Analysis

  • max time kernel
    168s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-04-2024 19:46

General

  • Target

    2dcf982415010a9a93dd8919326258daf5865ad248de1e13cff81e2b1a22aa55.exe

  • Size

    406KB

  • MD5

    078aba95aa7a5f290cef84ed464f3577

  • SHA1

    64bbc09de5c653d4a7e27fa5099cd94ebd4d3c48

  • SHA256

    2dcf982415010a9a93dd8919326258daf5865ad248de1e13cff81e2b1a22aa55

  • SHA512

    07d786712326897bbf1ce17e0b0807a79bf801fc5052f390e0f434a2d9c1868004b8318e78a0d680f1eb5c0aa9249d9706fd08da5aace7c55ef618df9ee86e7c

  • SSDEEP

    12288:vdDU6g13sJd1fm/+yb3O2jg82ydU/DdKumy:vdE3sJd1fm/+yb3OYg84/JHJ

Malware Config

Signatures

  • Detects executables containing base64 encoded User Agent 3 IoCs
  • UPX dump on OEP (original entry point) 5 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 4 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2dcf982415010a9a93dd8919326258daf5865ad248de1e13cff81e2b1a22aa55.exe
    "C:\Users\Admin\AppData\Local\Temp\2dcf982415010a9a93dd8919326258daf5865ad248de1e13cff81e2b1a22aa55.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\fugks.exe "C:\Users\Admin\AppData\Local\Temp\2dcf982415010a9a93dd8919326258daf5865ad248de1e13cff81e2b1a22aa55.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4768
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:4392
      • C:\Users\Admin\AppData\Local\Temp\fugks.exe
        C:\Users\Admin\AppData\Local\Temp\\fugks.exe "C:\Users\Admin\AppData\Local\Temp\2dcf982415010a9a93dd8919326258daf5865ad248de1e13cff81e2b1a22aa55.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4028
        • \??\c:\Program Files\egqppsk\jqmkf.exe
          "c:\Program Files\egqppsk\jqmkf.exe" "c:\Program Files\egqppsk\jqmkf.dll",Viewer C:\Users\Admin\AppData\Local\Temp\fugks.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4400

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\egqppsk\jqmkf.exe

    Filesize

    60KB

    MD5

    889b99c52a60dd49227c5e485a016679

    SHA1

    8fa889e456aa646a4d0a4349977430ce5fa5e2d7

    SHA256

    6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

    SHA512

    08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

  • C:\Users\Admin\AppData\Local\Temp\fugks.exe

    Filesize

    406KB

    MD5

    acf3521569e180dccf575291e48f338c

    SHA1

    8ef47cb63b2635046dba240b88dbc4cd129b002e

    SHA256

    bc2c83ea853cce6b4c6bbeb4007d6e8511e83a1d4a97fbe65b2a518a8cfff237

    SHA512

    5dc0d7c46d9ee0def3ff733f64fd4115128cefc776a706cad420aec80b67125b40af20156289c495921d47a7f39a092f25e1ceaf270cb18afe57017f47d1d7bc

  • \??\c:\Program Files\egqppsk\jqmkf.dll

    Filesize

    89KB

    MD5

    9340b36d1cc013fdd5598b5adf282b04

    SHA1

    53f844b0dfcf000831b965b94b06df7a4a6cc44c

    SHA256

    58416477e50964a6ade66fd2e9ea320e6ecc7b809874f90a95c41d804ea70a77

    SHA512

    2b733dad418338d32d0fc745d986883c21265f7f42b152df561540db594b6ccbe6238719699494dc3cf295e663ab10cee2576fa1e15d33610d41aec6970d20df

  • memory/4400-11-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

  • memory/4400-12-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

  • memory/4400-21-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB