Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    07/05/2024, 02:14

General

  • Target

    fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe

  • Size

    405KB

  • MD5

    47a631f9ed3ea367f8ae67f0233ff53e

  • SHA1

    539b06f5af6720a98c3d40d35a0c200129d599f4

  • SHA256

    fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24

  • SHA512

    c2f0452d4a5809be5b5ec7d91b4dd9bcddf7e4ccbb3fb388e7270fa23575984c9280ee804ad1bfbef504aa87cc6f28d2590530c854b26a6a037b356dab432892

  • SSDEEP

    6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse

Malware Config

Signatures

  • Blocklisted process makes network request 10 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe
    "C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\mwyewp.exe "C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:2592
      • C:\Users\Admin\AppData\Local\Temp\mwyewp.exe
        C:\Users\Admin\AppData\Local\Temp\\mwyewp.exe "C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2668
        • \??\c:\windows\SysWOW64\rundll32.exe
          c:\windows\system32\rundll32.exe "c:\Program Files\ioesf\grurvepgw.dll",Verify C:\Users\Admin\AppData\Local\Temp\mwyewp.exe
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2948

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • \??\c:\Program Files\ioesf\grurvepgw.dll

          Filesize

          228KB

          MD5

          9a9926c58e8ac749d5d903847f58c9ae

          SHA1

          d0b90a665a92307461002f2b4f5c5d380fd4454a

          SHA256

          07b72f445a782503f45e95371413fe5240d2eea408d855816d3373d36f331675

          SHA512

          2e59e19441b6fc33128bb9a3c1380f624553cb85fef33309b813b92732565036d1403a1ad641ce6d2ba112b1d25a5fd4ede7a7e176e36430390a91d58cde0d67

        • \Users\Admin\AppData\Local\Temp\mwyewp.exe

          Filesize

          405KB

          MD5

          d4dd1092940b2b02d484d955d03b558a

          SHA1

          00255d067f0178568c1a147d8a0826d284b89607

          SHA256

          31b3962c17d09cf0627dd7de8c5a74a74d89d2c71f1a27d3c0654adec2f2daf3

          SHA512

          8615221f6cce856d8e18f483409782fbd82355c76316d9b3c1fce9463d15b5a876bcc0de507ad863799b8feb8409ac372510518d14f4e300d138382d87d2953c

        • memory/1728-0-0x0000000000400000-0x0000000000464000-memory.dmp

          Filesize

          400KB

        • memory/1728-2-0x0000000000400000-0x0000000000464000-memory.dmp

          Filesize

          400KB

        • memory/2668-11-0x0000000000400000-0x0000000000464000-memory.dmp

          Filesize

          400KB

        • memory/2668-9-0x0000000000400000-0x0000000000464000-memory.dmp

          Filesize

          400KB

        • memory/2928-7-0x0000000002340000-0x00000000023A4000-memory.dmp

          Filesize

          400KB

        • memory/2928-8-0x0000000002340000-0x00000000023A4000-memory.dmp

          Filesize

          400KB

        • memory/2948-19-0x0000000010000000-0x0000000010080000-memory.dmp

          Filesize

          512KB

        • memory/2948-18-0x0000000010000000-0x0000000010080000-memory.dmp

          Filesize

          512KB

        • memory/2948-16-0x0000000010000000-0x0000000010080000-memory.dmp

          Filesize

          512KB

        • memory/2948-20-0x0000000010000000-0x0000000010080000-memory.dmp

          Filesize

          512KB

        • memory/2948-22-0x0000000010000000-0x0000000010080000-memory.dmp

          Filesize

          512KB