384d07bdff2eb0c64b29c4c0b4444aaddc1a7e22a97f89e9219655035dd7e5b7

General

Target

384d07bdff2eb0c64b29c4c0b4444aaddc1a7e22a97f89e9219655035dd7e5b7.exe
Size

155KB
MD5

3232708db6260a3593e30d783fd325ea
SHA1

6d046a780124b33c88cf505cf2b771efd1197164
SHA256

384d07bdff2eb0c64b29c4c0b4444aaddc1a7e22a97f89e9219655035dd7e5b7
SHA512

dac1fdffbb24478dfe72d68744fcfb592c3dfaae204247801646366fd2ffaef2e1cafe7a1ca2a052bbd3261806afcb337544120ccc753d6458e37d32bc713844
SSDEEP

3072:oZpYg19EeiLLmjempGuCYooEK1JWaCItULG3rt2Wcora4dI:OPjEl6jLiQ1JW+Oy3p/

Score

7^/10

bootkit persistence spyware stealer

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\??\c:\Program Files\eklvz\vejgd.dll	acprotect

Deletes itself 1 IoCs

Processes:

xnafd.exe

pid process

1920 xnafd.exe
Executes dropped EXE 2 IoCs

Processes:

xnafd.exevej.exe

pid process

1920 xnafd.exe
2736 vej.exe
Loads dropped DLL 7 IoCs

Processes:

cmd.exexnafd.exevej.exe

pid process

2400 cmd.exe
2400 cmd.exe
1920 xnafd.exe
2736 vej.exe
2736 vej.exe
2736 vej.exe
2736 vej.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1920	xnafd.exe

pid	process
1920	xnafd.exe
2736	vej.exe

pid	process
2400	cmd.exe
2400	cmd.exe
1920	xnafd.exe
2736	vej.exe
2736	vej.exe
2736	vej.exe
2736	vej.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vej.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Linycpy = "c:\\Program Files\\eklvz\\vej.exe \"c:\\Program Files\\eklvz\\vejgd.dll\",SetHandle"	vej.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vej.exe

description	ioc	process
File opened (read-only)	\??\a:	vej.exe
File opened (read-only)	\??\g:	vej.exe
File opened (read-only)	\??\j:	vej.exe
File opened (read-only)	\??\m:	vej.exe
File opened (read-only)	\??\o:	vej.exe
File opened (read-only)	\??\s:	vej.exe
File opened (read-only)	\??\w:	vej.exe
File opened (read-only)	\??\b:	vej.exe
File opened (read-only)	\??\e:	vej.exe
File opened (read-only)	\??\k:	vej.exe
File opened (read-only)	\??\n:	vej.exe
File opened (read-only)	\??\r:	vej.exe
File opened (read-only)	\??\y:	vej.exe
File opened (read-only)	\??\h:	vej.exe
File opened (read-only)	\??\i:	vej.exe
File opened (read-only)	\??\p:	vej.exe
File opened (read-only)	\??\t:	vej.exe
File opened (read-only)	\??\l:	vej.exe
File opened (read-only)	\??\q:	vej.exe
File opened (read-only)	\??\u:	vej.exe
File opened (read-only)	\??\v:	vej.exe
File opened (read-only)	\??\x:	vej.exe
File opened (read-only)	\??\z:	vej.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

vej.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 vej.exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	vej.exe

Drops file in Program Files directory 4 IoCs

Processes:

xnafd.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\eklvz	xnafd.exe
File created	\??\c:\Program Files\eklvz\vejgd.dll	xnafd.exe
File created	\??\c:\Program Files\eklvz\vej.exe	xnafd.exe
File opened for modification	\??\c:\Program Files\eklvz\vej.exe	xnafd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vej.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vej.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vej.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2272 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vej.exe

pid process

2736 vej.exe
2736 vej.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vej.exe

description pid process

Token: SeDebugPrivilege 2736 vej.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

384d07bdff2eb0c64b29c4c0b4444aaddc1a7e22a97f89e9219655035dd7e5b7.exexnafd.exe

pid process

2148 384d07bdff2eb0c64b29c4c0b4444aaddc1a7e22a97f89e9219655035dd7e5b7.exe
1920 xnafd.exe

pid	process
2272	PING.EXE

pid	process
2736	vej.exe
2736	vej.exe

description	pid	process
Token: SeDebugPrivilege	2736	vej.exe

pid	process
2148	384d07bdff2eb0c64b29c4c0b4444aaddc1a7e22a97f89e9219655035dd7e5b7.exe
1920	xnafd.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

