Analysis
-
max time kernel
156s -
max time network
169s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
13/10/2023, 06:48
General
-
Target
3624cb999e2bd4eae40b2b31253024f9980b89b6558004aff75a8910546c8931.exe
-
Size
72KB
-
MD5
1a8f83662f35bb6e47ae568d62918a5c
-
SHA1
5033608f379822d3609e62f7a696b52930ed018b
-
SHA256
3624cb999e2bd4eae40b2b31253024f9980b89b6558004aff75a8910546c8931
-
SHA512
e5eee50fb20aa6cf3d3a7925b765225e931754d2392a8a9d7ccdfefcb6816b37926e1820854ab0427009b735e774af293981158b68bcd3de4e6826ee8252ef73
-
SSDEEP
1536:5L5lxcQxgr9BcXzfGQz0/m4QdQiWC378JztYtfBpf4p7WtX4:blSQxgr9eXzd4/mxKIm+t3JI
Malware Config
Signatures
-
Blocklisted process makes network request 8 IoCs
-
ASPack v2.12-2.42 2 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3624cb999e2bd4eae40b2b31253024f9980b89b6558004aff75a8910546c8931.exe"C:\Users\Admin\AppData\Local\Temp\3624cb999e2bd4eae40b2b31253024f9980b89b6558004aff75a8910546c8931.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&c:\epvbx.exe "C:\Users\Admin\AppData\Local\Temp\3624cb999e2bd4eae40b2b31253024f9980b89b6558004aff75a8910546c8931.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
-
-
\??\c:\epvbx.exec:\epvbx.exe "C:\Users\Admin\AppData\Local\Temp\3624cb999e2bd4eae40b2b31253024f9980b89b6558004aff75a8910546c8931.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\vnbspziro\bbeuxgk.dll",GetWindowClass c:\epvbx.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
72KB
MD561fcb938ce293e34d7193a1ac2aed57c
SHA1aa5e4ff9c27bb08a16f560eb7910e556ae504f1f
SHA2560f379d0ac50fb4bf6358c8b58bff094eaf4c5cc1560e79ac71633bb18dffc88c
SHA51214f2c2b31f63a4201d8b8189eb41d44a20d262a5df0acb34b59965f907858346b192edc9ea13adf7075c3231228cb238d19c3c8c7f22d93fddf9f6ac0c59cad8
-
Filesize
46KB
MD5a3fd41430ddcaa55fde840788925406a
SHA1dbdd87f5c1bbf6a6f44c2e2c4744675d5e4e75c2
SHA256f57f9e54f4774c2b944fb070ae0c2a02cbb4b7686ab3207544c3ccaff0ff3dd9
SHA51223109572cfc9a282ea3ec84d93bfe02303d27f365ad2d9f47f6234f91da14c64f80133cc5e49746dfcb65d2454b7e7c13eff59ba4bbc18e09d2fb1c630ba59c9
-
Filesize
72KB
MD561fcb938ce293e34d7193a1ac2aed57c
SHA1aa5e4ff9c27bb08a16f560eb7910e556ae504f1f
SHA2560f379d0ac50fb4bf6358c8b58bff094eaf4c5cc1560e79ac71633bb18dffc88c
SHA51214f2c2b31f63a4201d8b8189eb41d44a20d262a5df0acb34b59965f907858346b192edc9ea13adf7075c3231228cb238d19c3c8c7f22d93fddf9f6ac0c59cad8
-
Filesize
46KB
MD5a3fd41430ddcaa55fde840788925406a
SHA1dbdd87f5c1bbf6a6f44c2e2c4744675d5e4e75c2
SHA256f57f9e54f4774c2b944fb070ae0c2a02cbb4b7686ab3207544c3ccaff0ff3dd9
SHA51223109572cfc9a282ea3ec84d93bfe02303d27f365ad2d9f47f6234f91da14c64f80133cc5e49746dfcb65d2454b7e7c13eff59ba4bbc18e09d2fb1c630ba59c9
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB