Overview

overview

8

Static

static

3

e264d04ff1...5a.exe

windows7-x64

8

e264d04ff1...5a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-05-2024 18:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e264d04ff1ffa9d994b11f15154295c5820fd26a954b3b30f99c5c603cb5045a.exe

  • Size

    405KB

  • MD5

    9b9127a962a1348c4ccc6a119e893a9d

  • SHA1

    af39c850e9a28d1a9ea6107ec4f4d0b969e1f9d0

  • SHA256

    e264d04ff1ffa9d994b11f15154295c5820fd26a954b3b30f99c5c603cb5045a

  • SHA512

    d3dc5901b15cc44eafb73d0d0b96397271cba3d16e12a113634d0590c774fc740a9400917b2ff6d6a9620009a65b0345b2f16f38b74b8033a05f658e5ba62881

  • SSDEEP

    6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4+:gtRfJcNYFNm8UhlZGse+

Score
8/10
bootkitpersistencespywarestealer

Malware Config

Signatures

  • Blocklisted process makes network request 8 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e264d04ff1ffa9d994b11f15154295c5820fd26a954b3b30f99c5c603cb5045a.exe
    "C:\Users\Admin\AppData\Local\Temp\e264d04ff1ffa9d994b11f15154295c5820fd26a954b3b30f99c5c603cb5045a.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:60
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\coccig.exe "C:\Users\Admin\AppData\Local\Temp\e264d04ff1ffa9d994b11f15154295c5820fd26a954b3b30f99c5c603cb5045a.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1020
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:2052
      • C:\Users\Admin\AppData\Local\Temp\coccig.exe
        C:\Users\Admin\AppData\Local\Temp\\coccig.exe "C:\Users\Admin\AppData\Local\Temp\e264d04ff1ffa9d994b11f15154295c5820fd26a954b3b30f99c5c603cb5045a.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2988
        • \??\c:\windows\SysWOW64\rundll32.exe
          c:\windows\system32\rundll32.exe "c:\Program Files\hxanpfv\zritt.dll",Verify C:\Users\Admin\AppData\Local\Temp\coccig.exe
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4804

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\coccig.exe
    Filesize

    405KB

    MD5

    415b46e18d510eff5a4b3fbd169fc849

    SHA1

    283f7692153bbdc3c7d2d9c0ac4b04ff2fd9e5c7

    SHA256

    096a85efcb391a4e6048f8a81427e0e4a7abcc250507cbddc7990b86c8911667

    SHA512

    e734035497dcfbab27128326f00553b16d1ed73a694d1f3bfd406473649cd985b52050cdb7fed8693b3bc9d2dcd63bb6c08f8b3125675f9de6dbf515d54015c6

    Download Submit

  • \??\c:\Program Files\hxanpfv\zritt.dll
    Filesize

    228KB

    MD5

    8fc88fffbbc93471c200664d21b43b78

    SHA1

    c2508465b69302996eb09905febd805d4ba95461

    SHA256

    01ea6e68606aaecfcb58ff634ab7e990fc1aaf8fbf0c8e04996b9ce53b494bc8

    SHA512

    3b081508c50f5c00a942d6b5408ac94a631d649b410e8c52f2178bb1025ef8821cb2b323682135c682e10dbb33d064dc440fb8f5ff0c8194d14fa0c56dbf1fba

    Download Submit

  • memory/60-0-0x0000000000400000-0x0000000000464000-memory.dmp

    Filesize

    400KB

    Download

  • memory/60-2-0x0000000000400000-0x0000000000464000-memory.dmp

    Filesize

    400KB

    Download

  • memory/2988-7-0x0000000000400000-0x0000000000464000-memory.dmp

    Filesize

    400KB

    Download

  • memory/4804-10-0x0000000010000000-0x0000000010080000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4804-12-0x0000000010000000-0x0000000010080000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4804-13-0x0000000010000000-0x0000000010080000-memory.dmp

    Filesize

    512KB

    Download