Analysis
-
max time kernel
142s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
16-05-2024 03:14
Behavioral task
behavioral1
Sample
c70e06ce834e6a054e9323daae5eb797da7173696f1bb589430aa392651ecd32.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
c70e06ce834e6a054e9323daae5eb797da7173696f1bb589430aa392651ecd32.exe
Resource
win10v2004-20240426-en
General
-
Target
c70e06ce834e6a054e9323daae5eb797da7173696f1bb589430aa392651ecd32.exe
-
Size
240KB
-
MD5
d75e3236e471d4aa6a815411ffa047bf
-
SHA1
79da92d124702d91ba2258bfdbdadd25f7855d96
-
SHA256
c70e06ce834e6a054e9323daae5eb797da7173696f1bb589430aa392651ecd32
-
SHA512
95e02604d0f1451fef19c5edb7d388e2eb7f08666087a524ca1ae610611ecca922880dbb5a88baf30283eeeed0d37f328e4bdf1a577011d09335c0b4f7833fee
-
SSDEEP
6144:VBoXYv1rTTdFB4Tbk2V27e+fbhJAPNADR:XD1rT5vV2W
Malware Config
Signatures
-
Detects executables containing base64 encoded User Agent 2 IoCs
resource yara_rule behavioral2/memory/2332-13-0x0000000010000000-0x000000001004A000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent behavioral2/memory/2332-19-0x0000000010000000-0x000000001004A000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent -
Blocklisted process makes network request 8 IoCs
flow pid Process 13 2332 rundll32.exe 14 2332 rundll32.exe 15 2332 rundll32.exe 24 2332 rundll32.exe 36 2332 rundll32.exe 49 2332 rundll32.exe 64 2332 rundll32.exe 70 2332 rundll32.exe -
resource yara_rule behavioral2/files/0x0009000000023297-6.dat aspack_v212_v242 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation rundll32.exe -
Deletes itself 1 IoCs
pid Process 5240 estjf.exe -
Executes dropped EXE 2 IoCs
pid Process 5240 estjf.exe 2592 wiseman.exe -
Loads dropped DLL 1 IoCs
pid Process 2332 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wiseman = "C:\\wiseman.exe" wiseman.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\ppkcgvd\\qotcl.dll\",GetWindowClass" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\z: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\x: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2360 PING.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe 2332 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2332 rundll32.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 3956 c70e06ce834e6a054e9323daae5eb797da7173696f1bb589430aa392651ecd32.exe 5240 estjf.exe 2592 wiseman.exe 2592 wiseman.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 3956 wrote to memory of 4380 3956 c70e06ce834e6a054e9323daae5eb797da7173696f1bb589430aa392651ecd32.exe 83 PID 3956 wrote to memory of 4380 3956 c70e06ce834e6a054e9323daae5eb797da7173696f1bb589430aa392651ecd32.exe 83 PID 3956 wrote to memory of 4380 3956 c70e06ce834e6a054e9323daae5eb797da7173696f1bb589430aa392651ecd32.exe 83 PID 4380 wrote to memory of 2360 4380 cmd.exe 85 PID 4380 wrote to memory of 2360 4380 cmd.exe 85 PID 4380 wrote to memory of 2360 4380 cmd.exe 85 PID 4380 wrote to memory of 5240 4380 cmd.exe 89 PID 4380 wrote to memory of 5240 4380 cmd.exe 89 PID 4380 wrote to memory of 5240 4380 cmd.exe 89 PID 5240 wrote to memory of 2332 5240 estjf.exe 91 PID 5240 wrote to memory of 2332 5240 estjf.exe 91 PID 5240 wrote to memory of 2332 5240 estjf.exe 91 PID 2332 wrote to memory of 2592 2332 rundll32.exe 92 PID 2332 wrote to memory of 2592 2332 rundll32.exe 92 PID 2332 wrote to memory of 2592 2332 rundll32.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\c70e06ce834e6a054e9323daae5eb797da7173696f1bb589430aa392651ecd32.exe"C:\Users\Admin\AppData\Local\Temp\c70e06ce834e6a054e9323daae5eb797da7173696f1bb589430aa392651ecd32.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&c:\estjf.exe "C:\Users\Admin\AppData\Local\Temp\c70e06ce834e6a054e9323daae5eb797da7173696f1bb589430aa392651ecd32.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
PID:2360
-
-
\??\c:\estjf.exec:\estjf.exe "C:\Users\Admin\AppData\Local\Temp\c70e06ce834e6a054e9323daae5eb797da7173696f1bb589430aa392651ecd32.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5240 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\ppkcgvd\qotcl.dll",GetWindowClass c:\estjf.exe4⤵
- Blocklisted process makes network request
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\wiseman.exe"C:\wiseman.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2592
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
378KB
MD58f242369cf14f2b26ced131d7dd67144
SHA1d4f2f0f3047300ff5f36af6119ad5e109258fcd0
SHA25603505198d487e04a8ec82c627d34e4d9145f211140c4c8793b4461621e6bf6ce
SHA5124516b3fa2f68e64baf166bc7731ba3bb0ca53d36d71ff8fa78b1f211d7c14fc4442af50bd637d0c3f11913583c9c66996101d6e8738592a053e82a78bbd771f5
-
Filesize
240KB
MD5a253d66f041b8d6190ab19db63bfe0ff
SHA152b2ff8645aeaa5575db00354240280b8207f3e6
SHA25675d4e5ac31d2c89843231efd744196666a431f3bb139f1db8da25f0662333059
SHA5127378367c1884b7392ef405164212858026c21040f4b978fc15112143ba20a10acebc74bd9e7ef1db888a43c415dd65d98f1473cabfa60b5e26bfca6ea58aef3a
-
Filesize
71KB
MD510eb9b069e53509dfe5652372437858d
SHA1f5b7b4d4f4afe9439d78f43c1915cb3bd07fc620
SHA256c8c3ce80cc170f0a7a3a1ca9120e8279a3f323604b50478ad81869c4131f6315
SHA5126105b5547aa7754183471d395de4fabda8780b5000db2dc4d799bf3af27fca546a0548e6dcc4f435bee5f39e291cae400d7b8efd0d1d7034d31c4e92891b4051