Resubmissions
26-07-2024 23:18  240726-3ac1dsthre  score 10
11-06-2024 01:50  240611-b9q8hszbqh  score 10
09-06-2024 15:53  240609-tbyttach24  score 10

Analysis
max time kernel: 150s
max time network: 160s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 26-07-2024 23:18
Static task: static1
Behavioral task behavioral1: Dexis Setup.exe on win7-20240708-en
Behavioral task behavioral2: Dexis Setup.exe on win10-20240404-en
Behavioral task behavioral3: Dexis Setup.exe on win10v2004-20240709-en
The signatures and process tree below are from behavioral2 (win10-20240404-en), as the yara resource path in the HijackLoader hit shows.

General
Target: Dexis Setup.exe
Size: 64.6MB
MD5: 168e953440d699dc30a39402b4f6e625
SHA1: 66efd121a3fdd79b3443f1204fc3a8a8e8d76d12
SHA256: c0d694f24002c77382adfeaa0f3b9c28d93e2c07d761ccaa5fc9644389031c39
SHA512: 0dd0edd1b6cb1e1a5c0c39975dc11a2b85c2cdc3b1f0e476b1d867d2519f37e07fb3aec6e0ab4ea2b6370281434541aa010cfa21a07543ca00edfb47dbbbc7d2
SSDEEP: 1572864:sQsJjyxAAJXIUEqFGX6xJU2ii8FStoKNSKqh4DFC2EPc4iUb/++O2g9mju:sQ+jyZLEqFC602h86Dc2EE4Fe9mS
Signatures

Detects HijackLoader (aka IDAT Loader)  1 IoC
resource: behavioral2/files/0x000b00000001ac9e-1534.dat  yara_rule: family_hijackloader
HijackLoader (IDAT Loader) is a multistage loader first seen in 2023.

Credentials from Password Stores: Credentials from Web Browsers  1 TTP
Malicious access to, or copying of, a web-browser credential store.

Command and Scripting Interpreter: PowerShell  1 TTP, 4 IoCs
PowerShell was run to modify Windows Defender settings by adding exclusions (the signature covers extension, path and process exclusions). In this run all four invocations add path exclusions for C:\Users\Admin and C:\Users\Admin\AppData\Roaming, which exempts the whole user profile from scanning, including the Temp directory the second stage (snss1.exe) is dropped in. Add-MpPreference needs administrative rights; whether the exclusions actually took effect is not shown in the report.
pid / process: 5760 powershell.exe, 1948 powershell.exe, 5272 powershell.exe, 6040 powershell.exe

Unsecured Credentials: Credentials In Files  1 TTP
Steals credentials from unsecured files.

