Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2024 21:32
Static task: static1
Behavioral task: behavioral1
  Sample: 158f86c2cdba0511336ded483a51d3f67cc905bbe03920b2d48a2906217b1828.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 158f86c2cdba0511336ded483a51d3f67cc905bbe03920b2d48a2906217b1828.exe
  Resource: win10v2004-20240426-en
General
Target: 158f86c2cdba0511336ded483a51d3f67cc905bbe03920b2d48a2906217b1828.exe
Size: 405KB
MD5: d593a7be4aa110558a7dc5cc88643aaa
SHA1: 98df8292e228247d6914026b6c1a29e7ff5d07ed
SHA256: 158f86c2cdba0511336ded483a51d3f67cc905bbe03920b2d48a2906217b1828
SHA512: 6a916cababd2068591e782ae8745a784bd3b04e1fbd37cf38d5764bb85c90dc17031b5408dc5e89e1eef6ef04bdcd4d9baa9205e919e5fd1dba49bda9a162570
SSDEEP: 6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse
Malware Config
Signatures
-
Blocklisted process makes network request (10 IoCs)
Processes (flow | pid | process):
3 | 3060 | rundll32.exe
5 | 3060 | rundll32.exe
8 | 3060 | rundll32.exe
9 | 3060 | rundll32.exe
10 | 3060 | rundll32.exe
13 | 3060 | rundll32.exe
14 | 3060 | rundll32.exe
15 | 3060 | rundll32.exe
17 | 3060 | rundll32.exe
18 | 3060 | rundll32.exe
-
Deletes itself (1 IoCs)
Processes (pid | process):
2992 | lxqxo.exe
-
Executes dropped EXE (1 IoCs)
Processes (pid | process):
2992 | lxqxo.exe
-
Loads dropped DLL (6 IoCs)
Processes (pid | process):
2104 | cmd.exe
2104 | cmd.exe
3060 | rundll32.exe
3060 | rundll32.exe
3060 | rundll32.exe
3060 | rundll32.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\cbhtn\\ztdrcwxs.dll\",Verify" | rundll32.exe
-
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description | ioc | process):
File opened (read-only) | \??\<drive>: for drive letters q, t, l, m, o, s, a, b, i, j, u, w, x, k, r, y, p, v, z, e, g, h, n (23 entries, one per drive letter) | rundll32.exe
-
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (description | ioc | process):
File opened for modification | \??\PHYSICALDRIVE0 | rundll32.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes (pid | process):
3060 | rundll32.exe
-
Drops file in Program Files directory (2 IoCs)
Processes (description | ioc | process):
File opened for modification | \??\c:\Program Files\cbhtn | lxqxo.exe
File created | \??\c:\Program Files\cbhtn\ztdrcwxs.dll | lxqxo.exe
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
-
Runs ping.exe (1 TTPs, 1 IoCs)
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process):
3060 | rundll32.exe (64 identical entries)
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description | pid | process):
Token: SeDebugPrivilege | 3060 | rundll32.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid | process):
2756 | 158f86c2cdba0511336ded483a51d3f67cc905bbe03920b2d48a2906217b1828.exe
2992 | lxqxo.exe
-
Suspicious use of WriteProcessMemory (19 IoCs)
Processes (description | pid | process | target process):
PID 2756 wrote to memory of 2104 | 2756 | 158f86c2cdba0511336ded483a51d3f67cc905bbe03920b2d48a2906217b1828.exe | cmd.exe (4 entries)
PID 2104 wrote to memory of 2368 | 2104 | cmd.exe | PING.EXE (4 entries)
PID 2104 wrote to memory of 2992 | 2104 | cmd.exe | lxqxo.exe (4 entries)
PID 2992 wrote to memory of 3060 | 2992 | lxqxo.exe | rundll32.exe (7 entries)
Processes
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\158f86c2cdba0511336ded483a51d3f67cc905bbe03920b2d48a2906217b1828.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\158f86c2cdba0511336ded483a51d3f67cc905bbe03920b2d48a2906217b1828.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2756
  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\lxqxo.exe "C:\Users\Admin\AppData\Local\Temp\158f86c2cdba0511336ded483a51d3f67cc905bbe03920b2d48a2906217b1828.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2104
    (depth 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 2
      - Runs ping.exe
      PID: 2368
    (depth 3) C:\Users\Admin\AppData\Local\Temp\lxqxo.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\lxqxo.exe "C:\Users\Admin\AppData\Local\Temp\158f86c2cdba0511336ded483a51d3f67cc905bbe03920b2d48a2906217b1828.exe"
      - Deletes itself
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2992
      (depth 4) \??\c:\windows\SysWOW64\rundll32.exe
        Command line: c:\windows\system32\rundll32.exe "c:\Program Files\cbhtn\ztdrcwxs.dll",Verify C:\Users\Admin\AppData\Local\Temp\lxqxo.exe
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Adds Run key to start application
        - Enumerates connected drives
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3060
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
-
\??\c:\Program Files\cbhtn\ztdrcwxs.dll
Filesize: 228KB
MD5: c3e2fc59f3186c390e1cacb31330789b
SHA1: 3845bff4bfd676dffa629dda8a254c7061abc94c
SHA256: 7319a96e81681758bff9346acc384506ff560d70d106a652e1ff76f510d5f8d2
SHA512: a71615e04812d5311b2d8cee56e14d9abf895a7c72ac8c5151689e4ed3b3c3cb996045cecf83b1cd02128e68454c41c56755871ad22876e69041dc5fd2676ee9
-
\Users\Admin\AppData\Local\Temp\lxqxo.exe
Filesize: 405KB
MD5: 34a428aef99021eeeac605733168b4a5
SHA1: cd0c2a84a40a7a2a65cf41637c97353d07a1fe5f
SHA256: 33139b92574bad5774b68900da9d5cc1853949716d40aa832829c113b61d1b75
SHA512: afba26f0dfecbf51772c1ae18053cbc91097147b501e9bcd0155dc2fa1cbc2b2e2423faaa8c958da4eac17bb18c29250420688c55e5857e7e841d007d699cfd5
-
memory/2756-0-0x0000000000400000-0x0000000000464000-memory.dmp
Filesize: 400KB
-
memory/2756-2-0x0000000000400000-0x0000000000464000-memory.dmp
Filesize: 400KB
-
memory/2992-7-0x0000000000400000-0x0000000000464000-memory.dmp
Filesize: 400KB
-
memory/2992-9-0x0000000000400000-0x0000000000464000-memory.dmp
Filesize: 400KB
-
memory/3060-13-0x0000000010000000-0x0000000010080000-memory.dmp
Filesize: 512KB
-
memory/3060-16-0x0000000010000000-0x0000000010080000-memory.dmp
Filesize: 512KB
-
memory/3060-17-0x0000000010000000-0x0000000010080000-memory.dmp
Filesize: 512KB
-
memory/3060-19-0x0000000010000000-0x0000000010080000-memory.dmp
Filesize: 512KB