Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-05-2024 23:18

General

  • Target

    42accdf0f1782c859eead78b0674ddceb53ab42181aac82d35d349fe7e6cff1e.exe

  • Size

    405KB

  • MD5

    9678c167f2b8fc5bcdd413c22a898991

  • SHA1

    6693e31ab0db353ff40b40f36e45f8d567120920

  • SHA256

    42accdf0f1782c859eead78b0674ddceb53ab42181aac82d35d349fe7e6cff1e

  • SHA512

    5a815c22a33df222354cad45ee922fa01abba49245b5a21d8e54c409894d66ba48ba08a5242f3f48b4a84f64f76a9936bd4b48263806ec66834e4265bf2ec553

  • SSDEEP

    6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse

Malware Config

Signatures

  • Blocklisted process makes network request 8 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42accdf0f1782c859eead78b0674ddceb53ab42181aac82d35d349fe7e6cff1e.exe
    "C:\Users\Admin\AppData\Local\Temp\42accdf0f1782c859eead78b0674ddceb53ab42181aac82d35d349fe7e6cff1e.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\ykoqx.exe "C:\Users\Admin\AppData\Local\Temp\42accdf0f1782c859eead78b0674ddceb53ab42181aac82d35d349fe7e6cff1e.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4420
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:1796
      • C:\Users\Admin\AppData\Local\Temp\ykoqx.exe
        C:\Users\Admin\AppData\Local\Temp\\ykoqx.exe "C:\Users\Admin\AppData\Local\Temp\42accdf0f1782c859eead78b0674ddceb53ab42181aac82d35d349fe7e6cff1e.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3648
        • \??\c:\windows\SysWOW64\rundll32.exe
          c:\windows\system32\rundll32.exe "c:\Program Files\lvhnx\fczqptjym.dll",Verify C:\Users\Admin\AppData\Local\Temp\ykoqx.exe
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1720

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ykoqx.exe

    Filesize

    405KB

    MD5

    964a7551ef872440345cd31ec23f2bd3

    SHA1

    0ad37ff7d1f71d9c8ccd059b801ac1c0d8e7d1c7

    SHA256

    e4fc5e42c8b5a7ea2d451333634ec1760c3560066f6a5749eab4868990beac7b

    SHA512

    31708d8fc35380624615a06daa3ec5492c8b43f453efb1493316509db6bbe82f64ff043de4607fefc6115cfb2c01fa70e8d71073aed9f887476ef99fc9b34e04

  • \??\c:\Program Files\lvhnx\fczqptjym.dll

    Filesize

    228KB

    MD5

    fd39262264f64dd3fd090b8738860e89

    SHA1

    87e238df8b02bb4fe067b523e3c2bc713eac4109

    SHA256

    f87a8a29489a2c962c8382df57cd963da0e351a164a8856a2df309be3b4810da

    SHA512

    40a2e2295dc0e0e64c3f447e90476afdb14e83ae5dd1b3cadee251ec1671be2db6014384df646a3efe2797994809a7110a3d53c1d55aafe306318854285ef2e0

  • memory/1720-11-0x0000000010000000-0x0000000010080000-memory.dmp

    Filesize

    512KB

  • memory/1720-12-0x0000000010000000-0x0000000010080000-memory.dmp

    Filesize

    512KB

  • memory/1720-14-0x0000000010000000-0x0000000010080000-memory.dmp

    Filesize

    512KB

  • memory/3648-6-0x0000000000400000-0x0000000000464000-memory.dmp

    Filesize

    400KB

  • memory/3648-8-0x0000000000400000-0x0000000000464000-memory.dmp

    Filesize

    400KB

  • memory/3672-0-0x0000000000400000-0x0000000000464000-memory.dmp

    Filesize

    400KB

  • memory/3672-2-0x0000000000400000-0x0000000000464000-memory.dmp

    Filesize

    400KB