e2f4a57437ae8df88a7882184ff6685ee15f3f

Download Submit
C:\Windows\SysWOW64\directx\websetup\filelist.dat
Filesize
137B

MD5
cec960807fa5bec11ad4a31c3512da4d

SHA1
a3ac60a3518747d3bbead5edfd17e155cf7ce9f7

SHA256
f960075a7b1c2590e18700f3230f7baea9aced3e6ba5dc93dac193027b5cec48

SHA512
2da2d935f9b96bd36536f3a7a494775c8ed9bfef6538ffe66307b73cd5c82210fc43bbe6706d74d99dd5b924fb78a0d1beceee8c0e22d91e17b1346dd85690ec

Download Submit
C:\Windows\SysWOW64\directx\websetup\filelist.dat
Filesize
111B

MD5
d6f81567baaf05b557d9bc6c348cb5f1

SHA1
0c840165fcd34d996c85b6b44b00c7206bf772b6

SHA256
e60413bec64775bf1933ef4f9673c8bcfbe0ce71e950fd589bbd14c0f9a00359

SHA512
09b84cc9199592821d7de38cbe24332097b276bb25b6d09f7dcdc3a6b17369ee944a6f8120f13ea6a5c15eb759a90d7ce29cc845a5c0680ff2fa53e2623171e2

Download Submit