Analysis
-
max time kernel
111s -
max time network
115s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
15/10/2024, 21:46
Static task
static1
Behavioral task
behavioral1
Sample
a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871N.exe
Resource
win10v2004-20241007-en
General
-
Target
a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871N.exe
-
Size
610KB
-
MD5
9b4e432cbfc2ee313c6cc3a455ff26a0
-
SHA1
57295c087af7ffad7fd5c98323c9ffd835580848
-
SHA256
a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871
-
SHA512
86a7eea6f1a377ba585ab9d9111697b264ab8ebc686b9548d2e56e9c9d0ef256e51cd2cd86d70091b92dc0808f9a55a0ffae24b4b08cc71dd340fe9d7ffdc586
-
SSDEEP
12288:EVRTE3het1yJh2HduH7GqjTyiVRTE3het1yJh2HduH7GqjTy:IX1AwHsH7hTyOX1AwHsH7hTy
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2392 qajrl.exe -
Executes dropped EXE 2 IoCs
pid Process 2392 qajrl.exe 2780 nil.exe -
Loads dropped DLL 7 IoCs
pid Process 2336 cmd.exe 2336 cmd.exe 2392 qajrl.exe 2780 nil.exe 2780 nil.exe 2780 nil.exe 2780 nil.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\SHR = "c:\\Program Files\\vmrxf\\nil.exe \"c:\\Program Files\\vmrxf\\nilul.dll\",Scheduler" nil.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\r: nil.exe File opened (read-only) \??\y: nil.exe File opened (read-only) \??\a: nil.exe File opened (read-only) \??\h: nil.exe File opened (read-only) \??\m: nil.exe File opened (read-only) \??\s: nil.exe File opened (read-only) \??\v: nil.exe File opened (read-only) \??\b: nil.exe File opened (read-only) \??\j: nil.exe File opened (read-only) \??\l: nil.exe File opened (read-only) \??\n: nil.exe File opened (read-only) \??\o: nil.exe File opened (read-only) \??\p: nil.exe File opened (read-only) \??\t: nil.exe File opened (read-only) \??\x: nil.exe File opened (read-only) \??\z: nil.exe File opened (read-only) \??\e: nil.exe File opened (read-only) \??\g: nil.exe File opened (read-only) \??\i: nil.exe File opened (read-only) \??\k: nil.exe File opened (read-only) \??\q: nil.exe File opened (read-only) \??\u: nil.exe File opened (read-only) \??\w: nil.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 nil.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification \??\c:\Program Files\vmrxf qajrl.exe File created \??\c:\Program Files\vmrxf\nilul.dll qajrl.exe File created \??\c:\Program Files\vmrxf\nil.exe qajrl.exe File opened for modification \??\c:\Program Files\vmrxf\nil.exe qajrl.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qajrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2336 cmd.exe 2412 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString nil.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 nil.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2412 PING.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2780 nil.exe 2780 nil.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2780 nil.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2372 a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871N.exe 2392 qajrl.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2372 wrote to memory of 2336 2372 a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871N.exe 30 PID 2372 wrote to memory of 2336 2372 a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871N.exe 30 PID 2372 wrote to memory of 2336 2372 a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871N.exe 30 PID 2372 wrote to memory of 2336 2372 a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871N.exe 30 PID 2336 wrote to memory of 2412 2336 cmd.exe 32 PID 2336 wrote to memory of 2412 2336 cmd.exe 32 PID 2336 wrote to memory of 2412 2336 cmd.exe 32 PID 2336 wrote to memory of 2412 2336 cmd.exe 32 PID 2336 wrote to memory of 2392 2336 cmd.exe 33 PID 2336 wrote to memory of 2392 2336 cmd.exe 33 PID 2336 wrote to memory of 2392 2336 cmd.exe 33 PID 2336 wrote to memory of 2392 2336 cmd.exe 33 PID 2392 wrote to memory of 2780 2392 qajrl.exe 34 PID 2392 wrote to memory of 2780 2392 qajrl.exe 34 PID 2392 wrote to memory of 2780 2392 qajrl.exe 34 PID 2392 wrote to memory of 2780 2392 qajrl.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871N.exe"C:\Users\Admin\AppData\Local\Temp\a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\qajrl.exe "C:\Users\Admin\AppData\Local\Temp\a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871N.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2412
-
-
C:\Users\Admin\AppData\Local\Temp\qajrl.exeC:\Users\Admin\AppData\Local\Temp\\qajrl.exe "C:\Users\Admin\AppData\Local\Temp\a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871N.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\Program Files\vmrxf\nil.exe"c:\Program Files\vmrxf\nil.exe" "c:\Program Files\vmrxf\nilul.dll",Scheduler C:\Users\Admin\AppData\Local\Temp\qajrl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
610KB
MD5f18c064f44552f38ffb7061cfe86a3b4
SHA19a8e86babd8f0808b053df87352bf7f48bcaf8ed
SHA25698c3ffe02b906bac74a8e235d6beaf72f60eb95699e2b9d51943a41b017323fc
SHA512ff565309b9f942ac36cd81aeb6b1305368f6e4a791c03ff118107cffd72095fa5faf56cc2764aa30e776774ef02b1c34b5d35e3f6b48f0cb0cb1cfc020ce1f06
-
Filesize
184KB
MD52adab9ca10fdd07ea2c08bb5a926e42c
SHA12c39c60e4aee123900bc0fc652ee726374af251c
SHA256207ba44b149457fd916d1d7717bd675bd3b387a6ff2d43246c00bf7656ffea79
SHA512bf548d8f05dfda212a8c16c1e9c50c427a7086311c7569b93637bdb305a791c9b909a5b010384b113b82de74f61e88ec3bf66856e883b41a24960097897e56e6
-
Filesize
43KB
MD551138beea3e2c21ec44d0932c71762a8
SHA18939cf35447b22dd2c6e6f443446acc1bf986d58
SHA2565ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d