Analysis
-
max time kernel
113s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
15/10/2024, 21:54
Static task
static1
Behavioral task
behavioral1
Sample
3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe
Resource
win7-20241010-en
General
-
Target
3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe
-
Size
98KB
-
MD5
df46def194ea28b5509e2cc130635bc0
-
SHA1
e4bc07ab6c3c28730a1be80b5ba3704eee399f60
-
SHA256
3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43
-
SHA512
f67a6e142e684554f6bbe0b6e03d95998efaa8bce49ca048d4661abfbf5a60bf3fa68151e0d6e2f7ec6909e6ef1e5fe20cb7d6372aaada0b258378b5ec7243d3
-
SSDEEP
3072:11PgEOng1d66jRVa+n4NmNNouukrD7HNS:TpOg1xFV54eNobG7H
Malware Config
Signatures
-
Blocklisted process makes network request 9 IoCs
flow pid Process 3 2948 rundll32.exe 5 2948 rundll32.exe 8 2948 rundll32.exe 9 2948 rundll32.exe 10 2948 rundll32.exe 13 2948 rundll32.exe 14 2948 rundll32.exe 15 2948 rundll32.exe 17 2948 rundll32.exe -
Deletes itself 1 IoCs
pid Process 2204 cewks.exe -
Executes dropped EXE 1 IoCs
pid Process 2204 cewks.exe -
Loads dropped DLL 3 IoCs
pid Process 2616 cmd.exe 2616 cmd.exe 2948 rundll32.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\erwrb\\vbhtkml.btv\",crc32" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\z: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\n: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
resource yara_rule behavioral1/files/0x00080000000195a9-12.dat upx behavioral1/memory/2948-14-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral1/memory/2948-15-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral1/memory/2948-19-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral1/memory/2948-20-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral1/memory/2948-21-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral1/memory/2948-26-0x0000000010000000-0x0000000010022000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cewks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2616 cmd.exe 2608 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe -
Kills process with taskkill 1 IoCs
pid Process 2896 taskkill.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2608 PING.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2948 rundll32.exe 2948 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2948 rundll32.exe Token: SeDebugPrivilege 2896 taskkill.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2328 3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe 2204 cewks.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 2328 wrote to memory of 2616 2328 3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe 30 PID 2328 wrote to memory of 2616 2328 3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe 30 PID 2328 wrote to memory of 2616 2328 3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe 30 PID 2328 wrote to memory of 2616 2328 3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe 30 PID 2616 wrote to memory of 2608 2616 cmd.exe 32 PID 2616 wrote to memory of 2608 2616 cmd.exe 32 PID 2616 wrote to memory of 2608 2616 cmd.exe 32 PID 2616 wrote to memory of 2608 2616 cmd.exe 32 PID 2616 wrote to memory of 2204 2616 cmd.exe 33 PID 2616 wrote to memory of 2204 2616 cmd.exe 33 PID 2616 wrote to memory of 2204 2616 cmd.exe 33 PID 2616 wrote to memory of 2204 2616 cmd.exe 33 PID 2204 wrote to memory of 2948 2204 cewks.exe 34 PID 2204 wrote to memory of 2948 2204 cewks.exe 34 PID 2204 wrote to memory of 2948 2204 cewks.exe 34 PID 2204 wrote to memory of 2948 2204 cewks.exe 34 PID 2204 wrote to memory of 2948 2204 cewks.exe 34 PID 2204 wrote to memory of 2948 2204 cewks.exe 34 PID 2204 wrote to memory of 2948 2204 cewks.exe 34 PID 2948 wrote to memory of 2896 2948 rundll32.exe 35 PID 2948 wrote to memory of 2896 2948 rundll32.exe 35 PID 2948 wrote to memory of 2896 2948 rundll32.exe 35 PID 2948 wrote to memory of 2896 2948 rundll32.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe"C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\cewks.exe "C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2608
-
-
C:\Users\Admin\AppData\Local\Temp\cewks.exeC:\Users\Admin\AppData\Local\Temp\\cewks.exe "C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe"3⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\erwrb\vbhtkml.btv",crc32 C:\Users\Admin\AppData\Local\Temp\cewks.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\windows\SysWOW64\taskkill.exetaskkill /f /im attrib.exe5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2896
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
57KB
MD52f53f49e01f09d6e6064871eec1955cd
SHA1a6e1a6e5c2080d0fb2f7a872e3902a8a4a1a9b5f
SHA256964e4dd2532d540bb61d3c7ccc833f2358d8cd6b2eabc3a2d51183a18b59f82d
SHA5122cb98030c3df7417c04f796f78f23f96d381871d9c7ae4a14116764e915b2e2f56b9b3a6fb76fedc50a17788de9538fc7954a7b73bf17e4be43e1fc1a06bc218
-
Filesize
98KB
MD583f115c11fee444b9e62c58a9f94b66a
SHA1fcd89b1a255535a343c374814951ee7fa1cf9f59
SHA256e14ac228da14bff6ed9acb02ac522c5f3e69aad9ceaf88f21db9872bce88c9ba
SHA51296e88d5af8900f7281299c1cf2f7b8422c5ad93ad76c56f61c2a2c15cdd17edb1973dd45cae7a691ba145df37c04145d0b2dce85937e5529230facc08abff9fb