Analysis

max time kernel: 143s
max time network: 152s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 16-06-2024 23:21
Behavioral task: behavioral1
Sample: 85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe
Resource: win7-20240611-en

Behavioral task: behavioral2
Sample: 85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe
Resource: win10v2004-20240226-en

The signatures, memory dumps and process tree below come from behavioral1 (the Windows 7 x64 image); behavioral2 ran the same sample on the Windows 10 image.
General

Target: 85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe
Size: 199KB
MD5: e9992c2a025407bc6620f7072c5f5208
SHA1: 0b2a7bd44a0eb46974cee4eb5b11ea52414ed794
SHA256: 85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5
SHA512: 419c8dffa745ad64c037fd265558bba0c94c63078b5477b58520273e71644958df82cf7dd6d5c210d618a7ada1d1a8582a7598b954aabba648b0208761d59556
SSDEEP: 3072:a74MyJjjlLzVjN50BdQqlYgp72xzbuawaGO0OJw8KWs6IgVLE7QkfIA:awj30dlZ+GVaRVLE7QkfI
Malware Config
Signatures
Detects executables containing base64 encoded User Agent (4 IoCs)
YARA rule INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent matched four memory dumps of rundll32.exe (PID 3064), all covering the same region 0x10000000-0x10056000. 0x10000000 is the default image base for DLLs, so this region is most likely the loaded njxtq.dll rather than rundll32.exe itself.
- behavioral1/memory/3064-16-0x0000000010000000-0x0000000010056000-memory.dmp
- behavioral1/memory/3064-18-0x0000000010000000-0x0000000010056000-memory.dmp
- behavioral1/memory/3064-20-0x0000000010000000-0x0000000010056000-memory.dmp
- behavioral1/memory/3064-22-0x0000000010000000-0x0000000010056000-memory.dmp

Blocklisted process makes network request (7 IoCs)
rundll32.exe (PID 3064) made network requests on flows 4, 5, 6, 7, 8, 10 and 11.

Deletes itself (1 IoC)
uxdntjqwx.exe (PID 2864)

Executes dropped EXE (1 IoC)
uxdntjqwx.exe (PID 2864)

Loads dropped DLL (6 IoCs)
cmd.exe (PID 1284): 2 loads
rundll32.exe (PID 3064): 4 loads

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

YARA rule upx matched (4 IoCs)
The UPX packer rule matched the original sample in memory (PID 1688), the dropped file on disk, and the dropped file in memory (PID 2864). The same 0x400000-0x44A000 image range in both processes is consistent with uxdntjqwx.exe being a copy of the sample.
- behavioral1/memory/1688-0-0x0000000000400000-0x000000000044A000-memory.dmp
- behavioral1/memory/1688-3-0x0000000000400000-0x000000000044A000-memory.dmp
- \Users\Admin\AppData\Local\Temp\uxdntjqwx.exe
- behavioral1/memory/2864-10-0x0000000000400000-0x000000000044A000-memory.dmp

Adds Run key to start application (2 TTPs, 1 IoC)
rundll32.exe (PID 3064) set a string value under the current user's Run key:
Key: \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run
Name: Micro
Data: c:\windows\SysWOW64\rundll32.exe "c:\Program Files\ptvdu\njxtq.dll",method
The autorun entry relaunches the payload through rundll32.exe by calling the export named method in the dropped DLL, so the Run key points at a signed Windows binary rather than at the malware directly.

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
rundll32.exe (PID 3064) opened the root of 23 drive letters read-only, every letter except c:, d: and f:
\??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
rundll32.exe (PID 3064) opened \??\PHYSICALDRIVE0 for modification. The evidence is a write-access handle on the raw disk device, which is what an MBR overwrite needs; the sector contents written are not shown in this report.

Drops file in Program Files directory (2 IoCs)
uxdntjqwx.exe (PID 2864) opened \??\c:\Program Files\ptvdu for modification and created \??\c:\Program Files\ptvdu\njxtq.dll.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
rundll32.exe (PID 3064) opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 and queried the value ProcessorNameString.

Runs ping.exe (1 TTP, 1 IoC)
PING.EXE (PID 3044), spawned by cmd.exe as ping 127.0.0.1 -n 2 (see the process tree). Pinging loopback with -n is a common substitute for sleep: two echo requests take about one second before the next command in the cmd.exe line runs.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
rundll32.exe (PID 3064), twice

Suspicious use of AdjustPrivilegeToken (1 IoC)
rundll32.exe (PID 3064) adjusted its token to enable SeDebugPrivilege.

Suspicious use of SetWindowsHookEx (2 IoCs)
85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe (PID 1688)
uxdntjqwx.exe (PID 2864)

Suspicious use of WriteProcessMemory (19 IoCs)
The writes follow the process tree exactly, each parent writing into the child it had just created (repeated rows collapsed to one line each). Writes into a freshly created child also occur during normal process start-up, so on their own they are a weak indicator; the value here is that they confirm the parent-child chain.
- PID 1688 (85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe) wrote to PID 1284 (cmd.exe), 4 writes
- PID 1284 (cmd.exe) wrote to PID 3044 (PING.EXE), 4 writes
- PID 1284 (cmd.exe) wrote to PID 2864 (uxdntjqwx.exe), 4 writes
- PID 2864 (uxdntjqwx.exe) wrote to PID 3064 (rundll32.exe), 7 writes
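Three of the signatures above (the rundll32 Run key, the drive-letter sweep and the PHYSICALDRIVE0 write handle) can be turned into triage checks that run over sandbox or EDR file and registry events. The following is an added example written for this page, not code from the sandbox or from the sample. The Run value and the event records are taken from this report's IoCs (PID 3064 rundll32.exe); the record layout, the benign explorer.exe rows, the trusted-directory list and the sweep threshold are this example's own assumptions.

```python
"""Triage checks over file/registry events: rundll32 proxying a DLL from a
Run key, a drive-letter enumeration sweep, and a write handle on the raw disk.

Added example, not sandbox code. Events below are constructed from this
report's IoCs; the record shape and the benign rows are assumptions.
"""
import re
from collections import defaultdict

# The Run value as recorded in the report (JSON-style escaping removed).
RUN_VALUE = r'c:\windows\SysWOW64\rundll32.exe "c:\Program Files\ptvdu\njxtq.dll",method'

# Assumption: DLLs rundll32 loads from these directories are expected.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# <rundll32 path> <dll>,<export>, optional quotes around either path.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?P<exe>[^"\s]*rundll32\.exe)"?\s+'
    r'"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>[^\s,]+)',
    re.IGNORECASE,
)
DRIVE_ROOT_RE = re.compile(r"^\\\?\?\\([a-z]):\\?$", re.IGNORECASE)
RAW_DISK_RE = re.compile(r"^\\\?\?\\PHYSICALDRIVE\d+$", re.IGNORECASE)


def parse_rundll32(cmdline):
    """Split a rundll32 command line into exe, dll and export; None if it is not one."""
    m = RUNDLL32_RE.match(cmdline)
    return m.groupdict() if m else None


def is_suspicious_rundll32_autorun(cmdline):
    """True when an autorun value uses rundll32.exe to load a DLL from outside
    the Windows system directories (here c:\\Program Files\\ptvdu\\njxtq.dll).
    A bare DLL name resolves through the search order and is not judged here."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return False
    dll = parsed["dll"].strip().lower()
    if "\\" not in dll:
        return False
    return not dll.startswith(TRUSTED_DLL_DIRS)


def drive_sweeps(events, threshold=8):
    """pid -> sorted drive letters for processes that opened at least
    `threshold` distinct drive roots read-only. Ordinary software touches a
    couple of drives; 23 of 26 letters is an enumeration sweep."""
    seen = defaultdict(set)
    for ev in events:
        m = DRIVE_ROOT_RE.match(ev["path"])
        if m and ev["op"] == "open_read":
            seen[ev["pid"]].add(m.group(1).lower())
    return {pid: sorted(s) for pid, s in seen.items() if len(s) >= threshold}


def raw_disk_writes(events):
    """(pid, image, path) for every write-access open of a physical drive
    device, the handle an MBR overwrite needs."""
    return [(ev["pid"], ev["image"], ev["path"])
            for ev in events
            if ev["op"] == "open_write" and RAW_DISK_RE.match(ev["path"])]


def report_events():
    """Constructed events mirroring the report: the 23 drive roots rundll32
    opened (every letter but c, d and f), its PHYSICALDRIVE0 write handle,
    plus two benign explorer.exe opens as noise (assumed, not in the report)."""
    def ev(pid, image, op, path):
        return {"pid": pid, "image": image, "op": op, "path": path}
    events = [ev(3064, "rundll32.exe", "open_read", f"\\??\\{c}:")
              for c in "abeghijklmnopqrstuvwxyz"]
    events.append(ev(3064, "rundll32.exe", "open_write", "\\??\\PHYSICALDRIVE0"))
    events += [ev(1200, "explorer.exe", "open_read", "\\??\\c:"),
               ev(1200, "explorer.exe", "open_read", "\\??\\d:")]
    return events


if __name__ == "__main__":
    evs = report_events()
    print("rundll32 autorun suspicious:", is_suspicious_rundll32_autorun(RUN_VALUE))
    print("drive sweeps:", drive_sweeps(evs))
    print("raw disk writes:", raw_disk_writes(evs))
```

The rundll32 check deliberately ignores bare DLL names such as shell32.dll: they are resolved through the DLL search order, and deciding whether that resolution is hijackable needs the file system state, not just the registry value. The sweep threshold of 8 is a tuning knob; the point is that the malware touched 23 letters in quick succession from one process.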
Processes

C:\Users\Admin\AppData\Local\Temp\85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe (PID 1688)
  Command line: "C:\Users\Admin\AppData\Local\Temp\85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 1284)
    Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\uxdntjqwx.exe "C:\Users\Admin\AppData\Local\Temp\85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (PID 3044)
      Command line: ping 127.0.0.1 -n 2
      - Runs ping.exe

    C:\Users\Admin\AppData\Local\Temp\uxdntjqwx.exe (PID 2864)
      Command line: C:\Users\Admin\AppData\Local\Temp\\uxdntjqwx.exe "C:\Users\Admin\AppData\Local\Temp\85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe"
      - Deletes itself
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\SysWOW64\rundll32.exe (PID 3064)
        Command line: c:\windows\system32\rundll32.exe "c:\Program Files\ptvdu\njxtq.dll",method C:\Users\Admin\AppData\Local\Temp\uxdntjqwx.exe
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Adds Run key to start application
        - Enumerates connected drives
        - Writes to the Master Boot Record (MBR)
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

The chain is: the sample starts cmd.exe, which pings loopback as a short delay and then runs the dropped copy uxdntjqwx.exe with the original sample's path as its argument; that copy is the process credited with deleting the original, drops njxtq.dll into c:\Program Files\ptvdu and launches it through rundll32.exe, which then performs all of the persistence, drive enumeration, raw disk and network activity. Note that the rundll32 command line names c:\windows\system32\rundll32.exe while the image that actually ran is the SysWOW64 copy: the parent is a 32-bit process, so WoW64 file system redirection maps System32 to SysWOW64, and a detection keyed on the literal System32 path in the command line would miss it.
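The WriteProcessMemory rows and the cmd.exe command line above are enough to reconstruct the tree and to recognise the "ping loopback, then run the dropped copy" idiom mechanically. The following is an added example written for this page, not code from the sandbox or from the sample. The write rows and command lines are copied from this report; the record layout and the second, alternative command line in the test are this example's own.

```python
"""Rebuild the process tree from the WriteProcessMemory rows and detect the
'ping <loopback> -n N & <dropped exe>' delay-and-relaunch idiom.

Added example, not sandbox code. Rows and command lines are copied from
this report; the record layout is this example's own.
"""
import re
from collections import defaultdict

SAMPLE = "85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe"

# (parent_pid, parent_image, child_pid, child_image): one tuple per
# 'PID x wrote to memory of y' row in the report, repeats included.
WRITE_ROWS = (
    [(1688, SAMPLE, 1284, "cmd.exe")] * 4
    + [(1284, "cmd.exe", 3044, "PING.EXE")] * 4
    + [(1284, "cmd.exe", 2864, "uxdntjqwx.exe")] * 4
    + [(2864, "uxdntjqwx.exe", 3064, "rundll32.exe")] * 7
)

# cmd.exe's command line from the process tree.
CMDLINE = (r'cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\uxdntjqwx.exe '
           r'"C:\Users\Admin\AppData\Local\Temp\85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe"')

# ping <host> -n N  (or  ping -n N <host>)  &  <exe> [argument]
PING_DELAY_RE = re.compile(
    r'ping(?:\.exe)?\s+(?:-n\s+(?P<n1>\d+)\s+\S+|\S+\s+-n\s+(?P<n2>\d+))'
    r'\s*&+\s*(?P<exe>"[^"]+"|\S+)(?:\s+(?P<arg>.+))?',
    re.IGNORECASE,
)


def build_tree(rows):
    """Collapse repeated rows into parent -> [children] (first-seen order)
    and a pid -> image map. Only the edges are kept: a parent writing into
    a child it has just created also happens during normal process start-up,
    so the number of writes carries no signal by itself."""
    children = defaultdict(list)
    image = {}
    for ppid, pimg, cpid, cimg in rows:
        image[ppid], image[cpid] = pimg, cimg
        if cpid not in children[ppid]:
            children[ppid].append(cpid)
    return children, image


def roots(children):
    """Pids that never appear as anyone's child."""
    all_children = {c for cs in children.values() for c in cs}
    return [p for p in children if p not in all_children]


def render(children, image, pid, depth=0):
    """Indented text lines for the subtree under pid."""
    lines = [f"{'  ' * depth}{pid} {image[pid]}"]
    for c in children.get(pid, []):
        lines.extend(render(children, image, c, depth + 1))
    return lines


def ping_delay_launch(cmdline):
    """Detect 'ping <host> -n N & <program> [arg]'. ping -n N takes roughly
    N-1 seconds, so this is a sleep before launching a second binary, often
    so a dropped copy can outlive and delete its parent. Returns the echo
    count, the launched image (quotes stripped), its argument, and whether
    the image lives under a Temp directory; None if the idiom is absent."""
    m = PING_DELAY_RE.search(cmdline)
    if not m:
        return None
    exe = m.group("exe").strip('"')
    arg = (m.group("arg") or "").strip().strip('"') or None
    return {
        "count": int(m.group("n1") or m.group("n2")),
        "exe": exe,
        "arg": arg,
        "from_temp": "\\temp\\" in exe.lower(),
    }


if __name__ == "__main__":
    children, image = build_tree(WRITE_ROWS)
    for root in roots(children):
        print("\n".join(render(children, image, root)))
    print(ping_delay_launch(CMDLINE))
```

For this report the relaunched image sits under the user's Temp directory and receives the original sample's path as its only argument, which is the shape to alert on: a cmd.exe child whose line contains a loopback ping followed by `&` and an executable outside Program Files or Windows.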
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (T1547): Registry Run Keys / Startup Folder (T1547.001), 1
- Pre-OS Boot (T1542): Bootkit (T1542.003), 1

Privilege Escalation
- Boot or Logon Autostart Execution (T1547): Registry Run Keys / Startup Folder (T1547.001), 1
Downloads

File 1
Filesize: 148KB
MD5: 16574eec8585aeccf3356cf4c8375931
SHA1: 2ce97e355ef5e3f20e3188782e317e7113b895e3
SHA256: f663d5c8eddb791b948e3e50c977d8d626bb188ed6c8d90edebf32cee7350115
SHA512: c8de53db42293f07a14d9db025fcc143a5e5635063823ff0ef92b679efbc46c228eedd0fc8443a5838a1eb7a3f3c439162819c1d1e2111eec4c88d6d269678da

File 2
Filesize: 199KB
MD5: 3d776d31259f5dd9d268a6eaa85fa393
SHA1: 0fe77f65fe574d2ead7c7145f73987c7f95867da
SHA256: 68a6d9d805b326cc3f8b786407b2aa3a00a7cabd00adfd05798d9b6f872b5de9
SHA512: 134350208326edc4dae19dd7123d6a47a4ae342802e9fce0efee1216a7bb2f0397a7982e1e5eaf634abfdcfe324d06641bf496f900cd978fcee0bc4ce0345776