384d07bdff2eb0c64b29c4c0b4444aaddc1a7e22a97f89e9219655035dd7e5b7.execmd.exexnafd.exe

description	pid	process	target process
PID 2148 wrote to memory of 2400	2148	384d07bdff2eb0c64b29c4c0b4444aaddc1a7e22a97f89e9219655035dd7e5b7.exe	cmd.exe
PID 2148 wrote to memory of 2400	2148	384d07bdff2eb0c64b29c4c0b4444aaddc1a7e22a97f89e9219655035dd7e5b7.exe	cmd.exe
PID 2148 wrote to memory of 2400	2148	384d07bdff2eb0c64b29c4c0b4444aaddc1a7e22a97f89e9219655035dd7e5b7.exe	cmd.exe
PID 2148 wrote to memory of 2400	2148	384d07bdff2eb0c64b29c4c0b4444aaddc1a7e22a97f89e9219655035dd7e5b7.exe	cmd.exe
PID 2400 wrote to memory of 2272	2400	cmd.exe	PING.EXE
PID 2400 wrote to memory of 2272	2400	cmd.exe	PING.EXE
PID 2400 wrote to memory of 2272	2400	cmd.exe	PING.EXE
PID 2400 wrote to memory of 2272	2400	cmd.exe	PING.EXE
PID 2400 wrote to memory of 1920	2400	cmd.exe	xnafd.exe
PID 2400 wrote to memory of 1920	2400	cmd.exe	xnafd.exe
PID 2400 wrote to memory of 1920	2400	cmd.exe	xnafd.exe
PID 2400 wrote to memory of 1920	2400	cmd.exe	xnafd.exe
PID 1920 wrote to memory of 2736	1920	xnafd.exe	vej.exe
PID 1920 wrote to memory of 2736	1920	xnafd.exe	vej.exe
PID 1920 wrote to memory of 2736	1920	xnafd.exe	vej.exe
PID 1920 wrote to memory of 2736	1920	xnafd.exe	vej.exe

C:\Users\Admin\AppData\Local\Temp\384d07bdff2eb0c64b29c4c0b4444aaddc1a7e22a97f89e9219655035dd7e5b7.exe
"C:\Users\Admin\AppData\Local\Temp\384d07bdff2eb0c64b29c4c0b4444aaddc1a7e22a97f89e9219655035dd7e5b7.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\xnafd.exe "C:\Users\Admin\AppData\Local\Temp\384d07bdff2eb0c64b29c4c0b4444aaddc1a7e22a97f89e9219655035dd7e5b7.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:2272
- - C:\Users\Admin\AppData\Local\Temp\xnafd.exe
    C:\Users\Admin\AppData\Local\Temp\\xnafd.exe "C:\Users\Admin\AppData\Local\Temp\384d07bdff2eb0c64b29c4c0b4444aaddc1a7e22a97f89e9219655035dd7e5b7.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - \??\c:\Program Files\eklvz\vej.exe
      "c:\Program Files\eklvz\vej.exe" "c:\Program Files\eklvz\vejgd.dll",SetHandle C:\Users\Admin\AppData\Local\Temp\xnafd.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Enumerates connected drives
      Writes to the Master Boot Record (MBR)
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\Program Files\eklvz\vejgd.dll

Filesize
128KB

MD5
57674249a2fa2f033cb6b5bcc6eac23a

SHA1
f8810df9e508ed4382739802079ab55e7cc09793

SHA256
d9927ab00fc57a6a372f6a05b8d87761127a899bc307adde60a23406e91aadfc

SHA512
f3109795962773af267e01c77ac2cb2faee4f610d91c8d348a17e721d0a4d04bd508a5a1941bd1789890549f09e3862099886e3808ee6a8b9b432f16b6b8a1a3

Download Submit
\Program Files\eklvz\vej.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Users\Admin\AppData\Local\Temp\xnafd.exe

Filesize
155KB

MD5
151f03e390e4884d33cd71eb10f45173

SHA1
d7da681af85f1a1a111aacd90a84517350b99011

SHA256
66959e075fef573b02f73df82a3e50982f047192c2b444763ee191bc041eee6f

SHA512
2de349f7749d9fb5d6e5f3c8c43ae9ee2b2e0c2adfb8e895534d160f800fb7e2d449df43d635d053c7cf74c865a515c227a99e3913bd82f5b9dc0077ec16f353

Download Submit
memory/1920-15-0x0000000000400000-0x000000000042F036-memory.dmp

Filesize
188KB

Download
memory/2148-0-0x0000000000400000-0x000000000042F036-memory.dmp

Filesize
188KB

Download
memory/2148-2-0x0000000000400000-0x000000000042F036-memory.dmp

Filesize
188KB

Download
memory/2400-8-0x0000000000160000-0x0000000000190000-memory.dmp

Filesize
192KB

Download
memory/2400-7-0x0000000000160000-0x0000000000190000-memory.dmp

Filesize
192KB

Download
memory/2736-23-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2736-24-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2736-28-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2736-29-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads