Analysis

  • max time kernel
    63s
  • max time network
    86s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    11-04-2024 18:29

General

  • Target

    $TEMP/dxredist/dsetup32.dll

  • Size

    1.5MB

  • MD5

    d8fa7bb4fe10251a239ed75055dd6f73

  • SHA1

    76c4bd2d8f359f7689415efc15e3743d35673ae8

  • SHA256

    fb0e534f9b0926e518f1c2980640dfd29f14217cdfa37cf3a0c13349127ed9a8

  • SHA512

    73f633179b1340c1c14d0002b72e44cab1919d0ef174f307e4bfe6de240b0b6ef233e67a8b0a0cd677556865ee7b88c6de152045a580ab9fbf1a50d2db0673b4

  • SSDEEP

    24576:CIQ+ddddddddddddddxOOOOOOOOOOOOOO2iWeXiWeXiWeXiWeXiWeXiWeXiWeXi+:CIQsOOOOOOOOOOOOOO2iWeXiWeXiWeXf

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\dxredist\dsetup32.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\dxredist\dsetup32.dll,#1
      2⤵
      • Drops file in Windows directory
      PID:2132
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:512
  • C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4400

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Logs\DXError.log

    Filesize

    238B

    MD5

    02327c6eed465863afc36380f4867fe4

    SHA1

    e990c7f55e76da83b6fbf8755204a2878dff0ccd

    SHA256

    60dd6f83166a117297a4225f124feb7d472a8d27faaa82ad16d1ad59259760f0

    SHA512

    ba5a78985a4c1120f0fc8c2f4614246a5aa468d13d3ecca1c7f75bf28efe32500c0c496b53f2b06cfb21074ffc9e9bc94a99053ce230e5b7732947bd21fd85e2

  • C:\Windows\Logs\DirectX.log

    Filesize

    517B

    MD5

    39ebf18bdf1b8ab3ded46b38ef075fb4

    SHA1

    d345595be2922b8ed5826361db2112ba264efb8f

    SHA256

    f99f9f7199c37713905cb852512900cd61c0eaf6b2c23d0710a50ae21ad706c0

    SHA512

    89509d380462b0725cce930c04f34555b0855f69ff3d06259499b5730c63d51756eec19e4f5e16732cfb26a15b8630a60ac599e64aced907bcf9d4ae1aa771ba