Accesses cryptocurrency files/wallets, possible credential harvesting  2 TTPs

Downloads MZ/PE file

Suspicious use of SetThreadContext  1 IoC
PID 4592 snss1.exe set the thread context of PID 4652 (cmd.exe, procid_target 86). Together with the WriteProcessMemory and MapViewOfSection hits on the same pair below, and with cmd.exe having been started with no arguments, this is the process-hollowing pattern: the payload runs inside a legitimate cmd.exe image.
Drops file in Program Files directory  64 IoCs
All entries are by Dexis Setup.exe. The layout (locales\*.pak, chrome_100_percent.pak, resources.pak, snapshot_blob.bin, resources\app.asar, node_modules\better-sqlite3) is a standard Electron application install, so this signature on its own only says the installer is installing; the application code lives in resources\app.asar.
modified: C:\Program Files (x86)\Dexis\locales\es.pak
modified: C:\Program Files (x86)\Dexis\locales\fil.pak
modified: C:\Program Files (x86)\Dexis\resources\trayIcon.ico
modified: C:\Program Files (x86)\Dexis\version
created: C:\Program Files (x86)\Dexis\libEGL.dll
created: C:\Program Files (x86)\Dexis\chrome_100_percent.pak
created: C:\Program Files (x86)\Dexis\locales\bg.pak
modified: C:\Program Files (x86)\Dexis\resources\app.asar.unpacked\node_modules\node-mac-window
created: C:\Program Files (x86)\Dexis\locales\mr.pak
modified: C:\Program Files (x86)\Dexis\locales\mr.pak
created: C:\Program Files (x86)\Dexis\locales\zh-CN.pak
modified: C:\Program Files (x86)\Dexis\resources\app.asar.unpacked\node_modules\better-sqlite3\build\Release\test_extension.node
created: C:\Program Files (x86)\Dexis\resources\app.asar.unpacked\node_modules\node-mac-window\build\Release\mac_window.node
created: C:\Program Files (x86)\Dexis\locales\en-US.pak
modified: C:\Program Files (x86)\Dexis\locales\gu.pak
created: C:\Program Files (x86)\Dexis\locales\fil.pak
created: C:\Program Files (x86)\Dexis\locales\ja.pak
created: C:\Program Files (x86)\Dexis\locales\ml.pak
created: C:\Program Files (x86)\Dexis\locales\nl.pak
modified: C:\Program Files (x86)\Dexis\locales\zh-CN.pak
created: C:\Program Files (x86)\Dexis\resources\app.asar
modified: C:\Program Files (x86)\Dexis\resources\app.asar.unpacked\node_modules\better-sqlite3
created: C:\Program Files (x86)\Dexis\locales\es-419.pak
created: C:\Program Files (x86)\Dexis\locales\ro.pak
created: C:\Program Files (x86)\Dexis\locales\sr.pak
created: C:\Program Files (x86)\Dexis\locales\da.pak
modified: C:\Program Files (x86)\Dexis\locales\ja.pak
created: C:\Program Files (x86)\Dexis\locales\af.pak
created: C:\Program Files (x86)\Dexis\locales\nb.pak
modified: C:\Program Files (x86)\Dexis\locales\nb.pak
modified: C:\Program Files (x86)\Dexis\vulkan-1.dll
modified: C:\Program Files (x86)\Dexis\resources\app.asar.unpacked\node_modules
modified: C:\Program Files (x86)\Dexis\resources\app.asar.unpacked\node_modules\node-mac-window\build
created: C:\Program Files (x86)\Dexis\locales\hi.pak
modified: C:\Program Files (x86)\Dexis\locales\ms.pak
modified: C:\Program Files (x86)\Dexis\snapshot_blob.bin
modified: C:\Program Files (x86)\Dexis\resources\app.asar.unpacked\node_modules\node-mac-window\build\Release
modified: C:\Program Files (x86)\Dexis\locales\et.pak
modified: C:\Program Files (x86)\Dexis\locales\hi.pak
modified: C:\Program Files (x86)\Dexis\locales\ml.pak
modified: C:\Program Files (x86)\Dexis\locales\tr.pak
modified: C:\Program Files (x86)\Dexis\vk_swiftshader_icd.json
modified: C:\Program Files (x86)\Dexis\libGLESv2.dll
created: C:\Program Files (x86)\Dexis\LICENSES.chromium.html
modified: C:\Program Files (x86)\Dexis\locales\fa.pak
created: C:\Program Files (x86)\Dexis\locales\ar.pak
created: C:\Program Files (x86)\Dexis\resources.pak
created: C:\Program Files (x86)\Dexis\locales\uk.pak
created: C:\Program Files (x86)\Dexis\resources\app.asar.unpacked\node_modules\better-sqlite3\build\Release\better_sqlite3.node
modified: C:\Program Files (x86)\Dexis\Dexis.exe
modified: C:\Program Files (x86)\Dexis\libEGL.dll
modified: C:\Program Files (x86)\Dexis\locales
created: C:\Program Files (x86)\Dexis\locales\th.pak
created: C:\Program Files (x86)\Dexis\locales\sl.pak
modified: C:\Program Files (x86)\Dexis\locales\vi.pak
created: C:\Program Files (x86)\Dexis\vk_swiftshader_icd.json
modified: C:\Program Files (x86)\Dexis\resources\app.asar.unpacked
modified: C:\Program Files (x86)\Dexis\locales\fi.pak
created: C:\Program Files (x86)\Dexis\locales\fa.pak
created: C:\Program Files (x86)\Dexis\locales\ko.pak
created: C:\Program Files (x86)\Dexis\locales\pt-PT.pak
created: C:\Program Files (x86)\Dexis\locales\sv.pak
modified: C:\Program Files (x86)\Dexis\locales\sv.pak
created: C:\Program Files (x86)\Dexis\locales\sw.pak
Executes dropped EXE  2 IoCs
pid / process: 3796 Dexis.exe, 4592 snss1.exe

Loads dropped DLL  2 IoCs
pid / process: 1856 explorer.exe (two loads)

Enumerates physical storage devices  1 TTP
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery  1 TTP, 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: cmd.exe, explorer.exe, Dexis Setup.exe, snss1.exe

Checks processor information in registry  2 TTPs, 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by explorer.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by explorer.exe

Suspicious behavior: EnumeratesProcesses  18 IoCs
pid / process (hits): 1948 powershell.exe (3), 5272 powershell.exe (3), 6040 powershell.exe (3), 5760 powershell.exe (3), 4592 snss1.exe (2), 4652 cmd.exe (2), 1856 explorer.exe (2)

Suspicious behavior: MapViewOfSection  2 IoCs
pid / process: 4592 snss1.exe, 4652 cmd.exe

Suspicious use of AdjustPrivilegeToken  64 IoCs
Token privileges enabled, by pid / process:
1948 powershell.exe, twice (the repeat omits the leading SeDebugPrivilege): SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
5272 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (the list stops at the 64-IoC display limit)
This privilege set is routinely enabled by powershell.exe itself and is low-signal on its own; the exclusion command lines in the process tree are the actionable part.

