Analysis
- max time kernel: 149s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-04-2024 07:14

Static task: static1

Behavioral task: behavioral1
- Sample: 3273ba4ceabab901c1daf89224e2a1ed6eca062b1a34bf5aada73f9b546d6efa.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 3273ba4ceabab901c1daf89224e2a1ed6eca062b1a34bf5aada73f9b546d6efa.exe
- Resource: win10v2004-20240412-en
General
- Target: 3273ba4ceabab901c1daf89224e2a1ed6eca062b1a34bf5aada73f9b546d6efa.exe
- Size: 404KB
- MD5: f4a7e6d48c0c6d63f4a37e3966da768e
- SHA1: 2843fa105bce8cebb9ff828f56769588ee2b0e10
- SHA256: 3273ba4ceabab901c1daf89224e2a1ed6eca062b1a34bf5aada73f9b546d6efa
- SHA512: e954dd4ab8dd646e2d4cdbc63dbe56ca64fd4084937c4bba2253c6a7940cae0af7de8c0c20f6346dd1de5f0533dfac0be8b096e1eb0dc33ed2c53ffa4116f517
- SSDEEP: 6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse
Malware Config
Signatures
- Blocklisted process makes network request (8 IoCs)
  Processes:
    flow  pid   process
    27    4868  rundll32.exe
    28    4868  rundll32.exe
    29    4868  rundll32.exe
    30    4868  rundll32.exe
    44    4868  rundll32.exe
    45    4868  rundll32.exe
    51    4868  rundll32.exe
    55    4868  rundll32.exe
- Deletes itself (1 IoC)
  Processes:
    pid   process
    2052  zdltgv.exe
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    2052  zdltgv.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    4868  rundll32.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\zhhsn\\edpsrmatw.dll\",Verify"
    process: rundll32.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description: File opened (read-only)
    process: rundll32.exe
    ioc (23 drive roots, in the order observed): \??\h: \??\j: \??\n: \??\p: \??\s: \??\g: \??\w: \??\x: \??\y: \??\u: \??\e: \??\i: \??\l: \??\m: \??\o: \??\q: \??\z: \??\a: \??\b: \??\k: \??\r: \??\t: \??\v:
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
    description: File opened for modification
    ioc: \??\PHYSICALDRIVE0
    process: rundll32.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
    pid   process
    4868  rundll32.exe
- Drops file in Program Files directory (2 IoCs)
  Processes:
    description                    ioc                                           process
    File opened for modification   \??\c:\Program Files\zhhsn                    zdltgv.exe
    File created                   \??\c:\Program Files\zhhsn\edpsrmatw.dll      zdltgv.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description          ioc                                                                                      process
    Key opened           \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                         rundll32.exe
    Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString     rundll32.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid   process
    4868  rundll32.exe (this row is repeated 64 times in the report, once per IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                 pid   process
    Token: SeDebugPrivilege     4868  rundll32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid   process
    4544  3273ba4ceabab901c1daf89224e2a1ed6eca062b1a34bf5aada73f9b546d6efa.exe
    2052  zdltgv.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                      pid   process                                                                    target process
    PID 4544 wrote to memory of 3852 4544  3273ba4ceabab901c1daf89224e2a1ed6eca062b1a34bf5aada73f9b546d6efa.exe    cmd.exe
    PID 4544 wrote to memory of 3852 4544  3273ba4ceabab901c1daf89224e2a1ed6eca062b1a34bf5aada73f9b546d6efa.exe    cmd.exe
    PID 4544 wrote to memory of 3852 4544  3273ba4ceabab901c1daf89224e2a1ed6eca062b1a34bf5aada73f9b546d6efa.exe    cmd.exe
    PID 3852 wrote to memory of 1840 3852  cmd.exe                                                                    PING.EXE
    PID 3852 wrote to memory of 1840 3852  cmd.exe                                                                    PING.EXE
    PID 3852 wrote to memory of 1840 3852  cmd.exe                                                                    PING.EXE
    PID 3852 wrote to memory of 2052 3852  cmd.exe                                                                    zdltgv.exe
    PID 3852 wrote to memory of 2052 3852  cmd.exe                                                                    zdltgv.exe
    PID 3852 wrote to memory of 2052 3852  cmd.exe                                                                    zdltgv.exe
    PID 2052 wrote to memory of 4868 2052  zdltgv.exe                                                                 rundll32.exe
    PID 2052 wrote to memory of 4868 2052  zdltgv.exe                                                                 rundll32.exe
    PID 2052 wrote to memory of 4868 2052  zdltgv.exe                                                                 rundll32.exe
Processes (tree; the number is the depth in the tree)
1. C:\Users\Admin\AppData\Local\Temp\3273ba4ceabab901c1daf89224e2a1ed6eca062b1a34bf5aada73f9b546d6efa.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3273ba4ceabab901c1daf89224e2a1ed6eca062b1a34bf5aada73f9b546d6efa.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\zdltgv.exe "C:\Users\Admin\AppData\Local\Temp\3273ba4ceabab901c1daf89224e2a1ed6eca062b1a34bf5aada73f9b546d6efa.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1 -n 2
         - Runs ping.exe
      3. C:\Users\Admin\AppData\Local\Temp\zdltgv.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\\zdltgv.exe "C:\Users\Admin\AppData\Local\Temp\3273ba4ceabab901c1daf89224e2a1ed6eca062b1a34bf5aada73f9b546d6efa.exe"
         - Deletes itself
         - Executes dropped EXE
         - Drops file in Program Files directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. \??\c:\windows\SysWOW64\rundll32.exe
            Command line: c:\windows\system32\rundll32.exe "c:\Program Files\zhhsn\edpsrmatw.dll",Verify
            Parent process: C:\Users\Admin\AppData\Local\Temp\zdltgv.exe
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Adds Run key to start application
            - Enumerates connected drives
            - Writes to the Master Boot Record (MBR)
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\zdltgv.exe
  Filesize: 404KB
  MD5: a854248047a7d7cab01e1e6353058a56
  SHA1: 3e4d6486bc3e410a608c32806435a68762e7c93e
  SHA256: d03136774cf3273906f800414ffaa6be37e7dfa1dae136cc2a41a7ab3d616668
  SHA512: 95e8a5b1494c793a7dc95281edfa7077c473747f89982cdeecbd30227eb27ae5d75905b073c3d26dc3e77964084409cf55d7f24b2599bd8774855086a7a69a92
- \??\c:\Program Files\zhhsn\edpsrmatw.dll
  Filesize: 228KB
  MD5: 5aa4692dbfaa4383769c9b651eb0918f
  SHA1: ad4980442f693267bfd057fea1dbb8f7eb3d2432
  SHA256: 829f11e0c1cdb03ac4f11c9870349e41a458832c34d0c4efe014bfd1d072cb72
  SHA512: 18f2e1ab2b4d097dd97736efa94340aec2b2f8f05464612f565bc36e7154ac161afbf9e8f3a5b262a267972795b477b678d7cacea24da4d5dda398b1eeba023d
- memory/2052-7-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
- memory/4544-0-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
- memory/4544-2-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
- memory/4868-10-0x0000000010000000-0x0000000010080000-memory.dmp
  Filesize: 512KB
- memory/4868-11-0x0000000010000000-0x0000000010080000-memory.dmp
  Filesize: 512KB
- memory/4868-13-0x0000000010000000-0x0000000010080000-memory.dmp
  Filesize: 512KB