Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-06-2024 15:33

General

  • Target

    fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe

  • Size

    407KB

  • MD5

    ffba07a5701366399cfafa6e489dee91

  • SHA1

    4905817f27d651cfef4021426e476b37f6a25a0d

  • SHA256

    fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa

  • SHA512

    b71ba8015cd7b65148f7ddf16f8015b70a045e50931c9b00bc41b89f7cff141854fde5deb8ca39708629b440365dd21acfd8058b27695c44a2e7f1f8d642077d

  • SSDEEP

    6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse

Malware Config

Signatures

  • Blocklisted process makes network request 8 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe
    "C:\Users\Admin\AppData\Local\Temp\fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\lkcpc.exe "C:\Users\Admin\AppData\Local\Temp\fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4856
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:220
      • C:\Users\Admin\AppData\Local\Temp\lkcpc.exe
        C:\Users\Admin\AppData\Local\Temp\\lkcpc.exe "C:\Users\Admin\AppData\Local\Temp\fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4816
        • \??\c:\windows\SysWOW64\rundll32.exe
          c:\windows\system32\rundll32.exe "c:\Program Files\nfjbtb\ohmmy.dll",Verify C:\Users\Admin\AppData\Local\Temp\lkcpc.exe
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3628

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\lkcpc.exe

    Filesize

    407KB

    MD5

    91811aeb971dc80606734b16447f071c

    SHA1

    4c2e86986cab4509cb28dda07fdc842957c939aa

    SHA256

    08d9bdb4ce922dca35ca8802c1542ef08e29dd75515dcf7b7727b027238453aa

    SHA512

    ed8efe6d05c4d9250799e7c5b39fdf78cce79dd45ba8b1326234ac8f7146a0fe25c2e45890650b994910216cdeb82b3df758ffc35429b9a858ac9466355c84cc

  • \??\c:\Program Files\nfjbtb\ohmmy.dll

    Filesize

    228KB

    MD5

    7714c6ef582fe8164e7ba84dd83cdaf5

    SHA1

    24e147cf93d5a2c3446a178b7dabff8610a10d30

    SHA256

    fec53849b1122f00824df194904cf2eea31d3af2a37a6f7e715ed79535afd691

    SHA512

    67a0039669e572c692d4ed1b91b1d51f4989a7cb87c33a518d94c774942ef22debdbf9f1e35769e72d393d3ad5f95882621af6bd5e25661a8837ed2d9d25e01c

  • memory/1580-0-0x0000000000400000-0x0000000000464000-memory.dmp

    Filesize

    400KB

  • memory/1580-2-0x0000000000400000-0x0000000000464000-memory.dmp

    Filesize

    400KB

  • memory/3628-11-0x0000000010000000-0x0000000010080000-memory.dmp

    Filesize

    512KB

  • memory/3628-12-0x0000000010000000-0x0000000010080000-memory.dmp

    Filesize

    512KB

  • memory/3628-14-0x0000000010000000-0x0000000010080000-memory.dmp

    Filesize

    512KB

  • memory/4816-6-0x0000000000400000-0x0000000000464000-memory.dmp

    Filesize

    400KB

  • memory/4816-8-0x0000000000400000-0x0000000000464000-memory.dmp

    Filesize

    400KB