Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07/05/2024, 03:20
Static task: static1
Behavioral task: behavioral1
  Sample: d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe
  Resource: win10v2004-20240419-en
General
Target: d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe
Size: 405KB
MD5: 4070d58fc98be5e72f8b0386d19a5e57
SHA1: 10cbae7e59cb4ea5f2d35d98af6cff2a0cfafc3f
SHA256: d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13
SHA512: 6d3627bf5f1415713e25384ec12ab01e84878ca44ad8c369e50a48a696ca9a84096be6e433a6180503a14821535625385154ca5201762253b958cccf3b7d2f87
SSDEEP: 6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse
Malware Config
Signatures
Blocklisted process makes network request (10 IoCs)
flow  pid   Process
3     2620  rundll32.exe
5     2620  rundll32.exe
8     2620  rundll32.exe
9     2620  rundll32.exe
10    2620  rundll32.exe
13    2620  rundll32.exe
14    2620  rundll32.exe
15    2620  rundll32.exe
17    2620  rundll32.exe
18    2620  rundll32.exe
Deletes itself (1 IoCs)
pid   Process
2584  zfmjf.exe
Executes dropped EXE (1 IoCs)
pid   Process
2584  zfmjf.exe
Loads dropped DLL (6 IoCs)
pid   Process
2240  cmd.exe
2240  cmd.exe
2620  rundll32.exe
2620  rundll32.exe
2620  rundll32.exe
2620  rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\ftnjx\\rjgypyuwv.dll\",Verify"
Process: rundll32.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\k:  rundll32.exe
File opened (read-only)  \??\v:  rundll32.exe
File opened (read-only)  \??\w:  rundll32.exe
File opened (read-only)  \??\b:  rundll32.exe
File opened (read-only)  \??\i:  rundll32.exe
File opened (read-only)  \??\l:  rundll32.exe
File opened (read-only)  \??\m:  rundll32.exe
File opened (read-only)  \??\o:  rundll32.exe
File opened (read-only)  \??\q:  rundll32.exe
File opened (read-only)  \??\t:  rundll32.exe
File opened (read-only)  \??\u:  rundll32.exe
File opened (read-only)  \??\e:  rundll32.exe
File opened (read-only)  \??\x:  rundll32.exe
File opened (read-only)  \??\n:  rundll32.exe
File opened (read-only)  \??\p:  rundll32.exe
File opened (read-only)  \??\s:  rundll32.exe
File opened (read-only)  \??\a:  rundll32.exe
File opened (read-only)  \??\h:  rundll32.exe
File opened (read-only)  \??\j:  rundll32.exe
File opened (read-only)  \??\r:  rundll32.exe
File opened (read-only)  \??\y:  rundll32.exe
File opened (read-only)  \??\z:  rundll32.exe
File opened (read-only)  \??\g:  rundll32.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description: File opened for modification
ioc: \??\PHYSICALDRIVE0
Process: rundll32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid   Process
2620  rundll32.exe
Drops file in Program Files directory (2 IoCs)
description                   ioc                                          Process
File opened for modification  \??\c:\Program Files\ftnjx                   zfmjf.exe
File created                  \??\c:\Program Files\ftnjx\rjgypyuwv.dll     zfmjf.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                  Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      rundll32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  rundll32.exe
Runs ping.exe (1 TTPs, 1 IoCs)
pid   Process
2768  PING.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
2620  rundll32.exe  (64 identical entries)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2620  rundll32.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
2216  d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe
2584  zfmjf.exe
Suspicious use of WriteProcessMemory (19 IoCs)
description                        pid   Process                                                                 procid_target  entries
PID 2216 wrote to memory of 2240   2216  d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe   28             4
PID 2240 wrote to memory of 2768   2240  cmd.exe                                                                 30             4
PID 2240 wrote to memory of 2584   2240  cmd.exe                                                                 31             4
PID 2584 wrote to memory of 2620   2584  zfmjf.exe                                                               32             7
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe"
  PID: 2216
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\zfmjf.exe "C:\Users\Admin\AppData\Local\Temp\d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe"
    PID: 2240
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 2
      PID: 2768
      - Runs ping.exe
    Level 3: C:\Users\Admin\AppData\Local\Temp\zfmjf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\zfmjf.exe "C:\Users\Admin\AppData\Local\Temp\d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe"
      PID: 2584
      - Deletes itself
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Level 4: \??\c:\windows\SysWOW64\rundll32.exe
        Command line: c:\windows\system32\rundll32.exe "c:\Program Files\ftnjx\rjgypyuwv.dll",Verify C:\Users\Admin\AppData\Local\Temp\zfmjf.exe
        PID: 2620
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Adds Run key to start application
        - Enumerates connected drives
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
Filesize: 228KB
MD5: 3abf7dc8833cf450001398020923717b
SHA1: 8a553cbcb78d865e590a789ae0ed30faf497c1b4
SHA256: e1ae34a408922f64621c689f825804c11469f0c9095fe28ddcba761f46f69657
SHA512: 3141ecb01cc45cf133e72dff742faad47b384d24c8d5ca73ca3dadeb775bf3ac32aa7f76b6b2bba3a3684684874436e2cf9f94a8b0c05fb13a75e8fcd5dd9426

Filesize: 406KB
MD5: 248d79d5a8a5e14162f0c234a6ee9052
SHA1: 0a21c45323857d302b7ccf541a863bed39b0cb11
SHA256: 58d1c79443158ce45569f9a8ed8b1af19d5c6350b637a68f56d677e60f997ec1
SHA512: df88cb3dc501aca1743cfe054a478984a251ae8c3af6d8ed328b509e63588c8044098e305b88c86fc2b552e550908a9d1a9902d5b09fca3f8af448265e819349