Analysis

max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 07/05/2024, 02:14
Static task: static1
Behavioral task: behavioral1
  Sample: fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe
  Resource: win10v2004-20240419-en
General

Target: fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe
Size: 405KB
MD5: 47a631f9ed3ea367f8ae67f0233ff53e
SHA1: 539b06f5af6720a98c3d40d35a0c200129d599f4
SHA256: fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24
SHA512: c2f0452d4a5809be5b5ec7d91b4dd9bcddf7e4ccbb3fb388e7270fa23575984c9280ee804ad1bfbef504aa87cc6f28d2590530c854b26a6a037b356dab432892
SSDEEP: 6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse
Malware Config
Signatures

Blocklisted process makes network request (10 IoCs)
  flow  pid   Process
  3     2948  rundll32.exe
  5     2948  rundll32.exe
  8     2948  rundll32.exe
  9     2948  rundll32.exe
  10    2948  rundll32.exe
  13    2948  rundll32.exe
  14    2948  rundll32.exe
  15    2948  rundll32.exe
  17    2948  rundll32.exe
  18    2948  rundll32.exe
Deletes itself (1 IoC)
  pid   Process
  2668  mwyewp.exe
Executes dropped EXE (1 IoC)
  pid   Process
  2668  mwyewp.exe
Loads dropped DLL (6 IoCs)
  pid   Process
  2928  cmd.exe
  2928  cmd.exe
  2948  rundll32.exe
  2948  rundll32.exe
  2948  rundll32.exe
  2948  rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                   Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\ioesf\\grurvepgw.dll\",Verify"  rundll32.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\j:  rundll32.exe
  File opened (read-only)  \??\o:  rundll32.exe
  File opened (read-only)  \??\y:  rundll32.exe
  File opened (read-only)  \??\a:  rundll32.exe
  File opened (read-only)  \??\g:  rundll32.exe
  File opened (read-only)  \??\m:  rundll32.exe
  File opened (read-only)  \??\t:  rundll32.exe
  File opened (read-only)  \??\p:  rundll32.exe
  File opened (read-only)  \??\l:  rundll32.exe
  File opened (read-only)  \??\n:  rundll32.exe
  File opened (read-only)  \??\h:  rundll32.exe
  File opened (read-only)  \??\i:  rundll32.exe
  File opened (read-only)  \??\k:  rundll32.exe
  File opened (read-only)  \??\q:  rundll32.exe
  File opened (read-only)  \??\r:  rundll32.exe
  File opened (read-only)  \??\s:  rundll32.exe
  File opened (read-only)  \??\b:  rundll32.exe
  File opened (read-only)  \??\e:  rundll32.exe
  File opened (read-only)  \??\w:  rundll32.exe
  File opened (read-only)  \??\x:  rundll32.exe
  File opened (read-only)  \??\z:  rundll32.exe
  File opened (read-only)  \??\u:  rundll32.exe
  File opened (read-only)  \??\v:  rundll32.exe
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                   ioc                 Process
  File opened for modification  \??\PHYSICALDRIVE0  rundll32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid   Process
  2948  rundll32.exe
Drops file in Program Files directory (2 IoCs)
  description                   ioc                                         Process
  File opened for modification  \??\c:\Program Files\ioesf                  mwyewp.exe
  File created                  \??\c:\Program Files\ioesf\grurvepgw.dll    mwyewp.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                    Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       rundll32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   rundll32.exe
Runs ping.exe (1 TTP, 1 IoC)
  pid   Process
  2592  PING.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2948  rundll32.exe  (64 identical entries)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2948  rundll32.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1728  fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe
  2668  mwyewp.exe
Suspicious use of WriteProcessMemory (19 IoCs)
  description                        pid   Process                                                                 procid_target  entries
  PID 1728 wrote to memory of 2928   1728  fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe   28             4
  PID 2928 wrote to memory of 2592   2928  cmd.exe                                                                 30             4
  PID 2928 wrote to memory of 2668   2928  cmd.exe                                                                 31             4
  PID 2668 wrote to memory of 2948   2668  mwyewp.exe                                                              32             7
Processes

C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe"
  PID: 1728
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\mwyewp.exe "C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe"
      PID: 2928
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      ├ C:\Windows\SysWOW64\PING.EXE
      │   command line: ping 127.0.0.1 -n 2
      │   PID: 2592
      │   - Runs ping.exe
      └ C:\Users\Admin\AppData\Local\Temp\mwyewp.exe
          command line: C:\Users\Admin\AppData\Local\Temp\\mwyewp.exe "C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe"
          PID: 2668
          - Deletes itself
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          └ \??\c:\windows\SysWOW64\rundll32.exe
              command line: c:\windows\system32\rundll32.exe "c:\Program Files\ioesf\grurvepgw.dll",Verify C:\Users\Admin\AppData\Local\Temp\mwyewp.exe
              (the command line names system32\rundll32.exe, but the 32-bit parent resolves it to the SysWOW64 copy through WoW64 file system redirection)
              PID: 2948
              - Blocklisted process makes network request
              - Loads dropped DLL
              - Adds Run key to start application
              - Enumerates connected drives
              - Writes to the Master Boot Record (MBR)
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - Checks processor information in registry
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
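The Signatures and Processes sections above list the behaviours as flat rows. The following Python script is an added example, not code from the sandbox or the report: it turns five of those rows into detection rules (a Run value that points rundll32 at a DLL outside the Windows system directories, a write handle on \??\PHYSICALDRIVE0, a process probing many drive roots, the ProcessorNameString query, and cmd.exe chaining a loopback ping into an executable under %TEMP%) and runs them over event records constructed from the report. The event schema (pid, process, op, target, data), the drive-sweep threshold and the benign control Run entry are assumptions, not sandbox fields.

```python
"""Detection rules for the host-level IoCs in the sandbox report above.

Added example, not code from the sandbox or the report. The event records are
constructed by hand from the Signatures and Processes sections (plus one benign
control entry); the record shape (pid, process, op, target, data) is an assumed
normalised schema, not the sandbox's own.
"""
import re
from collections import defaultdict

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\w+)', re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RAW_DISK_RE = re.compile(r"^\\\?\?\\PHYSICALDRIVE\d+$", re.I)
DRIVE_ROOT_RE = re.compile(r"^\\\?\?\\([a-z]):$", re.I)
# "ping 127.0.0.1 -n N & <path under %TEMP%>": the sleep-then-launch chain in the process tree
PING_RELAUNCH_RE = re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+\d+\s*&\s*\S*\\AppData\\Local\\Temp\\", re.I)
DRIVE_SWEEP_THRESHOLD = 10  # assumption: ordinary software rarely probes this many drive roots

SID = r"\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe"

# Constructed events, one per report row (the drive probes are generated below).
EVENTS = [
    {"pid": 2928, "process": "cmd.exe", "op": "process_create", "target": r"C:\Windows\SysWOW64\cmd.exe",
     "data": r"cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\mwyewp.exe " + f'"{SAMPLE}"'},
    {"pid": 2948, "process": "rundll32.exe", "op": "reg_set",
     "target": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Dotx",
     "data": r'c:\windows\SysWOW64\rundll32.exe "c:\Program Files\ioesf\grurvepgw.dll",Verify'},
    {"pid": 2948, "process": "rundll32.exe", "op": "file_open_write", "target": r"\??\PHYSICALDRIVE0", "data": None},
    {"pid": 2948, "process": "rundll32.exe", "op": "reg_query", "data": None,
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
]
# The 23 read-only drive-root opens from the report (every letter except c, d and f).
EVENTS += [{"pid": 2948, "process": "rundll32.exe", "op": "file_open_read", "target": "\\??\\" + c + ":", "data": None}
           for c in "abeghijklmnopqrstuvwxyz"]
# Benign control (constructed): a Run value that starts a normal executable.
BENIGN_RUN = {"pid": 1200, "process": "explorer.exe", "op": "reg_set",
              "target": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
              "data": r'"C:\Program Files\Vendor\updater.exe" /quiet'}
EVENTS.append(BENIGN_RUN)


def rundll32_autorun(ev):
    """Run-key value whose data runs rundll32 on a DLL outside the Windows system directories."""
    if ev["op"] != "reg_set" or not RUN_KEY_RE.search(ev["target"]):
        return None
    m = RUNDLL_RE.search(ev["data"] or "")
    if not m:
        return None
    dll = m.group(1).strip().lower()
    if dll.startswith(SYSTEM_DIRS):
        return None
    return f"{ev['process']} (pid {ev['pid']}) set Run value to rundll32 {dll},{m.group(2)}"


def raw_disk_write(ev):
    """Raw physical-drive handle opened for modification: MBR/bootkit write candidate."""
    if ev["op"] == "file_open_write" and RAW_DISK_RE.match(ev["target"]):
        return f"{ev['process']} (pid {ev['pid']}) opened {ev['target']} for modification"
    return None


def cpu_name_query(ev):
    """ProcessorNameString read: weak alone, a sandbox-evasion hint next to the other rules."""
    if ev["op"] == "reg_query" and ev["target"].lower().endswith(r"\centralprocessor\0\processornamestring"):
        return f"{ev['process']} (pid {ev['pid']}) queried ProcessorNameString"
    return None


def ping_relaunch(ev):
    """cmd.exe chaining a loopback ping (a crude sleep) into an executable under %TEMP%."""
    if ev["op"] == "process_create" and PING_RELAUNCH_RE.search(ev["data"] or ""):
        return f"{ev['process']} (pid {ev['pid']}) delays via ping then launches from Temp"
    return None


def drive_sweeps(events, threshold=DRIVE_SWEEP_THRESHOLD):
    """Aggregate rule: one process opening at least `threshold` distinct drive roots."""
    seen = defaultdict(set)
    for ev in events:
        m = DRIVE_ROOT_RE.match(ev["target"]) if ev["op"].startswith("file_open") else None
        if m:
            seen[(ev["pid"], ev["process"])].add(m.group(1).lower())
    return [f"{proc} (pid {pid}) probed {len(ls)} drive roots: {''.join(sorted(ls))}"
            for (pid, proc), ls in seen.items() if len(ls) >= threshold]


PER_EVENT_RULES = (rundll32_autorun, raw_disk_write, cpu_name_query, ping_relaunch)


def detect(events):
    """Return (rule name, finding) pairs for every rule that fires on the event stream."""
    findings = []
    for ev in events:
        for rule in PER_EVENT_RULES:
            hit = rule(ev)
            if hit:
                findings.append((rule.__name__, hit))
    findings += [("drive_sweeps", f) for f in drive_sweeps(events)]
    return findings


if __name__ == "__main__":
    for name, text in detect(EVENTS):
        print(f"[{name}] {text}")
```

Each per-event rule keys on the shape of the IoC rather than on this sample's names (the DLL path, the Run value name, the drive letters), so the same rules fire on the next sample that uses the rundll32-in-Program-Files autorun or opens a raw disk handle; the drive sweep is the only rule that needs the whole event stream, which is why it aggregates per process instead of firing on a single open.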
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Pre-OS Boot (T1542): 1
    Bootkit (T1542.003): 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
Downloads

Filesize: 228KB
MD5: 9a9926c58e8ac749d5d903847f58c9ae
SHA1: d0b90a665a92307461002f2b4f5c5d380fd4454a
SHA256: 07b72f445a782503f45e95371413fe5240d2eea408d855816d3373d36f331675
SHA512: 2e59e19441b6fc33128bb9a3c1380f624553cb85fef33309b813b92732565036d1403a1ad641ce6d2ba112b1d25a5fd4ede7a7e176e36430390a91d58cde0d67

Filesize: 405KB
MD5: d4dd1092940b2b02d484d955d03b558a
SHA1: 00255d067f0178568c1a147d8a0826d284b89607
SHA256: 31b3962c17d09cf0627dd7de8c5a74a74d89d2c71f1a27d3c0654adec2f2daf3
SHA512: 8615221f6cce856d8e18f483409782fbd82355c76316d9b3c1fce9463d15b5a876bcc0de507ad863799b8feb8409ac372510518d14f4e300d138382d87d2953c