Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
04-06-2024 05:05
Static task
static1
Behavioral task
behavioral1
Sample
f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25.exe
Resource
win10v2004-20240508-en
General
-
Target
f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25.exe
-
Size
88KB
-
MD5
8ac3c62e0e68635085c1707709125fbc
-
SHA1
72e7f3ccc1d40e31c1952c8b9fa2d45595300c51
-
SHA256
f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25
-
SHA512
502ae3e69782541551b0965305abab850430bce03e7f09186ad1de713a4e1586a8625fbf63226cc6ae565f1263c1598796d078ff1415cdc5d5d908d9cf6097bd
-
SSDEEP
1536:1MIPgEm56wnbkKC2ZyBJU066lwLCRVEB+nR/y8cmNrEIviCOzuajkrDl9HNSj:11PgEOng1d66jRVa+n4NmNNouukrD7HI
Malware Config
Signatures
-
Detects executables containing base64 encoded User Agent 3 IoCs
resource yara_rule behavioral2/memory/2256-13-0x0000000010000000-0x0000000010022000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent behavioral2/memory/2256-15-0x0000000010000000-0x0000000010022000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent behavioral2/memory/2256-17-0x0000000010000000-0x0000000010022000-memory.dmp INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent -
UPX dump on OEP (original entry point) 6 IoCs
resource yara_rule behavioral2/memory/4880-9-0x0000000000400000-0x0000000000428000-memory.dmp UPX behavioral2/files/0x00080000000233b7-10.dat UPX behavioral2/memory/2256-12-0x0000000010000000-0x0000000010022000-memory.dmp UPX behavioral2/memory/2256-13-0x0000000010000000-0x0000000010022000-memory.dmp UPX behavioral2/memory/2256-15-0x0000000010000000-0x0000000010022000-memory.dmp UPX behavioral2/memory/2256-17-0x0000000010000000-0x0000000010022000-memory.dmp UPX -
Blocklisted process makes network request 9 IoCs
flow pid Process 14 2256 rundll32.exe 21 2256 rundll32.exe 22 2256 rundll32.exe 23 2256 rundll32.exe 34 2256 rundll32.exe 35 2256 rundll32.exe 39 2256 rundll32.exe 45 2256 rundll32.exe 46 2256 rundll32.exe -
Deletes itself 1 IoCs
pid Process 4880 xdgdt.exe -
Executes dropped EXE 1 IoCs
pid Process 4880 xdgdt.exe -
Loads dropped DLL 1 IoCs
pid Process 2256 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x00080000000233b7-10.dat upx behavioral2/memory/2256-12-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral2/memory/2256-13-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral2/memory/2256-15-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral2/memory/2256-17-0x0000000010000000-0x0000000010022000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\kkwtv\\etrpd.tpe\",crc32" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\z: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\x: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Kills process with taskkill 1 IoCs
pid Process 3956 taskkill.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2904 PING.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2256 rundll32.exe 2256 rundll32.exe 2256 rundll32.exe 2256 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2256 rundll32.exe Token: SeDebugPrivilege 3956 taskkill.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4280 f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25.exe 4880 xdgdt.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 4280 wrote to memory of 4704 4280 f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25.exe 81 PID 4280 wrote to memory of 4704 4280 f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25.exe 81 PID 4280 wrote to memory of 4704 4280 f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25.exe 81 PID 4704 wrote to memory of 2904 4704 cmd.exe 83 PID 4704 wrote to memory of 2904 4704 cmd.exe 83 PID 4704 wrote to memory of 2904 4704 cmd.exe 83 PID 4704 wrote to memory of 4880 4704 cmd.exe 84 PID 4704 wrote to memory of 4880 4704 cmd.exe 84 PID 4704 wrote to memory of 4880 4704 cmd.exe 84 PID 4880 wrote to memory of 2256 4880 xdgdt.exe 85 PID 4880 wrote to memory of 2256 4880 xdgdt.exe 85 PID 4880 wrote to memory of 2256 4880 xdgdt.exe 85 PID 2256 wrote to memory of 3956 2256 rundll32.exe 86 PID 2256 wrote to memory of 3956 2256 rundll32.exe 86 PID 2256 wrote to memory of 3956 2256 rundll32.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25.exe"C:\Users\Admin\AppData\Local\Temp\f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\xdgdt.exe "C:\Users\Admin\AppData\Local\Temp\f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
PID:2904
-
-
C:\Users\Admin\AppData\Local\Temp\xdgdt.exeC:\Users\Admin\AppData\Local\Temp\\xdgdt.exe "C:\Users\Admin\AppData\Local\Temp\f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\kkwtv\etrpd.tpe",crc32 C:\Users\Admin\AppData\Local\Temp\xdgdt.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\windows\SysWOW64\taskkill.exetaskkill /f /im attrib.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3956
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
88KB
MD587fbb5fef345b0baaada6d209db2f8fe
SHA17c52c47798cc6c353df2abe1494202cdbfe8e6e0
SHA256f9b118cbcb83bf37c0fef1717928d923268eb19a0bcc045adb1e2ec5912f8051
SHA512a3ae1774b6e017fbe41141f14714cbedad7cebe9f662dbc41f93c012638940e6dc95e4605f440a90327604acf753cde887418a71313a415dee87da47000d423d
-
Filesize
57KB
MD52f53f49e01f09d6e6064871eec1955cd
SHA1a6e1a6e5c2080d0fb2f7a872e3902a8a4a1a9b5f
SHA256964e4dd2532d540bb61d3c7ccc833f2358d8cd6b2eabc3a2d51183a18b59f82d
SHA5122cb98030c3df7417c04f796f78f23f96d381871d9c7ae4a14116764e915b2e2f56b9b3a6fb76fedc50a17788de9538fc7954a7b73bf17e4be43e1fc1a06bc218