Resubmissions

26-07-2024 23:18

240726-3ac1dsthre 10

11-06-2024 01:50

240611-b9q8hszbqh 10

09-06-2024 15:53

240609-tbyttach24 10

Analysis

  • max time kernel
    148s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-07-2024 23:18

General

  • Target

    Dexis Setup.exe

  • Size

    64.6MB

  • MD5

    168e953440d699dc30a39402b4f6e625

  • SHA1

    66efd121a3fdd79b3443f1204fc3a8a8e8d76d12

  • SHA256

    c0d694f24002c77382adfeaa0f3b9c28d93e2c07d761ccaa5fc9644389031c39

  • SHA512

    0dd0edd1b6cb1e1a5c0c39975dc11a2b85c2cdc3b1f0e476b1d867d2519f37e07fb3aec6e0ab4ea2b6370281434541aa010cfa21a07543ca00edfb47dbbbc7d2

  • SSDEEP

    1572864:sQsJjyxAAJXIUEqFGX6xJU2ii8FStoKNSKqh4DFC2EPc4iUb/++O2g9mju:sQ+jyZLEqFC602h86Dc2EE4Fe9mS

Malware Config

Extracted

Family

stealc

Botnet

dex23

C2

http://45.156.27.196

Attributes
  • url_path

    /4c7ef30d4540070f.php

Signatures

  • Detects HijackLoader (aka IDAT Loader) 2 IoCs
  • HijackLoader

    HijackLoader is a multistage loader first seen in 2023.

  • Stealc

    Stealc is an infostealer written in C++.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dexis Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Dexis Setup.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Program Files (x86)\Dexis\Dexis.exe
      "C:\Program Files (x86)\Dexis\Dexis.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:5012
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4728
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4232
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3232
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:208
      • C:\Users\Admin\AppData\Local\Temp\3dbbcc87-f52f-4ea0-99fe-1f22cadfa9a0\snss1.exe
        "C:\Users\Admin\AppData\Local\Temp\3dbbcc87-f52f-4ea0-99fe-1f22cadfa9a0\snss1.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1832
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            5⤵
            • System Location Discovery: System Language Discovery
            PID:896

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    6d3e9c29fe44e90aae6ed30ccf799ca8

    SHA1

    c7974ef72264bbdf13a2793ccf1aed11bc565dce

    SHA256

    2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

    SHA512

    60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    bd5940f08d0be56e65e5f2aaf47c538e

    SHA1

    d7e31b87866e5e383ab5499da64aba50f03e8443

    SHA256

    2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

    SHA512

    c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

  • C:\Users\Admin\AppData\Local\Temp\24f267b3

    Filesize

    899KB

    MD5

    6798ae2cccf67bbd7d2f51592994553e

    SHA1

    e17180911e6730575c6b935de0d3809e3c754ed5

    SHA256

    9b4d2e09b49b0c60b870efdc16ecc20bbaeeb8e8e39c55f2901a3adb5c7432e7

    SHA512

    a7a3e03f0a771c91f7e4aafe62598ad23867cd890659e3b048f9fb054c3c25eccff05cb78717f117bd153cbf5c9af0da33b3c3565c06933d339458c92abe7d1d

  • C:\Users\Admin\AppData\Local\Temp\3dbbcc87-f52f-4ea0-99fe-1f22cadfa9a0\snss1.exe

    Filesize

    1001KB

    MD5

    4ccd18f6c7aa9498fd47d7da126209a2

    SHA1

    2e79a313f0b5613ce98e6ca9f490e553b0536513

    SHA256

    5dbe678474b396f5edc307d96d3f83fba693d33c41f361e850bb91e98529f9b2

    SHA512

    45b7e8acdb077f1c2861417d446624cf22b80488bfc86c92a629b37a35b9ed7793a6a99869befeb395ce913304558029a373f6adcc04758a080210b368c46206

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fjuwmoog.w2y.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/896-233-0x0000000000400000-0x0000000000644000-memory.dmp

    Filesize

    2.3MB

  • memory/896-232-0x00007FFA27170000-0x00007FFA27365000-memory.dmp

    Filesize

    2.0MB

  • memory/896-231-0x0000000000400000-0x0000000000644000-memory.dmp

    Filesize

    2.3MB

  • memory/1832-229-0x0000000073420000-0x000000007359B000-memory.dmp

    Filesize

    1.5MB

  • memory/1832-228-0x00007FFA27170000-0x00007FFA27365000-memory.dmp

    Filesize

    2.0MB

  • memory/2756-225-0x0000000073420000-0x000000007359B000-memory.dmp

    Filesize

    1.5MB

  • memory/2756-224-0x00007FFA27170000-0x00007FFA27365000-memory.dmp

    Filesize

    2.0MB

  • memory/2756-223-0x0000000073420000-0x000000007359B000-memory.dmp

    Filesize

    1.5MB

  • memory/2756-221-0x00000000007F0000-0x00000000008EB000-memory.dmp

    Filesize

    1004KB

  • memory/4728-171-0x000001F0A5520000-0x000001F0A5542000-memory.dmp

    Filesize

    136KB