Resubmissions

26-07-2024 23:18

240726-3ac1dsthre 10

11-06-2024 01:50

240611-b9q8hszbqh 10

09-06-2024 15:53

240609-tbyttach24 10

Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    26-07-2024 23:18

General

  • Target

    Dexis Setup.exe

  • Size

    64.6MB

  • MD5

    168e953440d699dc30a39402b4f6e625

  • SHA1

    66efd121a3fdd79b3443f1204fc3a8a8e8d76d12

  • SHA256

    c0d694f24002c77382adfeaa0f3b9c28d93e2c07d761ccaa5fc9644389031c39

  • SHA512

    0dd0edd1b6cb1e1a5c0c39975dc11a2b85c2cdc3b1f0e476b1d867d2519f37e07fb3aec6e0ab4ea2b6370281434541aa010cfa21a07543ca00edfb47dbbbc7d2

  • SSDEEP

    1572864:sQsJjyxAAJXIUEqFGX6xJU2ii8FStoKNSKqh4DFC2EPc4iUb/++O2g9mju:sQ+jyZLEqFC602h86Dc2EE4Fe9mS

Malware Config

Extracted

Family

stealc

Botnet

dex23

C2

http://45.156.27.196

Attributes
  • url_path

    /4c7ef30d4540070f.php

Signatures

  • Detects HijackLoader (aka IDAT Loader) 1 IoCs
  • HijackLoader

    HijackLoader is a multistage loader first seen in 2023.

  • Stealc

    Stealc is an infostealer written in C++.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Downloads MZ/PE file
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dexis Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Dexis Setup.exe"
    1⤵
    • Drops file in Program Files directory
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Program Files (x86)\Dexis\Dexis.exe
      "C:\Program Files (x86)\Dexis\Dexis.exe"
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1820
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1808
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2052
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2704
      • C:\Users\Admin\AppData\Local\Temp\7ba77e13-c4ed-4614-a06b-a6eb89354b79\snss1.exe
        "C:\Users\Admin\AppData\Local\Temp\7ba77e13-c4ed-4614-a06b-a6eb89354b79\snss1.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:560
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1584
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            PID:1164

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\21484ef0

    Filesize

    899KB

    MD5

    3066c555c2b5e296b6078d6427c80d67

    SHA1

    55e8ad27e108da8086cc1a5c33eeb88515b5b8c7

    SHA256

    9f17da2819bd3963a5275453c9c2a26449537a65872f71c29749086c4b6e2acd

    SHA512

    8901a7bb9d291922a385ee92f92fd998816a5ef0d8216f5575cc87fce091d0fe44800c7bc823354dfcf82d6841412e8741830178952a0f948b4c4685d916f28f

  • C:\Users\Admin\AppData\Local\Temp\7ba77e13-c4ed-4614-a06b-a6eb89354b79\snss1.exe

    Filesize

    1001KB

    MD5

    4ccd18f6c7aa9498fd47d7da126209a2

    SHA1

    2e79a313f0b5613ce98e6ca9f490e553b0536513

    SHA256

    5dbe678474b396f5edc307d96d3f83fba693d33c41f361e850bb91e98529f9b2

    SHA512

    45b7e8acdb077f1c2861417d446624cf22b80488bfc86c92a629b37a35b9ed7793a6a99869befeb395ce913304558029a373f6adcc04758a080210b368c46206

  • C:\Users\Admin\AppData\Local\Temp\Cab66D0.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar6750.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    df42ca18eebbab7429eb34e42efd888f

    SHA1

    9b6ddeb3bf3039af0a90f086200415923cfd0d03

    SHA256

    696e87b01651179ac2beee90cca039a9b33c4e86769a204e4eba36969edb2947

    SHA512

    0db6fb34cc6c11e4c8a2fed31a3764f8f9a3d6ef69ac90daf9fd3856acf93f51b084bd250cc001bcfd73a608f87d98138bd404b66607a3598afab2f046266d9e

  • \ProgramData\mozglue.dll

    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

  • \ProgramData\nss3.dll

    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

  • memory/1164-401-0x0000000000400000-0x0000000000644000-memory.dmp

    Filesize

    2.3MB

  • memory/1712-219-0x0000000007890000-0x0000000007950000-memory.dmp

    Filesize

    768KB

  • memory/1712-163-0x000000013F88D000-0x000000013F88E000-memory.dmp

    Filesize

    4KB

  • memory/1712-207-0x0000000004490000-0x00000000044C0000-memory.dmp

    Filesize

    192KB

  • memory/1712-200-0x0000000004430000-0x0000000004450000-memory.dmp

    Filesize

    128KB

  • memory/1712-196-0x0000000002520000-0x0000000002540000-memory.dmp

    Filesize

    128KB

  • memory/1712-192-0x0000000002160000-0x0000000002180000-memory.dmp

    Filesize

    128KB

  • memory/1712-188-0x0000000002120000-0x0000000002140000-memory.dmp

    Filesize

    128KB

  • memory/1712-184-0x00000000071F0000-0x00000000074D0000-memory.dmp

    Filesize

    2.9MB

  • memory/1712-180-0x0000000001FC0000-0x0000000001FE0000-memory.dmp

    Filesize

    128KB

  • memory/1712-164-0x0000000003390000-0x0000000004030000-memory.dmp

    Filesize

    12.6MB

  • memory/1712-169-0x0000000004E30000-0x0000000005030000-memory.dmp

    Filesize

    2.0MB

  • memory/1712-215-0x00000000044E0000-0x00000000044F0000-memory.dmp

    Filesize

    64KB

  • memory/1712-179-0x0000000006500000-0x00000000071F0000-memory.dmp

    Filesize

    12.9MB

  • memory/1712-211-0x0000000007650000-0x00000000077D0000-memory.dmp

    Filesize

    1.5MB

  • memory/1712-223-0x00000000045A0000-0x00000000045D0000-memory.dmp

    Filesize

    192KB

  • memory/1712-227-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

    Filesize

    64KB

  • memory/1712-172-0x0000000001F80000-0x0000000001FC0000-memory.dmp

    Filesize

    256KB

  • memory/1820-265-0x0000000002820000-0x0000000002828000-memory.dmp

    Filesize

    32KB

  • memory/1820-264-0x000000001B530000-0x000000001B812000-memory.dmp

    Filesize

    2.9MB

  • memory/2052-276-0x0000000002790000-0x0000000002798000-memory.dmp

    Filesize

    32KB