Analysis
max time kernel: 165s
max time network: 193s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/04/2024, 22:15
Behavioral task behavioral1
Sample: 9f374c06a147db8596e113ffa63cf972457b6e9bc0879e24627fd726a39515e3.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 9f374c06a147db8596e113ffa63cf972457b6e9bc0879e24627fd726a39515e3.exe
Resource: win10v2004-20240226-en
Every resource, signature hit and memory dump listed below is prefixed behavioral2, i.e. comes from the Windows 10 run; the win7 task (behavioral1) has no entries on this page.
General
Target: 9f374c06a147db8596e113ffa63cf972457b6e9bc0879e24627fd726a39515e3.exe
Size: 246KB
MD5: 57b7f75667fb705abd2cad5a8cc90f49
SHA1: bea3465bc1c783b413d9b01d300bcaf175a8c00b
SHA256: 9f374c06a147db8596e113ffa63cf972457b6e9bc0879e24627fd726a39515e3
SHA512: 240f7009e205048bfc2b2c459b3506353013c701b74f9b7efa34c7d25b4ef0ba1f18cdb11534aa15b347547b397e9f564c46ad0354081d4a7104be943c545775
SSDEEP: 6144:6lez2ssftlVN+zBfGrSWm+omDAgQsSygGG2SzA9u:H6silNoGSJ+omDAdsWGLS8k
Malware Config
Signatures
Detects executables containing base64 encoded User Agent (4 IoCs)
resource                                                                     yara_rule
behavioral2/memory/2620-14-0x0000000010000000-0x000000001004E000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
behavioral2/memory/2620-17-0x0000000010000000-0x000000001004E000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
behavioral2/memory/2620-19-0x0000000010000000-0x000000001004E000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
behavioral2/memory/2620-25-0x0000000010000000-0x000000001004E000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
All four hits are successive dumps of the same 0x10000000-0x1004E000 region in pid 2620 (asa.exe). 0x10000000 is the default image base of a 32-bit DLL, so this region is most likely the dropped asawb.dll that asa.exe loads, which makes it the module to inspect for the encoded User-Agent string.
UPX dump on OEP (original entry point) (3 IoCs)
resource                                                                     yara_rule
behavioral2/memory/4552-1-0x0000000000400000-0x000000000047301D-memory.dmp   UPX
behavioral2/files/0x0007000000023205-3.dat                                   UPX
behavioral2/memory/3644-9-0x0000000000400000-0x000000000047301D-memory.dmp   UPX
The submitted sample (pid 4552), the dropped file and owkfkmce.exe (pid 3644) are all UPX-packed, and the two memory dumps cover the same 0x400000-0x47301D image range. The dumps were taken at the original entry point, i.e. after the UPX stub had unpacked the image, so they, rather than the packed files on disk, are what static analysis should start from.
Deletes itself (1 IoCs)
pid    Process
3644   owkfkmce.exe
Executes dropped EXE (2 IoCs)
pid    Process
3644   owkfkmce.exe
2620   asa.exe
Loads dropped DLL (1 IoCs)
pid    Process
2620   asa.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
resource                                                                     yara_rule
behavioral2/memory/4552-1-0x0000000000400000-0x000000000047301D-memory.dmp   upx
behavioral2/files/0x0007000000023205-3.dat                                   upx
behavioral2/memory/3644-9-0x0000000000400000-0x000000000047301D-memory.dmp   upx
The rows shown for this signature are the same three UPX regions listed under the UPX dump signature; no browser profile path, file or registry access is recorded anywhere on this page. Treat the browser-data claim as unconfirmed until the unpacked dump is checked for browser store paths or the matching file operations are seen.
Adds Run key to start application (2 TTPs, 1 IoCs)
Set value (str) by asa.exe:
  \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfl = "c:\\Program Files\\pqhlw\\asa.exe \"c:\\Program Files\\pqhlw\\asawb.dll\",WriteErrorLog"
The key is under \REGISTRY\USER\<SID>, i.e. the logged-on user's HKCU hive, so the autostart is per-user and writing it needs no elevation. The value re-launches asa.exe with the "<dll>",<export> argument form that rundll32.exe accepts (here asawb.dll and the export WriteErrorLog); whether asa.exe is a renamed rundll32.exe or a custom loader is not established by this report and should be settled by hashing the dropped asa.exe.
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description               ioc      Process
File opened (read-only)   \??\a:   asa.exe
File opened (read-only)   \??\b:   asa.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description                    ioc                  Process
File opened for modification   \??\PHYSICALDRIVE0   asa.exe
The evidence is a write-capable handle on the raw disk device (\??\PHYSICALDRIVE0 is the NT object path behind \\.\PhysicalDrive0). The report does not show the bytes written, so an actual MBR overwrite, as opposed to a write-capable open used for disk enumeration, should be confirmed by reading sector 0 of the disk and diffing it against a known-good copy.
Drops file in Program Files directory (4 IoCs)
description                    ioc                                    Process
File opened for modification   \??\c:\Program Files\pqhlw             owkfkmce.exe
File created                   \??\c:\Program Files\pqhlw\asawb.dll   owkfkmce.exe
File created                   \??\c:\Program Files\pqhlw\asa.exe     owkfkmce.exe
File opened for modification   \??\c:\Program Files\pqhlw\asa.exe     owkfkmce.exe
Creating a directory under c:\Program Files requires write access that a standard-user account does not have; the sample ran under the sandbox's Admin account (see the C:\Users\Admin paths), which is why the drop succeeded here.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description         ioc                                                                                    Process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                        asa.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString    asa.exe
Runs ping.exe (1 TTPs, 1 IoCs)
pid    Process
4876   PING.EXE
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid    Process
2620   asa.exe (4 events)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description               pid    Process
Token: SeDebugPrivilege   2620   asa.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid    Process
4552   9f374c06a147db8596e113ffa63cf972457b6e9bc0879e24627fd726a39515e3.exe
3644   owkfkmce.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description                        pid    Process                                                                   procid_target
PID 4552 wrote to memory of 3164   4552   9f374c06a147db8596e113ffa63cf972457b6e9bc0879e24627fd726a39515e3.exe   88   (3 events)
PID 3164 wrote to memory of 4876   3164   cmd.exe                                                                   90   (3 events)
PID 3164 wrote to memory of 3644   3164   cmd.exe                                                                   92   (3 events)
PID 3644 wrote to memory of 2620   3644   owkfkmce.exe                                                              93   (3 events)
Every write here is from a parent into the child it has just created, matching the edges of the process tree, which is the normal pattern for process creation (the parent writes the child's startup data); none of the writes target an unrelated process, so this is not evidence of injection.
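Added example, not part of this report or of the sandbox's tooling: the check a responder would run after seeing the write-capable handle on \??\PHYSICALDRIVE0 listed under "Writes to the Master Boot Record (MBR)" above. It parses sector 0 of a disk and diffs the boot code, disk signature and partition table against a known-good copy. The two 512-byte images are constructed for the example, the device path \\.\PhysicalDrive0 and all function names are this example's own assumptions, and nothing here is derived from the sample's code.

```python
"""Parse a 512-byte MBR and diff it against a known-good baseline.

A bootkit that obtains a write handle on \\\\.\\PhysicalDrive0 (the Win32 name for the
\\??\\PHYSICALDRIVE0 object in the report) typically rewrites the 440-byte boot code and
leaves the partition table intact, so the boot-code hash is the first thing compared.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # 0x000-0x1B7: bootstrap code
DISK_SIG_OFF = 440       # 0x1B8: 4-byte disk signature (2 reserved bytes follow)
PART_TABLE_OFF = 446     # 0x1BE: four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x1FE: 0x55 0xAA
PART_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 from a raw disk device (needs administrator rights on Windows; e.g. /dev/sda on Linux)."""
    with open(device, "rb") as fh:
        return fh.read(MBR_SIZE)


def parse_mbr(buf: bytes) -> dict:
    """Split an MBR into the fields worth comparing."""
    if len(buf) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(buf)}")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(PART_FMT, buf, PART_TABLE_OFF + 16 * i)
        if ptype != 0:   # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(buf[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", buf, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "valid_signature": buf[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa",
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return human-readable differences between two MBR images; an empty list means sector 0 is unchanged."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("boot code modified")
    if b["disk_signature"] != c["disk_signature"]:
        findings.append("disk signature changed")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test image (not a real disk): the given boot code, a fixed disk signature, one bootable NTFS partition."""
    buf = bytearray(MBR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    buf[:len(code)] = code
    struct.pack_into("<I", buf, DISK_SIG_OFF, 0x1234ABCD)
    struct.pack_into(PART_FMT, buf, PART_TABLE_OFF, 0x80, 0x07, 2048, 0x1000000)
    buf[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(buf)


# Baseline: a benign-looking stub (cli; xor ax,ax; mov ss,ax; mov sp,0x7c00; nops).
# Tampered: boot code replaced with jmp $ while the partition table is untouched,
# which is what a bootkit-style modification of sector 0 looks like.
GOOD_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 200)
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x00" * 200)

if __name__ == "__main__":
    print("baseline vs baseline:", compare_mbr(GOOD_MBR, GOOD_MBR))
    print("baseline vs tampered:", compare_mbr(GOOD_MBR, TAMPERED_MBR))
```

On a live host, `compare_mbr(baseline, read_mbr())` with a baseline captured at build time gives the answer the report cannot: whether sector 0 actually changed. The partition-table comparison is kept separate from the boot-code hash because a legitimate disk-management operation changes the former, while a bootkit normally touches only the latter.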
Processes
1. C:\Users\Admin\AppData\Local\Temp\9f374c06a147db8596e113ffa63cf972457b6e9bc0879e24627fd726a39515e3.exe (PID 4552)
   Command line: "C:\Users\Admin\AppData\Local\Temp\9f374c06a147db8596e113ffa63cf972457b6e9bc0879e24627fd726a39515e3.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 3164)
      Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\owkfkmce.exe "C:\Users\Admin\AppData\Local\Temp\9f374c06a147db8596e113ffa63cf972457b6e9bc0879e24627fd726a39515e3.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE (PID 4876)
         Command line: ping 127.0.0.1 -n 2
         - Runs ping.exe
      3. C:\Users\Admin\AppData\Local\Temp\owkfkmce.exe (PID 3644)
         Command line: C:\Users\Admin\AppData\Local\Temp\\owkfkmce.exe "C:\Users\Admin\AppData\Local\Temp\9f374c06a147db8596e113ffa63cf972457b6e9bc0879e24627fd726a39515e3.exe"
         - Deletes itself
         - Executes dropped EXE
         - Drops file in Program Files directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. \??\c:\Program Files\pqhlw\asa.exe (PID 2620)
            Command line: "c:\Program Files\pqhlw\asa.exe" "c:\Program Files\pqhlw\asawb.dll",WriteErrorLog C:\Users\Admin\AppData\Local\Temp\owkfkmce.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Enumerates connected drives
            - Writes to the Master Boot Record (MBR)
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
The chain reads as: the sample spawns cmd.exe, which pings localhost twice (a delay of about a second, with ping standing in for sleep) and then starts the dropped owkfkmce.exe with the original sample's path as its only argument; owkfkmce.exe creates c:\Program Files\pqhlw, drops asa.exe and asawb.dll there, and starts asa.exe with the DLL path, the export name WriteErrorLog and its own path as arguments. Each stage receives the path of the stage before it, the usual arrangement for removing the previous stage once it has exited, and the Deletes itself signature is recorded on owkfkmce.exe. cmd.exe and PING.EXE run from SysWOW64, so the sample is a 32-bit process on this x64 image.
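Added example, not taken from the report or from the sandbox: detection logic for three behaviours visible in the process tree above, namely the ping-to-localhost delay chained into a Temp-resident executable, a Run value that carries a rundll32-style "<dll>",<export> argument, and a Temp-resident process creating files under Program Files. It is written against Sysmon field names (EventID 1, 11 and 13). The events are constructed to mirror the report, with sample.exe standing in for the long sample file name; the rule names, regexes and benign control events are this example's own.

```python
"""Sysmon-style rules for the dropper chain in the process tree above.

Rule 1: cmd.exe /c ping 127.0.0.1 -n N & <exe under %LOCALAPPDATA%\\Temp>  (ping as a sleep, then launch)
Rule 2: a Run-key value whose command passes "<dll>",<export>, the calling convention of rundll32.exe
Rule 3: a process running from the user's Temp directory creating files under Program Files
Field names follow Sysmon events 1 (process create), 11 (file create) and 13 (registry value set).
"""
import re
from typing import Dict, List

PING_DELAY_RE = re.compile(
    r"ping(\.exe)?\s+127\.0\.0\.1\s+-n\s+\d+.*?&{1,2}\s*\"?[^\s\"]*\\AppData\\Local\\Temp\\[^\s\"]+\.exe",
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
DLL_EXPORT_ARG_RE = re.compile(r"\.dll\"?\s*,\s*[A-Za-z_]\w*", re.IGNORECASE)
TEMP_IMAGE_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
PROGRAM_FILES_RE = re.compile(r"^[a-z]:\\Program Files( \(x86\))?\\", re.IGNORECASE)


def detect(events: List[Dict]) -> List[Dict]:
    """Run the three rules over Sysmon-shaped event dicts and return the hits in event order."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:   # process creation: look at the command line only
            cmd = ev.get("CommandLine", "")
            if PING_DELAY_RE.search(cmd):
                hits.append({"rule": "ping_delay_then_exec", "pid": ev.get("ProcessId"), "evidence": cmd})
        elif eid == 11:   # file create: writer lives in Temp, target is under Program Files
            image, target = ev.get("Image", ""), ev.get("TargetFilename", "")
            if TEMP_IMAGE_RE.search(image) and PROGRAM_FILES_RE.match(target):
                hits.append({"rule": "temp_dropper_writes_program_files", "pid": ev.get("ProcessId"), "evidence": target})
        elif eid == 13:   # registry value set: Run key whose command has a DLL plus export argument
            target, details = ev.get("TargetObject", ""), ev.get("Details", "")
            if RUN_KEY_RE.search(target) and DLL_EXPORT_ARG_RE.search(details):
                hits.append({"rule": "run_key_dll_export_loader", "pid": ev.get("ProcessId"), "evidence": details})
    return hits


SID = "S-1-5-21-557049126-2506969350-2798870634-1000"   # the sandbox user's SID as it appears in the report
RUN_KEY = "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
SAMPLE_EVENTS = [  # constructed for this example; values mirror the report, they are not captured telemetry
    {"EventID": 1, "ProcessId": 3164, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\owkfkmce.exe "C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
    {"EventID": 1, "ProcessId": 5000, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ping 127.0.0.1 -n 4"},                      # benign: nothing chained after the ping
    {"EventID": 11, "ProcessId": 3644, "Image": r"C:\Users\Admin\AppData\Local\Temp\owkfkmce.exe",
     "TargetFilename": r"c:\Program Files\pqhlw\asawb.dll"},
    {"EventID": 11, "ProcessId": 5001, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Program Files\Vendor\app.exe"},                 # benign: installer, not a Temp-resident image
    {"EventID": 13, "ProcessId": 2620, "Image": r"c:\Program Files\pqhlw\asa.exe",
     "TargetObject": "HKU\\" + SID + RUN_KEY + "wfl",
     "Details": r'c:\Program Files\pqhlw\asa.exe "c:\Program Files\pqhlw\asawb.dll",WriteErrorLog'},
    {"EventID": 13, "ProcessId": 5002, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": "HKU\\" + SID + RUN_KEY + "Vendor",
     "Details": r'"C:\Program Files\Vendor\app.exe" /tray'},                # benign: no "<dll>",<export> argument
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['rule']:36} pid={hit['pid']} {hit['evidence']}")
```

The rules are deliberately narrow (a localhost ping chained into a Temp path, a DLL-plus-export argument in a Run value) to keep noise down; rule 2 also fires on legitimate Run entries that call rundll32.exe, so pair it with an allowlist of known DLL and export pairs. The MBR write is not covered here because Sysmon's raw-access event (EventID 9) records reads from \\.\ devices, not writes; that behaviour needs EDR telemetry or the sector-0 diff shown earlier.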
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Pre-OS Boot (T1542): 1
    Bootkit (T1542.003): 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
Downloads
Filesize: 60KB
MD5: 889b99c52a60dd49227c5e485a016679
SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Filesize: 246KB
MD5: eaf5a7656a327a054434bee953eb1a30
SHA1: f20595c4c9e9b3e02e989582a7b3879e2493320d
SHA256: fb352deac99a2916f5078644a5207c9bf4a1b370615a5db4b2c3bf6c603f58af
SHA512: 639f9da84667b077a3c9d8aefe2d5c00bde5b4bd5f4bbc6b3b7b3b1ed658d21484efdeafc538bce88c8bce8272f8877143df5172aaaa065c06a005c534238f3a

Filesize: 181KB
MD5: 6e2da01c637db2bde6b7dbd577eb00bd
SHA1: 05ffcc54e23d3f6c8348d066071a2179f53ce5c1
SHA256: 90e5303fbe5a871fcdae6cbdfc0a6e882323a7bced2538627c6fbd760a951143
SHA512: 26307b2eddfcdbfeb6a409a9026e18bc285c518d60c5fc52f582ac3af92b7ad5b85a8c194323d5e818edee02af27a07537717bfc7eed1090747a192e7e5344c2

The page does not map these three files to the dropped names (owkfkmce.exe, asa.exe, asawb.dll). Note that the 246KB entry has the same rounded size as the submitted sample but different hashes, so it is not a byte-identical copy; all three hashes are worth adding to blocklists alongside the submitted sample's.