Resubmissions
26-07-2024 23:18  240726-3ac1dsthre  10
11-06-2024 01:50  240611-b9q8hszbqh  10
09-06-2024 15:53  240609-tbyttach24  10
Analysis
-
max time kernel
148s
-
max time network
158s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240709-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
26-07-2024 23:18
Static task
static1
Behavioral task
behavioral1
Sample
Dexis Setup.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Dexis Setup.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
Dexis Setup.exe
Resource
win10v2004-20240709-en
General
-
Target
Dexis Setup.exe
-
Size
64.6MB
-
MD5
168e953440d699dc30a39402b4f6e625
-
SHA1
66efd121a3fdd79b3443f1204fc3a8a8e8d76d12
-
SHA256
c0d694f24002c77382adfeaa0f3b9c28d93e2c07d761ccaa5fc9644389031c39
-
SHA512
0dd0edd1b6cb1e1a5c0c39975dc11a2b85c2cdc3b1f0e476b1d867d2519f37e07fb3aec6e0ab4ea2b6370281434541aa010cfa21a07543ca00edfb47dbbbc7d2
-
SSDEEP
1572864:sQsJjyxAAJXIUEqFGX6xJU2ii8FStoKNSKqh4DFC2EPc4iUb/++O2g9mju:sQ+jyZLEqFC602h86Dc2EE4Fe9mS
Malware Config
Extracted
stealc
dex23
http://45.156.27.196
-
url_path
/4c7ef30d4540070f.php
Signatures
-
Detects HijackLoader (aka IDAT Loader) 2 IoCs
resource | yara_rule
behavioral3/files/0x00070000000234e6-220.dat | family_hijackloader
behavioral3/memory/2756-221-0x00000000007F0000-0x00000000008EB000-memory.dmp | family_hijackloader
-
HijackLoader
HijackLoader is a multistage loader first seen in 2023.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
4728 | powershell.exe
4232 | powershell.exe
3232 | powershell.exe
208 | powershell.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | Dexis Setup.exe
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2756 set thread context of 1832 | 2756 | snss1.exe | 114
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Dexis\resources | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\locales\ru.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\locales\te.pak | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\locales\th.pak | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\version | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\chrome_200_percent.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\locales\ar.pak | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\locales\uk.pak | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\locales\af.pak | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\locales\fa.pak | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\locales\hr.pak | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\locales\ta.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\icudtl.dat | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\locales\hr.pak | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\locales\nl.pak | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\resources\trayIcon.ico | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\resources\app.asar.unpacked\node_modules\better-sqlite3 | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\locales\fr.pak | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\locales\pt-BR.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\locales\sl.pak | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\locales\zh-CN.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\resources\app-update.yml | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\Dexis.exe | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\locales\ar.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\locales\bg.pak | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\locales\id.pak | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\locales\kn.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\locales\pt-PT.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\locales\am.pak | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\locales\bg.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\locales\fil.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\locales\nl.pak | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\locales\pl.pak | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\locales\ur.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\vulkan-1.dll | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\locales | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\locales\id.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\locales\it.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\locales\mr.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\v8_context_snapshot.bin | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\libGLESv2.dll | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\locales\de.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\locales\es.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\locales\fr.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\resources\trayIcon.ico | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\locales\cs.pak | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\locales\et.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\locales\kn.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\locales\pl.pak | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\resources\app.asar | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\chrome_100_percent.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\locales\el.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\locales\fi.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\locales\ml.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\locales\vi.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\resources\app.asar | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\d3dcompiler_47.dll | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\Dexis.exe | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\chrome_100_percent.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\locales\cs.pak | Dexis Setup.exe
File created | C:\Program Files (x86)\Dexis\locales\lv.pak | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\locales\ml.pak | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\locales\ro.pak | Dexis Setup.exe
File opened for modification | C:\Program Files (x86)\Dexis\resources\app.asar.unpacked\node_modules\better-sqlite3\build\Release\better_sqlite3.node | Dexis Setup.exe
-
Executes dropped EXE 2 IoCs
pid | Process
5012 | Dexis.exe
2756 | snss1.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | snss1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dexis Setup.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process
4728 | powershell.exe
4728 | powershell.exe
4232 | powershell.exe
4232 | powershell.exe
4232 | powershell.exe
3232 | powershell.exe
3232 | powershell.exe
3232 | powershell.exe
208 | powershell.exe
208 | powershell.exe
2756 | snss1.exe
2756 | snss1.exe
1832 | cmd.exe
1832 | cmd.exe
-
Suspicious behavior: MapViewOfSection 2 IoCs
pid | Process
2756 | snss1.exe
1832 | cmd.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4728 | powershell.exe
Token: SeDebugPrivilege | 4232 | powershell.exe
Token: SeDebugPrivilege | 3232 | powershell.exe
Token: SeDebugPrivilege | 208 | powershell.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target
PID 836 wrote to memory of 5012 | 836 | Dexis Setup.exe | 91
PID 836 wrote to memory of 5012 | 836 | Dexis Setup.exe | 91
PID 5012 wrote to memory of 4728 | 5012 | Dexis.exe | 104
PID 5012 wrote to memory of 4728 | 5012 | Dexis.exe | 104
PID 5012 wrote to memory of 4232 | 5012 | Dexis.exe | 106
PID 5012 wrote to memory of 4232 | 5012 | Dexis.exe | 106
PID 5012 wrote to memory of 3232 | 5012 | Dexis.exe | 108
PID 5012 wrote to memory of 3232 | 5012 | Dexis.exe | 108
PID 5012 wrote to memory of 208 | 5012 | Dexis.exe | 110
PID 5012 wrote to memory of 208 | 5012 | Dexis.exe | 110
PID 5012 wrote to memory of 2756 | 5012 | Dexis.exe | 112
PID 5012 wrote to memory of 2756 | 5012 | Dexis.exe | 112
PID 5012 wrote to memory of 2756 | 5012 | Dexis.exe | 112
PID 2756 wrote to memory of 1832 | 2756 | snss1.exe | 114
PID 2756 wrote to memory of 1832 | 2756 | snss1.exe | 114
PID 2756 wrote to memory of 1832 | 2756 | snss1.exe | 114
PID 2756 wrote to memory of 1832 | 2756 | snss1.exe | 114
PID 1832 wrote to memory of 896 | 1832 | cmd.exe | 119
PID 1832 wrote to memory of 896 | 1832 | cmd.exe | 119
PID 1832 wrote to memory of 896 | 1832 | cmd.exe | 119
PID 1832 wrote to memory of 896 | 1832 | cmd.exe | 119
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\Dexis Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Dexis Setup.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 836

