Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 24-05-2024 16:32
Static task: static1
Behavioral task: behavioral1
- Sample: 4d0a8323e0e815b915357bd54cffdc9825f295005442e7d374319d4bb37195ac.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 4d0a8323e0e815b915357bd54cffdc9825f295005442e7d374319d4bb37195ac.exe
- Resource: win10v2004-20240508-en
General
- Target: 4d0a8323e0e815b915357bd54cffdc9825f295005442e7d374319d4bb37195ac.exe
- Size: 405KB
- MD5: 084bcdd74cb92ded9d77465cf3045236
- SHA1: b36700160924ee92cdd6972564f8b6b759ec1ed1
- SHA256: 4d0a8323e0e815b915357bd54cffdc9825f295005442e7d374319d4bb37195ac
- SHA512: 843d87147c283b2540fd8cbc67c14adcbc42de31cfa6fe231a765224c5b7ae697ef448e547c2aaa34fd7a6c11475fb5a82c8bc7cfbeab82a2e0972a723659a6f
- SSDEEP: 6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4Z:gtRfJcNYFNm8UhlZGseZ
Malware Config
Signatures
- Blocklisted process makes network request (10 IoCs)
  Processes (flow / pid / process):
    3   2796  rundll32.exe
    5   2796  rundll32.exe
    8   2796  rundll32.exe
    9   2796  rundll32.exe
    10  2796  rundll32.exe
    13  2796  rundll32.exe
    14  2796  rundll32.exe
    15  2796  rundll32.exe
    17  2796  rundll32.exe
    18  2796  rundll32.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
    2928  cditc.exe
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    2928  cditc.exe
- Loads dropped DLL (6 IoCs)
  Processes (pid / process):
    2964  cmd.exe (2 entries)
    2796  rundll32.exe (4 entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\hwanz\\ksgyd.dll\",Verify"  rundll32.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description / ioc / process):
    File opened (read-only) by rundll32.exe for each of: \??\g:, \??\t:, \??\x:, \??\y:, \??\z:, \??\n:, \??\o:, \??\r:, \??\e:, \??\h:, \??\j:, \??\k:, \??\m:, \??\s:, \??\w:, \??\a:, \??\b:, \??\l:, \??\p:, \??\u:, \??\i:, \??\q:, \??\v:
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (description / ioc / process):
    File opened for modification  \??\PHYSICALDRIVE0  rundll32.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes (pid / process):
    2796  rundll32.exe
- Drops file in Program Files directory (2 IoCs)
  Processes (description / ioc / process):
    File opened for modification  \??\c:\Program Files\hwanz  cditc.exe
    File created  \??\c:\Program Files\hwanz\ksgyd.dll  cditc.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  rundll32.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  rundll32.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process):
    2796  rundll32.exe (64 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  2796  rundll32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid / process):
    2924  4d0a8323e0e815b915357bd54cffdc9825f295005442e7d374319d4bb37195ac.exe
    2928  cditc.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes (description / pid / process / target process):
    PID 2924 wrote to memory of 2964  2924  4d0a8323e0e815b915357bd54cffdc9825f295005442e7d374319d4bb37195ac.exe  cmd.exe (4 entries)
    PID 2964 wrote to memory of 3040  2964  cmd.exe  PING.EXE (4 entries)
    PID 2964 wrote to memory of 2928  2964  cmd.exe  cditc.exe (4 entries)
    PID 2928 wrote to memory of 2796  2928  cditc.exe  rundll32.exe (7 entries)
Processes (process tree; nesting shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\4d0a8323e0e815b915357bd54cffdc9825f295005442e7d374319d4bb37195ac.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4d0a8323e0e815b915357bd54cffdc9825f295005442e7d374319d4bb37195ac.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\cditc.exe "C:\Users\Admin\AppData\Local\Temp\4d0a8323e0e815b915357bd54cffdc9825f295005442e7d374319d4bb37195ac.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 2
      - Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\cditc.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\cditc.exe "C:\Users\Admin\AppData\Local\Temp\4d0a8323e0e815b915357bd54cffdc9825f295005442e7d374319d4bb37195ac.exe"
      - Deletes itself
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\SysWOW64\rundll32.exe
        Command line: c:\windows\system32\rundll32.exe "c:\Program Files\hwanz\ksgyd.dll",Verify C:\Users\Admin\AppData\Local\Temp\cditc.exe
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Adds Run key to start application
        - Enumerates connected drives
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- \??\c:\Program Files\hwanz\ksgyd.dll
  Filesize: 228KB
  MD5: c211e93476a5630b23116b68da58c047
  SHA1: 5480cede5d6a9776613d5f50ff235eed420d19dc
  SHA256: 01d4be9baf9e1ad7a46fbcb62c141139cf69723f92118171e1bccfec69962350
  SHA512: 754afa6296cc81d129b0621e4abb99d9874d29393122f9574ff783b596b21a62c365a51f0d5f63d4cce694ed57e009dc866a6ff11851503006d82032441a9d56
- \Users\Admin\AppData\Local\Temp\cditc.exe
  Filesize: 405KB
  MD5: c87c12dfe4f52af9e256541cfbe330cb
  SHA1: 4de3ba0e67984ac056b28c3bc8f407f59d4392b6
  SHA256: 7327c4735f17989155376a616ca9eba88adb5ff9b1f4d8a1a948ba5683bf9e1c
  SHA512: 2553bc6650b06a742a54483ae214af28de177db4441c074b837b65a0122b6b23bc0e97c75782da2a3fa3040a7424ff57847e0d3215db4db8b57108e9639b696a
- memory/2796-18-0x0000000010000000-0x0000000010080000-memory.dmp  Filesize: 512KB
- memory/2796-16-0x0000000010000000-0x0000000010080000-memory.dmp  Filesize: 512KB
- memory/2796-19-0x0000000010000000-0x0000000010080000-memory.dmp  Filesize: 512KB
- memory/2796-20-0x0000000010000000-0x0000000010080000-memory.dmp  Filesize: 512KB
- memory/2796-17-0x0000000010000000-0x0000000010080000-memory.dmp  Filesize: 512KB
- memory/2796-22-0x0000000010000000-0x0000000010080000-memory.dmp  Filesize: 512KB
- memory/2924-2-0x0000000000400000-0x0000000000464000-memory.dmp  Filesize: 400KB
- memory/2924-0-0x0000000000400000-0x0000000000464000-memory.dmp  Filesize: 400KB
- memory/2928-10-0x0000000000400000-0x0000000000464000-memory.dmp  Filesize: 400KB
- memory/2964-8-0x0000000000160000-0x00000000001C4000-memory.dmp  Filesize: 400KB
- memory/2964-7-0x0000000000160000-0x00000000001C4000-memory.dmp  Filesize: 400KB