Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-06-2024 12:29

General

  • Target

    13bb7979d20c85394c2576859e34d73d87343b1c9dfeedd0ddea399fab472368.exe

  • Size

    407KB

  • MD5

    87de50af2be2c65124dd39f215bee7d3

  • SHA1

    d59f6bb4171b6663f4a52d847cb1f53cd26d24d0

  • SHA256

    13bb7979d20c85394c2576859e34d73d87343b1c9dfeedd0ddea399fab472368

  • SHA512

    906af19c2ba2f8f24db3b4266c751a8c15dd8a0ff873d9adf9eb01da83dfef5f199093a5994db059e38c4ce835616d9133cfd2b7f9911cbcc7b6a21f4832d436

  • SSDEEP

    6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse

Malware Config

Signatures

  • Blocklisted process makes network request 10 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\13bb7979d20c85394c2576859e34d73d87343b1c9dfeedd0ddea399fab472368.exe
    "C:\Users\Admin\AppData\Local\Temp\13bb7979d20c85394c2576859e34d73d87343b1c9dfeedd0ddea399fab472368.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\kmqcp.exe "C:\Users\Admin\AppData\Local\Temp\13bb7979d20c85394c2576859e34d73d87343b1c9dfeedd0ddea399fab472368.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:2632
      • C:\Users\Admin\AppData\Local\Temp\kmqcp.exe
        C:\Users\Admin\AppData\Local\Temp\\kmqcp.exe "C:\Users\Admin\AppData\Local\Temp\13bb7979d20c85394c2576859e34d73d87343b1c9dfeedd0ddea399fab472368.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2260
        • \??\c:\windows\SysWOW64\rundll32.exe
          c:\windows\system32\rundll32.exe "c:\Program Files\eqdyxyvjx\ntomdplb.dll",Verify C:\Users\Admin\AppData\Local\Temp\kmqcp.exe
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2700

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \??\c:\Program Files\eqdyxyvjx\ntomdplb.dll

    Filesize

    228KB

    MD5

    af4b38c20a1b5f8fd093289e4fcee615

    SHA1

    edd4d9716c4ff81fab2d8150a8c7b0ec1a6c7f85

    SHA256

    c364182b8ac7c531a967d4c01512b4efbd951999ede72cb33b8c2f77823cc411

    SHA512

    e3781fc16a397d78f2036552686115822f93367c00f0b5f7d68ee0f8474a50abe630fedf5e915c3639c7b1df07a3c47e9e901e5dd2d2e171ee726fd3ca10264c

  • \Users\Admin\AppData\Local\Temp\kmqcp.exe

    Filesize

    407KB

    MD5

    346f847f5090469633439118ccce1008

    SHA1

    5e0753147c7c4dca82ec06e766f152a1b000ea03

    SHA256

    42c7231a711ee25867d35b51b870ef5a38ba9954e79128a803ea136596ec2b83

    SHA512

    d4ef11a5b7a0a38546342ef180ea84a6a115a1ee016693af9a0553fa9007f51bb8a7ac078f336581f999c07e60690e958bf89e5451d135643a9fdb4e2e9201df

  • memory/1996-0-0x0000000000400000-0x0000000000464000-memory.dmp

    Filesize

    400KB

  • memory/1996-2-0x0000000000400000-0x0000000000464000-memory.dmp

    Filesize

    400KB

  • memory/2260-9-0x0000000000400000-0x0000000000464000-memory.dmp

    Filesize

    400KB

  • memory/2700-16-0x0000000010000000-0x0000000010080000-memory.dmp

    Filesize

    512KB

  • memory/2700-17-0x0000000010000000-0x0000000010080000-memory.dmp

    Filesize

    512KB

  • memory/2700-14-0x0000000010000000-0x0000000010080000-memory.dmp

    Filesize

    512KB

  • memory/2700-18-0x0000000010000000-0x0000000010080000-memory.dmp

    Filesize

    512KB

  • memory/2700-20-0x0000000010000000-0x0000000010080000-memory.dmp

    Filesize

    512KB

  • memory/2772-5-0x0000000000150000-0x00000000001B4000-memory.dmp

    Filesize

    400KB