Analysis

  • max time kernel
    151s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-06-2024 23:21

General

  • Target

    85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe

  • Size

    199KB

  • MD5

    e9992c2a025407bc6620f7072c5f5208

  • SHA1

    0b2a7bd44a0eb46974cee4eb5b11ea52414ed794

  • SHA256

    85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5

  • SHA512

    419c8dffa745ad64c037fd265558bba0c94c63078b5477b58520273e71644958df82cf7dd6d5c210d618a7ada1d1a8582a7598b954aabba648b0208761d59556

  • SSDEEP

    3072:a74MyJjjlLzVjN50BdQqlYgp72xzbuawaGO0OJw8KWs6IgVLE7QkfIA:awj30dlZ+GVaRVLE7QkfI

Malware Config

Signatures

  • Detects executables containing base64 encoded User Agent 3 IoCs
  • Blocklisted process makes network request 8 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe
    "C:\Users\Admin\AppData\Local\Temp\85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\dcmxuy.exe "C:\Users\Admin\AppData\Local\Temp\85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3764
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:3020
      • C:\Users\Admin\AppData\Local\Temp\dcmxuy.exe
        C:\Users\Admin\AppData\Local\Temp\\dcmxuy.exe "C:\Users\Admin\AppData\Local\Temp\85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1548
        • \??\c:\windows\SysWOW64\rundll32.exe
          c:\windows\system32\rundll32.exe "c:\Program Files\ulmzl\geyza.dll",method C:\Users\Admin\AppData\Local\Temp\dcmxuy.exe
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1052
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2368

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\dcmxuy.exe

      Filesize

      199KB

      MD5

      a1b9ed224cb2f14ff07edb60bee7458a

      SHA1

      508b5d5d299623e4f434b7895de5faf8c70c06d6

      SHA256

      2c0d5c85f5589228554ae6ccd7cfdcb70aaf52efff03d20e41b6a8ac6b9c0d87

      SHA512

      5c9f10f9dbc872a7bcc7ea6c808226f8b755e7e2975d449ed4a234e7fd5d3ac054d7a6f94f2d0ecc6679cbecf90d871719e80274fc9225201b30fb2fe4ddf7b3

    • \??\c:\Program Files\ulmzl\geyza.dll

      Filesize

      148KB

      MD5

      21f3e95ceabc201f87c4527cc2a7de2a

      SHA1

      9bea9b5d7d58d6dbb9ca81055903f0e0ff073675

      SHA256

      a4a40afee2e833a5a582d7b9d146d3c3e12fbaf10f522ff51939fbe512a5a8f3

      SHA512

      2e7c161b885b265ab680f113fd3b6055a3d04651e60be7f69a7a28c9597b36da87d8e50cabf91c99bcea9d27ec4eeba818c69c89f70ec8e066d601a41f72a2d3

    • memory/1052-13-0x0000000010000000-0x0000000010056000-memory.dmp

      Filesize

      344KB

    • memory/1052-14-0x0000000010050000-0x0000000010051000-memory.dmp

      Filesize

      4KB

    • memory/1052-11-0x0000000010000000-0x0000000010056000-memory.dmp

      Filesize

      344KB

    • memory/1052-15-0x0000000010000000-0x0000000010056000-memory.dmp

      Filesize

      344KB

    • memory/1548-6-0x0000000000400000-0x000000000044A000-memory.dmp

      Filesize

      296KB

    • memory/1548-8-0x0000000000400000-0x000000000044A000-memory.dmp

      Filesize

      296KB

    • memory/4024-0-0x0000000000400000-0x000000000044A000-memory.dmp

      Filesize

      296KB

    • memory/4024-2-0x0000000000400000-0x000000000044A000-memory.dmp

      Filesize

      296KB