Analysis
- max time kernel: 153s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-04-2024 14:20
- Static task: static1
- Behavioral task: behavioral1
  Sample: 120a0efd4e4eea95fe3c6730fb495bc1006b33081a9a107619df1f16595b138b.exe
  Resource: win7-20240221-en
- Behavioral task: behavioral2
  Sample: 120a0efd4e4eea95fe3c6730fb495bc1006b33081a9a107619df1f16595b138b.exe
  Resource: win10v2004-20240226-en
General
- Target: 120a0efd4e4eea95fe3c6730fb495bc1006b33081a9a107619df1f16595b138b.exe
- Size: 403KB
- MD5: 1581bd35e4f16dca4b982a2b953cfcdd
- SHA1: a6252f7993137811caca25634674ced6b126c3b9
- SHA256: 120a0efd4e4eea95fe3c6730fb495bc1006b33081a9a107619df1f16595b138b
- SHA512: 31bc1f323d471177a502f508a698d08abae7777c2cab54d31a8c5f6b25cc2a9018a4d3238720c82d5ba8bac6dbd4b2f4c8bba3f73175b9f5be6ceccad35bd43c
- SSDEEP: 6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse
Malware Config
Signatures
Blocklisted process makes network request (8 IoCs)
Processes: rundll32.exe
  flow  pid   process
  11    2428  rundll32.exe
  51    2428  rundll32.exe
  54    2428  rundll32.exe
  55    2428  rundll32.exe
  68    2428  rundll32.exe
  71    2428  rundll32.exe
  78    2428  rundll32.exe
  84    2428  rundll32.exe
Deletes itself (1 IoCs)
Processes: tfhai.exe
  pid   process
  2696  tfhai.exe
Executes dropped EXE (1 IoCs)
Processes: tfhai.exe
  pid   process
  2696  tfhai.exe
Loads dropped DLL (1 IoCs)
Processes: rundll32.exe
  pid   process
  2428  rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: rundll32.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\vzefmuqda\\bxjxeuh.dll\",Verify"
  process: rundll32.exe
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: rundll32.exe
  description              ioc      process
  File opened (read-only)  \??\b:   rundll32.exe
  File opened (read-only)  \??\a:   rundll32.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: rundll32.exe
  description                   ioc                  process
  File opened for modification  \??\PHYSICALDRIVE0   rundll32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes: rundll32.exe
  pid   process
  2428  rundll32.exe
Drops file in Program Files directory (2 IoCs)
Processes: tfhai.exe
  description                   ioc                                         process
  File opened for modification  \??\c:\Program Files\vzefmuqda              tfhai.exe
  File created                  \??\c:\Program Files\vzefmuqda\bxjxeuh.dll  tfhai.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: rundll32.exe
  description        ioc                                                                                 process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      rundll32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  rundll32.exe
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: rundll32.exe
  pid   process
  2428  rundll32.exe  (all 64 entries are this same pid/process pair)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: rundll32.exe
  description               pid   process
  Token: SeDebugPrivilege   2428  rundll32.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: 120a0efd4e4eea95fe3c6730fb495bc1006b33081a9a107619df1f16595b138b.exe, tfhai.exe
  pid   process
  3016  120a0efd4e4eea95fe3c6730fb495bc1006b33081a9a107619df1f16595b138b.exe
  2696  tfhai.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: 120a0efd4e4eea95fe3c6730fb495bc1006b33081a9a107619df1f16595b138b.exe, cmd.exe, tfhai.exe
  description                         pid   process                                                                    target process
  PID 3016 wrote to memory of 4760    3016  120a0efd4e4eea95fe3c6730fb495bc1006b33081a9a107619df1f16595b138b.exe  cmd.exe      (reported 3 times)
  PID 4760 wrote to memory of 3552    4760  cmd.exe                                                                    PING.EXE     (reported 3 times)
  PID 4760 wrote to memory of 2696    4760  cmd.exe                                                                    tfhai.exe    (reported 3 times)
  PID 2696 wrote to memory of 2428    2696  tfhai.exe                                                                  rundll32.exe (reported 3 times)
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\120a0efd4e4eea95fe3c6730fb495bc1006b33081a9a107619df1f16595b138b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\120a0efd4e4eea95fe3c6730fb495bc1006b33081a9a107619df1f16595b138b.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\tfhai.exe "C:\Users\Admin\AppData\Local\Temp\120a0efd4e4eea95fe3c6730fb495bc1006b33081a9a107619df1f16595b138b.exe"
    - Suspicious use of WriteProcessMemory
    (level 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 2
      - Runs ping.exe
    (level 3) C:\Users\Admin\AppData\Local\Temp\tfhai.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\tfhai.exe "C:\Users\Admin\AppData\Local\Temp\120a0efd4e4eea95fe3c6730fb495bc1006b33081a9a107619df1f16595b138b.exe"
      - Deletes itself
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      (level 4) \??\c:\windows\SysWOW64\rundll32.exe
        Command line: c:\windows\system32\rundll32.exe "c:\Program Files\vzefmuqda\bxjxeuh.dll",Verify C:\Users\Admin\AppData\Local\Temp\tfhai.exe
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Adds Run key to start application
        - Enumerates connected drives
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
(level 1) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3740 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tfhai.exe
  Filesize: 403KB
  MD5: df7a527277f7bc0d8be9b1b0d0545a86
  SHA1: 5ac2fd4693f3d950aeccf35e0527579f1e0da0fe
  SHA256: c6847540f8381cebac079e962b48c1acf98ecb9b63034ee143bf24214a8b7e8a
  SHA512: 4ef477de0869c2565ef6170c43b8d6f74d631ba9da80f56e81d9d1776724d936c151b5f4366c5f4089f97535d4739d870488409fc97efb43e4d75f15dfb180bf
- \??\c:\Program Files\vzefmuqda\bxjxeuh.dll
  Filesize: 228KB
  MD5: 6c8f61934dd95659bb49dbdaa377d62b
  SHA1: 6fcb799ee1734944f8b0d82577ba799d59b6571a
  SHA256: 17921997af9c1fea7edd939dc194fc8d385e51fe37683dbc6f67135d12c32c26
  SHA512: 013e81d1e8cb5993fd814884c7e9849abc20b9e717b23e35e9f581aa67843ae574d7fb0106eb9a962f17b55d42077eb8cbe571c3ad507f71a4fbdfcb7bb69b8f
- memory/2428-10-0x0000000010000000-0x0000000010080000-memory.dmp
  Filesize: 512KB
- memory/2428-11-0x0000000010000000-0x0000000010080000-memory.dmp
  Filesize: 512KB
- memory/2428-13-0x0000000010000000-0x0000000010080000-memory.dmp
  Filesize: 512KB
- memory/2696-7-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
- memory/3016-0-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
- memory/3016-2-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB