Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/05/2024, 02:14
Static task: static1
Behavioral task: behavioral1
  Sample: fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe
  Resource: win10v2004-20240419-en
General
Target: fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe
Size: 405KB
MD5: 47a631f9ed3ea367f8ae67f0233ff53e
SHA1: 539b06f5af6720a98c3d40d35a0c200129d599f4
SHA256: fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24
SHA512: c2f0452d4a5809be5b5ec7d91b4dd9bcddf7e4ccbb3fb388e7270fa23575984c9280ee804ad1bfbef504aa87cc6f28d2590530c854b26a6a037b356dab432892
SSDEEP: 6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse
Malware Config
Signatures
Blocklisted process makes network request 9 IoCs
flow  pid   Process
26    1072  rundll32.exe
32    1072  rundll32.exe
34    1072  rundll32.exe
33    1072  rundll32.exe
47    1072  rundll32.exe
48    1072  rundll32.exe
62    1072  rundll32.exe
77    1072  rundll32.exe
78    1072  rundll32.exe
Deletes itself 1 IoCs
pid   Process
3816  sxmuw.exe
Executes dropped EXE 1 IoCs
pid   Process
3816  sxmuw.exe
Loads dropped DLL 1 IoCs
pid   Process
1072  rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
description      ioc                                                                                                                  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\zcwjw\\veole.dll\",Verify"  rundll32.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\h:  rundll32.exe
File opened (read-only)  \??\l:  rundll32.exe
File opened (read-only)  \??\n:  rundll32.exe
File opened (read-only)  \??\q:  rundll32.exe
File opened (read-only)  \??\b:  rundll32.exe
File opened (read-only)  \??\p:  rundll32.exe
File opened (read-only)  \??\r:  rundll32.exe
File opened (read-only)  \??\s:  rundll32.exe
File opened (read-only)  \??\t:  rundll32.exe
File opened (read-only)  \??\z:  rundll32.exe
File opened (read-only)  \??\g:  rundll32.exe
File opened (read-only)  \??\i:  rundll32.exe
File opened (read-only)  \??\m:  rundll32.exe
File opened (read-only)  \??\v:  rundll32.exe
File opened (read-only)  \??\x:  rundll32.exe
File opened (read-only)  \??\y:  rundll32.exe
File opened (read-only)  \??\e:  rundll32.exe
File opened (read-only)  \??\j:  rundll32.exe
File opened (read-only)  \??\k:  rundll32.exe
File opened (read-only)  \??\o:  rundll32.exe
File opened (read-only)  \??\u:  rundll32.exe
File opened (read-only)  \??\w:  rundll32.exe
File opened (read-only)  \??\a:  rundll32.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description                   ioc                 Process
File opened for modification  \??\PHYSICALDRIVE0  rundll32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid   Process
1072  rundll32.exe
Drops file in Program Files directory 2 IoCs
description                   ioc                                      Process
File created                  \??\c:\Program Files\zcwjw\veole.dll    sxmuw.exe
File opened for modification  \??\c:\Program Files\zcwjw              sxmuw.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                  Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      rundll32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  rundll32.exe
Runs ping.exe 1 TTPs 1 IoCs
pid   Process
1164  PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
1072  rundll32.exe  (64 identical entries)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  1072  rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
4672  fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe
3816  sxmuw.exe
Suspicious use of WriteProcessMemory 12 IoCs
description                        pid   Process                                                                  procid_target
PID 4672 wrote to memory of 4300   4672  fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe    86
PID 4672 wrote to memory of 4300   4672  fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe    86
PID 4672 wrote to memory of 4300   4672  fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe    86
PID 4300 wrote to memory of 1164   4300  cmd.exe                                                                  88
PID 4300 wrote to memory of 1164   4300  cmd.exe                                                                  88
PID 4300 wrote to memory of 1164   4300  cmd.exe                                                                  88
PID 4300 wrote to memory of 3816   4300  cmd.exe                                                                  92
PID 4300 wrote to memory of 3816   4300  cmd.exe                                                                  92
PID 4300 wrote to memory of 3816   4300  cmd.exe                                                                  92
PID 3816 wrote to memory of 1072   3816  sxmuw.exe                                                                93
PID 3816 wrote to memory of 1072   3816  sxmuw.exe                                                                93
PID 3816 wrote to memory of 1072   3816  sxmuw.exe                                                                93
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe"
  PID: 4672
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\sxmuw.exe "C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe"
    PID: 4300
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 2
      PID: 1164
      - Runs ping.exe
    Depth 3: C:\Users\Admin\AppData\Local\Temp\sxmuw.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\sxmuw.exe "C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe"
      PID: 3816
      - Deletes itself
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Depth 4: \??\c:\windows\SysWOW64\rundll32.exe
        Command line: c:\windows\system32\rundll32.exe "c:\Program Files\zcwjw\veole.dll",Verify C:\Users\Admin\AppData\Local\Temp\sxmuw.exe
        PID: 1072
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Adds Run key to start application
        - Enumerates connected drives
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
Filesize: 405KB
MD5: bff5eef69343949add9a0c7802f27072
SHA1: cc6fd10ae052f388537c4ed2c696548b2d225ea5
SHA256: eeb49de0f4c86236eba496384e4ec8d19576900caf7addc30a303c42a37eaa2f
SHA512: 297d82105db53c5f8ca791baed21859883e13a0eae088dc2b42457d9da8b981d3daa3d6f9e33d0a84eeba7dc2e4274e7eb731b551ef0b96c9de1bc2df2ead146

Filesize: 228KB
MD5: 19e8567637f5433c5cd3f8352af59106
SHA1: 304228910b17a6116d47864b53c4fff0d1498a14
SHA256: 48d8cb786f468839e17ae2d6e0ef6cfa0b338ed74c486b7b130c197d46c5add1
SHA512: 9d351b84927accd4f7e65cf0705596059315498221d34d479b5e6e69d62663de275b0385f1bbe314c02c6e1f09a94bb55075dffeee547309bdc20b626b35c48c