Analysis
max time kernel: 140s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-06-2024 03:34
Static task: static1
Behavioral task: behavioral1
  Sample: eecbe0ee158252e585f11e95a43462649a90440717091cecc2d8b4e030ce6446.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: eecbe0ee158252e585f11e95a43462649a90440717091cecc2d8b4e030ce6446.exe
  Resource: win10v2004-20240508-en
General
Target: eecbe0ee158252e585f11e95a43462649a90440717091cecc2d8b4e030ce6446.exe
Size: 264KB
MD5: b07f706f25b6c1d3f9a62e3dd285f7c7
SHA1: 86a683855feb8ef56ae0060c10eef3cdbed4c4dc
SHA256: eecbe0ee158252e585f11e95a43462649a90440717091cecc2d8b4e030ce6446
SHA512: 0f82fa6f36b770e4f0b79d2cffd2ba25be34037308650b503bc099979e07241da05ca07888e264120700fa7bef9b5746ebab247d99da13f5138e3285885f6ea2
SSDEEP: 6144:uf4/sJYWEbhtwaBV5ZFDQH7i6aEaS/vsd9YoeVjs:uf4QlGD3BV5ZFDfSRsd9YRBs
Malware Config
Signatures
Detects executables containing base64 encoded User Agent (2 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/3052-16-0x0000000010000000-0x000000001006F000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
  behavioral2/memory/3052-18-0x0000000010000000-0x000000001006F000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent

Deletes itself (1 IoCs)
  pid   process
  4796  pylzd.exe

Executes dropped EXE (2 IoCs)
  pid   process
  4796  pylzd.exe
  3052  bykksnqp.exe

Loads dropped DLL (1 IoCs)
  pid   process
  3052  bykksnqp.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
  process: bykksnqp.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cache = "c:\\Program Files\\zrrkb\\bykksnqp.exe \"c:\\Program Files\\zrrkb\\bykksnqp.dll\",Cache"

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  process: bykksnqp.exe
  description: File opened (read-only)
  ioc (23 roots, in the order recorded): \??\s: \??\w: \??\y: \??\g: \??\l: \??\p: \??\r: \??\z: \??\h: \??\i: \??\m: \??\b: \??\k: \??\x: \??\n: \??\o: \??\q: \??\t: \??\u: \??\a: \??\e: \??\j: \??\v:
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  process: bykksnqp.exe
  description: File opened for modification
  ioc: \??\PHYSICALDRIVE0
The IoC is a write-access handle on the physical drive object; the report records the open, not the sectors written, so an actual MBR change should be confirmed by comparing sector 0 of the disk image before and after the run.
Drops file in Program Files directory (4 IoCs)
  process: pylzd.exe
  File opened for modification  \??\c:\Program Files\zrrkb
  File created                  \??\c:\Program Files\zrrkb\bykksnqp.dll
  File created                  \??\c:\Program Files\zrrkb\bykksnqp.exe
  File opened for modification  \??\c:\Program Files\zrrkb\bykksnqp.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  process: bykksnqp.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   process
  3052  bykksnqp.exe  (recorded 4 times)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  3052  bykksnqp.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   process
  4128  eecbe0ee158252e585f11e95a43462649a90440717091cecc2d8b4e030ce6446.exe
  4796  pylzd.exe

Suspicious use of WriteProcessMemory (12 IoCs; each source/target pair is recorded three times)
  source pid  source process                                                          target pid  target process
  4128        eecbe0ee158252e585f11e95a43462649a90440717091cecc2d8b4e030ce6446.exe  3044        cmd.exe
  3044        cmd.exe                                                                 1664        PING.EXE
  3044        cmd.exe                                                                 4796        pylzd.exe
  4796        pylzd.exe                                                               3052        bykksnqp.exe
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\eecbe0ee158252e585f11e95a43462649a90440717091cecc2d8b4e030ce6446.exe  (PID 4128)
  command line: "C:\Users\Admin\AppData\Local\Temp\eecbe0ee158252e585f11e95a43462649a90440717091cecc2d8b4e030ce6446.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  depth 2: C:\Windows\SysWOW64\cmd.exe  (PID 3044)
    command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\pylzd.exe "C:\Users\Admin\AppData\Local\Temp\eecbe0ee158252e585f11e95a43462649a90440717091cecc2d8b4e030ce6446.exe"
    - Suspicious use of WriteProcessMemory
    depth 3: C:\Windows\SysWOW64\PING.EXE  (PID 1664)
      command line: ping 127.0.0.1 -n 2
      - Runs ping.exe
    depth 3: C:\Users\Admin\AppData\Local\Temp\pylzd.exe  (PID 4796)
      command line: C:\Users\Admin\AppData\Local\Temp\\pylzd.exe "C:\Users\Admin\AppData\Local\Temp\eecbe0ee158252e585f11e95a43462649a90440717091cecc2d8b4e030ce6446.exe"
      - Deletes itself
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      depth 4: \??\c:\Program Files\zrrkb\bykksnqp.exe  (PID 3052)
        command line: "c:\Program Files\zrrkb\bykksnqp.exe" "c:\Program Files\zrrkb\bykksnqp.dll",Cache C:\Users\Admin\AppData\Local\Temp\pylzd.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Enumerates connected drives
        - Writes to the Master Boot Record (MBR)
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
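The process tree and signature tables above contain four behaviours worth turning into detection logic: a cmd.exe line that pings 127.0.0.1 twice as a delay and then launches pylzd.exe with the original sample's path as its argument (pylzd.exe in turn launches bykksnqp.exe with pylzd.exe's path as an argument); a Run key whose value is a private executable under c:\Program Files\zrrkb invoked with "bykksnqp.dll",Cache, i.e. a rundll32-style DLL-export call made by a custom loader; a write-access open of \??\PHYSICALDRIVE0; and 23 read-only opens of drive-letter roots from one PID. The Python below is an added example by the editor, not code from the report or from whoever analysed the sample. Its EVENTS list is constructed to mirror the report's IoCs (same PIDs, paths and Run key value) and is not real telemetry; the flat event schema, the function names and the drive-sweep threshold of 8 are assumptions made for the example, not a Sysmon or EDR format.

```python
"""Detection checks for the behaviours recorded in the report above.

Added example; not code from the report or the sample. EVENTS is constructed
to mirror the report's process tree and signature tables and is not real
telemetry. The flat event schema is an assumption, not a Sysmon/EDR format.
"""
import re
from collections import defaultdict

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "eecbe0ee158252e585f11e95a43462649a90440717091cecc2d8b4e030ce6446.exe"
SAMPLE_PATH = TMP + "\\" + SAMPLE
STAGE2 = r"c:\Program Files\zrrkb\bykksnqp.exe"
STAGE2_DLL = r"c:\Program Files\zrrkb\bykksnqp.dll"
RUN_KEY_PATH = (r"\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000"
                r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cache")

EVENTS = [
    {"kind": "proc", "pid": 4128, "ppid": None, "image": SAMPLE_PATH,
     "cmdline": '"' + SAMPLE_PATH + '"'},
    # ping-as-sleep, then launch the dropped copy; the '\\' before pylzd.exe is as logged
    {"kind": "proc", "pid": 3044, "ppid": 4128, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "cmd.exe /c ping 127.0.0.1 -n 2&" + TMP + '\\\\pylzd.exe "' + SAMPLE_PATH + '"'},
    {"kind": "proc", "pid": 1664, "ppid": 3044, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1 -n 2"},
    {"kind": "proc", "pid": 4796, "ppid": 3044, "image": TMP + r"\pylzd.exe",
     "cmdline": TMP + '\\\\pylzd.exe "' + SAMPLE_PATH + '"'},
    {"kind": "proc", "pid": 3052, "ppid": 4796, "image": STAGE2,
     "cmdline": '"' + STAGE2 + '" "' + STAGE2_DLL + '",Cache ' + TMP + r"\pylzd.exe"},
    # Run key value in unescaped form (the report prints it with doubled backslashes)
    {"kind": "reg", "pid": 3052, "key": RUN_KEY_PATH,
     "value": STAGE2 + ' "' + STAGE2_DLL + '",Cache'},
    {"kind": "file", "pid": 3052, "path": r"\??\PHYSICALDRIVE0", "access": "write"},
]
# the 23 read-only root opens from "Enumerates connected drives", in the report's order
EVENTS += [{"kind": "file", "pid": 3052, "path": "\\??\\" + c + ":", "access": "read"}
           for c in "swyglprzhimbkxnoqtuaejv"]

# cmd.exe sleeping via ping to loopback, then running another executable
PING_DELAY = re.compile(
    r'ping\s+(?:127\.0\.0\.1|localhost)\s+-n\s+\d+\s*&+\s*"?(?P<next>[^"&]+?\.exe)',
    re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# "<exe> <dll>,<export>": rundll32-style export invocation by a private loader
EXPORT_CALL = re.compile(
    r'^\s*"?(?P<exe>[^"]+?\.exe)"?\s+"?(?P<dll>[^"]+?\.dll)"?\s*,\s*(?P<export>\w+)',
    re.IGNORECASE)
RAW_DISK = re.compile(r"PHYSICALDRIVE\d+$", re.IGNORECASE)
DRIVE_ROOT = re.compile(r"^\\\?\?\\([a-z]):$", re.IGNORECASE)


def ping_delay_chains(events):
    """(cmd pid, launched path) for each cmd.exe that pings loopback and then starts something."""
    hits = []
    for ev in events:
        if ev["kind"] == "proc" and ev["image"].lower().endswith("\\cmd.exe"):
            m = PING_DELAY.search(ev["cmdline"])
            if m:
                hits.append((ev["pid"], m.group("next")))
    return hits


def suspicious_run_keys(events):
    """Run/RunOnce values whose launcher is outside C:\\Windows and names a DLL export."""
    hits = []
    for ev in events:
        if ev["kind"] != "reg" or not RUN_KEY.search(ev["key"]):
            continue
        m = EXPORT_CALL.match(ev["value"])
        if not m or m.group("exe").lower().startswith("c:\\windows\\"):
            continue
        hits.append({"pid": ev["pid"], "name": ev["key"].rsplit("\\", 1)[-1],
                     "exe": m.group("exe"), "dll": m.group("dll"), "export": m.group("export")})
    return hits


def raw_disk_writes(events):
    """(pid, path) for write-access opens of a physical drive object (user-mode reach to the MBR)."""
    return [(ev["pid"], ev["path"]) for ev in events
            if ev["kind"] == "file" and ev["access"] == "write" and RAW_DISK.search(ev["path"])]


def drive_sweeps(events, threshold=8):
    """{pid: number of distinct drive-letter roots opened} for pids at or above the threshold."""
    roots = defaultdict(set)
    for ev in events:
        if ev["kind"] == "file":
            m = DRIVE_ROOT.match(ev["path"])
            if m:
                roots[ev["pid"]].add(m.group(1).lower())
    return {pid: len(s) for pid, s in roots.items() if len(s) >= threshold}


def ancestry(events, pid):
    """Image names from the tree root down to pid, tying a persisted stage back to the sample."""
    procs = {ev["pid"]: ev for ev in events if ev["kind"] == "proc"}
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"].rsplit("\\", 1)[-1])
        pid = procs[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for check in (ping_delay_chains, suspicious_run_keys, raw_disk_writes, drive_sweeps):
        print(check.__name__, check(EVENTS))
    print("chain to PID 3052:", " -> ".join(ancestry(EVENTS, 3052)))
```

Run against the constructed events, the checks return the cmd.exe delay chain (PID 3044 launching pylzd.exe), the Run key "Cache" pointing at bykksnqp.exe with export Cache of bykksnqp.dll, the write-access open of \??\PHYSICALDRIVE0 by PID 3052, and 23 distinct drive roots for PID 3052; ancestry() walks the ppid links back to the submitted sample. On real telemetry the same rules would need the Run key path normalised (HKU\... vs \REGISTRY\USER\...) and the raw-disk check widened to \\.\PhysicalDriveN as user-mode code usually spells it.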
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
C:\Program Files\zrrkb\bykksnqp.exe
  Filesize: 60KB
  MD5: 889b99c52a60dd49227c5e485a016679
  SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
  SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
  SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

C:\Users\Admin\AppData\Local\Temp\pylzd.exe
  Filesize: 264KB (same size as the submitted sample, but different MD5/SHA1/SHA256, so not a byte-identical copy)
  MD5: e235de10ee0e1064948a14803a51e772
  SHA1: 71ff6a28492854a33c5f9b8755d01e6a4e7a7117
  SHA256: 2399d86ab0e9708d38b28571c609616235e27dbc59d205467bf5ee48abe14e2f
  SHA512: 264d7a54138ca7c71d85ed64531f0566496454c55a470f7f65ff6f52bd7d44ac8f8da7d18e5fe6d73d0c259182bc02d4d2b5964c8fcf812a961ad364e17e1d13

\??\c:\Program Files\zrrkb\bykksnqp.dll
  Filesize: 188KB
  MD5: 721b43c9cec5114c7dc3bb7c3961638a
  SHA1: 66460771e6876e6a9aee546682e2c30a3881f15c
  SHA256: 858bc90f161a3bdf8b38613c369a2c2e7252d4f9b9ae0528e5ab3350689bcef0
  SHA512: f6697ac3c29c776ed292c571dac7ca11de4eca69e2a5b7ab0419c66bbc074f3dad87efcbbd4b3fa4a2f1cc4c6976a8ba7a164a2fd152ec4388ea4f230183d4fc

Memory dumps (pid-sequence-start-end of the dumped region)
  memory/3052-15-0x0000000010000000-0x000000001006F000-memory.dmp  444KB
  memory/3052-16-0x0000000010000000-0x000000001006F000-memory.dmp  444KB
  memory/3052-18-0x0000000010000000-0x000000001006F000-memory.dmp  444KB
  memory/4128-0-0x0000000000400000-0x000000000048C050-memory.dmp   560KB
  memory/4128-2-0x0000000000400000-0x000000000048C050-memory.dmp   560KB
  memory/4796-6-0x0000000000400000-0x000000000048C050-memory.dmp   560KB
  memory/4796-11-0x0000000000400000-0x000000000048C050-memory.dmp  560KB