Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
07/05/2024, 07:14
Static task
static1
Behavioral task
behavioral1
Sample
399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe
Resource
win10v2004-20240426-en
General
-
Target
399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe
-
Size
405KB
-
MD5
46d7046511e97a1cdf512f8dea84e253
-
SHA1
9ee8ddf44785ecc63b02570b7db97b1abf6bdb2a
-
SHA256
399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2
-
SHA512
46017fbbd0715d0984b711c5cb3757774fce47078ec341dd0f20f802355b62e9e4a0ec3be79e880fe48b817dce4ad81366a26a655fd9ecbc741fab48e782d749
-
SSDEEP
6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4i:gtRfJcNYFNm8UhlZGsei
Malware Config
Signatures
-
Blocklisted process makes network request 10 IoCs
flow pid Process 3 2672 rundll32.exe 5 2672 rundll32.exe 8 2672 rundll32.exe 9 2672 rundll32.exe 10 2672 rundll32.exe 13 2672 rundll32.exe 14 2672 rundll32.exe 15 2672 rundll32.exe 17 2672 rundll32.exe 18 2672 rundll32.exe -
Deletes itself 1 IoCs
pid Process 3036 qczzp.exe -
Executes dropped EXE 1 IoCs
pid Process 3036 qczzp.exe -
Loads dropped DLL 6 IoCs
pid Process 1320 cmd.exe 1320 cmd.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\mumlltpsm\\dprgz.dll\",Verify" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\z: rundll32.exe File opened (read-only) \??\a: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2672 rundll32.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification \??\c:\Program Files\mumlltpsm qczzp.exe File created \??\c:\Program Files\mumlltpsm\dprgz.dll qczzp.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2980 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe 2672 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2672 rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2496 399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe 3036 qczzp.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 2496 wrote to memory of 1320 2496 399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe 28 PID 2496 wrote to memory of 1320 2496 399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe 28 PID 2496 wrote to memory of 1320 2496 399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe 28 PID 2496 wrote to memory of 1320 2496 399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe 28 PID 1320 wrote to memory of 2980 1320 cmd.exe 30 PID 1320 wrote to memory of 2980 1320 cmd.exe 30 PID 1320 wrote to memory of 2980 1320 cmd.exe 30 PID 1320 wrote to memory of 2980 1320 cmd.exe 30 PID 1320 wrote to memory of 3036 1320 cmd.exe 31 PID 1320 wrote to memory of 3036 1320 cmd.exe 31 PID 1320 wrote to memory of 3036 1320 cmd.exe 31 PID 1320 wrote to memory of 3036 1320 cmd.exe 31 PID 3036 wrote to memory of 2672 3036 qczzp.exe 32 PID 3036 wrote to memory of 2672 3036 qczzp.exe 32 PID 3036 wrote to memory of 2672 3036 qczzp.exe 32 PID 3036 wrote to memory of 2672 3036 qczzp.exe 32 PID 3036 wrote to memory of 2672 3036 qczzp.exe 32 PID 3036 wrote to memory of 2672 3036 qczzp.exe 32 PID 3036 wrote to memory of 2672 3036 qczzp.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe"C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\qczzp.exe "C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
PID:2980
-
-
C:\Users\Admin\AppData\Local\Temp\qczzp.exeC:\Users\Admin\AppData\Local\Temp\\qczzp.exe "C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\Program Files\mumlltpsm\dprgz.dll",Verify C:\Users\Admin\AppData\Local\Temp\qczzp.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
405KB
MD54b0cbc710f0657e76ab511132d72dd8d
SHA14591d6db054ca9919f0d4e5fd66d9357eafd6b78
SHA256ba2ba7b22d8229c188522b54d07ed3d6915e14e468fc5a1b879f1d8d7d4b7c35
SHA51269486a98da468cf68945ca4baddff71acabd137a1628035bd5fd73ee45dcdd382713a214faa0518c4d9262f8b044c46d74986fceec4d03c668fa53e28dcb0432
-
Filesize
228KB
MD5eee605772987be435566d9b7461ad9cc
SHA1e5ecf62c599adb531da370d2914b26ac07c75be2
SHA256cc1c04aabd0dba7572a55f052a077190846a60b91200e47a38b5f56fe9f6a0be
SHA5128e079d14926e31a907f3fd110c71c208a0017a495c284254e57f4e39204ba8aa2c5b26bb1e020bde712260bcba7c47e4c40c4ea440c8a3f07a643bc952688260