Analysis
-
max time kernel
141s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
15/10/2024, 22:28
Static task
static1
Behavioral task
behavioral1
Sample
09f6b51ca13d8f61aafc0a581541c73b1f8035d7c65c34f1ab55a9794de84a0a.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
09f6b51ca13d8f61aafc0a581541c73b1f8035d7c65c34f1ab55a9794de84a0a.exe
Resource
win10v2004-20241007-en
General
-
Target
09f6b51ca13d8f61aafc0a581541c73b1f8035d7c65c34f1ab55a9794de84a0a.exe
-
Size
198KB
-
MD5
e131e4e26e89fb8bee844af439cf1afc
-
SHA1
e3e8cca073ee2174831f7b09d47748331ffadef9
-
SHA256
09f6b51ca13d8f61aafc0a581541c73b1f8035d7c65c34f1ab55a9794de84a0a
-
SHA512
6f533bf2247ff4668a4b6e8d9b09d53feef62d9a3d50b1c8e5086ce78cee9e4a9d5197dfc796744aea96f85c8639262ee2ffadb800872a48268212af713cc9c0
-
SSDEEP
3072:fP5gvNVLIfHQja1RfmLQADwSKkhU+tLgT5lODbiC8r1PkT:X2vnSwjaOcADw9cUeCOf
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 4912 lwjii.exe -
Executes dropped EXE 2 IoCs
pid Process 4912 lwjii.exe 4020 flk.exe -
Loads dropped DLL 1 IoCs
pid Process 4020 flk.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Depend = "c:\\Program Files\\wsyot\\flk.exe \"c:\\Program Files\\wsyot\\flkny.dll\",Compliance" flk.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\n: flk.exe File opened (read-only) \??\y: flk.exe File opened (read-only) \??\z: flk.exe File opened (read-only) \??\b: flk.exe File opened (read-only) \??\g: flk.exe File opened (read-only) \??\k: flk.exe File opened (read-only) \??\o: flk.exe File opened (read-only) \??\p: flk.exe File opened (read-only) \??\q: flk.exe File opened (read-only) \??\v: flk.exe File opened (read-only) \??\a: flk.exe File opened (read-only) \??\l: flk.exe File opened (read-only) \??\r: flk.exe File opened (read-only) \??\s: flk.exe File opened (read-only) \??\t: flk.exe File opened (read-only) \??\x: flk.exe File opened (read-only) \??\e: flk.exe File opened (read-only) \??\h: flk.exe File opened (read-only) \??\i: flk.exe File opened (read-only) \??\j: flk.exe File opened (read-only) \??\m: flk.exe File opened (read-only) \??\u: flk.exe File opened (read-only) \??\w: flk.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 flk.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification \??\c:\Program Files\wsyot lwjii.exe File created \??\c:\Program Files\wsyot\flkny.dll lwjii.exe File created \??\c:\Program Files\wsyot\flk.exe lwjii.exe File opened for modification \??\c:\Program Files\wsyot\flk.exe lwjii.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lwjii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 09f6b51ca13d8f61aafc0a581541c73b1f8035d7c65c34f1ab55a9794de84a0a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1368 cmd.exe 1796 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 flk.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString flk.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1796 PING.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4020 flk.exe 4020 flk.exe 4020 flk.exe 4020 flk.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4020 flk.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 968 09f6b51ca13d8f61aafc0a581541c73b1f8035d7c65c34f1ab55a9794de84a0a.exe 4912 lwjii.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 968 wrote to memory of 1368 968 09f6b51ca13d8f61aafc0a581541c73b1f8035d7c65c34f1ab55a9794de84a0a.exe 86 PID 968 wrote to memory of 1368 968 09f6b51ca13d8f61aafc0a581541c73b1f8035d7c65c34f1ab55a9794de84a0a.exe 86 PID 968 wrote to memory of 1368 968 09f6b51ca13d8f61aafc0a581541c73b1f8035d7c65c34f1ab55a9794de84a0a.exe 86 PID 1368 wrote to memory of 1796 1368 cmd.exe 88 PID 1368 wrote to memory of 1796 1368 cmd.exe 88 PID 1368 wrote to memory of 1796 1368 cmd.exe 88 PID 1368 wrote to memory of 4912 1368 cmd.exe 90 PID 1368 wrote to memory of 4912 1368 cmd.exe 90 PID 1368 wrote to memory of 4912 1368 cmd.exe 90 PID 4912 wrote to memory of 4020 4912 lwjii.exe 91 PID 4912 wrote to memory of 4020 4912 lwjii.exe 91 PID 4912 wrote to memory of 4020 4912 lwjii.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\09f6b51ca13d8f61aafc0a581541c73b1f8035d7c65c34f1ab55a9794de84a0a.exe"C:\Users\Admin\AppData\Local\Temp\09f6b51ca13d8f61aafc0a581541c73b1f8035d7c65c34f1ab55a9794de84a0a.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\lwjii.exe "C:\Users\Admin\AppData\Local\Temp\09f6b51ca13d8f61aafc0a581541c73b1f8035d7c65c34f1ab55a9794de84a0a.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1796
-
-
C:\Users\Admin\AppData\Local\Temp\lwjii.exeC:\Users\Admin\AppData\Local\Temp\\lwjii.exe "C:\Users\Admin\AppData\Local\Temp\09f6b51ca13d8f61aafc0a581541c73b1f8035d7c65c34f1ab55a9794de84a0a.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\Program Files\wsyot\flk.exe"c:\Program Files\wsyot\flk.exe" "c:\Program Files\wsyot\flkny.dll",Compliance C:\Users\Admin\AppData\Local\Temp\lwjii.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4020
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD5889b99c52a60dd49227c5e485a016679
SHA18fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA2566cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA51208933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
-
Filesize
198KB
MD562fc6e7d0512a1b891aab93fcd2485d1
SHA1a7412552cfc306a3212d7e8013f83f89633bd75f
SHA2561bdff2ea41f89976aa7cc1d1148ca912fd2e535a928ee8ebe402a39d119fd649
SHA512729f03011c5aa0254d871130f4765aaf5d10206e6e6cea6d0b4ad600cdecd932a0b7cf6b78d27bacc791576f46738d82d89a07064c8f65643f558f913145bf9c
-
Filesize
141KB
MD52d1e9e0736859b34a3764d74dda49378
SHA1ede4c0ca59aa6719dfdd6fa55e9e89e71f1049e2
SHA256c01d7f344856960f2ad65b5dd6546dead477e53bcdf828d93c92a0db95739f2f
SHA5124442234a4ae447813dcd2964cb762c4862d11753ce98fbb7555f71c1a3a79ab63b2a3b0aa0b41492b07102b1704e6ef55ba801a375f3ac2faab97ac6e605efd0