Overview

overview

8

Static

static

3

c5c4bda9be...e1.exe

windows7-x64

8

c5c4bda9be...e1.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10/03/2024, 03:57

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    c5c4bda9beed40bbab0bee6e13de4fd52f3d535a38c153c8c7acab4edfe1c4e1.exe

  • Size

    401KB

  • MD5

    1f48247381e18d4fc84e494001a89c79

  • SHA1

    0d721b9e302e741b7d8804e19392d3c3acec3344

  • SHA256

    c5c4bda9beed40bbab0bee6e13de4fd52f3d535a38c153c8c7acab4edfe1c4e1

  • SHA512

    35a04f5b1ffbee93f457e2edd5fdba1c2ae6e8daae1d33b6682e9a08394122a80ac41f4793ffb371c7fdc636c113d632902cc23fc60abd1525d1cf542b4cdde0

  • SSDEEP

    6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse

Score
8/10
bootkitpersistencespywarestealer

Malware Config

Signatures

  • Blocklisted process makes network request 10 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5c4bda9beed40bbab0bee6e13de4fd52f3d535a38c153c8c7acab4edfe1c4e1.exe
    "C:\Users\Admin\AppData\Local\Temp\c5c4bda9beed40bbab0bee6e13de4fd52f3d535a38c153c8c7acab4edfe1c4e1.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\ompotbo.exe "C:\Users\Admin\AppData\Local\Temp\c5c4bda9beed40bbab0bee6e13de4fd52f3d535a38c153c8c7acab4edfe1c4e1.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:1532
      • C:\Users\Admin\AppData\Local\Temp\ompotbo.exe
        C:\Users\Admin\AppData\Local\Temp\\ompotbo.exe "C:\Users\Admin\AppData\Local\Temp\c5c4bda9beed40bbab0bee6e13de4fd52f3d535a38c153c8c7acab4edfe1c4e1.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2556
        • \??\c:\windows\SysWOW64\rundll32.exe
          c:\windows\system32\rundll32.exe "c:\Program Files\orvphnjyo\xlzhktd.dll",Verify C:\Users\Admin\AppData\Local\Temp\ompotbo.exe
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2844

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\ompotbo.exe
          Filesize

          384KB

          MD5

          f6404de5f5fa504b5e464ea456e9f1b8

          SHA1

          48541edc15d5f95451fb57cb4f18b33cc25bbcb5

          SHA256

          406bd8fa9e750dfd0396b96d0c01ccf190f3e98b168e5751b9403a5abe7d438e

          SHA512

          ad8d6e883bf29b32222920efa2b1f5c75d85fc0919d45b9d0895814cbc5dc4c3cab37488d3a7a17003cd65fd4ae1cf2f1d41f7a65458ee1ad6cd604c4eb2e545

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\ompotbo.exe
          Filesize

          256KB

          MD5

          5a08cd71ba47bc97c2184a7a36b6016b

          SHA1

          113cb903a4f618bb0e1f9f0a027c17bad534588e

          SHA256

          fb7bfb9bf5661540bf1ae88015a386d3c5a82d4b44adaae1fcd24f9dd2bed608

          SHA512

          f78968a8a030feef710032722b2cebe584ddfcae4729717929ef3ebc5e7818f0999c219f26e86c2724812307d7c10c71134ee57a3392417ff2067434420e43f6

          Download Submit

        • \??\c:\Program Files\orvphnjyo\xlzhktd.dll
          Filesize

          228KB

          MD5

          5d400dbfebc01eb858fca2cf39d7f189

          SHA1

          9fb46dca9c6c43314b4e6fd8eb92c893b1970588

          SHA256

          1be8682e730e24ef75e938275152651ac571bf7ac2860a9eca16a49043465fb3

          SHA512

          abe390129dffe84805b1d7f437f9b0c957f1c23a5bfbf877a2e7cdea291cdeb20d8c32b6d007fb2527acfd9f969e943edb8c83e78a98f6e4fc2bc6ce8f064c02

          Download Submit

        • \Users\Admin\AppData\Local\Temp\ompotbo.exe
          Filesize

          401KB

          MD5

          909e4d68a5372aa8cc1713bb06ab480f

          SHA1

          3b5a8941bb3600f3598747fd3006500e5205c0bc

          SHA256

          c7cd62890a8c95c8a498992a5b6602cb3656621a84e0faf61474fa19d1e7870a

          SHA512

          a2e160645c3e7cce32ece6550fe06848af3220859f0e249b388504f18091c6f119e9128fa56bd12e3f316ef6e8660752ce32306f7a0dab7b5bc3f619c776011d

          Download Submit

        • \Users\Admin\AppData\Local\Temp\ompotbo.exe
          Filesize

          320KB

          MD5

          aab7d063f719f14637307465e58961de

          SHA1

          195f9438de785240f33df690d32d08c2648dab7a

          SHA256

          d9c2d7b1314e11973f1f38f8f79522848b003fd3385dea4b2f5efed235f4a573

          SHA512

          e2514c9a1d1c5deaf5fe7ce7086b0d8ce071bc680f794d894ad70b00226767d02679746a118c91169cf05e11f62dc57cc98916a0626e96c64f32c3f691b6adc3

          Download Submit

        • memory/2092-2-0x0000000000400000-0x0000000000464000-memory.dmp

          Filesize

          400KB

          Download

        • memory/2092-0-0x0000000000400000-0x0000000000464000-memory.dmp

          Filesize

          400KB

          Download

        • memory/2268-8-0x0000000000380000-0x00000000003E4000-memory.dmp

          Filesize

          400KB

          Download

        • memory/2268-5-0x0000000000380000-0x00000000003E4000-memory.dmp

          Filesize

          400KB

          Download

        • memory/2556-10-0x0000000000400000-0x0000000000464000-memory.dmp

          Filesize

          400KB

          Download

        • memory/2844-16-0x0000000010000000-0x0000000010080000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2844-17-0x0000000010000000-0x0000000010080000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2844-18-0x0000000010000000-0x0000000010080000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2844-19-0x0000000010000000-0x0000000010080000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2844-20-0x0000000010000000-0x0000000010080000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2844-22-0x0000000010000000-0x0000000010080000-memory.dmp

          Filesize

          512KB

          Download