  Depth 2: C:\Program Files (x86)\Dexis\Dexis.exe
    Command line: "C:\Program Files (x86)\Dexis\Dexis.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 5012

    Depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4728

    Depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4232

    Depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3232

    Depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 208

    Depth 3: C:\Users\Admin\AppData\Local\Temp\3dbbcc87-f52f-4ea0-99fe-1f22cadfa9a0\snss1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3dbbcc87-f52f-4ea0-99fe-1f22cadfa9a0\snss1.exe"
      - Suspicious use of SetThreadContext
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      PID: 2756

      Depth 4: C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\SysWOW64\cmd.exe
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        PID: 1832

        Depth 5: C:\Windows\SysWOW64\explorer.exe
          Command line: C:\Windows\SysWOW64\explorer.exe
          - System Location Discovery: System Language Discovery
          PID: 896
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2KB
MD5
d85ba6ff808d9e5444a4b369f5bc2730
SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5
6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD5
bd5940f08d0be56e65e5f2aaf47c538e
SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
899KB
MD5
6798ae2cccf67bbd7d2f51592994553e
SHA1
e17180911e6730575c6b935de0d3809e3c754ed5
SHA256
9b4d2e09b49b0c60b870efdc16ecc20bbaeeb8e8e39c55f2901a3adb5c7432e7
SHA512
a7a3e03f0a771c91f7e4aafe62598ad23867cd890659e3b048f9fb054c3c25eccff05cb78717f117bd153cbf5c9af0da33b3c3565c06933d339458c92abe7d1d
-
Filesize
1001KB
MD5
4ccd18f6c7aa9498fd47d7da126209a2
SHA1
2e79a313f0b5613ce98e6ca9f490e553b0536513
SHA256
5dbe678474b396f5edc307d96d3f83fba693d33c41f361e850bb91e98529f9b2
SHA512
45b7e8acdb077f1c2861417d446624cf22b80488bfc86c92a629b37a35b9ed7793a6a99869befeb395ce913304558029a373f6adcc04758a080210b368c46206
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82