Resubmissions

26-07-2024 23:18

240726-3ac1dsthre 10

11-06-2024 01:50

240611-b9q8hszbqh 10

09-06-2024 15:53

240609-tbyttach24 10

Analysis

  • max time kernel
    150s
  • max time network
    160s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    26-07-2024 23:18

General

  • Target

    Dexis Setup.exe

  • Size

    64.6MB

  • MD5

    168e953440d699dc30a39402b4f6e625

  • SHA1

    66efd121a3fdd79b3443f1204fc3a8a8e8d76d12

  • SHA256

    c0d694f24002c77382adfeaa0f3b9c28d93e2c07d761ccaa5fc9644389031c39

  • SHA512

    0dd0edd1b6cb1e1a5c0c39975dc11a2b85c2cdc3b1f0e476b1d867d2519f37e07fb3aec6e0ab4ea2b6370281434541aa010cfa21a07543ca00edfb47dbbbc7d2

  • SSDEEP

    1572864:sQsJjyxAAJXIUEqFGX6xJU2ii8FStoKNSKqh4DFC2EPc4iUb/++O2g9mju:sQ+jyZLEqFC602h86Dc2EE4Fe9mS

Malware Config

Signatures

  • Detects HijackLoader (aka IDAT Loader) 1 IoCs
  • HijackLoader

    HijackLoader is a multistage loader first seen in 2023.

  • Stealc

    Stealc is an infostealer written in C++.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Downloads MZ/PE file
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dexis Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Dexis Setup.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Program Files (x86)\Dexis\Dexis.exe
      "C:\Program Files (x86)\Dexis\Dexis.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3796
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1948
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5272
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:6040
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:5760
      • C:\Users\Admin\AppData\Local\Temp\8d5f3cdd-4308-427d-a0e6-a449f5958c6c\snss1.exe
        "C:\Users\Admin\AppData\Local\Temp\8d5f3cdd-4308-427d-a0e6-a449f5958c6c\snss1.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4592
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:4652
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            PID:1856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    8592ba100a78835a6b94d5949e13dfc1

    SHA1

    63e901200ab9a57c7dd4c078d7f75dcd3b357020

    SHA256

    fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

    SHA512

    87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    ab8b6ea5fcfd10f997a3abd78fcdf447

    SHA1

    05c012c26309be98323dc10543370179e0a25e8f

    SHA256

    4bb2f6cbd033d8916b9d068af07228e56aa27e94e59d9da4747c4de0074056ef

    SHA512

    08cc4f222c954c0ad0970faee94552f58e92a52471bccd88fa882d40f27a50e58130e9ef581495461977313bb292766857a3fb70db14960e53c05bfed0769c4f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    12ce32cdb860ea27c099070bd8739917

    SHA1

    0316c3dcd8f5926dc125427a2220526e53b2b1c6

    SHA256

    cea8621365f1e4a19ccdbc46ef431635352d68753fc939f7412df3181080f6bd

    SHA512

    69da9c85c8068dfcef7267154215047aa3743a80724b60558f22c66237e04b24737d14dea19b7d8d8a7236da32d4fe9b4a48af04f22f61f54c5a69af1bc0ca95

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    a7a4159d4796da431909197a06769a75

    SHA1

    b24a5ce4e0e294d6f8897863a9dd990f230b39cb

    SHA256

    170756aed46913a6cb5583747a0a6ef59329bd7be0ded29f5ea96c53c520f419

    SHA512

    0b150134d53edefa4d63d8debaba3eb27b2f9a9f12c2da259f17db4c08c1463176e7f06a2233d1a119111d46705dd408efac04e56cf2582ef78ab9965e8c0e74

  • C:\Users\Admin\AppData\Local\Temp\7925cf73

    Filesize

    899KB

    MD5

    4343a14de4efeb427a2e6f2572b0c208

    SHA1

    b849281e838cd6755ba967cacc8ce2062c6df6f3

    SHA256

    f73ad2fdb86512ee77792338584bea90ffa51354b340c58acae2eb08a5b2389e

    SHA512

    3a02fd1e534c9086599990f54d3a474452009cc82b604bb2a9c58c2a2bee7fd326ca3e8085ab1b7e7867dac2ec4d046ff2fcc16b58013c9c8b1016f2af20887c

  • C:\Users\Admin\AppData\Local\Temp\8d5f3cdd-4308-427d-a0e6-a449f5958c6c\snss1.exe

    Filesize

    1001KB

    MD5

    4ccd18f6c7aa9498fd47d7da126209a2

    SHA1

    2e79a313f0b5613ce98e6ca9f490e553b0536513

    SHA256

    5dbe678474b396f5edc307d96d3f83fba693d33c41f361e850bb91e98529f9b2

    SHA512

    45b7e8acdb077f1c2861417d446624cf22b80488bfc86c92a629b37a35b9ed7793a6a99869befeb395ce913304558029a373f6adcc04758a080210b368c46206

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_loueu4eu.yu0.ps1

    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • \ProgramData\mozglue.dll

    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

  • \ProgramData\nss3.dll

    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

  • memory/1856-2012-0x0000000000400000-0x0000000000644000-memory.dmp

    Filesize

    2.3MB

  • memory/1948-1060-0x000002107D820000-0x000002107D842000-memory.dmp

    Filesize

    136KB

  • memory/1948-1063-0x000002107DB50000-0x000002107DBC6000-memory.dmp

    Filesize

    472KB

  • memory/3796-605-0x0000019FEBD40000-0x0000019FEBE00000-memory.dmp

    Filesize

    768KB

  • memory/3796-615-0x0000019FEBE90000-0x0000019FEBEA0000-memory.dmp

    Filesize

    64KB

  • memory/3796-572-0x0000019FE7530000-0x0000019FE7550000-memory.dmp

    Filesize

    128KB

  • memory/3796-567-0x0000019FE74F0000-0x0000019FE7510000-memory.dmp

    Filesize

    128KB

  • memory/3796-582-0x0000019FE75B0000-0x0000019FE75D0000-memory.dmp

    Filesize

    128KB

  • memory/3796-590-0x0000019FEB7B0000-0x0000019FEB7E0000-memory.dmp

    Filesize

    192KB

  • memory/3796-610-0x0000019FEBE40000-0x0000019FEBE70000-memory.dmp

    Filesize

    192KB

  • memory/3796-577-0x0000019FE7570000-0x0000019FE7590000-memory.dmp

    Filesize

    128KB

  • memory/3796-600-0x0000019FEBC40000-0x0000019FEBC50000-memory.dmp

    Filesize

    64KB

  • memory/3796-164-0x0000019FE6250000-0x0000019FE6EF0000-memory.dmp

    Filesize

    12.6MB

  • memory/3796-596-0x0000019FEB960000-0x0000019FEBAE0000-memory.dmp

    Filesize

    1.5MB

  • memory/3796-557-0x0000015F50990000-0x0000015F509B0000-memory.dmp

    Filesize

    128KB

  • memory/3796-562-0x0000019FEB4A0000-0x0000019FEB780000-memory.dmp

    Filesize

    2.9MB

  • memory/3796-552-0x0000019FEA4C0000-0x0000019FEB1B0000-memory.dmp

    Filesize

    12.9MB

  • memory/3796-547-0x0000015F509C0000-0x0000015F50A00000-memory.dmp

    Filesize

    256KB

  • memory/3796-170-0x0000019FE7810000-0x0000019FE7A10000-memory.dmp

    Filesize

    2.0MB