Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 16:32
Static task: static1
Behavioral task: behavioral1
  Sample: 4d0a8323e0e815b915357bd54cffdc9825f295005442e7d374319d4bb37195ac.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 4d0a8323e0e815b915357bd54cffdc9825f295005442e7d374319d4bb37195ac.exe
  Resource: win10v2004-20240508-en
General
Target: 4d0a8323e0e815b915357bd54cffdc9825f295005442e7d374319d4bb37195ac.exe
Size: 405KB
MD5: 084bcdd74cb92ded9d77465cf3045236
SHA1: b36700160924ee92cdd6972564f8b6b759ec1ed1
SHA256: 4d0a8323e0e815b915357bd54cffdc9825f295005442e7d374319d4bb37195ac
SHA512: 843d87147c283b2540fd8cbc67c14adcbc42de31cfa6fe231a765224c5b7ae697ef448e547c2aaa34fd7a6c11475fb5a82c8bc7cfbeab82a2e0972a723659a6f
SSDEEP: 6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4Z:gtRfJcNYFNm8UhlZGseZ
Malware Config
Signatures

Blocklisted process makes network request (8 IoCs)
  Processes: rundll32.exe
  flow  pid   process
  23    3240  rundll32.exe
  30    3240  rundll32.exe
  31    3240  rundll32.exe
  32    3240  rundll32.exe
  43    3240  rundll32.exe
  44    3240  rundll32.exe
  52    3240  rundll32.exe
  70    3240  rundll32.exe

Deletes itself (1 IoCs)
  Processes: aaqyxd.exe
  pid   process
  1612  aaqyxd.exe

Executes dropped EXE (1 IoCs)
  Processes: aaqyxd.exe
  pid   process
  1612  aaqyxd.exe

Loads dropped DLL (1 IoCs)
  Processes: rundll32.exe
  pid   process
  3240  rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: rundll32.exe
  description      ioc                                                                                                                                                                                                          process
  Set value (str)  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\laxcd\\wwfzv.dll\",Verify"  rundll32.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
  description              ioc     process
  File opened (read-only)  \??\e:  rundll32.exe
  File opened (read-only)  \??\j:  rundll32.exe
  File opened (read-only)  \??\m:  rundll32.exe
  File opened (read-only)  \??\v:  rundll32.exe
  File opened (read-only)  \??\r:  rundll32.exe
  File opened (read-only)  \??\u:  rundll32.exe
  File opened (read-only)  \??\w:  rundll32.exe
  File opened (read-only)  \??\b:  rundll32.exe
  File opened (read-only)  \??\g:  rundll32.exe
  File opened (read-only)  \??\i:  rundll32.exe
  File opened (read-only)  \??\p:  rundll32.exe
  File opened (read-only)  \??\q:  rundll32.exe
  File opened (read-only)  \??\y:  rundll32.exe
  File opened (read-only)  \??\n:  rundll32.exe
  File opened (read-only)  \??\o:  rundll32.exe
  File opened (read-only)  \??\t:  rundll32.exe
  File opened (read-only)  \??\x:  rundll32.exe
  File opened (read-only)  \??\z:  rundll32.exe
  File opened (read-only)  \??\a:  rundll32.exe
  File opened (read-only)  \??\h:  rundll32.exe
  File opened (read-only)  \??\k:  rundll32.exe
  File opened (read-only)  \??\l:  rundll32.exe
  File opened (read-only)  \??\s:  rundll32.exe

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: rundll32.exe
  description                   ioc                  process
  File opened for modification  \??\PHYSICALDRIVE0   rundll32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes: rundll32.exe
  pid   process
  3240  rundll32.exe

Drops file in Program Files directory (2 IoCs)
  Processes: aaqyxd.exe
  description                   ioc                                     process
  File created                  \??\c:\Program Files\laxcd\wwfzv.dll    aaqyxd.exe
  File opened for modification  \??\c:\Program Files\laxcd              aaqyxd.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: rundll32.exe
  description        ioc                                                                                    process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       rundll32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   rundll32.exe

