Malware Analysis Report

2025-01-03 09:27

Sample ID 240604-w71z6agc67
Target 0bcfb7bc4f7dda6da5c6d7949b5fbce030fd9f00dec0be09ab312ffa0ae43c3a
SHA256 0bcfb7bc4f7dda6da5c6d7949b5fbce030fd9f00dec0be09ab312ffa0ae43c3a
Tags bootkit persistence spyware stealer
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 9/10

SHA256

0bcfb7bc4f7dda6da5c6d7949b5fbce030fd9f00dec0be09ab312ffa0ae43c3a

Threat Level: Likely malicious

The file 0bcfb7bc4f7dda6da5c6d7949b5fbce030fd9f00dec0be09ab312ffa0ae43c3a was found to be: Likely malicious.

Malicious Activity Summary

bootkit persistence spyware stealer

Detects executables containing base64 encoded User Agent

Blocklisted process makes network request

Loads dropped DLL

Executes dropped EXE

Deletes itself

Reads user/profile data of web browsers

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 18:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 18:34

Reported

2024-06-04 18:37

Platform

win7-20240508-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0bcfb7bc4f7dda6da5c6d7949b5fbce030fd9f00dec0be09ab312ffa0ae43c3a.exe"

Signatures

Detects executables containing base64 encoded User Agent

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\fxvtd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\fxvtd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\floyh\\nqxgq.dll\",GetWindowClass" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0bcfb7bc4f7dda6da5c6d7949b5fbce030fd9f00dec0be09ab312ffa0ae43c3a.exe N/A
N/A N/A \??\c:\fxvtd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3052 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\0bcfb7bc4f7dda6da5c6d7949b5fbce030fd9f00dec0be09ab312ffa0ae43c3a.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\0bcfb7bc4f7dda6da5c6d7949b5fbce030fd9f00dec0be09ab312ffa0ae43c3a.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\0bcfb7bc4f7dda6da5c6d7949b5fbce030fd9f00dec0be09ab312ffa0ae43c3a.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\0bcfb7bc4f7dda6da5c6d7949b5fbce030fd9f00dec0be09ab312ffa0ae43c3a.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2008 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2008 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2008 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2008 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\fxvtd.exe
PID 2008 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\fxvtd.exe
PID 2008 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\fxvtd.exe
PID 2008 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\fxvtd.exe
PID 2188 wrote to memory of 3040 N/A \??\c:\fxvtd.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2188 wrote to memory of 3040 N/A \??\c:\fxvtd.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2188 wrote to memory of 3040 N/A \??\c:\fxvtd.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2188 wrote to memory of 3040 N/A \??\c:\fxvtd.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2188 wrote to memory of 3040 N/A \??\c:\fxvtd.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2188 wrote to memory of 3040 N/A \??\c:\fxvtd.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2188 wrote to memory of 3040 N/A \??\c:\fxvtd.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0bcfb7bc4f7dda6da5c6d7949b5fbce030fd9f00dec0be09ab312ffa0ae43c3a.exe

"C:\Users\Admin\AppData\Local\Temp\0bcfb7bc4f7dda6da5c6d7949b5fbce030fd9f00dec0be09ab312ffa0ae43c3a.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\fxvtd.exe "C:\Users\Admin\AppData\Local\Temp\0bcfb7bc4f7dda6da5c6d7949b5fbce030fd9f00dec0be09ab312ffa0ae43c3a.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\fxvtd.exe

c:\fxvtd.exe "C:\Users\Admin\AppData\Local\Temp\0bcfb7bc4f7dda6da5c6d7949b5fbce030fd9f00dec0be09ab312ffa0ae43c3a.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\floyh\nqxgq.dll",GetWindowClass c:\fxvtd.exe

Network


Files

memory/3052-0-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3052-2-0x0000000000400000-0x000000000041D000-memory.dmp

