Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
07/05/2024, 04:15
Static task
static1
Behavioral task
behavioral1
Sample
33c2e83deecb9631716c249016ba7a460398af74260648a5b434ec0ea2cb793c.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
33c2e83deecb9631716c249016ba7a460398af74260648a5b434ec0ea2cb793c.exe
Resource
win10v2004-20240419-en
General
-
Target
33c2e83deecb9631716c249016ba7a460398af74260648a5b434ec0ea2cb793c.exe
-
Size
406KB
-
MD5
6261b4321aed3ecd2f700ed37c64843c
-
SHA1
7eeeb49a06410ef6df0e361d3dc5a43ee10492ad
-
SHA256
33c2e83deecb9631716c249016ba7a460398af74260648a5b434ec0ea2cb793c
-
SHA512
7971ae6bcb18466564be65196691aa62f8bc7fbd071e954749640bc29d4d127383291d9ce1f130865d8bb978e88a1ed130c57416364a7c8de774db2eeb0298d3
-
SSDEEP
6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse
Malware Config
Signatures
-
Blocklisted process makes network request 10 IoCs
flow pid Process 3 2724 rundll32.exe 5 2724 rundll32.exe 8 2724 rundll32.exe 9 2724 rundll32.exe 10 2724 rundll32.exe 13 2724 rundll32.exe 14 2724 rundll32.exe 15 2724 rundll32.exe 17 2724 rundll32.exe 18 2724 rundll32.exe -
Deletes itself 1 IoCs
pid Process 2628 nmegwa.exe -
Executes dropped EXE 1 IoCs
pid Process 2628 nmegwa.exe -
Loads dropped DLL 6 IoCs
pid Process 2160 cmd.exe 2160 cmd.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\tpgas\\rlyfbdu.dll\",Verify" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\z: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2724 rundll32.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created \??\c:\Program Files\tpgas\rlyfbdu.dll nmegwa.exe File opened for modification \??\c:\Program Files\tpgas nmegwa.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2796 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe 2724 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2724 rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1996 33c2e83deecb9631716c249016ba7a460398af74260648a5b434ec0ea2cb793c.exe 2628 nmegwa.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 1996 wrote to memory of 2160 1996 33c2e83deecb9631716c249016ba7a460398af74260648a5b434ec0ea2cb793c.exe 28 PID 1996 wrote to memory of 2160 1996 33c2e83deecb9631716c249016ba7a460398af74260648a5b434ec0ea2cb793c.exe 28 PID 1996 wrote to memory of 2160 1996 33c2e83deecb9631716c249016ba7a460398af74260648a5b434ec0ea2cb793c.exe 28 PID 1996 wrote to memory of 2160 1996 33c2e83deecb9631716c249016ba7a460398af74260648a5b434ec0ea2cb793c.exe 28 PID 2160 wrote to memory of 2796 2160 cmd.exe 30 PID 2160 wrote to memory of 2796 2160 cmd.exe 30 PID 2160 wrote to memory of 2796 2160 cmd.exe 30 PID 2160 wrote to memory of 2796 2160 cmd.exe 30 PID 2160 wrote to memory of 2628 2160 cmd.exe 31 PID 2160 wrote to memory of 2628 2160 cmd.exe 31 PID 2160 wrote to memory of 2628 2160 cmd.exe 31 PID 2160 wrote to memory of 2628 2160 cmd.exe 31 PID 2628 wrote to memory of 2724 2628 nmegwa.exe 32 PID 2628 wrote to memory of 2724 2628 nmegwa.exe 32 PID 2628 wrote to memory of 2724 2628 nmegwa.exe 32 PID 2628 wrote to memory of 2724 2628 nmegwa.exe 32 PID 2628 wrote to memory of 2724 2628 nmegwa.exe 32 PID 2628 wrote to memory of 2724 2628 nmegwa.exe 32 PID 2628 wrote to memory of 2724 2628 nmegwa.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\33c2e83deecb9631716c249016ba7a460398af74260648a5b434ec0ea2cb793c.exe"C:\Users\Admin\AppData\Local\Temp\33c2e83deecb9631716c249016ba7a460398af74260648a5b434ec0ea2cb793c.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\nmegwa.exe "C:\Users\Admin\AppData\Local\Temp\33c2e83deecb9631716c249016ba7a460398af74260648a5b434ec0ea2cb793c.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
PID:2796
-
-
C:\Users\Admin\AppData\Local\Temp\nmegwa.exeC:\Users\Admin\AppData\Local\Temp\\nmegwa.exe "C:\Users\Admin\AppData\Local\Temp\33c2e83deecb9631716c249016ba7a460398af74260648a5b434ec0ea2cb793c.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\Program Files\tpgas\rlyfbdu.dll",Verify C:\Users\Admin\AppData\Local\Temp\nmegwa.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
228KB
MD5c8f3c9dc95bf06b8ba775cedf3e7336a
SHA1e727801cf5a852cd96d360b2887281b48b8a1450
SHA2568ad0d4f5db68256fd9d6dfa3f95bce78c721b4a344ab6e1c15d44804a504f1de
SHA51295f156d8d221f8c9ecfece0bbd2af526ee68ad80c1cfe98a876fe877489f2081ec385d2174b97ee63454c7a4c183b51d4e1522c6208e7ac81a8117e9de117708
-
Filesize
406KB
MD55802ac3ffc78ad53bb6c27a7e798f5f8
SHA1f0a2fc04c09b8e407d2c84bd7c5178d063447b91
SHA256401334a26250d2c2557deeb894b17c74bd2136498fe9754338423587a2594189
SHA5124575d0c652583fe91f54aedac16ac89fcfed3973ac08dce122dc5cd02af4dff33575b26bf99675786e55dd994b5f8c29b7b93e3aaa896f850586b1279e5d8314