Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
11-06-2024 12:29
Static task
static1
Behavioral task
behavioral1
Sample
13bb7979d20c85394c2576859e34d73d87343b1c9dfeedd0ddea399fab472368.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
13bb7979d20c85394c2576859e34d73d87343b1c9dfeedd0ddea399fab472368.exe
Resource
win10v2004-20240508-en
General
-
Target
13bb7979d20c85394c2576859e34d73d87343b1c9dfeedd0ddea399fab472368.exe
-
Size
407KB
-
MD5
87de50af2be2c65124dd39f215bee7d3
-
SHA1
d59f6bb4171b6663f4a52d847cb1f53cd26d24d0
-
SHA256
13bb7979d20c85394c2576859e34d73d87343b1c9dfeedd0ddea399fab472368
-
SHA512
906af19c2ba2f8f24db3b4266c751a8c15dd8a0ff873d9adf9eb01da83dfef5f199093a5994db059e38c4ce835616d9133cfd2b7f9911cbcc7b6a21f4832d436
-
SSDEEP
6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse
Malware Config
Signatures
-
Blocklisted process makes network request 10 IoCs
Processes:
rundll32.exeflow pid process 3 2700 rundll32.exe 7 2700 rundll32.exe 8 2700 rundll32.exe 9 2700 rundll32.exe 10 2700 rundll32.exe 13 2700 rundll32.exe 14 2700 rundll32.exe 15 2700 rundll32.exe 17 2700 rundll32.exe 18 2700 rundll32.exe -
Deletes itself 1 IoCs
Processes:
kmqcp.exepid process 2260 kmqcp.exe -
Executes dropped EXE 1 IoCs
Processes:
kmqcp.exepid process 2260 kmqcp.exe -
Loads dropped DLL 6 IoCs
Processes:
cmd.exerundll32.exepid process 2772 cmd.exe 2772 cmd.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\eqdyxyvjx\\ntomdplb.dll\",Verify" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\z: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
rundll32.exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
rundll32.exepid process 2700 rundll32.exe -
Drops file in Program Files directory 2 IoCs
Processes:
kmqcp.exedescription ioc process File opened for modification \??\c:\Program Files\eqdyxyvjx kmqcp.exe File created \??\c:\Program Files\eqdyxyvjx\ntomdplb.dll kmqcp.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
rundll32.exepid process 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe 2700 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid process Token: SeDebugPrivilege 2700 rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
13bb7979d20c85394c2576859e34d73d87343b1c9dfeedd0ddea399fab472368.exekmqcp.exepid process 1996 13bb7979d20c85394c2576859e34d73d87343b1c9dfeedd0ddea399fab472368.exe 2260 kmqcp.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
13bb7979d20c85394c2576859e34d73d87343b1c9dfeedd0ddea399fab472368.execmd.exekmqcp.exedescription pid process target process PID 1996 wrote to memory of 2772 1996 13bb7979d20c85394c2576859e34d73d87343b1c9dfeedd0ddea399fab472368.exe cmd.exe PID 1996 wrote to memory of 2772 1996 13bb7979d20c85394c2576859e34d73d87343b1c9dfeedd0ddea399fab472368.exe cmd.exe PID 1996 wrote to memory of 2772 1996 13bb7979d20c85394c2576859e34d73d87343b1c9dfeedd0ddea399fab472368.exe cmd.exe PID 1996 wrote to memory of 2772 1996 13bb7979d20c85394c2576859e34d73d87343b1c9dfeedd0ddea399fab472368.exe cmd.exe PID 2772 wrote to memory of 2632 2772 cmd.exe PING.EXE PID 2772 wrote to memory of 2632 2772 cmd.exe PING.EXE PID 2772 wrote to memory of 2632 2772 cmd.exe PING.EXE PID 2772 wrote to memory of 2632 2772 cmd.exe PING.EXE PID 2772 wrote to memory of 2260 2772 cmd.exe kmqcp.exe PID 2772 wrote to memory of 2260 2772 cmd.exe kmqcp.exe PID 2772 wrote to memory of 2260 2772 cmd.exe kmqcp.exe PID 2772 wrote to memory of 2260 2772 cmd.exe kmqcp.exe PID 2260 wrote to memory of 2700 2260 kmqcp.exe rundll32.exe PID 2260 wrote to memory of 2700 2260 kmqcp.exe rundll32.exe PID 2260 wrote to memory of 2700 2260 kmqcp.exe rundll32.exe PID 2260 wrote to memory of 2700 2260 kmqcp.exe rundll32.exe PID 2260 wrote to memory of 2700 2260 kmqcp.exe rundll32.exe PID 2260 wrote to memory of 2700 2260 kmqcp.exe rundll32.exe PID 2260 wrote to memory of 2700 2260 kmqcp.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\13bb7979d20c85394c2576859e34d73d87343b1c9dfeedd0ddea399fab472368.exe"C:\Users\Admin\AppData\Local\Temp\13bb7979d20c85394c2576859e34d73d87343b1c9dfeedd0ddea399fab472368.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\kmqcp.exe "C:\Users\Admin\AppData\Local\Temp\13bb7979d20c85394c2576859e34d73d87343b1c9dfeedd0ddea399fab472368.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
PID:2632 -
C:\Users\Admin\AppData\Local\Temp\kmqcp.exeC:\Users\Admin\AppData\Local\Temp\\kmqcp.exe "C:\Users\Admin\AppData\Local\Temp\13bb7979d20c85394c2576859e34d73d87343b1c9dfeedd0ddea399fab472368.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\Program Files\eqdyxyvjx\ntomdplb.dll",Verify C:\Users\Admin\AppData\Local\Temp\kmqcp.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
228KB
MD5af4b38c20a1b5f8fd093289e4fcee615
SHA1edd4d9716c4ff81fab2d8150a8c7b0ec1a6c7f85
SHA256c364182b8ac7c531a967d4c01512b4efbd951999ede72cb33b8c2f77823cc411
SHA512e3781fc16a397d78f2036552686115822f93367c00f0b5f7d68ee0f8474a50abe630fedf5e915c3639c7b1df07a3c47e9e901e5dd2d2e171ee726fd3ca10264c
-
Filesize
407KB
MD5346f847f5090469633439118ccce1008
SHA15e0753147c7c4dca82ec06e766f152a1b000ea03
SHA25642c7231a711ee25867d35b51b870ef5a38ba9954e79128a803ea136596ec2b83
SHA512d4ef11a5b7a0a38546342ef180ea84a6a115a1ee016693af9a0553fa9007f51bb8a7ac078f336581f999c07e60690e958bf89e5451d135643a9fdb4e2e9201df