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: rundll32.exe
  pid   process
  3240  rundll32.exe  (64 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: rundll32.exe
  description               pid   process
  Token: SeDebugPrivilege   3240  rundll32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: 4d0a8323e0e815b915357bd54cffdc9825f295005442e7d374319d4bb37195ac.exe, aaqyxd.exe
  pid   process
  2280  4d0a8323e0e815b915357bd54cffdc9825f295005442e7d374319d4bb37195ac.exe
  1612  aaqyxd.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 4d0a8323e0e815b915357bd54cffdc9825f295005442e7d374319d4bb37195ac.exe, cmd.exe, aaqyxd.exe
  description                    pid   process                                                                 target process
  PID 2280 wrote to memory of 1708  2280  4d0a8323e0e815b915357bd54cffdc9825f295005442e7d374319d4bb37195ac.exe  cmd.exe
  PID 2280 wrote to memory of 1708  2280  4d0a8323e0e815b915357bd54cffdc9825f295005442e7d374319d4bb37195ac.exe  cmd.exe
  PID 2280 wrote to memory of 1708  2280  4d0a8323e0e815b915357bd54cffdc9825f295005442e7d374319d4bb37195ac.exe  cmd.exe
  PID 1708 wrote to memory of 2848  1708  cmd.exe                                                                 PING.EXE
  PID 1708 wrote to memory of 2848  1708  cmd.exe                                                                 PING.EXE
  PID 1708 wrote to memory of 2848  1708  cmd.exe                                                                 PING.EXE
  PID 1708 wrote to memory of 1612  1708  cmd.exe                                                                 aaqyxd.exe
  PID 1708 wrote to memory of 1612  1708  cmd.exe                                                                 aaqyxd.exe
  PID 1708 wrote to memory of 1612  1708  cmd.exe                                                                 aaqyxd.exe
  PID 1612 wrote to memory of 3240  1612  aaqyxd.exe                                                              rundll32.exe
  PID 1612 wrote to memory of 3240  1612  aaqyxd.exe                                                              rundll32.exe
  PID 1612 wrote to memory of 3240  1612  aaqyxd.exe                                                              rundll32.exe
Processes
C:\Users\Admin\AppData\Local\Temp\4d0a8323e0e815b915357bd54cffdc9825f295005442e7d374319d4bb37195ac.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4d0a8323e0e815b915357bd54cffdc9825f295005442e7d374319d4bb37195ac.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\aaqyxd.exe "C:\Users\Admin\AppData\Local\Temp\4d0a8323e0e815b915357bd54cffdc9825f295005442e7d374319d4bb37195ac.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1 -n 2
      - Runs ping.exe
    C:\Users\Admin\AppData\Local\Temp\aaqyxd.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\\aaqyxd.exe "C:\Users\Admin\AppData\Local\Temp\4d0a8323e0e815b915357bd54cffdc9825f295005442e7d374319d4bb37195ac.exe"
      - Deletes itself
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\SysWOW64\rundll32.exe (depth 4)
        Command line: c:\windows\system32\rundll32.exe "c:\Program Files\laxcd\wwfzv.dll",Verify C:\Users\Admin\AppData\Local\Temp\aaqyxd.exe
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Adds Run key to start application
        - Enumerates connected drives
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
C:\Users\Admin\AppData\Local\Temp\aaqyxd.exe
  Filesize: 405KB
  MD5: 0237203871c8697b90348304afb11d85
  SHA1: 551588cc2fd69c68992bb3334f03aace9713136f
  SHA256: ede1076633114cdf1e5d361558a0dee4fbb17bbbcb220859d0d77159d1fc9e15
  SHA512: 05b8b2bb71353fc53e09d2c5307223e7a21c238aa9ed6099b9a728a75b6e6873ad741fa22acc515d779097b66d24dc08ff0e8f2da3df9d480c479d55765243e2

\??\c:\Program Files\laxcd\wwfzv.dll
  Filesize: 228KB
  MD5: 0d3e1006e9bf3765e0297b463009a40d
  SHA1: b3ea9d1492d8d9073999bfd818a80edadbc28697
  SHA256: 6104d657c6fcdbe2021e75696be24591b5f37b7f5659856edf63bc1e21405acb
  SHA512: ecb344506ea9a0ea8d971eab221c4b00033281f012590ad750cc723070efa5907e18f6e1678846812237bab5a796344488e66945703565ce5c9bdea5a555ee1a

memory/1612-6-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB

memory/1612-8-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB

memory/2280-0-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB

memory/2280-2-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB

memory/3240-11-0x0000000010000000-0x0000000010080000-memory.dmp
  Filesize: 512KB

memory/3240-12-0x0000000010000000-0x0000000010080000-memory.dmp
  Filesize: 512KB

memory/3240-14-0x0000000010000000-0x0000000010080000-memory.dmp
  Filesize: 512KB