\??\c:\fxvtd.exe

MD5 3c4b0d66502d8af8610849b74f13b22e
SHA1 a7197ad263ce596815f5695614ae9f967770b204
SHA256 fc85cf233448e0fc89437614c745b720b428fa49d58445afe3fdc43d36ecb257
SHA512 da9c81dc5a54b707d1336da79ad089a4328568ed93fc4f628e0535a7876019bbcd89a085861e879a9eb5116d22687dca2a188761960d694839d3e52d2b14ea61

memory/2008-6-0x0000000000160000-0x000000000017D000-memory.dmp

memory/2008-5-0x0000000000160000-0x000000000017D000-memory.dmp

memory/2188-8-0x0000000000400000-0x000000000041D000-memory.dmp

\??\c:\floyh\nqxgq.dll

MD5 06c39ca503305efbf7274f6bf9394f28
SHA1 bec4daadab49f1f58a951d9cc1b2d7c1e2ae8450
SHA256 19f33ba32f20dae1ea6a6b87824dc8e3e74527b34f9cd01a6e4f67e3e79dd867
SHA512 e6c8b19892b5ce5108909824ad37b0fe0eed2459939f0249133bf3e3c1470308d6d51aa3fbf42aabcbf37bb2412c8a27bff445e23dc0495910ec5f445055d931

memory/3040-14-0x0000000010000000-0x0000000010036000-memory.dmp

memory/3040-15-0x0000000010000000-0x0000000010036000-memory.dmp

memory/3040-16-0x0000000010033000-0x0000000010034000-memory.dmp

memory/3040-17-0x0000000010000000-0x0000000010036000-memory.dmp

memory/3040-18-0x0000000010000000-0x0000000010036000-memory.dmp

memory/3040-20-0x0000000010033000-0x0000000010034000-memory.dmp

memory/3040-23-0x0000000010000000-0x0000000010036000-memory.dmp

memory/3040-24-0x0000000010000000-0x0000000010036000-memory.dmp

memory/3040-25-0x0000000010000000-0x0000000010036000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 18:34

Reported

2024-06-04 18:37

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0bcfb7bc4f7dda6da5c6d7949b5fbce030fd9f00dec0be09ab312ffa0ae43c3a.exe"

Signatures

Detects executables containing base64 encoded User Agent

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\rjvbiprzp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\rjvbiprzp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\jswzo\\dgoan.dll\",GetWindowClass" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0bcfb7bc4f7dda6da5c6d7949b5fbce030fd9f00dec0be09ab312ffa0ae43c3a.exe N/A
N/A N/A \??\c:\rjvbiprzp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0bcfb7bc4f7dda6da5c6d7949b5fbce030fd9f00dec0be09ab312ffa0ae43c3a.exe

"C:\Users\Admin\AppData\Local\Temp\0bcfb7bc4f7dda6da5c6d7949b5fbce030fd9f00dec0be09ab312ffa0ae43c3a.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\rjvbiprzp.exe "C:\Users\Admin\AppData\Local\Temp\0bcfb7bc4f7dda6da5c6d7949b5fbce030fd9f00dec0be09ab312ffa0ae43c3a.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\rjvbiprzp.exe

c:\rjvbiprzp.exe "C:\Users\Admin\AppData\Local\Temp\0bcfb7bc4f7dda6da5c6d7949b5fbce030fd9f00dec0be09ab312ffa0ae43c3a.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\jswzo\dgoan.dll",GetWindowClass c:\rjvbiprzp.exe

Network


Files

memory/3320-0-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3320-2-0x0000000000400000-0x000000000041D000-memory.dmp

C:\rjvbiprzp.exe

MD5 05e8e827827aeca9fadbc64337a583f6
SHA1 c43eb031d282845a06a3b5b074c96075b74be245
SHA256 c750944dfd4abefe914fde7ee92ac9ccaa0ee26e8a348a8e3bbc58579bc0f83c
SHA512 b6ea7e68b63efa2587b23d62a1150e5a16d893074aa37ed6874cc85a3ff0840a2cec5c6e3e4df95a0f39c7537c016a745dd03c7ed3cf5c0695532ce1221c93bc

memory/3812-6-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3812-8-0x0000000000400000-0x000000000041D000-memory.dmp

\??\c:\jswzo\dgoan.dll

MD5 06c39ca503305efbf7274f6bf9394f28
SHA1 bec4daadab49f1f58a951d9cc1b2d7c1e2ae8450
SHA256 19f33ba32f20dae1ea6a6b87824dc8e3e74527b34f9cd01a6e4f67e3e79dd867
SHA512 e6c8b19892b5ce5108909824ad37b0fe0eed2459939f0249133bf3e3c1470308d6d51aa3fbf42aabcbf37bb2412c8a27bff445e23dc0495910ec5f445055d931

memory/2484-11-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2484-12-0x0000000000ED0000-0x0000000000ED2000-memory.dmp

memory/2484-13-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2484-15-0x0000000000ED0000-0x0000000000ED2000-memory.dmp

memory/2484-16-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2484-18-0x0000000010000000-0x0000000010036000-memory.dmp