Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
  • submitted
    28-05-2024 14:15

General

  • Target

    $TEMP/dxredist/dsetup32.dll

  • Size

    1.5MB

  • MD5

    d8fa7bb4fe10251a239ed75055dd6f73

  • SHA1

    76c4bd2d8f359f7689415efc15e3743d35673ae8

  • SHA256

    fb0e534f9b0926e518f1c2980640dfd29f14217cdfa37cf3a0c13349127ed9a8

  • SHA512

    73f633179b1340c1c14d0002b72e44cab1919d0ef174f307e4bfe6de240b0b6ef233e67a8b0a0cd677556865ee7b88c6de152045a580ab9fbf1a50d2db0673b4

  • SSDEEP

    24576:CIQ+ddddddddddddddxOOOOOOOOOOOOOO2iWeXiWeXiWeXiWeXiWeXiWeXiWeXi+:CIQsOOOOOOOOOOOOOO2iWeXiWeXiWeXf

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\dxredist\dsetup32.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\dxredist\dsetup32.dll,#1
      2⤵
      • Drops file in Windows directory
      PID:2264
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2540
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002F4" "00000000000003D0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Logs\DXError.log

    Filesize

    238B

    MD5

    a8d289c014beddb9d779a59c7d3be0ae

    SHA1

    746c36cac1c16b055dffed00e321e3035974ce55

    SHA256

    13692e0aece2e8a97b8d826e370fd7b61a6deb5e3b7532b6f45ad44d24799716

    SHA512

    2f02fd8651cb57ac15f7148b6b7289995ee7ffb894736d7763aa9e7d679d0f08a4b0ba632db585c820ba696c370af4205083ee29ee801c4959aadb11b20750ae

  • C:\Windows\Logs\DirectX.log

    Filesize

    515B

    MD5

    83c4d1fb5cc65219c2429e252e516ee3

    SHA1

    d4cf9f543545df34d58f3972d5f6ae0e5a976843

    SHA256

    6766171635ee6db84bb47f0361767254a72a4b10fefb57a5f7da02ed7e0b9b74

    SHA512

    3bbde1c2b39e78fb537969354a6715ec0ec03368e5ae4126db86df1b8bca9e89b4a5e0546aa2e9f330e394fde536e71c3b64d910347bd848846f56b98d036b5d

  • C:\Windows\Logs\DirectX.log

    Filesize

    958B

    MD5

    693f2d8783422e44f2b7b6c7e115ae54

    SHA1

    7b39ea1db58df3ed466abd9a3a8d603ae349911b

    SHA256

    2402bb214874fa9157fb0b0a44f051d09ceed4dd4cddb8686283babe8ac3d8da

    SHA512

    b58d9541cafe1efd2f52eccc46d1de697015e91862b9f90e915adfb16ec5ee44c2c569c9d6df1bb3a754c779897241087de100f40133474d2f7c4169a4cf5355