f57c1ea32aeca71a26d25590f275de29d3c3072869da02111a76035307c30bb6

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 17:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/dxwebsetup.exe
Size

285KB
MD5

14ca145edd4f381e1adad6c2ceda5e7a
SHA1

1f785ac7c5da7cc2750de9991cbb2d72b570ab82
SHA256

b68ca13c29b2c9ad899f68fe3f9baff7ecbb848e963604ab5f66bcbf420a26c8
SHA512

58c08005db38c9dee19d9ee02717fc9780fcd61a41e14491c51f7f23782511737ec8235637b797b3f83cef4028aad3edf746ab87e02ca08aac2727cd1ba7788f
SSDEEP

6144:nWK8CN+qHUKfw5R8DPv5N6RkMphh++axWzfAHzxHtUiq4:ngKI5R8DpNakMpWn0zmtUiq4

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2296	dxwsetup.exe

Loads dropped DLL 5 IoCs

pid	Process
2544	dxwebsetup.exe
2296	dxwsetup.exe
2296	dxwsetup.exe
2296	dxwsetup.exe
2296	dxwsetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dxwebsetup.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SETD6C0.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SETD6C0.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup32.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\DirectX\WebSetup	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SETD6BF.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SETD6BF.tmp	dxwsetup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DirectX.log	dxwsetup.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	dxwsetup.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxwebsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxwsetup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2296	dxwsetup.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2296	dxwsetup.exe
Token: SeRestorePrivilege	2296	dxwsetup.exe
Token: SeRestorePrivilege	2296	dxwsetup.exe
Token: SeRestorePrivilege	2296	dxwsetup.exe
Token: SeRestorePrivilege	2296	dxwsetup.exe
Token: SeRestorePrivilege	2296	dxwsetup.exe
Token: SeRestorePrivilege	2296	dxwsetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2296	2544	dxwebsetup.exe	31
PID 2544 wrote to memory of 2296	2544	dxwebsetup.exe	31
PID 2544 wrote to memory of 2296	2544	dxwebsetup.exe	31
PID 2544 wrote to memory of 2296	2544	dxwebsetup.exe	31
PID 2544 wrote to memory of 2296	2544	dxwebsetup.exe	31
PID 2544 wrote to memory of 2296	2544	dxwebsetup.exe	31
PID 2544 wrote to memory of 2296	2544	dxwebsetup.exe	31

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dxwebsetup.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dxwebsetup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll

Filesize
93KB

MD5
8cb755b5b14674c8f8283ccb20a2298c

SHA1
7e519cfffa14a8a0e9f96e1552e3e8e2b35f7b84

SHA256
715d2128f5132fc827a5fc7ca83ad15b03eab353e93fa1f99a435fb174829085

SHA512
03e0ec41a2eec698c2c01490ce0b0ee5c5dab85390889c20efb5eed97cb3a15668d91903d91a23ebaa76f1f92a44d2e32a920f2eef8bac75acd7a594535c1104

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf

Filesize
477B

MD5
ad8982eaa02c7ad4d7cdcbc248caa941

SHA1
4ccd8e038d73a5361d754c7598ed238fc040d16b

SHA256
d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00

SHA512
5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll

Filesize
1.7MB

MD5
7191e87049d9f8fbe220e5a7c0a0a5db

SHA1
f695639d16b30d010a18838bddda406b0458b8de

SHA256
9258ce024b84be2498a4437f9214b8ad9dd44b632200027e13e14fa5ffc008e8

SHA512
cd76b9de232faadcd084d1a595a82eafa904b945a487048974d5518bf72f74bebd7b317cd89226531a23ef3b27d476bc091658c25132f9f268c68e0c9ef73a35

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
539KB

MD5
58ebc7d092bf3c697ea6e4fde55260ca

SHA1
7ae821ebbf840f0356e8100ef56170cf68c78741

SHA256
291fa135e523a13c9d633ab6de0d8f35931f5e502fb57953db2b15bf9aae32a4

SHA512
a0b8d41928f7721272a29b4e403ca5d061813f5b1bbbafa8e16819d1568e08907f30990f36a1beb22ec84860e56b0440be25865ab7d897e6f39eec66ab1ce614

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads