6d1816a16faf2f4c08172633a3849a9d8688ae6519f87a8c8cbffd307cfdb90d

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-08-2024 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Microsoft DirectX/dsetup32.dll
Size

1.5MB
MD5

a5412a144f63d639b47fcc1ba68cb029
SHA1

81bd5f1c99b22c0266f3f59959dfb4ea023be47e
SHA256

8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6
SHA512

2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405
SSDEEP

24576:GIQ+ddddddddddddddxOOOOOOOOOOOOOO2iWeXiWeXiWeXiWeXiWeXiWeXiWeXig:GIQsOOOOOOOOOOOOOO2iWeXiWeXiWeXV

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\DXError.log	rundll32.exe
File opened for modification	C:\Windows\Logs\DirectX.log	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2632 wrote to memory of 2708	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 2708	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 2708	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 2708	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 2708	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 2708	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 2708	2632	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Microsoft DirectX\dsetup32.dll",#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Microsoft DirectX\dsetup32.dll",#1
2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Logs\DXError.log

Filesize
238B

MD5
7c3d0f833be1baf325e771b61936ed25

SHA1
f742c46bef897f6723ac63507e602125ef3ddc8d

SHA256
716cf75ddaaee70f09df6a9203328e0926d9646fd80ffc7b3ac8c1666f93fd0f

SHA512
cecd60c24185d37a2f1fab7f338a2c30c902f363cb62068257319231feb6db1227a7875c09adb5d8aa436a61b633eed1514bd7bad55dff37459df8c9b1fdaf9a

Download Submit
C:\Windows\Logs\DirectX.log

Filesize
677B

MD5
7265edc8d47ba26c5d34faebb0c78d3f

SHA1
fd73397178c20abffc048afd57cd275bd58e4c88

SHA256
2173743834f8133be0efe32827296d2aa6ec4414fb1bb2c59540447c088cf0cc

SHA512
41af97a9f8448a4f6d437931b364866e75c8ab34bf75a5319f48e3d7f1a5d15eab04202782eb4c9d692152366b8c9ab59e114a5a740171df631b5bc089212ce4

Download Submit