Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/05/2024, 02:14

General

  • Target

    fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe

  • Size

    405KB

  • MD5

    47a631f9ed3ea367f8ae67f0233ff53e

  • SHA1

    539b06f5af6720a98c3d40d35a0c200129d599f4

  • SHA256

    fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24

  • SHA512

    c2f0452d4a5809be5b5ec7d91b4dd9bcddf7e4ccbb3fb388e7270fa23575984c9280ee804ad1bfbef504aa87cc6f28d2590530c854b26a6a037b356dab432892

  • SSDEEP

    6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse

Malware Config

Signatures

  • Blocklisted process makes network request 9 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe
    "C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4672
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\sxmuw.exe "C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4300
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:1164
      • C:\Users\Admin\AppData\Local\Temp\sxmuw.exe
        C:\Users\Admin\AppData\Local\Temp\\sxmuw.exe "C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3816
        • \??\c:\windows\SysWOW64\rundll32.exe
          c:\windows\system32\rundll32.exe "c:\Program Files\zcwjw\veole.dll",Verify C:\Users\Admin\AppData\Local\Temp\sxmuw.exe
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1072

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\sxmuw.exe

          Filesize

          405KB

          MD5

          bff5eef69343949add9a0c7802f27072

          SHA1

          cc6fd10ae052f388537c4ed2c696548b2d225ea5

          SHA256

          eeb49de0f4c86236eba496384e4ec8d19576900caf7addc30a303c42a37eaa2f

          SHA512

          297d82105db53c5f8ca791baed21859883e13a0eae088dc2b42457d9da8b981d3daa3d6f9e33d0a84eeba7dc2e4274e7eb731b551ef0b96c9de1bc2df2ead146

        • \??\c:\Program Files\zcwjw\veole.dll

          Filesize

          228KB

          MD5

          19e8567637f5433c5cd3f8352af59106

          SHA1

          304228910b17a6116d47864b53c4fff0d1498a14

          SHA256

          48d8cb786f468839e17ae2d6e0ef6cfa0b338ed74c486b7b130c197d46c5add1

          SHA512

          9d351b84927accd4f7e65cf0705596059315498221d34d479b5e6e69d62663de275b0385f1bbe314c02c6e1f09a94bb55075dffeee547309bdc20b626b35c48c

        • memory/1072-10-0x0000000010000000-0x0000000010080000-memory.dmp

          Filesize

          512KB

        • memory/1072-12-0x0000000010000000-0x0000000010080000-memory.dmp

          Filesize

          512KB

        • memory/1072-13-0x0000000010000000-0x0000000010080000-memory.dmp

          Filesize

          512KB

        • memory/3816-7-0x0000000000400000-0x0000000000464000-memory.dmp

          Filesize

          400KB

        • memory/4672-0-0x0000000000400000-0x0000000000464000-memory.dmp

          Filesize

          400KB

        • memory/4672-2-0x0000000000400000-0x0000000000464000-memory.dmp

          Filesize

          400KB