Analysis
max time kernel: 149s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-06-2024 14:29
Static task: static1
Behavioral task: behavioral1
  Sample: 759e36d3b80dbb4a591891665c0c639e62051f583ae9ef22dfe335f77a55b436.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 759e36d3b80dbb4a591891665c0c639e62051f583ae9ef22dfe335f77a55b436.exe
  Resource: win10v2004-20240508-en
General
Target: 759e36d3b80dbb4a591891665c0c639e62051f583ae9ef22dfe335f77a55b436.exe
Size: 407KB
MD5: 147db7770a8a10681410d486af5d6281
SHA1: e320833c225052530ec97c6a76e30a81e293ec5c
SHA256: 759e36d3b80dbb4a591891665c0c639e62051f583ae9ef22dfe335f77a55b436
SHA512: d247b268f15eacaab44de82870825561e69a1db04d011b2970ec77e7d8c28951fd5d3cdb59b425ee7da07092721f582e94761c51e4efd4f03195f48ce240e274
SSDEEP: 6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH41:gtRfJcNYFNm8UhlZGse1
Malware Config

Signatures
Blocklisted process makes network request (8 IoCs)
Processes: rundll32.exe
  flow  pid   process
  2     4444  rundll32.exe
  7     4444  rundll32.exe
  8     4444  rundll32.exe
  9     4444  rundll32.exe
  15    4444  rundll32.exe
  16    4444  rundll32.exe
  17    4444  rundll32.exe
  18    4444  rundll32.exe
Deletes itself (1 IoC)
Processes: fpnzx.exe
  pid   process
  4220  fpnzx.exe

Executes dropped EXE (1 IoC)
Processes: fpnzx.exe
  pid   process
  4220  fpnzx.exe

Loads dropped DLL (1 IoC)
Processes: rundll32.exe
  pid   process
  4444  rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: rundll32.exe
  description      ioc                                                                                                                                                               process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\qhagapok\\xmckn.dll\",Verify"  rundll32.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: rundll32.exe
  description              ioc     process
  File opened (read-only)  \??\a:  rundll32.exe
  File opened (read-only)  \??\b:  rundll32.exe
  File opened (read-only)  \??\e:  rundll32.exe
  File opened (read-only)  \??\g:  rundll32.exe
  File opened (read-only)  \??\h:  rundll32.exe
  File opened (read-only)  \??\i:  rundll32.exe
  File opened (read-only)  \??\j:  rundll32.exe
  File opened (read-only)  \??\k:  rundll32.exe
  File opened (read-only)  \??\l:  rundll32.exe
  File opened (read-only)  \??\m:  rundll32.exe
  File opened (read-only)  \??\n:  rundll32.exe
  File opened (read-only)  \??\o:  rundll32.exe
  File opened (read-only)  \??\p:  rundll32.exe
  File opened (read-only)  \??\q:  rundll32.exe
  File opened (read-only)  \??\r:  rundll32.exe
  File opened (read-only)  \??\s:  rundll32.exe
  File opened (read-only)  \??\t:  rundll32.exe
  File opened (read-only)  \??\u:  rundll32.exe
  File opened (read-only)  \??\v:  rundll32.exe
  File opened (read-only)  \??\w:  rundll32.exe
  File opened (read-only)  \??\x:  rundll32.exe
  File opened (read-only)  \??\y:  rundll32.exe
  File opened (read-only)  \??\z:  rundll32.exe
(Every drive letter is probed except C:, D: and F:, i.e. the sandbox's system drive and the two other letters in use.)
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: rundll32.exe
  description                   ioc                  process
  File opened for modification  \??\PHYSICALDRIVE0   rundll32.exe
(The IoC recorded is a write-capable handle to the raw disk device; it shows the capability to overwrite sector 0 but does not by itself show which bytes were written, so confirming an actual MBR change requires comparing the sector before and after execution.)
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes: rundll32.exe
  pid   process
  4444  rundll32.exe
Drops file in Program Files directory (2 IoCs)
Processes: fpnzx.exe
  description                   ioc                                        process
  File opened for modification  \??\c:\Program Files\qhagapok              fpnzx.exe
  File created                  \??\c:\Program Files\qhagapok\xmckn.dll    fpnzx.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: rundll32.exe
  description        ioc                                                                               process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  rundll32.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: rundll32.exe
  pid   process       occurrences
  4444  rundll32.exe  64
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: rundll32.exe
  description               pid   process
  Token: SeDebugPrivilege   4444  rundll32.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: 759e36d3b80dbb4a591891665c0c639e62051f583ae9ef22dfe335f77a55b436.exe, fpnzx.exe
  pid   process
  988   759e36d3b80dbb4a591891665c0c639e62051f583ae9ef22dfe335f77a55b436.exe
  4220  fpnzx.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: 759e36d3b80dbb4a591891665c0c639e62051f583ae9ef22dfe335f77a55b436.exe, cmd.exe, fpnzx.exe
  description                        pid   process                                                                  target process  events
  PID 988 wrote to memory of 1576    988   759e36d3b80dbb4a591891665c0c639e62051f583ae9ef22dfe335f77a55b436.exe    cmd.exe         3
  PID 1576 wrote to memory of 2284   1576  cmd.exe                                                                  PING.EXE        3
  PID 1576 wrote to memory of 4220   1576  cmd.exe                                                                  fpnzx.exe       3
  PID 4220 wrote to memory of 4444   4220  fpnzx.exe                                                                rundll32.exe    3
Processes
1. C:\Users\Admin\AppData\Local\Temp\759e36d3b80dbb4a591891665c0c639e62051f583ae9ef22dfe335f77a55b436.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\759e36d3b80dbb4a591891665c0c639e62051f583ae9ef22dfe335f77a55b436.exe"
   PID: 988
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\fpnzx.exe "C:\Users\Admin\AppData\Local\Temp\759e36d3b80dbb4a591891665c0c639e62051f583ae9ef22dfe335f77a55b436.exe"
      PID: 1576
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1 -n 2
         PID: 2284
         - Runs ping.exe
      3. C:\Users\Admin\AppData\Local\Temp\fpnzx.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\\fpnzx.exe "C:\Users\Admin\AppData\Local\Temp\759e36d3b80dbb4a591891665c0c639e62051f583ae9ef22dfe335f77a55b436.exe"
         PID: 4220
         - Deletes itself
         - Executes dropped EXE
         - Drops file in Program Files directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. \??\c:\windows\SysWOW64\rundll32.exe
            Command line: c:\windows\system32\rundll32.exe "c:\Program Files\qhagapok\xmckn.dll",Verify C:\Users\Admin\AppData\Local\Temp\fpnzx.exe
            PID: 4444
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Adds Run key to start application
            - Enumerates connected drives
            - Writes to the Master Boot Record (MBR)
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

Reading the tree: the ping to 127.0.0.1 with -n 2 is a roughly one-second delay with no network purpose, after which cmd.exe starts the dropped fpnzx.exe with the original sample's path as its argument; fpnzx.exe in turn starts rundll32.exe on the DLL it wrote to c:\Program Files\qhagapok and passes its own path as a trailing argument. Each stage is therefore handed the path of the one before it, which is consistent with the "Deletes itself" signature on PID 4220. Note also that every command line names system32 while the image actually loaded is under SysWOW64: the whole chain is 32-bit and runs under WOW64 file-system redirection, which matters when writing path-based detections.
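The chain above (a cmd.exe sleep via ping 127.0.0.1 that relaunches a dropped binary, rundll32 calling an export from a DLL outside the Windows directory, and a Run value whose data is that rundll32 command) can be expressed as detection logic over process-creation and registry telemetry. The block below is an added example written for this page, not sandbox output or code from the sample's authors. It runs three rules over constructed Sysmon-style events that mirror the report's process tree; the field names, the benign control events and the root parent PID 700 are assumptions.

```python
"""Detection rules for the execution chain in this report (added example)."""
import re

# Constructed events modelled on Sysmon Event ID 1 (process create) and
# Event ID 13 (registry value set). PIDs, images and command lines follow the
# report's process tree; the field names, parent PID 700 and the two benign
# control events at the end are this example's assumptions.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\759e36d3b80dbb4a591891665c0c639e62051f583ae9ef22dfe335f77a55b436.exe"
EVENTS = [
    {"EventID": 1, "ProcessId": 988, "ParentProcessId": 700,
     "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 1576, "ParentProcessId": 988,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\fpnzx.exe "' + SAMPLE + '"'},
    {"EventID": 1, "ProcessId": 2284, "ParentProcessId": 1576,
     "Image": r"C:\Windows\SysWOW64\PING.EXE", "CommandLine": "ping 127.0.0.1 -n 2"},
    {"EventID": 1, "ProcessId": 4220, "ParentProcessId": 1576,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\fpnzx.exe",
     "CommandLine": r'C:\Users\Admin\AppData\Local\Temp\\fpnzx.exe "' + SAMPLE + '"'},
    {"EventID": 1, "ProcessId": 4444, "ParentProcessId": 4220,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'c:\windows\system32\rundll32.exe "c:\Program Files\qhagapok\xmckn.dll",Verify'},
    {"EventID": 13, "ProcessId": 4444, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx",
     "Details": r'c:\windows\SysWOW64\rundll32.exe "c:\Program Files\qhagapok\xmckn.dll",Verify'},
    # Benign controls (constructed): a stock rundll32 use and an ordinary Run value.
    {"EventID": 1, "ProcessId": 5100, "ParentProcessId": 700,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"EventID": 13, "ProcessId": 5200, "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

# "ping 127.0.0.1 -n N & <path>.exe": localhost ping used as a sleep before a relaunch.
PING_RELAUNCH = re.compile(
    r'ping\s+127\.0\.0\.1\s+-n\s+\d+\s*&+\s*"?([A-Za-z]:\\[^"&\s]+\.exe)', re.I)
# "rundll32[.exe] <dll>,<export>" with the DLL path and export name captured.
RUNDLL_EXPORT = re.compile(
    r'rundll32(?:\.exe)?\s+"?([A-Za-z]:\\[^",]+\.dll)"?\s*,\s*(\w+)', re.I)


def rule_ping_relaunch(ev):
    """cmd.exe that sleeps via ping 127.0.0.1 and then starts another binary (PID 1576 here)."""
    if ev["EventID"] != 1 or not ev["Image"].lower().endswith(r"\cmd.exe"):
        return None
    m = PING_RELAUNCH.search(ev["CommandLine"])
    if not m:
        return None
    return {"rule": "ping_relaunch", "pid": ev["ProcessId"], "launches": m.group(1)}


def rule_rundll32_outside_windows(ev):
    """rundll32 calling an export from a DLL that does not live under the Windows directory."""
    if ev["EventID"] != 1 or not ev["Image"].lower().endswith(r"\rundll32.exe"):
        return None
    m = RUNDLL_EXPORT.search(ev["CommandLine"])
    if not m or "\\windows\\" in m.group(1).lower():
        return None
    return {"rule": "rundll32_outside_windows", "pid": ev["ProcessId"],
            "dll": m.group(1), "export": m.group(2)}


def rule_run_key_rundll32(ev):
    """Run-key value whose data is a rundll32 <dll>,<export> command (the Dotx value here)."""
    if ev["EventID"] != 13 or "\\currentversion\\run\\" not in ev["TargetObject"].lower():
        return None
    m = RUNDLL_EXPORT.search(ev["Details"])
    if not m:
        return None
    return {"rule": "run_key_rundll32", "pid": ev["ProcessId"],
            "value": ev["TargetObject"].rsplit("\\", 1)[1],
            "dll": m.group(1), "export": m.group(2)}


def ancestry(events, pid):
    """Follow ParentProcessId links back to the root; returns image basenames, root first."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["Image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ParentProcessId"]
    return chain[::-1]


def scan(events):
    """Run every rule over every event and attach the process lineage to each hit."""
    findings = []
    for ev in events:
        for rule in (rule_ping_relaunch, rule_rundll32_outside_windows, rule_run_key_rundll32):
            hit = rule(ev)
            if hit:
                hit["ancestry"] = ancestry(events, hit["pid"])
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

On the sample events the three rules fire exactly once each and the benign rundll32 and OneDrive entries stay silent; the lineage attached to the rundll32 hit is the sample, then cmd.exe, then fpnzx.exe, then rundll32.exe, which is the tree shown above. Because the image paths in real telemetry come back as SysWOW64 for this 32-bit chain, the rules match on the trailing file name rather than on a full path.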
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
File 1
  Filesize: 407KB
  MD5: 7ea84d59a12eb22e52053d2fa114f884
  SHA1: b7bfd51918c22eb428ad031f8033374e99182e4f
  SHA256: 37d2250b276f71263ab5a26942c00246ad086552ef188c0a8b7e085fb523c608
  SHA512: 0f2ee6903d69af915cf772900a4081e3ece19286db2854f4ce4ae6867b72d9e4bc8a5636bc9684e0f84b897eb8f006424e4c9157f338523e5ec4fdf9db92b66b
File 2
  Filesize: 228KB
  MD5: 55313b256fa3d0d3e508221acffd7bc4
  SHA1: 7f5f8db070995436578dee2989e7ba7e97274bd6
  SHA256: 51fc74c4fba233c44b22029df9cbad6400a1830ade7f0b707dd61332041a1138
  SHA512: ba58cb41992dff1142773ab80f8e5aae8f67d7cd1e25b714a8e8ceceeecc35474587b8ac3a5f48f8d02765d473c5cefc5c5b0d58f981506b39a38e5041424cbd
(The report does not name these files. The first has the same size as the submitted sample but different hashes, so it is not a byte-identical copy; block or hunt on all three hash sets rather than on the submitted sample alone.)