fc177447cdf3ff84cf9c88ab9692242e525b00ea5067e4bc3773823ac9305253

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Astral Spoofer/Bootstrapper/Bootstrapper.exe
Size

128KB
MD5

c8a44ba9b317cdae796cad6a3db01fd6
SHA1

9a7854df8133e6bd539a9312b49a8533a030d36e
SHA256

0b80a52885e811d0e59318bd5feef640c7b18976c9da51e618de4d2b19b90c07
SHA512

5517f24bb118c208862a0c270379ac5698cd3a06b4e13894605adc9918cdd780aa90949c8b43d093fa335ae2921722126cf31bda1b72d690dae804682655b815
SSDEEP

3072:s/25jvDSgsqsb5Uh28vAbTV1WW69B9VjMdxPedN9ug0z9TBfFSDep:vtzsb5Uh28+V1WW69B9VjMdxPedN9ugc

Score

8^/10

discovery execution persistence

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
7	4628	powershell.exe
23	1632	powershell.exe
26	1632	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
4628	powershell.exe
1632	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3824	dxwebsetup.exe
3200	dxwsetup.exe

Loads dropped DLL 2 IoCs

pid	Process
3200	dxwsetup.exe
3200	dxwsetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dxwebsetup.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup32.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\DirectX\WebSetup	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SET8373.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SET8373.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SET8384.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SET8384.tmp	dxwsetup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DirectX.log	dxwsetup.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxwebsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxwsetup.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4628	powershell.exe
4628	powershell.exe
1632	powershell.exe
1632	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3328 wrote to memory of 1236	3328	Bootstrapper.exe	85
PID 3328 wrote to memory of 1236	3328	Bootstrapper.exe	85
PID 1236 wrote to memory of 4628	1236	cmd.exe	86
PID 1236 wrote to memory of 4628	1236	cmd.exe	86
PID 1236 wrote to memory of 1632	1236	cmd.exe	90
PID 1236 wrote to memory of 1632	1236	cmd.exe	90
PID 1236 wrote to memory of 3824	1236	cmd.exe	102
PID 1236 wrote to memory of 3824	1236	cmd.exe	102
PID 1236 wrote to memory of 3824	1236	cmd.exe	102
PID 3824 wrote to memory of 3200	3824	dxwebsetup.exe	103
PID 3824 wrote to memory of 3200	3824	dxwebsetup.exe	103
PID 3824 wrote to memory of 3200	3824	dxwebsetup.exe	103

C:\Users\Admin\AppData\Local\Temp\Astral Spoofer\Bootstrapper\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Astral Spoofer\Bootstrapper\Bootstrapper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C9A9.tmp\C9AA.tmp\C9AB.bat "C:\Users\Admin\AppData\Local\Temp\Astral Spoofer\Bootstrapper\Bootstrapper.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/dxwebsetup.exe' -OutFile 'dxwebsetup.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://aka.ms/vs/17/release/vc_redist.x64.exe' -OutFile 'vc_redist.x64.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1632
- - C:\Users\Admin\AppData\Local\Temp\Astral Spoofer\Bootstrapper\dxwebsetup.exe
    dxwebsetup.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3824
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:3200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
08f9f3eb63ff567d1ee2a25e9bbf18f0

SHA1
6bf06056d1bb14c183490caf950e29ac9d73643a

SHA256
82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0

SHA512
425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

Download Submit
C:\Users\Admin\AppData\Local\Temp\Astral Spoofer\Bootstrapper\dxwebsetup.exe

Filesize
288KB

MD5
2cbd6ad183914a0c554f0739069e77d7

SHA1
7bf35f2afca666078db35ca95130beb2e3782212

SHA256
2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f

SHA512
ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9A9.tmp\C9AA.tmp\C9AB.bat

Filesize
1KB

MD5
f93358fb1ce85a4e0aa24acaaa7e75d4

SHA1
f8c246e3327772bbdbffae318e28ba36e1e75eb5

SHA256
666ccd4a45a48bbdd7b32e291436b8fd3104dcd797f4e17e204c18b046fe8077

SHA512
2f96129922006f5a87f5d9e1c08fd7717d1fcd0d36a344378f921e11a047946113af63bfd1fadf8f9e40ac704c747cacd6cd5ef85db1df925571b5f4d66573f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll

Filesize
93KB

MD5
984cad22fa542a08c5d22941b888d8dc

SHA1
3e3522e7f3af329f2235b0f0850d664d5377b3cd

SHA256
57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308

SHA512
8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll

Filesize
1.5MB

MD5
a5412a144f63d639b47fcc1ba68cb029

SHA1
81bd5f1c99b22c0266f3f59959dfb4ea023be47e

SHA256
8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6

SHA512
2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
515KB

MD5
ac3a5f7be8cd13a863b50ab5fe00b71c

SHA1
eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9

SHA256
8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da

SHA512
c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf

Filesize
477B

MD5
ad8982eaa02c7ad4d7cdcbc248caa941

SHA1
4ccd8e038d73a5361d754c7598ed238fc040d16b

SHA256
d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00

SHA512
5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wxynimqh.xcp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1632-38-0x00007FFE6B870000-0x00007FFE6C331000-memory.dmp

Filesize
10.8MB

Download
memory/1632-31-0x00007FFE6B870000-0x00007FFE6C331000-memory.dmp

Filesize
10.8MB

Download
memory/1632-32-0x00007FFE6B870000-0x00007FFE6C331000-memory.dmp

Filesize
10.8MB

Download
memory/1632-33-0x00007FFE6B870000-0x00007FFE6C331000-memory.dmp

Filesize
10.8MB

Download
memory/1632-34-0x00007FFE6B870000-0x00007FFE6C331000-memory.dmp

Filesize
10.8MB

Download
memory/1632-35-0x00007FFE6B870000-0x00007FFE6C331000-memory.dmp

Filesize
10.8MB

Download
memory/1632-25-0x00007FFE6B870000-0x00007FFE6C331000-memory.dmp

Filesize
10.8MB

Download
memory/4628-18-0x00007FFE6B870000-0x00007FFE6C331000-memory.dmp

Filesize
10.8MB

Download
memory/4628-14-0x00007FFE6B870000-0x00007FFE6C331000-memory.dmp

Filesize
10.8MB

Download
memory/4628-13-0x00007FFE6B870000-0x00007FFE6C331000-memory.dmp

Filesize
10.8MB

Download
memory/4628-8-0x000001B4E4BF0000-0x000001B4E4C12000-memory.dmp

Filesize
136KB

Download
memory/4628-2-0x00007FFE6B873000-0x00007FFE6B875000-memory.dmp

Filesize
8KB

Download