Analysis
-
max time kernel
119s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
15/10/2024, 21:46
Static task
static1
Behavioral task
behavioral1
Sample
a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871N.exe
Resource
win10v2004-20241007-en
General
-
Target
a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871N.exe
-
Size
610KB
-
MD5
9b4e432cbfc2ee313c6cc3a455ff26a0
-
SHA1
57295c087af7ffad7fd5c98323c9ffd835580848
-
SHA256
a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871
-
SHA512
86a7eea6f1a377ba585ab9d9111697b264ab8ebc686b9548d2e56e9c9d0ef256e51cd2cd86d70091b92dc0808f9a55a0ffae24b4b08cc71dd340fe9d7ffdc586
-
SSDEEP
12288:EVRTE3het1yJh2HduH7GqjTyiVRTE3het1yJh2HduH7GqjTy:IX1AwHsH7hTyOX1AwHsH7hTy
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 3028 dmvaoco.exe -
Executes dropped EXE 2 IoCs
pid Process 3028 dmvaoco.exe 2152 ldi.exe -
Loads dropped DLL 1 IoCs
pid Process 2152 ldi.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SHR = "c:\\Program Files\\ihopq\\ldi.exe \"c:\\Program Files\\ihopq\\ldiph.dll\",Scheduler" ldi.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\t: ldi.exe File opened (read-only) \??\i: ldi.exe File opened (read-only) \??\h: ldi.exe File opened (read-only) \??\n: ldi.exe File opened (read-only) \??\o: ldi.exe File opened (read-only) \??\q: ldi.exe File opened (read-only) \??\u: ldi.exe File opened (read-only) \??\v: ldi.exe File opened (read-only) \??\g: ldi.exe File opened (read-only) \??\k: ldi.exe File opened (read-only) \??\p: ldi.exe File opened (read-only) \??\w: ldi.exe File opened (read-only) \??\x: ldi.exe File opened (read-only) \??\y: ldi.exe File opened (read-only) \??\z: ldi.exe File opened (read-only) \??\e: ldi.exe File opened (read-only) \??\b: ldi.exe File opened (read-only) \??\j: ldi.exe File opened (read-only) \??\l: ldi.exe File opened (read-only) \??\m: ldi.exe File opened (read-only) \??\r: ldi.exe File opened (read-only) \??\s: ldi.exe File opened (read-only) \??\a: ldi.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 ldi.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created \??\c:\Program Files\ihopq\ldi.exe dmvaoco.exe File opened for modification \??\c:\Program Files\ihopq\ldi.exe dmvaoco.exe File opened for modification \??\c:\Program Files\ihopq dmvaoco.exe File created \??\c:\Program Files\ihopq\ldiph.dll dmvaoco.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dmvaoco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ldi.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2396 cmd.exe 1616 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ldi.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ldi.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1616 PING.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2152 ldi.exe 2152 ldi.exe 2152 ldi.exe 2152 ldi.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2152 ldi.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 116 a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871N.exe 3028 dmvaoco.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 116 wrote to memory of 2396 116 a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871N.exe 87 PID 116 wrote to memory of 2396 116 a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871N.exe 87 PID 116 wrote to memory of 2396 116 a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871N.exe 87 PID 2396 wrote to memory of 1616 2396 cmd.exe 89 PID 2396 wrote to memory of 1616 2396 cmd.exe 89 PID 2396 wrote to memory of 1616 2396 cmd.exe 89 PID 2396 wrote to memory of 3028 2396 cmd.exe 92 PID 2396 wrote to memory of 3028 2396 cmd.exe 92 PID 2396 wrote to memory of 3028 2396 cmd.exe 92 PID 3028 wrote to memory of 2152 3028 dmvaoco.exe 93 PID 3028 wrote to memory of 2152 3028 dmvaoco.exe 93 PID 3028 wrote to memory of 2152 3028 dmvaoco.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871N.exe"C:\Users\Admin\AppData\Local\Temp\a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\dmvaoco.exe "C:\Users\Admin\AppData\Local\Temp\a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871N.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1616
-
-
C:\Users\Admin\AppData\Local\Temp\dmvaoco.exeC:\Users\Admin\AppData\Local\Temp\\dmvaoco.exe "C:\Users\Admin\AppData\Local\Temp\a7127366793cf3c7627ac862fbf1f3355a4ffa411c33221a638be68aaae13871N.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\Program Files\ihopq\ldi.exe"c:\Program Files\ihopq\ldi.exe" "c:\Program Files\ihopq\ldiph.dll",Scheduler C:\Users\Admin\AppData\Local\Temp\dmvaoco.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2152
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD5889b99c52a60dd49227c5e485a016679
SHA18fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA2566cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA51208933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
-
Filesize
610KB
MD5902a78dc580678dc67639be8129986f2
SHA15171c58118258a74de78df47f372946232de0e08
SHA256417fc1c28fc87715c9c80c8ce9d844fd6a49b287617e815c583cff81d563c929
SHA512c38764db5300cbdc272b90d03b4ac8331f95a6d864effe3ee885571aa23d0755e7a9b75a03f7d3baf1f9206f95c35261d72364c66bc4e2caaabbf89d392ca228
-
Filesize
184KB
MD5e22bc07624dbd7c089480397ba9d9dac
SHA1a02689286289f72d1c7f03c25e9614b97ce2ce40
SHA256d7cc68bdb54534c6b8c09c88520e5b7c9eeccb8cf8c001825937931a47da911f
SHA512b3f96da1a0721a4f66615ab9fb38f1a9d457a2825779b266fc5f431fc598ae53b5bc57e9e7b688cbad5e23364a9b854fdff86743180bc1aa3dc38202ecba9d9f