Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-06-2024 15:33
Static task: static1
Behavioral task: behavioral1
  Sample: fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe
  Resource: win10v2004-20240508-en
General
Target: fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe
Size: 407KB
MD5: ffba07a5701366399cfafa6e489dee91
SHA1: 4905817f27d651cfef4021426e476b37f6a25a0d
SHA256: fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa
SHA512: b71ba8015cd7b65148f7ddf16f8015b70a045e50931c9b00bc41b89f7cff141854fde5deb8ca39708629b440365dd21acfd8058b27695c44a2e7f1f8d642077d
SSDEEP: 6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse
Malware Config
Signatures
Blocklisted process makes network request (8 IoCs)
Processes: rundll32.exe (PID 3628), network flows 2, 7, 9, 10, 15, 16, 17, 18

Deletes itself (1 IoC)
Processes: lkcpc.exe (PID 4816)

Executes dropped EXE (1 IoC)
Processes: lkcpc.exe (PID 4816)

Loads dropped DLL (1 IoC)
Processes: rundll32.exe (PID 3628)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: rundll32.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\nfjbtb\\ohmmy.dll\",Verify" (rundll32.exe)

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: rundll32.exe
- File opened (read-only) by rundll32.exe: \??\k:, \??\m:, \??\q:, \??\w:, \??\x:, \??\s:, \??\u:, \??\e:, \??\h:, \??\i:, \??\n:, \??\o:, \??\p:, \??\y:, \??\b:, \??\g:, \??\j:, \??\l:, \??\v:, \??\a:, \??\r:, \??\t:, \??\z:

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: rundll32.exe
- File opened for modification: \??\PHYSICALDRIVE0 (rundll32.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes: rundll32.exe (PID 3628)

Drops file in Program Files directory (2 IoCs)
Processes: lkcpc.exe
- File opened for modification: \??\c:\Program Files\nfjbtb (lkcpc.exe)
- File created: \??\c:\Program Files\nfjbtb\ohmmy.dll (lkcpc.exe)

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: rundll32.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (rundll32.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (rundll32.exe)

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: rundll32.exe (PID 3628), 64 occurrences

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: rundll32.exe
- Token: SeDebugPrivilege (PID 3628, rundll32.exe)

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe (PID 1580), lkcpc.exe (PID 4816)

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe, cmd.exe, lkcpc.exe
- PID 1580 (fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe) wrote to memory of PID 4856 (cmd.exe), 3 events
- PID 4856 (cmd.exe) wrote to memory of PID 220 (PING.EXE), 3 events
- PID 4856 (cmd.exe) wrote to memory of PID 4816 (lkcpc.exe), 3 events
- PID 4816 (lkcpc.exe) wrote to memory of PID 3628 (rundll32.exe), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe (PID 1580)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4856)
    Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\lkcpc.exe "C:\Users\Admin\AppData\Local\Temp\fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 220)
      Command line: ping 127.0.0.1 -n 2
      - Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\lkcpc.exe (PID 4816)
      Command line: C:\Users\Admin\AppData\Local\Temp\\lkcpc.exe "C:\Users\Admin\AppData\Local\Temp\fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe"
      - Deletes itself
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\SysWOW64\rundll32.exe (PID 3628)
        Command line: c:\windows\system32\rundll32.exe "c:\Program Files\nfjbtb\ohmmy.dll",Verify C:\Users\Admin\AppData\Local\Temp\lkcpc.exe
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Adds Run key to start application
        - Enumerates connected drives
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads