Analysis

  • max time kernel: 149s
  • max time network: 139s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240426-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 07/05/2024, 07:14

General

  • Target: 399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe
  • Size: 405KB
  • MD5: 46d7046511e97a1cdf512f8dea84e253
  • SHA1: 9ee8ddf44785ecc63b02570b7db97b1abf6bdb2a
  • SHA256: 399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2
  • SHA512: 46017fbbd0715d0984b711c5cb3757774fce47078ec341dd0f20f802355b62e9e4a0ec3be79e880fe48b817dce4ad81366a26a655fd9ecbc741fab48e782d749
  • SSDEEP: 6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4i:gtRfJcNYFNm8UhlZGsei

Malware Config

Signatures

  • Blocklisted process makes network request 8 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe
    "C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:812
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\qmjqd.exe "C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:396
      • C:\Users\Admin\AppData\Local\Temp\qmjqd.exe
        C:\Users\Admin\AppData\Local\Temp\\qmjqd.exe "C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3944
        • \??\c:\windows\SysWOW64\rundll32.exe
          c:\windows\system32\rundll32.exe "c:\Program Files\fhuqy\sdsvt.dll",Verify C:\Users\Admin\AppData\Local\Temp\qmjqd.exe
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2000

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files\fhuqy\sdsvt.dll
          Filesize: 228KB
          MD5: 5dc74511078ee7d135e0f8c57882dc8f
          SHA1: c0ef43cc42219f96e3765cd6d4be3f09058104ff
          SHA256: 5fef57ac37033bd49f0a2d7a21e6aa09e20ff8f7c2686c9b18027b24e40286a4
          SHA512: 7ed27c0d5e44f3f2cd7819ef533ca8f3052245ce1053f0f512d6b3e90eb34817dfc27dc18ec21e3d89a6a261d63179b85be7a173166600e8d07903042439dbdc

        • C:\Users\Admin\AppData\Local\Temp\qmjqd.exe
          Filesize: 405KB
          MD5: 9382de433d754d7bf90606ab0e4f9e10
          SHA1: a0dc6a85094427c96247231db9e3bc37086d31ad
          SHA256: d7cb5c8d8bdc984438a50a0021a6c031f6fb8dd160ea7954c377d98da2e81f93
          SHA512: 87388127e3bf2ce3dca7828e5671241b25f2630ebbf856304acd468f6e4802e13222e7aa75bca7c5b4a170855df99f93c4dff9d6bba699f5342193e4753c9622

        • memory/812-0-0x0000000000400000-0x0000000000464000-memory.dmp
          Filesize: 400KB

        • memory/812-2-0x0000000000400000-0x0000000000464000-memory.dmp
          Filesize: 400KB

        • memory/2000-11-0x0000000010000000-0x0000000010080000-memory.dmp
          Filesize: 512KB

        • memory/2000-12-0x0000000010000000-0x0000000010080000-memory.dmp
          Filesize: 512KB

        • memory/2000-14-0x0000000010000000-0x0000000010080000-memory.dmp
          Filesize: 512KB

        • memory/3944-6-0x0000000000400000-0x0000000000464000-memory.dmp
          Filesize: 400KB

        • memory/3944-8-0x0000000000400000-0x0000000000464000-memory.dmp
          Filesize: 400KB