Analysis

  • max time kernel
    312s
  • max time network
    1581s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    12-04-2024 14:35

General

  • Target

    $TEMP/dxredist/dsetup32.dll

  • Size

    1.5MB

  • MD5

    d8fa7bb4fe10251a239ed75055dd6f73

  • SHA1

    76c4bd2d8f359f7689415efc15e3743d35673ae8

  • SHA256

    fb0e534f9b0926e518f1c2980640dfd29f14217cdfa37cf3a0c13349127ed9a8

  • SHA512

    73f633179b1340c1c14d0002b72e44cab1919d0ef174f307e4bfe6de240b0b6ef233e67a8b0a0cd677556865ee7b88c6de152045a580ab9fbf1a50d2db0673b4

  • SSDEEP

    24576:CIQ+ddddddddddddddxOOOOOOOOOOOOOO2iWeXiWeXiWeXiWeXiWeXiWeXiWeXi+:CIQsOOOOOOOOOOOOOO2iWeXiWeXiWeXf

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\dxredist\dsetup32.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\dxredist\dsetup32.dll,#1
      2⤵
      • Drops file in Windows directory
      PID:4616
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5116
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
    1⤵
    • Checks SCSI registry key(s)
    • Modifies data under HKEY_USERS
    PID:4444
  • C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2180

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Logs\DXError.log

    Filesize

    238B

    MD5

    589e9321824f7ea69a14c882b2f56194

    SHA1

    5a7a311b5844b2123b18c0ed49ef954095519832

    SHA256

    603417d1731fb446d0c2488a1d9dbcb5d8e6986ccb4b9bc1d8955a2f87e4e8a9

    SHA512

    28300f16b21f5e74f23f726ff93cbe9ee2b12671c23b1a53d90068f285203be544ff178fd1578287ade29382c0fdc327584369ee3c1132f2972e452ace6c5e1c

  • C:\Windows\Logs\DirectX.log

    Filesize

    517B

    MD5

    d1f7b16be74bca8634cc390e1733af71

    SHA1

    a8e3e84c5560424dd63f5007d95a6f1dbb8784d3

    SHA256

    e03ab647ed8795a4498a29b1e7b97dd916f0d19f95274e60eb5922bad7f9e4b7

    SHA512

    9c9540f4c0ababcfa124dc3af1ae50bc9511cf2ab2489c6c8ca6847c394a100dfea7dfa59aff205412fcdb8b8d61e539ec7f5c4186340c728cc86a4b734bd943