Suspicious use of WriteProcessMemory  21 IoCs
source pid -> target pid (source process, procid_target), with the number of hits:
2772 -> 3796 (Dexis Setup.exe, 74) x2
3796 -> 1948 (Dexis.exe, 75) x2
3796 -> 5272 (Dexis.exe, 77) x2
3796 -> 6040 (Dexis.exe, 80) x2
3796 -> 5760 (Dexis.exe, 82) x2
3796 -> 4592 (Dexis.exe, 84) x3
4592 -> 4652 (snss1.exe, 86) x4
4652 -> 1856 (cmd.exe, 88) x4
Processes

C:\Users\Admin\AppData\Local\Temp\Dexis Setup.exe  (PID 2772, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Dexis Setup.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Dexis\Dexis.exe  (PID 3796, depth 2, parent 2772)
    command line: "C:\Program Files (x86)\Dexis\Dexis.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1948, depth 3, parent 3796)
      command line: "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 5272, depth 3, parent 3796)
      command line: "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 6040, depth 3, parent 3796)
      command line: "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 5760, depth 3, parent 3796)
      command line: "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\8d5f3cdd-4308-427d-a0e6-a449f5958c6c\snss1.exe  (PID 4592, depth 3, parent 3796)
      command line: "C:\Users\Admin\AppData\Local\Temp\8d5f3cdd-4308-427d-a0e6-a449f5958c6c\snss1.exe"
      - Suspicious use of SetThreadContext
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe  (PID 4652, depth 4, parent 4592)
        command line: C:\Windows\SysWOW64\cmd.exe (no arguments)
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\explorer.exe  (PID 1856, depth 5, parent 4652)
          command line: C:\Windows\SysWOW64\explorer.exe (no arguments)
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: 8592ba100a78835a6b94d5949e13dfc1
SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Filesize: 1KB
MD5: ab8b6ea5fcfd10f997a3abd78fcdf447
SHA1: 05c012c26309be98323dc10543370179e0a25e8f
SHA256: 4bb2f6cbd033d8916b9d068af07228e56aa27e94e59d9da4747c4de0074056ef
SHA512: 08cc4f222c954c0ad0970faee94552f58e92a52471bccd88fa882d40f27a50e58130e9ef581495461977313bb292766857a3fb70db14960e53c05bfed0769c4f

Filesize: 1KB
MD5: 12ce32cdb860ea27c099070bd8739917
SHA1: 0316c3dcd8f5926dc125427a2220526e53b2b1c6
SHA256: cea8621365f1e4a19ccdbc46ef431635352d68753fc939f7412df3181080f6bd
SHA512: 69da9c85c8068dfcef7267154215047aa3743a80724b60558f22c66237e04b24737d14dea19b7d8d8a7236da32d4fe9b4a48af04f22f61f54c5a69af1bc0ca95

Filesize: 1KB
MD5: a7a4159d4796da431909197a06769a75
SHA1: b24a5ce4e0e294d6f8897863a9dd990f230b39cb
SHA256: 170756aed46913a6cb5583747a0a6ef59329bd7be0ded29f5ea96c53c520f419
SHA512: 0b150134d53edefa4d63d8debaba3eb27b2f9a9f12c2da259f17db4c08c1463176e7f06a2233d1a119111d46705dd408efac04e56cf2582ef78ab9965e8c0e74

Filesize: 899KB
MD5: 4343a14de4efeb427a2e6f2572b0c208
SHA1: b849281e838cd6755ba967cacc8ce2062c6df6f3
SHA256: f73ad2fdb86512ee77792338584bea90ffa51354b340c58acae2eb08a5b2389e
SHA512: 3a02fd1e534c9086599990f54d3a474452009cc82b604bb2a9c58c2a2bee7fd326ca3e8085ab1b7e7867dac2ec4d046ff2fcc16b58013c9c8b1016f2af20887c

Filesize: 1001KB
MD5: 4ccd18f6c7aa9498fd47d7da126209a2
SHA1: 2e79a313f0b5613ce98e6ca9f490e553b0536513
SHA256: 5dbe678474b396f5edc307d96d3f83fba693d33c41f361e850bb91e98529f9b2
SHA512: 45b7e8acdb077f1c2861417d446624cf22b80488bfc86c92a629b37a35b9ed7793a6a99869befeb395ce913304558029a373f6adcc04758a080210b368c46206

Filesize: 1B (these are the hashes of the single ASCII byte "1", i.e. a one-character response, not a payload)
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Filesize: 2.0MB
MD5: 1cc453cdf74f31e4d913ff9c10acdde2
SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571