Analysis
- max time kernel: 151s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-06-2024 23:21
Behavioral task behavioral1
- Sample: 85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe
- Resource: win7-20240611-en
Behavioral task behavioral2
- Sample: 85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe
- Resource: win10v2004-20240226-en
General
- Target: 85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe
- Size: 199KB
- MD5: e9992c2a025407bc6620f7072c5f5208
- SHA1: 0b2a7bd44a0eb46974cee4eb5b11ea52414ed794
- SHA256: 85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5
- SHA512: 419c8dffa745ad64c037fd265558bba0c94c63078b5477b58520273e71644958df82cf7dd6d5c210d618a7ada1d1a8582a7598b954aabba648b0208761d59556
- SSDEEP: 3072:a74MyJjjlLzVjN50BdQqlYgp72xzbuawaGO0OJw8KWs6IgVLE7QkfIA:awj30dlZ+GVaRVLE7QkfI
Malware Config
Signatures
Detects executables containing base64 encoded User Agent (3 IoCs)
Processes:
resource | yara_rule
- behavioral2/memory/1052-13-0x0000000010000000-0x0000000010056000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
- behavioral2/memory/1052-11-0x0000000010000000-0x0000000010056000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
- behavioral2/memory/1052-15-0x0000000010000000-0x0000000010056000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
Blocklisted process makes network request (8 IoCs)
Processes:
flow | pid | process
- 15 | 1052 | rundll32.exe
- 41 | 1052 | rundll32.exe
- 43 | 1052 | rundll32.exe
- 42 | 1052 | rundll32.exe
- 44 | 1052 | rundll32.exe
- 45 | 1052 | rundll32.exe
- 53 | 1052 | rundll32.exe
- 59 | 1052 | rundll32.exe
Deletes itself (1 IoC)
Processes:
pid | process
- 1548 | dcmxuy.exe
Executes dropped EXE (1 IoC)
Processes:
pid | process
- 1548 | dcmxuy.exe
Loads dropped DLL (1 IoC)
Processes:
pid | process
- 1052 | rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
resource | yara_rule
- behavioral2/memory/4024-0-0x0000000000400000-0x000000000044A000-memory.dmp | upx
- behavioral2/memory/4024-2-0x0000000000400000-0x000000000044A000-memory.dmp | upx
- C:\Users\Admin\AppData\Local\Temp\dcmxuy.exe | upx
- behavioral2/memory/1548-6-0x0000000000400000-0x000000000044A000-memory.dmp | upx
- behavioral2/memory/1548-8-0x0000000000400000-0x000000000044A000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Micro = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\ulmzl\\geyza.dll\",method" | rundll32.exe
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
- File opened (read-only) | \??\a: | rundll32.exe
- File opened (read-only) | \??\b: | rundll32.exe
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description | ioc | process
- File opened for modification | \??\PHYSICALDRIVE0 | rundll32.exe
Drops file in Program Files directory (2 IoCs)
Processes:
description | ioc | process
- File opened for modification | \??\c:\Program Files\ulmzl | dcmxuy.exe
- File created | \??\c:\Program Files\ulmzl\geyza.dll | dcmxuy.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
pid | process
- 1052 | rundll32.exe
- 1052 | rundll32.exe
- 1052 | rundll32.exe
- 1052 | rundll32.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
- Token: SeDebugPrivilege | 1052 | rundll32.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid | process
- 4024 | 85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe
- 1548 | dcmxuy.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
- PID 4024 wrote to memory of 3764 | 4024 | 85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe | cmd.exe
- PID 4024 wrote to memory of 3764 | 4024 | 85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe | cmd.exe
- PID 4024 wrote to memory of 3764 | 4024 | 85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe | cmd.exe
- PID 3764 wrote to memory of 3020 | 3764 | cmd.exe | PING.EXE
- PID 3764 wrote to memory of 3020 | 3764 | cmd.exe | PING.EXE
- PID 3764 wrote to memory of 3020 | 3764 | cmd.exe | PING.EXE
- PID 3764 wrote to memory of 1548 | 3764 | cmd.exe | dcmxuy.exe
- PID 3764 wrote to memory of 1548 | 3764 | cmd.exe | dcmxuy.exe
- PID 3764 wrote to memory of 1548 | 3764 | cmd.exe | dcmxuy.exe
- PID 1548 wrote to memory of 1052 | 1548 | dcmxuy.exe | rundll32.exe
- PID 1548 wrote to memory of 1052 | 1548 | dcmxuy.exe | rundll32.exe
- PID 1548 wrote to memory of 1052 | 1548 | dcmxuy.exe | rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe (PID 4024)
  Command line: "C:\Users\Admin\AppData\Local\Temp\85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3764)
    Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\dcmxuy.exe "C:\Users\Admin\AppData\Local\Temp\85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 3020)
      Command line: ping 127.0.0.1 -n 2
      - Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\dcmxuy.exe (PID 1548)
      Command line: C:\Users\Admin\AppData\Local\Temp\\dcmxuy.exe "C:\Users\Admin\AppData\Local\Temp\85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe"
      - Deletes itself
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\SysWOW64\rundll32.exe (PID 1052)
        Command line: c:\windows\system32\rundll32.exe "c:\Program Files\ulmzl\geyza.dll",method C:\Users\Admin\AppData\Local\Temp\dcmxuy.exe
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Adds Run key to start application
        - Enumerates connected drives
        - Writes to the Master Boot Record (MBR)
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2368)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
- Filesize: 199KB
  MD5: a1b9ed224cb2f14ff07edb60bee7458a
  SHA1: 508b5d5d299623e4f434b7895de5faf8c70c06d6
  SHA256: 2c0d5c85f5589228554ae6ccd7cfdcb70aaf52efff03d20e41b6a8ac6b9c0d87
  SHA512: 5c9f10f9dbc872a7bcc7ea6c808226f8b755e7e2975d449ed4a234e7fd5d3ac054d7a6f94f2d0ecc6679cbecf90d871719e80274fc9225201b30fb2fe4ddf7b3
- Filesize: 148KB
  MD5: 21f3e95ceabc201f87c4527cc2a7de2a
  SHA1: 9bea9b5d7d58d6dbb9ca81055903f0e0ff073675
  SHA256: a4a40afee2e833a5a582d7b9d146d3c3e12fbaf10f522ff51939fbe512a5a8f3
  SHA512: 2e7c161b885b265ab680f113fd3b6055a3d04651e60be7f69a7a28c9597b36da87d8e50cabf91c99bcea9d27ec4eeba818c69c89f70ec8e066d601a41f72a2d3