Analysis
max time kernel: 150s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 21:32
Static task: static1
Behavioral task: behavioral1
  Sample: 158f86c2cdba0511336ded483a51d3f67cc905bbe03920b2d48a2906217b1828.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 158f86c2cdba0511336ded483a51d3f67cc905bbe03920b2d48a2906217b1828.exe
  Resource: win10v2004-20240426-en
General
Target: 158f86c2cdba0511336ded483a51d3f67cc905bbe03920b2d48a2906217b1828.exe
Size: 405KB
MD5: d593a7be4aa110558a7dc5cc88643aaa
SHA1: 98df8292e228247d6914026b6c1a29e7ff5d07ed
SHA256: 158f86c2cdba0511336ded483a51d3f67cc905bbe03920b2d48a2906217b1828
SHA512: 6a916cababd2068591e782ae8745a784bd3b04e1fbd37cf38d5764bb85c90dc17031b5408dc5e89e1eef6ef04bdcd4d9baa9205e919e5fd1dba49bda9a162570
SSDEEP: 6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse
Malware Config
Signatures
- Blocklisted process makes network request (9 IoCs)
  Processes (flow / pid / process):
    14  3664  rundll32.exe
    24  3664  rundll32.exe
    25  3664  rundll32.exe
    26  3664  rundll32.exe
    37  3664  rundll32.exe
    38  3664  rundll32.exe
    50  3664  rundll32.exe
    72  3664  rundll32.exe
    73  3664  rundll32.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    2436  odzon.exe
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    2436  odzon.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
    3664  rundll32.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\ihavn\\gmzblq.dll\",Verify"  rundll32.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description / ioc / process):
    File opened (read-only) by rundll32.exe: \??\w:, \??\j:, \??\l:, \??\m:, \??\q:, \??\s:, \??\t:, \??\u:, \??\z:, \??\b:, \??\h:, \??\i:, \??\k:, \??\n:, \??\r:, \??\e:, \??\p:, \??\a:, \??\g:, \??\o:, \??\v:, \??\x:, \??\y:
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (description / ioc / process):
    File opened for modification  \??\PHYSICALDRIVE0  rundll32.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes (pid / process):
    3664  rundll32.exe
- Drops file in Program Files directory (2 IoCs)
  Processes (description / ioc / process):
    File opened for modification  \??\c:\Program Files\ihavn  odzon.exe
    File created  \??\c:\Program Files\ihavn\gmzblq.dll  odzon.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  rundll32.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  rundll32.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process):
    3664  rundll32.exe  (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  3664  rundll32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid / process):
    920   158f86c2cdba0511336ded483a51d3f67cc905bbe03920b2d48a2906217b1828.exe
    2436  odzon.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 920 wrote to memory of 372    920   158f86c2cdba0511336ded483a51d3f67cc905bbe03920b2d48a2906217b1828.exe  cmd.exe  (3 entries)
    PID 372 wrote to memory of 1668   372   cmd.exe  PING.EXE  (3 entries)
    PID 372 wrote to memory of 2436   372   cmd.exe  odzon.exe  (3 entries)
    PID 2436 wrote to memory of 3664  2436  odzon.exe  rundll32.exe  (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\158f86c2cdba0511336ded483a51d3f67cc905bbe03920b2d48a2906217b1828.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\158f86c2cdba0511336ded483a51d3f67cc905bbe03920b2d48a2906217b1828.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\odzon.exe "C:\Users\Admin\AppData\Local\Temp\158f86c2cdba0511336ded483a51d3f67cc905bbe03920b2d48a2906217b1828.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         command line: ping 127.0.0.1 -n 2
         - Runs ping.exe
      3. C:\Users\Admin\AppData\Local\Temp\odzon.exe
         command line: C:\Users\Admin\AppData\Local\Temp\\odzon.exe "C:\Users\Admin\AppData\Local\Temp\158f86c2cdba0511336ded483a51d3f67cc905bbe03920b2d48a2906217b1828.exe"
         - Deletes itself
         - Executes dropped EXE
         - Drops file in Program Files directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. \??\c:\windows\SysWOW64\rundll32.exe
            command line: c:\windows\system32\rundll32.exe "c:\Program Files\ihavn\gmzblq.dll",Verify C:\Users\Admin\AppData\Local\Temp\odzon.exe
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Adds Run key to start application
            - Enumerates connected drives
            - Writes to the Master Boot Record (MBR)
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
C:\Program Files\ihavn\gmzblq.dll
  Filesize: 228KB
  MD5: e0060065423937be1f598fd1575aac00
  SHA1: 106c71f3d3fff9a10183604456eb316269f3e29b
  SHA256: b7fe351e26de2476e81b65572cd3dd324d9c41079b46de9534c05b992133e85a
  SHA512: 0a738bb1463026c599348a08459371af326b8bb5708bab00224cc5dba460ae2a50cd39c4aac5c41772bd0b2d08b37d55c67ca1c0fbb1827e856a3cf4a497a469
C:\Users\Admin\AppData\Local\Temp\odzon.exe
  Filesize: 405KB
  MD5: 042d18b7caae69c3b4f9e9762d765e3b
  SHA1: 03f33404bf7bd189a44930b5598df0e78b8ef462
  SHA256: 4cf037e75f4155d4ff648a659eecb6bd0030f178b6b4e0d472faddf8a2486ebf
  SHA512: 60aaaa9f7797d77c98fb48d3a8144a7a73039791a0eebc09928adf15a175d5a494ec131f21a5790feacf546a6e6af032e20e2d3036999ca5b6765614eb0366a0
memory/920-0-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
memory/920-2-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
memory/2436-6-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
memory/2436-8-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
memory/3664-11-0x0000000010000000-0x0000000010080000-memory.dmp
  Filesize: 512KB
memory/3664-12-0x0000000010000000-0x0000000010080000-memory.dmp
  Filesize: 512KB
memory/3664-14-0x0000000010000000-0x0000000010080000-memory.dmp
  Filesize: 512KB