Analysis
-
max time kernel
148s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system -
submitted
19-04-2024 01:42
Static task
static1
Behavioral task
behavioral1
Sample
ad2b14433fcc95acfa41bcda4a7f287b60c956114fcf476396dc4a8df2030eda.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
ad2b14433fcc95acfa41bcda4a7f287b60c956114fcf476396dc4a8df2030eda.exe
Resource
win10v2004-20240412-en
General
-
Target
ad2b14433fcc95acfa41bcda4a7f287b60c956114fcf476396dc4a8df2030eda.exe
-
Size
224KB
-
MD5
7bd5164ee78d24c88b50a2f902e2d9aa
-
SHA1
552ac1b320c0feb3e3de70c90ff4cea41d17c1d7
-
SHA256
ad2b14433fcc95acfa41bcda4a7f287b60c956114fcf476396dc4a8df2030eda
-
SHA512
5ded8db0954d667e133e566abb0c5194582b0f8568ee49094832f2369cac2cd1997fc58a88948d84f2786fa38ededc507f3a1c5b192b46e8358bcc6eef2e7c1c
-
SSDEEP
6144:sXJ88CQbV3dj3rHwzBt5vxcalHqqFJqokNbb8pWd1DO:ahCQbR5Ut5r8okN1U
Malware Config
Signatures
-
Detects executables containing base64 encoded User Agent 5 IoCs
Processes (resource, yara_rule):
behavioral2/memory/2876-20-0x0000000010000000-0x0000000010065000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
behavioral2/memory/2876-21-0x0000000010000000-0x0000000010065000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
behavioral2/memory/2876-22-0x0000000010000000-0x0000000010065000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
behavioral2/memory/2876-26-0x0000000010000000-0x0000000010065000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
behavioral2/memory/2876-35-0x0000000010000000-0x0000000010065000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
-
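All five hits come from one region, 0x10000000-0x10065000 in pid 2876 (xwsmszz.exe), the process the tree below shows being launched with xwsmszz.dll as its argument. The rule name says what matched: a User-Agent string stored base64-encoded instead of in clear. A base64-encoded needle looks different depending on which of three byte alignments it starts at, so a pattern rule of this kind carries one fragment per alignment. The scanner below is an added example, not the YARA rule the sandbox ran and not code from the page: it derives the three fragments for a needle, scans a buffer for base64 runs containing any of them, and decodes the run to confirm the match. The sample buffer and the `Mozilla/5.0` needle are constructed for the example.

```python
"""Find base64-encoded copies of a plaintext needle in a byte blob.

Added example: this is not the sandbox's YARA rule. A needle that is
base64-encoded produces one of three different character sequences
depending on its byte offset modulo 3 inside the encoded data, so a
pattern-based rule needs one fragment per alignment.
"""
import base64
import re

# Runs of base64 alphabet long enough to be worth decoding (constructed threshold).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def b64_alignments(needle: bytes) -> list[bytes]:
    """Base64 fragments that occur whenever `needle` is encoded, one per
    alignment. Zero bytes stand in for the unknown bytes preceding the
    needle; groups that also cover unknown bytes are trimmed off."""
    fragments = []
    for shift in range(3):
        padded = b"\x00" * shift + needle
        enc = base64.b64encode(padded)
        start = 4 if shift else 0                           # first group mixes in prefix bytes
        end = len(enc) - (4 if len(padded) % 3 else 0)      # last group would mix in suffix bytes
        if end > start:
            fragments.append(enc[start:end])
    return fragments


def find_b64_encoded(blob: bytes, needle: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, decoded_run) for each base64 run in `blob` that
    contains an alignment fragment and really decodes to the needle."""
    fragments = b64_alignments(needle)
    hits = []
    for run in B64_RUN.finditer(blob):
        data = run.group()
        if not any(f in data for f in fragments):
            continue
        if data.endswith(b"="):
            body = data                                     # encoder left padding: decode as-is
        else:
            body = data[: len(data) - len(data) % 4]        # run may stop mid-group: drop remainder
        try:
            decoded = base64.b64decode(body, validate=True)
        except ValueError:
            continue
        if needle in decoded:
            hits.append((run.start(), decoded))
    return hits


# Constructed sample: an encoded user agent at byte offset 2 inside its
# base64 run, surrounded by binary padding and by a plaintext decoy.
UA = b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + base64.b64encode(b"xx" + UA + b" Gecko")
    + b"\x00" * 4 + b"plain text Mozilla/5.0 is not encoded\x00"
)

if __name__ == "__main__":
    for frag in b64_alignments(b"Mozilla/5.0"):
        print("fragment:", frag.decode())
    for off, decoded in find_b64_encoded(SAMPLE, b"Mozilla/5.0"):
        print(f"offset {off}: {decoded!r}")
```

The shift-0 fragment for `Mozilla/5.0` is `TW96aWxsYS81`, the string that turns up in rules of this family; the other two fragments catch the same needle when it sits one or two bytes off a group boundary, which is exactly what a single literal would miss.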
Deletes itself 1 IoCs
Processes (pid, process):
3728 tjknbza.exe
-
Executes dropped EXE 2 IoCs
Processes (pid, process):
3728 tjknbza.exe
2876 xwsmszz.exe
-
Loads dropped DLL 1 IoCs
Processes (pid, process):
2876 xwsmszz.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
The value data starts the dropped xwsmszz.exe with "xwsmszz.dll",CreateFlashAdapterHlink as its argument, the DLL-plus-export convention rundll32.exe uses; the process tree shows the dropper invoking the same binary with the export CreateFlashAdapter.
Processes (description, ioc, process):
Set value (str)  \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Flash = "c:\\Program Files\\aahmezdog\\xwsmszz.exe \"c:\\Program Files\\aahmezdog\\xwsmszz.dll\",CreateFlashAdapterHlink"  xwsmszz.exe
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description, ioc, process):
File opened (read-only) by xwsmszz.exe: \??\s: \??\a: \??\m: \??\r: \??\o: \??\u: \??\y: \??\b: \??\h: \??\i: \??\p: \??\v: \??\w: \??\x: \??\g: \??\j: \??\k: \??\q: \??\t: \??\z: \??\e: \??\l: \??\n:
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (description, ioc, process):
File opened for modification  \??\PHYSICALDRIVE0  xwsmszz.exe
-
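The IoC above records only that xwsmszz.exe opened \??\PHYSICALDRIVE0 for modification; whether sector 0 actually changed is a separate question, and the way to answer it on an affected host is to pull the first 512 bytes of the disk and compare them with a known-good copy, or at least sanity-check the layout. The following is an added example, not part of the report: it parses an MBR image (bootstrap code, disk signature, four partition entries, 0x55AA marker), hashes the bootstrap code, and reports what differs from a baseline. Both sectors it runs on are constructed; on a live Windows host the bytes would come from the raw device name \\.\PhysicalDrive0 read by an elevated process, which is assumed rather than exercised here.

```python
r"""Triage a 512-byte sector-0 image after a process opened PHYSICALDRIVE0
for modification.

Added example, not from the report. Parses the MBR layout, hashes the
bootstrap code so it can be diffed against a known-good copy, and lists
differences. The sample sectors below are constructed.
"""
import hashlib
import struct

SECTOR = 512
BOOTSTRAP_LEN = 440         # bootstrap code precedes the 4-byte disk signature at offset 440
PART_TABLE = 446            # four 16-byte partition entries
PART_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PART_FMT, sector, PART_TABLE + 16 * i)
        if ptype:                                   # type 0 marks an unused slot
            parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": parts,
    }


def compare_mbr(current: bytes, baseline: bytes) -> list[str]:
    """Human-readable differences between a suspect sector and a baseline."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    diffs = []
    if not cur["signature_ok"]:
        diffs.append("boot signature 0x55AA missing")
    if cur["bootstrap_sha256"] != base["bootstrap_sha256"]:
        diffs.append("bootstrap code changed")
    if cur["disk_signature"] != base["disk_signature"]:
        diffs.append("disk signature changed")
    if cur["partitions"] != base["partitions"]:
        diffs.append("partition table changed")
    return diffs


def build_sector(bootstrap: bytes, partitions, disk_sig=0x2C7A9F13) -> bytes:
    """Assemble a sector for the example; partitions are (bootable, type, lba, count)."""
    buf = bytearray(SECTOR)
    buf[:len(bootstrap)] = bootstrap
    struct.pack_into("<I", buf, 440, disk_sig)
    for i, (boot, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_FMT, buf, PART_TABLE + 16 * i,
                         0x80 if boot else 0, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)


def read_sector0(path: str) -> bytes:
    """Read sector 0 from a raw device or disk image; the Windows device
    name \\.\PhysicalDrive0 needs an elevated process (assumed, not tested)."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


# Constructed sectors: a baseline with one bootable NTFS-type partition, and
# a copy whose first 16 bootstrap bytes were overwritten while the
# partition table and signature were left intact, as a bootkit would.
BASELINE = build_sector(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 435, [(True, 0x07, 2048, 1_000_000)])
TAMPERED = b"\xeb\x3c" + b"\xcc" * 14 + BASELINE[16:]

if __name__ == "__main__":
    print(parse_mbr(BASELINE))
    print("differences:", compare_mbr(TAMPERED, BASELINE) or "none")
```

A tampered bootstrap with an untouched partition table is the usual outcome of an MBR bootkit install, which is why the comparison hashes the first 440 bytes separately instead of the whole sector: a disk signature or partition change is a different (and often benign) event.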
Drops file in Program Files directory 4 IoCs
Processes (description, ioc, process):
File opened for modification  \??\c:\Program Files\aahmezdog  tjknbza.exe
File created  \??\c:\Program Files\aahmezdog\xwsmszz.dll  tjknbza.exe
File created  \??\c:\Program Files\aahmezdog\xwsmszz.exe  tjknbza.exe
File opened for modification  \??\c:\Program Files\aahmezdog\xwsmszz.exe  tjknbza.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  xwsmszz.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  xwsmszz.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes (pid, process):
2876 xwsmszz.exe (4 entries)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description, pid, process):
Token: SeDebugPrivilege  2876  xwsmszz.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes (pid, process):
4348 ad2b14433fcc95acfa41bcda4a7f287b60c956114fcf476396dc4a8df2030eda.exe
3728 tjknbza.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description, pid, process, target process):
PID 4348 wrote to memory of 796  4348  ad2b14433fcc95acfa41bcda4a7f287b60c956114fcf476396dc4a8df2030eda.exe  cmd.exe (3 entries)
PID 796 wrote to memory of 3236  796  cmd.exe  PING.EXE (3 entries)
PID 796 wrote to memory of 3728  796  cmd.exe  tjknbza.exe (3 entries)
PID 3728 wrote to memory of 2876  3728  tjknbza.exe  xwsmszz.exe (3 entries)
Processes
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\ad2b14433fcc95acfa41bcda4a7f287b60c956114fcf476396dc4a8df2030eda.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ad2b14433fcc95acfa41bcda4a7f287b60c956114fcf476396dc4a8df2030eda.exe"
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
(depth 2) C:\Windows\SysWOW64\cmd.exe
Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\tjknbza.exe "C:\Users\Admin\AppData\Local\Temp\ad2b14433fcc95acfa41bcda4a7f287b60c956114fcf476396dc4a8df2030eda.exe"
- Suspicious use of WriteProcessMemory
-
(depth 3) C:\Windows\SysWOW64\PING.EXE
Command line: ping 127.0.0.1 -n 2
- Runs ping.exe
-
(depth 3) C:\Users\Admin\AppData\Local\Temp\tjknbza.exe
Command line: C:\Users\Admin\AppData\Local\Temp\\tjknbza.exe "C:\Users\Admin\AppData\Local\Temp\ad2b14433fcc95acfa41bcda4a7f287b60c956114fcf476396dc4a8df2030eda.exe"
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
(depth 4) \??\c:\Program Files\aahmezdog\xwsmszz.exe
Command line: "c:\Program Files\aahmezdog\xwsmszz.exe" "c:\Program Files\aahmezdog\xwsmszz.dll",CreateFlashAdapter C:\Users\Admin\AppData\Local\Temp\tjknbza.exe
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
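Two parts of this chain are worth turning into host detections: cmd.exe running `ping 127.0.0.1 -n 2` and then tjknbza.exe with the original sample path as its argument (ping as a sleep so the parent can exit before the copy, flagged "Deletes itself", takes over), and the Run value from the "Adds Run key" signature, which starts the dropped xwsmszz.exe with `"xwsmszz.dll",CreateFlashAdapterHlink`, rundll32's argument convention under a host binary that is not rundll32.exe. The script below is an added example, not the sandbox's detection logic and not from the page. It runs both checks over plain-dict events with Sysmon-style field names (`type`, `CommandLine`, `TargetObject`, `Details`); the two malicious events reproduce the command line and Run value shown above, and the three benign decoys are constructed.

```python
"""Two host-telemetry checks for the behaviour in the process tree above.

Added example, not the sandbox's detection logic. Events are plain dicts
with Sysmon-style field names; the two malicious events reproduce the
command line and Run value from this report, the decoys are constructed.
"""
import re

# cmd.exe /c ping <host> -n <N> & <next program>: ping used as a sleep so
# the parent can exit before the next stage starts.
PING_THEN_EXEC = re.compile(
    r"""cmd(?:\.exe)?"?\s+/[ck]\s+ping\b[^&]*&+\s*(?P<next>"[^"]+"|\S+)""",
    re.IGNORECASE,
)
# <host.exe> <some.dll>,<Export>: rundll32's argument convention, here
# checked for a host binary that is not rundll32.exe.
DLL_EXPORT_ARG = re.compile(
    r"""^\s*(?P<host>"[^"]+"|.+?\.exe)\s+(?P<dll>"[^"]+"|.+?\.dll)\s*,\s*(?P<export>\w+)""",
    re.IGNORECASE,
)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)


def ping_delay_relaunch(cmdline: str):
    """Program launched after a ping delay, or None."""
    m = PING_THEN_EXEC.search(cmdline)
    return m.group("next").strip('"') if m else None


def dll_export_via_host(value_data: str):
    """(host_exe, dll, export) when the data uses rundll32 syntax with a
    host other than rundll32.exe, else None."""
    m = DLL_EXPORT_ARG.match(value_data)
    if not m:
        return None
    host = m.group("host").strip('"')
    if host.lower().endswith("rundll32.exe"):
        return None
    return host, m.group("dll").strip('"'), m.group("export")


def triage(events):
    """Return (event index, rule, subject) for every event that fires a check."""
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] == "ProcessCreate":
            nxt = ping_delay_relaunch(ev["CommandLine"])
            if nxt:
                findings.append((i, "ping delay then exec", nxt))
        elif ev["type"] == "RegistryValueSet" and RUN_KEY.search(ev["TargetObject"]):
            hit = dll_export_via_host(ev["Details"])
            if hit:
                findings.append((i, "Run value loads DLL export via non-rundll32 host", hit[0]))
    return findings


RUN = r"\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
EVENTS = [
    # From the report: cmd.exe stage of the chain.
    {"type": "ProcessCreate",
     "CommandLine": r'cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\tjknbza.exe '
                    r'"C:\Users\Admin\AppData\Local\Temp\ad2b14433fcc95acfa41bcda4a7f287b60c956114fcf476396dc4a8df2030eda.exe"'},
    # Constructed decoy: ordinary cmd.exe use.
    {"type": "ProcessCreate", "CommandLine": r"cmd.exe /c dir C:\Temp"},
    # From the report: the Run value written by xwsmszz.exe.
    {"type": "RegistryValueSet", "TargetObject": RUN + r"\Flash",
     "Details": r'c:\Program Files\aahmezdog\xwsmszz.exe "c:\Program Files\aahmezdog\xwsmszz.dll",CreateFlashAdapterHlink'},
    # Constructed decoys: a normal autostart and a genuine rundll32 entry.
    {"type": "RegistryValueSet", "TargetObject": RUN + r"\Updater",
     "Details": r'"C:\Program Files\Vendor\updater.exe" /background'},
    {"type": "RegistryValueSet", "TargetObject": RUN + r"\Helper",
     "Details": r'rundll32.exe "C:\Program Files\Vendor\helper.dll",Start'},
]

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

Genuine rundll32.exe entries are deliberately excluded here because they are common and need their own allow-listing; the point of the second check is that a `"<dll>",<Export>` argument under any other host is almost always a loader that reimplements rundll32's convention, as the dropped xwsmszz.exe does.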
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Pre-OS Boot: Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
Downloads
-
C:\Program Files\aahmezdog\xwsmszz.exe
Filesize: 60KB
MD5: 889b99c52a60dd49227c5e485a016679
SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
-
C:\Users\Admin\AppData\Local\Temp\tjknbza.exe
Filesize: 224KB
MD5: ae55933fbc7c1563cbf668e5643e1587
SHA1: 6bea10e7ba8f3f2445a3d977dd639c9bd8852638
SHA256: 4b499b44fc5d39bd334c0291080fda0cfca9682af3ad44227083d6e8571e590a
SHA512: c0c9021746852d2f4df9bd6fc3a02557caeed0f17889a2d11476ed57cb749f84d8e0d30a3f611cd45c5472e418054bbf171f4100656e54591727a3081a077291
-
\??\c:\Program Files\aahmezdog\xwsmszz.dll
Filesize: 132KB
MD5: 49434bd050185159f7c2535931d00d51
SHA1: 7ca42acb6b6cd285dab1e445d36694decb24b8ff
SHA256: 20773074ebdd8b70cba946772e78d794a5f40c0eba74b5112c885a629714d11f
SHA512: c9c90ed0921ded6b068683b744111c054e436c1a49790d1cd234ccb9282e7d0dc566525c4a34379e3a9369d47918a171814af0535838cbfdb26ea506466b2f43
-
Memory dumps (resource, filesize):
memory/2876-17-0x0000000010000000-0x0000000010065000-memory.dmp  404KB
memory/2876-16-0x0000000010000000-0x0000000010065000-memory.dmp  404KB
memory/2876-20-0x0000000010000000-0x0000000010065000-memory.dmp  404KB
memory/2876-21-0x0000000010000000-0x0000000010065000-memory.dmp  404KB
memory/2876-22-0x0000000010000000-0x0000000010065000-memory.dmp  404KB
memory/2876-26-0x0000000010000000-0x0000000010065000-memory.dmp  404KB
memory/2876-35-0x0000000010000000-0x0000000010065000-memory.dmp  404KB
memory/3728-7-0x0000000000400000-0x000000000046D000-memory.dmp  436KB
memory/3728-12-0x0000000000400000-0x000000000046D000-memory.dmp  436KB
memory/4348-3-0x0000000000400000-0x000000000046D000-memory.dmp  436KB
memory/4348-1-0x0000000000400000-0x000000000046D000-memory.dmp  436KB
memory/4348-0-0x0000000000400000-0x000000000046D000-memory.dmp  436KB