Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 28-04-2024 05:14

Static task: static1

Behavioral task: behavioral1
  Sample: f0cac61298b53cda1ec85091daae4a766287aaac53c95a9c15253a0cc2b16d53.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: f0cac61298b53cda1ec85091daae4a766287aaac53c95a9c15253a0cc2b16d53.exe
  Resource: win10v2004-20240426-en
General
Target: f0cac61298b53cda1ec85091daae4a766287aaac53c95a9c15253a0cc2b16d53.exe
Size: 405KB
MD5: 39c17eda4092dd49c21efb670b2d1ad8
SHA1: b1fd01b3e23736ed0c328f27b8735a2dde3fdf5b
SHA256: f0cac61298b53cda1ec85091daae4a766287aaac53c95a9c15253a0cc2b16d53
SHA512: f0ef7cbacac315f587ee5f3570135bb34432e72a7d77f941b4d462a2891cb8b5c834f333612e4ecefdbeda99ed3937dada83bcfb446401dc3e887ee9a7d6fb20
SSDEEP: 6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse
Malware Config
Signatures
Blocklisted process makes network request (10 IoCs)
Processes (flow, pid, process):
  flows 3, 5, 6, 7, 8, 9, 10, 11, 13, 14: pid 2600 rundll32.exe
Deletes itself (1 IoC)
Processes (pid, process):
  2588 shojjtcsp.exe
Executes dropped EXE (1 IoC)
Processes (pid, process):
  2588 shojjtcsp.exe
Loads dropped DLL (6 IoCs)
Processes (pid, process):
  956 cmd.exe (2 entries)
  2600 rundll32.exe (4 entries)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, ioc, process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\rbouu\\pzzzqwx.dll\",Verify"  rundll32.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description, ioc, process):
  File opened (read-only)  \??\i:, \??\j:, \??\o:, \??\s:, \??\t:, \??\y:, \??\z:, \??\h:, \??\k:, \??\n:, \??\r:, \??\x:, \??\q:, \??\v:, \??\a:, \??\b:, \??\g:, \??\m:, \??\p:, \??\e:, \??\l:, \??\u:, \??\w: (23 drive roots; every letter except c:, d: and f:)  rundll32.exe
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (description, ioc, process):
  File opened for modification  \??\PHYSICALDRIVE0  rundll32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes (pid, process):
  2600 rundll32.exe
Drops file in Program Files directory (2 IoCs)
Processes (description, ioc, process):
  File opened for modification  \??\c:\Program Files\rbouu  shojjtcsp.exe
  File created  \??\c:\Program Files\rbouu\pzzzqwx.dll  shojjtcsp.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  rundll32.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
  2600 rundll32.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
  Token: SeDebugPrivilege  2600  rundll32.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid, process):
  2268 f0cac61298b53cda1ec85091daae4a766287aaac53c95a9c15253a0cc2b16d53.exe
  2588 shojjtcsp.exe
Suspicious use of WriteProcessMemory (19 IoCs)
Processes (description, pid, process, target process):
  PID 2268 wrote to memory of 956  2268 f0cac61298b53cda1ec85091daae4a766287aaac53c95a9c15253a0cc2b16d53.exe  cmd.exe (4 entries)
  PID 956 wrote to memory of 1840  956 cmd.exe  PING.EXE (4 entries)
  PID 956 wrote to memory of 2588  956 cmd.exe  shojjtcsp.exe (4 entries)
  PID 2588 wrote to memory of 2600  2588 shojjtcsp.exe  rundll32.exe (7 entries)
Processes (tree; indentation shows process depth)
C:\Users\Admin\AppData\Local\Temp\f0cac61298b53cda1ec85091daae4a766287aaac53c95a9c15253a0cc2b16d53.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f0cac61298b53cda1ec85091daae4a766287aaac53c95a9c15253a0cc2b16d53.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\shojjtcsp.exe "C:\Users\Admin\AppData\Local\Temp\f0cac61298b53cda1ec85091daae4a766287aaac53c95a9c15253a0cc2b16d53.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 2
      - Runs ping.exe

    C:\Users\Admin\AppData\Local\Temp\shojjtcsp.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\shojjtcsp.exe "C:\Users\Admin\AppData\Local\Temp\f0cac61298b53cda1ec85091daae4a766287aaac53c95a9c15253a0cc2b16d53.exe"
      - Deletes itself
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\SysWOW64\rundll32.exe
        Command line: c:\windows\system32\rundll32.exe "c:\Program Files\rbouu\pzzzqwx.dll",Verify C:\Users\Admin\AppData\Local\Temp\shojjtcsp.exe
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Adds Run key to start application
        - Enumerates connected drives
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
\??\c:\Program Files\rbouu\pzzzqwx.dll
  Filesize: 228KB
  MD5: a0da3207c43e9c0727a155c0d5863569
  SHA1: 2096b486411735fbf0e7d613ebde626b1e6d61a4
  SHA256: d21e0b05c342153ae00c8e6fff49de28b24e8b39195a571803ad2623c20fe316
  SHA512: 572c42358445065187d5fe4eb343859e89357f32e8d215c81220728b93972ea34856fdb15b6e18346b2835f6c80f292ee856b115a73396800ccac692689b10e8

\Users\Admin\AppData\Local\Temp\shojjtcsp.exe
  Filesize: 405KB
  MD5: a269d1969b9ff581b929041f5de896b1
  SHA1: c3dd27b420c31c988c352b1a4e76027b77872ce2
  SHA256: b3956ab7b84e2ea1d041a676ad1eb9d932654cb120a8b066b8cd31d78d472dc5
  SHA512: 67f3000cfe7d927d781da5e7b37207f30f21aa1d9b9dff156429877bf94989b303773cfa51988593b22dcfbc0d15390b897cb30c52c6a5aa9580c7dbd14efe52

memory/956-7-0x0000000000370000-0x00000000003D4000-memory.dmp
  Filesize: 400KB

memory/2268-0-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB

memory/2268-2-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB

memory/2588-9-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB

memory/2600-15-0x0000000010000000-0x0000000010080000-memory.dmp
  Filesize: 512KB

memory/2600-16-0x0000000010000000-0x0000000010080000-memory.dmp
  Filesize: 512KB

memory/2600-18-0x0000000010000000-0x0000000010080000-memory.dmp
  Filesize: 512KB