Analysis
max time kernel: 168s
max time network: 185s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 19:46
Static task: static1
Behavioral task: behavioral1
  Sample: 2dcf982415010a9a93dd8919326258daf5865ad248de1e13cff81e2b1a22aa55.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2dcf982415010a9a93dd8919326258daf5865ad248de1e13cff81e2b1a22aa55.exe
  Resource: win10v2004-20240226-en
General
Target: 2dcf982415010a9a93dd8919326258daf5865ad248de1e13cff81e2b1a22aa55.exe
Size: 406KB
MD5: 078aba95aa7a5f290cef84ed464f3577
SHA1: 64bbc09de5c653d4a7e27fa5099cd94ebd4d3c48
SHA256: 2dcf982415010a9a93dd8919326258daf5865ad248de1e13cff81e2b1a22aa55
SHA512: 07d786712326897bbf1ce17e0b0807a79bf801fc5052f390e0f434a2d9c1868004b8318e78a0d680f1eb5c0aa9249d9706fd08da5aace7c55ef618df9ee86e7c
SSDEEP: 12288:vdDU6g13sJd1fm/+yb3O2jg82ydU/DdKumy:vdE3sJd1fm/+yb3OYg84/JHJ
Malware Config
Signatures
-
Detects executables containing base64 encoded User Agent (3 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/4400-11-0x0000000010000000-0x0000000010033000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
behavioral2/memory/4400-12-0x0000000010000000-0x0000000010033000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
behavioral2/memory/4400-21-0x0000000010000000-0x0000000010033000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
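The rule above fires on base64-encoded User-Agent material in the memory dumps of PID 4400. The detail a scanner has to get right is that base64 has three different encodings of the same string, depending on the string's byte offset modulo 3 inside the surrounding data. The Python below is an added example, not the sandbox's YARA rule and not code from the sample: it derives all three alignments of a marker (the same idea as YARA's `base64` string modifier), trims the characters whose value depends on neighbouring bytes, and scans a buffer. The marker list and the test blob are assumptions constructed for this example.

```python
import base64
import re

# Header fragments worth looking for in encoded form. An assumed list for this
# example; the sandbox rule's own strings are not reproduced here.
MARKERS = [b"User-Agent", b"Mozilla/", b"Windows NT", b"Accept:", b"Content-Type"]


def b64_alignments(s):
    """Return the three base64 substrings that can encode `s`.

    Base64 maps 3 bytes to 4 characters, so the encoding of `s` depends on
    its offset modulo 3 inside the surrounding data. For each alignment we
    prepend 0-2 filler bytes, encode, and then drop the characters whose
    value depends on the filler (head) or on whatever follows `s` (tail).
    """
    variants = []
    for lead in range(3):
        enc = base64.b64encode(b"\x00" * lead + s)
        head = (0, 2, 3)[lead]                  # chars contaminated by the filler
        tail = (0, 3, 2)[(lead + len(s)) % 3]   # padding plus the last ambiguous char
        variants.append(enc[head:len(enc) - tail])
    return variants


def find_b64_markers(data, markers=MARKERS):
    """Scan `data` for any marker in any base64 alignment.

    Returns (offset, marker, encoded_variant) tuples sorted by offset.
    """
    hits = []
    for marker in markers:
        for variant in b64_alignments(marker):
            for m in re.finditer(re.escape(variant), data):
                hits.append((m.start(), marker, variant))
    return sorted(hits)


# Constructed test buffer (not taken from the sample): an encoded request header
# surrounded by filler, the way a packed stealer might carry it. The two leading
# "xx" bytes put "User-Agent" at offset 2 and "Mozilla/" at offset 14 (both
# alignment 2) while "Windows NT" lands at offset 27 (alignment 0), so the scan
# exercises more than one alignment.
CONSTRUCTED_BLOB = (
    b"\x90" * 16
    + base64.b64encode(b"xxUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)")
    + b"\x00" * 8
)

if __name__ == "__main__":
    for off, marker, variant in find_b64_markers(CONSTRUCTED_BLOB):
        print(f"0x{off:04x} {marker.decode()!r:16} as {variant.decode()}")
```

Run it against a memory dump such as the `4400-11-...-memory.dmp` region above with `find_b64_markers(open(path, "rb").read())`; a hit only proves the encoded text is present, so follow up by decoding the surrounding run to see what else the blob carries.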
UPX dump on OEP (original entry point) (5 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\fugks.exe | UPX
\??\c:\Program Files\egqppsk\jqmkf.dll | UPX
behavioral2/memory/4400-11-0x0000000010000000-0x0000000010033000-memory.dmp | UPX
behavioral2/memory/4400-12-0x0000000010000000-0x0000000010033000-memory.dmp | UPX
behavioral2/memory/4400-21-0x0000000010000000-0x0000000010033000-memory.dmp | UPX
Deletes itself (1 IoCs)
Processes: fugks.exe
pid | process
4028 | fugks.exe

Executes dropped EXE (2 IoCs)
Processes: fugks.exe, jqmkf.exe
pid | process
4028 | fugks.exe
4400 | jqmkf.exe

Loads dropped DLL (1 IoCs)
Processes: jqmkf.exe
pid | process
4400 | jqmkf.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: jqmkf.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VIEW = "c:\\Program Files\\egqppsk\\jqmkf.exe \"c:\\Program Files\\egqppsk\\jqmkf.dll\",Viewer" | jqmkf.exe
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: jqmkf.exe
description | ioc | process
File opened (read-only) | \??\a: | jqmkf.exe
File opened (read-only) | \??\b: | jqmkf.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: jqmkf.exe
description | ioc | process
File opened for modification | \??\PHYSICALDRIVE0 | jqmkf.exe
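The `\??\PHYSICALDRIVE0` open for modification by PID 4400 is the IoC behind the Bootkit technique listed under MITRE ATT&CK below. A responder's first check is whether sector 0 actually changed, and if so which part of it. The Python below is an added example (not the sandbox's code and not code from the sample): it parses a 512-byte MBR, hashes the 440-byte bootstrap area separately from the partition table, and diffs a freshly read sector against a baseline captured from a known-good image. The bootstrap bytes, disk signature and partition layout are constructed for the example.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # 0x000-0x1B7: bootstrap code executed by the BIOS
DISK_SIG_OFF = 0x1B8     # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE     # 0x55 0xAA


def parse_mbr(sector):
    """Split a raw MBR into the fields a tamper check cares about."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def check_mbr(sector, baseline):
    """Return a list of findings where `sector` differs from `baseline`.

    A changed bootstrap hash is the bootkit signal; partition-table and
    disk-signature changes are reported separately because legitimate
    tooling (disk management, imaging) can produce them.
    """
    current = parse_mbr(sector)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("bootstrap code changed")
    if current["disk_signature"] != baseline["disk_signature"]:
        findings.append("disk signature changed")
    for cur, base in zip(current["partitions"], baseline["partitions"]):
        if cur != base:
            findings.append(f"partition entry {cur['index']} changed")
    return findings


def build_constructed_mbr(boot_code):
    """Assemble a synthetic MBR for the example: one active NTFS partition."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0x1234ABCD)   # assumed signature
    # status 0x80 (active), CHS fields zeroed, type 0x07 (NTFS), LBA 2048, 1 GiB
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 2097152)
    sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(sector)


# Stand-in bootstrap code for the example; a real Windows loader fills ~440 bytes.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32 + b"\xeb\xfe"
CLEAN_MBR = build_constructed_mbr(CLEAN_BOOT_CODE)
BASELINE = parse_mbr(CLEAN_MBR)


def tamper_boot_code(sector):
    """Model a bootkit: patch the entry point, leave the partition table intact."""
    s = bytearray(sector)
    s[0:2] = b"\xeb\x3c"   # jmp short to code the bootkit placed later in the sector
    return bytes(s)


if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(tamper_boot_code(CLEAN_MBR), BASELINE))
```

On a live Windows host the sector comes from `open(r"\\.\PhysicalDrive0", "rb").read(512)` in an elevated process; capture the baseline on a clean image of the same build. Two caveats: a bootkit that stores its body in sectors after 0 will only show up here through the patched entry point, so diff the whole unpartitioned gap before LBA 2048 as well, and on a UEFI/GPT system the protective MBR's bootstrap is never executed, so the EFI System Partition is what needs the same treatment.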
Drops file in Program Files directory (4 IoCs)
Processes: fugks.exe
description | ioc | process
File opened for modification | \??\c:\Program Files\egqppsk | fugks.exe
File created | \??\c:\Program Files\egqppsk\jqmkf.dll | fugks.exe
File created | \??\c:\Program Files\egqppsk\jqmkf.exe | fugks.exe
File opened for modification | \??\c:\Program Files\egqppsk\jqmkf.exe | fugks.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: jqmkf.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | jqmkf.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | jqmkf.exe
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: jqmkf.exe
pid | process
4400 | jqmkf.exe
4400 | jqmkf.exe
4400 | jqmkf.exe
4400 | jqmkf.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: jqmkf.exe
description | pid | process
Token: SeDebugPrivilege | 4400 | jqmkf.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: 2dcf982415010a9a93dd8919326258daf5865ad248de1e13cff81e2b1a22aa55.exe, fugks.exe
pid | process
1932 | 2dcf982415010a9a93dd8919326258daf5865ad248de1e13cff81e2b1a22aa55.exe
4028 | fugks.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: 2dcf982415010a9a93dd8919326258daf5865ad248de1e13cff81e2b1a22aa55.exe, cmd.exe, fugks.exe
description | pid | process | target process
PID 1932 wrote to memory of 4768 | 1932 | 2dcf982415010a9a93dd8919326258daf5865ad248de1e13cff81e2b1a22aa55.exe | cmd.exe
PID 1932 wrote to memory of 4768 | 1932 | 2dcf982415010a9a93dd8919326258daf5865ad248de1e13cff81e2b1a22aa55.exe | cmd.exe
PID 1932 wrote to memory of 4768 | 1932 | 2dcf982415010a9a93dd8919326258daf5865ad248de1e13cff81e2b1a22aa55.exe | cmd.exe
PID 4768 wrote to memory of 4392 | 4768 | cmd.exe | PING.EXE
PID 4768 wrote to memory of 4392 | 4768 | cmd.exe | PING.EXE
PID 4768 wrote to memory of 4392 | 4768 | cmd.exe | PING.EXE
PID 4768 wrote to memory of 4028 | 4768 | cmd.exe | fugks.exe
PID 4768 wrote to memory of 4028 | 4768 | cmd.exe | fugks.exe
PID 4768 wrote to memory of 4028 | 4768 | cmd.exe | fugks.exe
PID 4028 wrote to memory of 4400 | 4028 | fugks.exe | jqmkf.exe
PID 4028 wrote to memory of 4400 | 4028 | fugks.exe | jqmkf.exe
PID 4028 wrote to memory of 4400 | 4028 | fugks.exe | jqmkf.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2dcf982415010a9a93dd8919326258daf5865ad248de1e13cff81e2b1a22aa55.exe (PID 1932)
  command line: "C:\Users\Admin\AppData\Local\Temp\2dcf982415010a9a93dd8919326258daf5865ad248de1e13cff81e2b1a22aa55.exe"
  signatures: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4768)
    command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\fugks.exe "C:\Users\Admin\AppData\Local\Temp\2dcf982415010a9a93dd8919326258daf5865ad248de1e13cff81e2b1a22aa55.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 4392)
      command line: ping 127.0.0.1 -n 2
      signatures: Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\fugks.exe (PID 4028)
      command line: C:\Users\Admin\AppData\Local\Temp\\fugks.exe "C:\Users\Admin\AppData\Local\Temp\2dcf982415010a9a93dd8919326258daf5865ad248de1e13cff81e2b1a22aa55.exe"
      signatures: Deletes itself; Executes dropped EXE; Drops file in Program Files directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - \??\c:\Program Files\egqppsk\jqmkf.exe (PID 4400)
        command line: "c:\Program Files\egqppsk\jqmkf.exe" "c:\Program Files\egqppsk\jqmkf.dll",Viewer C:\Users\Admin\AppData\Local\Temp\fugks.exe
        signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Enumerates connected drives; Writes to the Master Boot Record (MBR); Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
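The tree above contains three patterns that are cheap to alert on from process-creation and registry telemetry: `cmd.exe /c ping 127.0.0.1 -n 2&<Temp>\fugks.exe "<sample path>"` (ping to loopback as a short sleep, a common way to wait for the parent to exit before a dropped file runs), the dropper `fugks.exe` being handed the original sample's path and in turn handing its own path to `jqmkf.exe`, and a Run value of the form `<exe> "<dll>",Viewer`, a private rundll32-style loader that calls an export of a dropped DLL. The Python below is an added detection example, not the sandbox's signature logic and not code from the sample. It runs three rules over a constructed set of events modelled on the PIDs and command lines in this report; the event records and their field layout are assumptions of the example.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")
RunValue = namedtuple("RunValue", "pid name data")

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
INTERPRETER = re.compile(r"\\(cmd|powershell|pwsh|wscript|cscript)\.exe$", re.I)
# "ping 127.0.0.1 -n N" (or "-n N 127.0.0.1") chained with & into an executable
PING_CHAIN = re.compile(
    r'ping(?:\.exe)?\s+(?:-n\s+\d+\s+)?127\.0\.0\.1(?:\s+-n\s+\d+)?\s*&+\s*"?(?P<next>[^"&]+?\.exe)',
    re.I)
# <host>.exe "<lib>.dll",<Export> : a private DLL-export loader in a Run value
DLL_EXPORT_LAUNCH = re.compile(
    r'^"?(?P<exe>.+?\.exe)"?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\w+)\s*$', re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2dcf982415010a9a93dd8919326258daf5865ad248de1e13cff81e2b1a22aa55.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\fugks.exe"
HOST = r"c:\Program Files\egqppsk\jqmkf.exe"

# Constructed events modelled on the process tree in this report (PIDs, images
# and command lines copied from the tree; the records themselves are assumed).
PROCS = [
    Proc(1932, 0, SAMPLE, f'"{SAMPLE}"'),
    Proc(4768, 1932, r"C:\Windows\SysWOW64\cmd.exe",
         rf'cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\fugks.exe "{SAMPLE}"'),
    Proc(4392, 4768, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 2"),
    Proc(4028, 4768, DROPPER, rf'C:\Users\Admin\AppData\Local\Temp\\fugks.exe "{SAMPLE}"'),
    Proc(4400, 4028, HOST, rf'"{HOST}" "c:\Program Files\egqppsk\jqmkf.dll",Viewer {DROPPER}'),
]
RUN_VALUES = [
    RunValue(4400, "VIEW",
             r'c:\Program Files\egqppsk\jqmkf.exe "c:\Program Files\egqppsk\jqmkf.dll",Viewer'),
]


def ancestors(pid, by_pid):
    """Yield parent, grandparent, ... of pid, stopping at unknown or cyclic ppids."""
    seen = {pid}
    proc = by_pid.get(pid)
    while proc and proc.ppid in by_pid and proc.ppid not in seen:
        proc = by_pid[proc.ppid]
        seen.add(proc.pid)
        yield proc


def rule_ping_delay(procs):
    """Command interpreter sleeping via ping to loopback, then running from Temp."""
    hits = []
    for p in procs:
        m = PING_CHAIN.search(p.cmdline) if INTERPRETER.search(p.image) else None
        if m and TEMP_DIR.search(m.group("next")):
            hits.append(("ping_delay_then_temp_exe", p.pid, m.group("next")))
    return hits


def rule_path_handoff(procs):
    """A process given a Temp-resident ancestor's own image path as an argument,
    the handoff that lets the child remove the file once the parent is gone."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if INTERPRETER.search(p.image):
            continue   # cmd.exe only relays the argument; alert on the receiver
        for anc in ancestors(p.pid, by_pid):
            if TEMP_DIR.search(anc.image) and anc.image.lower() in p.cmdline.lower():
                hits.append(("temp_exe_path_handed_to_child", p.pid, anc.pid))
    return hits


def rule_dll_export_autorun(run_values, procs):
    """Run value that launches a DLL export through a custom host executable;
    also records whether the writing process descends from something in Temp."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for rv in run_values:
        m = DLL_EXPORT_LAUNCH.match(rv.data)
        if not m:
            continue
        chain = ([by_pid[rv.pid]] + list(ancestors(rv.pid, by_pid))) if rv.pid in by_pid else []
        from_temp = any(TEMP_DIR.search(p.image) for p in chain)
        hits.append(("run_value_dll_export_loader", rv.pid, m.group("export"), from_temp))
    return hits


def detect(procs, run_values):
    return (rule_ping_delay(procs) + rule_path_handoff(procs)
            + rule_dll_export_autorun(run_values, procs))


if __name__ == "__main__":
    for hit in detect(PROCS, RUN_VALUES):
        print(hit)
```

Fed the constructed events, `detect` reports the cmd.exe ping chain (4768), both path handoffs (4028 from 1932, 4400 from 4028) and the `VIEW` Run value written by 4400 with a Temp-resident ancestor. Wire real telemetry in by mapping Sysmon event 1 (ParentProcessId, Image, CommandLine) onto `Proc` and event 13 on `...\CurrentVersion\Run\*` onto `RunValue`; the DLL-export rule alone will also match legitimate software that registers an `rundll32`-style launcher, so treat `from_temp` as the escalation bit.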
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
- Filesize: 60KB
  MD5: 889b99c52a60dd49227c5e485a016679
  SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
  SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
  SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
- Filesize: 406KB
  MD5: acf3521569e180dccf575291e48f338c
  SHA1: 8ef47cb63b2635046dba240b88dbc4cd129b002e
  SHA256: bc2c83ea853cce6b4c6bbeb4007d6e8511e83a1d4a97fbe65b2a518a8cfff237
  SHA512: 5dc0d7c46d9ee0def3ff733f64fd4115128cefc776a706cad420aec80b67125b40af20156289c495921d47a7f39a092f25e1ceaf270cb18afe57017f47d1d7bc
- Filesize: 89KB
  MD5: 9340b36d1cc013fdd5598b5adf282b04
  SHA1: 53f844b0dfcf000831b965b94b06df7a4a6cc44c
  SHA256: 58416477e50964a6ade66fd2e9ea320e6ecc7b809874f90a95c41d804ea70a77
  SHA512: 2b733dad418338d32d0fc745d986883c21265f7f42b152df561540db594b6ccbe6238719699494dc3cf295e663ab10cee2576fa1e15d33610d41aec6970d20df