Analysis

- max time kernel: 149s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 15:32
Static task: static1

Behavioral task: behavioral1
- Sample: d4798dc4602e154fec8aa0de70258e21d50508bce92d6984da9cac8efbdb2527.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: d4798dc4602e154fec8aa0de70258e21d50508bce92d6984da9cac8efbdb2527.exe
- Resource: win10v2004-20240426-en
General

- Target: d4798dc4602e154fec8aa0de70258e21d50508bce92d6984da9cac8efbdb2527.exe
- Size: 405KB
- MD5: bbf28709828d7d3212d88b3ad2d8eaa8
- SHA1: fd63fd2dc5d31fae8d1237d8119045b556735d11
- SHA256: d4798dc4602e154fec8aa0de70258e21d50508bce92d6984da9cac8efbdb2527
- SHA512: 7c92811f465bfcb8553d6b72d613ee9c86bd67bf2576d24664a08fd8eb458aae5df15217fbaf4b49def3960e2a16b260700c3800cfdc289dd2e8b82eadf3b83b
- SSDEEP: 6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse
Malware Config
Signatures

- Blocklisted process makes network request (8 IoCs)
  Processes (flow, pid, process):
  25 | 5088 | rundll32.exe
  32 | 5088 | rundll32.exe
  33 | 5088 | rundll32.exe
  34 | 5088 | rundll32.exe
  45 | 5088 | rundll32.exe
  46 | 5088 | rundll32.exe
  57 | 5088 | rundll32.exe
  71 | 5088 | rundll32.exe

- Deletes itself (1 IoC)
  Processes (pid, process):
  3956 | zcwjw.exe

- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  3956 | zcwjw.exe

- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  5088 | rundll32.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\hdcxi\\madzp.dll\",Verify" | rundll32.exe

- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description, ioc, process):
  File opened (read-only) by rundll32.exe on each of the following roots (listed here alphabetically): \??\a:, \??\b:, \??\e:, \??\g:, \??\h:, \??\i:, \??\j:, \??\k:, \??\l:, \??\m:, \??\n:, \??\o:, \??\p:, \??\q:, \??\r:, \??\s:, \??\t:, \??\u:, \??\v:, \??\w:, \??\x:, \??\y:, \??\z:

- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (description, ioc, process):
  File opened for modification | \??\PHYSICALDRIVE0 | rundll32.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes (pid, process):
  5088 | rundll32.exe

- Drops file in Program Files directory (2 IoCs)
  Processes (description, ioc, process):
  File opened for modification | \??\c:\Program Files\hdcxi | zcwjw.exe
  File created | \??\c:\Program Files\hdcxi\madzp.dll | zcwjw.exe

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe

- Runs ping.exe (1 TTP, 1 IoC)
  No process table is given for this signature; the process tree below shows PING.EXE (PID 3452).

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
  5088 | rundll32.exe (64 occurrences)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  Token: SeDebugPrivilege | 5088 | rundll32.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
  3852 | d4798dc4602e154fec8aa0de70258e21d50508bce92d6984da9cac8efbdb2527.exe
  3956 | zcwjw.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process); each pair appears three times in the report:
  PID 3852 wrote to memory of 2012 | 3852 | d4798dc4602e154fec8aa0de70258e21d50508bce92d6984da9cac8efbdb2527.exe | cmd.exe (x3)
  PID 2012 wrote to memory of 3452 | 2012 | cmd.exe | PING.EXE (x3)
  PID 2012 wrote to memory of 3956 | 2012 | cmd.exe | zcwjw.exe (x3)
  PID 3956 wrote to memory of 5088 | 3956 | zcwjw.exe | rundll32.exe (x3)
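The "Writes to the Master Boot Record (MBR)" signature above records rundll32.exe opening \??\PHYSICALDRIVE0 for modification. The follow-up a responder wants is a check of what sector 0 actually contains. The block below is an added example, not code from the report or the sandbox vendor: it parses one 512-byte MBR sector (bootstrap code, disk signature, partition table, 0x55AA boot signature) and compares the bootstrap code against a known-good hash. The sample sector, the bootstrap stub bytes and the function names are constructed for the example; on a live Windows host the same bytes come from reading the first 512 bytes of \\.\PhysicalDrive0 as Administrator.

```python
r"""Added example, not part of the sandbox report: parse one 512-byte MBR sector and
check it against a known-good baseline. The sector built by build_sample_mbr() is
constructed for the example; on a live Windows host the same bytes come from
open(r"\\.\PhysicalDrive0", "rb").read(512), which needs Administrator rights."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: bootstrap code, the part a bootkit rewrites
DISK_SIG_OFF = 440       # 4-byte disk signature (stable per disk, excluded from hash)
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # bytes 510..511


def build_sample_mbr(boot_code: bytes, disk_signature: int = 0xDEADBEEF) -> bytes:
    """Construct a valid MBR for the example: one active NTFS (0x07) partition
    starting at LBA 2048 and a correct 0x55AA boot signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    if len(code) != BOOT_CODE_LEN:
        raise ValueError("bootstrap code must fit in 440 bytes")
    # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    empty_entries = b"\x00" * (16 * 3)
    return (code + struct.pack("<I", disk_signature) + b"\x00\x00"
            + entry + empty_entries + BOOT_SIG)


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector into the fields worth comparing."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:   # partition type 0 means the slot is unused
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIG,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return human-readable findings; an empty list means the sector matches
    the baseline and is structurally sane."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("bootstrap code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings


def read_live_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a physical drive (Windows, run elevated). Not called here."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


if __name__ == "__main__":
    # Constructed bootstrap stub standing in for real boot code.
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
    baseline = parse_mbr(clean)["boot_code_sha256"]
    tampered = bytearray(clean)
    tampered[0:4] = b"\xeb\x58\x90\x00"   # first bytes rewritten, as a bootkit would
    print(check_mbr(clean, baseline))            # []
    print(check_mbr(bytes(tampered), baseline))  # ['bootstrap code differs from baseline']
```

The baseline hash is taken over bytes 0..439 only: the disk signature at offset 440 and the partition table legitimately differ from machine to machine, so hashing the whole sector would make every host look tampered. A partition-table change without a bootstrap-code change still shows up through the parsed entries.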
Processes

C:\Users\Admin\AppData\Local\Temp\d4798dc4602e154fec8aa0de70258e21d50508bce92d6984da9cac8efbdb2527.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d4798dc4602e154fec8aa0de70258e21d50508bce92d6984da9cac8efbdb2527.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3852

  C:\Windows\SysWOW64\cmd.exe (depth 2, child of 3852)
    Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\zcwjw.exe "C:\Users\Admin\AppData\Local\Temp\d4798dc4602e154fec8aa0de70258e21d50508bce92d6984da9cac8efbdb2527.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2012

    C:\Windows\SysWOW64\PING.EXE (depth 3, child of 2012)
      Command line: ping 127.0.0.1 -n 2
      - Runs ping.exe
      PID: 3452

    C:\Users\Admin\AppData\Local\Temp\zcwjw.exe (depth 3, child of 2012)
      Command line: C:\Users\Admin\AppData\Local\Temp\\zcwjw.exe "C:\Users\Admin\AppData\Local\Temp\d4798dc4602e154fec8aa0de70258e21d50508bce92d6984da9cac8efbdb2527.exe"
      - Deletes itself
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 3956

      \??\c:\windows\SysWOW64\rundll32.exe (depth 4, child of 3956)
        Command line: c:\windows\system32\rundll32.exe "c:\Program Files\hdcxi\madzp.dll",Verify C:\Users\Admin\AppData\Local\Temp\zcwjw.exe
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Adds Run key to start application
        - Enumerates connected drives
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 5088
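Three things in this tree are directly detectable from process, registry and file events: cmd.exe pinging 127.0.0.1 as a delay before launching the dropped copy, the Run value "Dotx" that starts rundll32.exe on a DLL under Program Files with the export "Verify", and rundll32.exe opening \??\PHYSICALDRIVE0 for writing. The block below is an added example, not code from the report or the sandbox vendor: three rules run offline over constructed Sysmon-style events whose values are copied from this report. The event field names (event, pid, image, cmdline, key, data, path, access), the rule names and the benign control event are assumptions of this example, not any EDR or Sysmon schema.

```python
"""Added example, not part of the sandbox report: detection logic for three of the
behaviours in the process tree, run offline over constructed Sysmon-style events
that reuse the report's own command lines, Run value and raw-disk open. The event
field names and rule names are assumptions of this example, not an EDR schema."""
import re
from typing import Dict, List

# Rule 1: cmd.exe /c ping 127.0.0.1 -n N & <exe>. Pinging localhost is a cheap
# sleep; the executable after the & is what actually runs once the delay ends.
PING_DELAY = re.compile(
    r"ping\s+(?:127\.0\.0\.1|localhost)\s+-n\s+\d+\s*&+\s*(?P<next>\S+\.exe)",
    re.IGNORECASE)

# Rule 2: a Run value that starts rundll32.exe on a DLL outside %SystemRoot%.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
                     re.IGNORECASE)
RUNDLL_ARGS = re.compile(
    r'rundll32\.exe\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\w+)', re.IGNORECASE)

# Rule 3: a raw handle to a physical drive opened for writing.
PHYSICAL_DRIVE = re.compile(r"^(?:\\\\\.\\|\\\?\?\\)PHYSICALDRIVE\d+$", re.IGNORECASE)

SYSTEM_ROOT = "c:\\windows\\"


def normalize(value: str) -> str:
    """Undo the doubled backslashes and escaped quotes the report uses for
    registry string data."""
    return value.replace("\\\\", "\\").replace('\\"', '"')


def strip_nt_prefix(path: str) -> str:
    for prefix in ("\\??\\", "\\\\.\\"):
        if path.startswith(prefix):
            return path[len(prefix):]
    return path


def detect(events: List[Dict]) -> List[Dict]:
    alerts = []
    for ev in events:
        kind = ev["event"]
        if kind == "process_create" and ev["image"].lower().endswith("\\cmd.exe"):
            m = PING_DELAY.search(ev["cmdline"])
            if m:
                alerts.append({"rule": "ping_delay_relaunch", "pid": ev["pid"],
                               "next": m.group("next")})
        elif kind == "registry_set" and RUN_KEY.search(ev["key"]):
            m = RUNDLL_ARGS.search(normalize(ev["data"]))
            if m:
                dll = strip_nt_prefix(m.group("dll"))
                if not dll.lower().startswith(SYSTEM_ROOT):
                    alerts.append({"rule": "run_key_rundll32_nonsystem_dll",
                                   "pid": ev["pid"], "dll": dll,
                                   "export": m.group("export")})
        elif (kind == "file_open" and "write" in ev["access"]
              and PHYSICAL_DRIVE.match(ev["path"])):
            alerts.append({"rule": "raw_physical_drive_write", "pid": ev["pid"],
                           "image": ev["image"]})
    return alerts


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d4798dc4602e154fec8aa0de70258e21d50508bce92d6984da9cac8efbdb2527.exe"

# Constructed events: the values are copied from the report, the shape is not.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 2012, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\zcwjw.exe "' + SAMPLE + '"'},
    {"event": "process_create", "pid": 3452, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1 -n 2"},
    {"event": "registry_set", "pid": 5088, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx",
     "data": r'c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\hdcxi\\madzp.dll\",Verify'},
    {"event": "file_open", "pid": 5088, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "path": r"\??\PHYSICALDRIVE0", "access": "write"},
    # Benign control (constructed): a Run value whose DLL lives under System32.
    {"event": "registry_set", "pid": 1234, "image": r"C:\Windows\explorer.exe",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Example",
     "data": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\example.dll,Start"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Rule 2 deliberately keys on the DLL path rather than on rundll32.exe itself, since legitimate Run values that call rundll32.exe on a System32 DLL are common; the benign control event is there to show that it stays quiet. Rule 3 fires on any write-mode open of a physical drive by a user process; on a real host it needs an allowlist for backup and disk-management tooling.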
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1): Bootkit (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads

- C:\Program Files\hdcxi\madzp.dll
  Filesize: 228KB
  MD5: 7a3abf1b544dbcdf7b8008a1aca1258a
  SHA1: d1b53aeaac0156782763346139d5b91ddc34bdd4
  SHA256: aecdf25d5eeb7d7def1e4aff8a08e38feb56ed37d740497e965f83d585476789
  SHA512: b03d107b7905db8a325c2117a76b5bf5e47951a781e462d15dda060ae7a16142b80414c921665ffa48da227f7bb9d2f1622a3310d75dd16458abf15ed1e2e75d

- C:\Users\Admin\AppData\Local\Temp\zcwjw.exe
  Filesize: 405KB
  MD5: 20919d7143708db249bb0ec3f505e979
  SHA1: f470cc6c376da5c83769677811bd74b8739a16dd
  SHA256: 7701522ca75112ab785dc65d3bd361859f9fc33e1da42456a070f8a8fbd2cd7c
  SHA512: eb0277931000b1a8701d2287b07a601ff613fafac9a4861878221549e10aad75f1efca453a343a8d1a9549dcd3a77f1eb93847e742f9096e33b307656ea0ad59

- memory/3852-0-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB

- memory/3852-2-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB

- memory/3956-7-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB

- memory/5088-10-0x0000000010000000-0x0000000010080000-memory.dmp
  Filesize: 512KB

- memory/5088-11-0x0000000010000000-0x0000000010080000-memory.dmp
  Filesize: 512KB

- memory/5088-13-0x0000000010000000-0x0000000010080000-memory.dmp
  Filesize: 512KB