Analysis
max time kernel: 149s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/05/2024, 07:14

Static task: static1
Behavioral task: behavioral1
  Sample: 399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe
  Resource: win10v2004-20240426-en
General
Target: 399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe
Size: 405KB
MD5: 46d7046511e97a1cdf512f8dea84e253
SHA1: 9ee8ddf44785ecc63b02570b7db97b1abf6bdb2a
SHA256: 399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2
SHA512: 46017fbbd0715d0984b711c5cb3757774fce47078ec341dd0f20f802355b62e9e4a0ec3be79e880fe48b817dce4ad81366a26a655fd9ecbc741fab48e782d749
SSDEEP: 6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4i:gtRfJcNYFNm8UhlZGsei
Signatures

Blocklisted process makes network request (8 IoCs)
  flow  pid   Process
  19    2000  rundll32.exe
  32    2000  rundll32.exe
  33    2000  rundll32.exe
  34    2000  rundll32.exe
  48    2000  rundll32.exe
  49    2000  rundll32.exe
  58    2000  rundll32.exe
  76    2000  rundll32.exe

Deletes itself (1 IoC)
  pid   Process
  3944  qmjqd.exe

Executes dropped EXE (1 IoC)
  pid   Process
  3944  qmjqd.exe

Loads dropped DLL (1 IoC)
  pid   Process
  2000  rundll32.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\fhuqy\\sdsvt.dll\",Verify"
  Process: rundll32.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)
  Process: rundll32.exe
  ioc (23 drive roots, in the order reported): \??\e:, \??\h:, \??\p:, \??\q:, \??\r:, \??\z:, \??\a:, \??\n:, \??\o:, \??\u:, \??\v:, \??\w:, \??\y:, \??\l:, \??\i:, \??\j:, \??\k:, \??\s:, \??\t:, \??\x:, \??\b:, \??\m:, \??\g:

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description: File opened for modification
  ioc: \??\PHYSICALDRIVE0
  Process: rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid   Process
  2000  rundll32.exe

Drops file in Program Files directory (2 IoCs)
  description: File created
  ioc: \??\c:\Program Files\fhuqy\sdsvt.dll
  Process: qmjqd.exe
  description: File opened for modification
  ioc: \??\c:\Program Files\fhuqy
  Process: qmjqd.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description: Key opened
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Process: rundll32.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Process: rundll32.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid   Process
  396   PING.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2000  rundll32.exe (the same entry is reported 64 times)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 2000
  Process: rundll32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  812   399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe
  3944  qmjqd.exe

Suspicious use of WriteProcessMemory (12 IoCs; each of the four entries below is reported three times)
  description                        pid   Process                                                                  procid_target
  PID 812 wrote to memory of 2788    812   399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe    84
  PID 2788 wrote to memory of 396    2788  cmd.exe                                                                  86
  PID 2788 wrote to memory of 3944   2788  cmd.exe                                                                  88
  PID 3944 wrote to memory of 2000   3944  qmjqd.exe                                                                89
Processes

C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe"
  PID: 812
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (level 2)
    command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\qmjqd.exe "C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe"
    PID: 2788
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (level 3)
      command line: ping 127.0.0.1 -n 2
      PID: 396
      - Runs ping.exe

    C:\Users\Admin\AppData\Local\Temp\qmjqd.exe (level 3)
      command line: C:\Users\Admin\AppData\Local\Temp\\qmjqd.exe "C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe"
      PID: 3944
      - Deletes itself
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\SysWOW64\rundll32.exe (level 4)
        command line: c:\windows\system32\rundll32.exe "c:\Program Files\fhuqy\sdsvt.dll",Verify C:\Users\Admin\AppData\Local\Temp\qmjqd.exe
        PID: 2000
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Adds Run key to start application
        - Enumerates connected drives
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads

Filesize: 228KB
MD5: 5dc74511078ee7d135e0f8c57882dc8f
SHA1: c0ef43cc42219f96e3765cd6d4be3f09058104ff
SHA256: 5fef57ac37033bd49f0a2d7a21e6aa09e20ff8f7c2686c9b18027b24e40286a4
SHA512: 7ed27c0d5e44f3f2cd7819ef533ca8f3052245ce1053f0f512d6b3e90eb34817dfc27dc18ec21e3d89a6a261d63179b85be7a173166600e8d07903042439dbdc

Filesize: 405KB
MD5: 9382de433d754d7bf90606ab0e4f9e10
SHA1: a0dc6a85094427c96247231db9e3bc37086d31ad
SHA256: d7cb5c8d8bdc984438a50a0021a6c031f6fb8dd160ea7954c377d98da2e81f93
SHA512: 87388127e3bf2ce3dca7828e5671241b25f2630ebbf856304acd468f6e4802e13222e7aa75bca7c5b4a170855df99f93c4dff9d6bba699f5342193e4753c9622