Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15/10/2024, 23:26

General

  • Target

    1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe

  • Size

    198KB

  • MD5

    2f17895be3b294a645e1553340c98535

  • SHA1

    58b51f05c8f36ae43f9732234934e0d926e82380

  • SHA256

    1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629

  • SHA512

    2f827224a7b8225d9c083cb6dea892ad90c9092260f1f21fe2ebfe9f339978bb69dd3bc011435784302a67e3ac6d01e5a3e656e840e8b728ceec0131f4edef95

  • SSDEEP

    3072:fP5gvNVLIfHQja1RfmLQADwSKkhU+tLgT5lODbiC8r1PkT:X2vnSwjaOcADw9cUeCOf

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe
    "C:\Users\Admin\AppData\Local\Temp\1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\nstqd.exe "C:\Users\Admin\AppData\Local\Temp\1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2652
      • C:\Users\Admin\AppData\Local\Temp\nstqd.exe
        C:\Users\Admin\AppData\Local\Temp\\nstqd.exe "C:\Users\Admin\AppData\Local\Temp\1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2764
        • \??\c:\Program Files\trkjgjvan\zcqij.exe
          "c:\Program Files\trkjgjvan\zcqij.exe" "c:\Program Files\trkjgjvan\zcqij.dll",Compliance C:\Users\Admin\AppData\Local\Temp\nstqd.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2704

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • \??\c:\Program Files\trkjgjvan\zcqij.dll

          Filesize

          141KB

          MD5

          954464b2582ae900aefb768e20758a24

          SHA1

          bbe9ebe1dd4b355c58d49da47cbcca89cb3a03fe

          SHA256

          497cd69ab936342a17a8db64614abd27bd764cb8fb06b921c24de1eb5875864c

          SHA512

          8977267d8fd537675bb7cf7bf5fe94a9a536ae7f7adcd148bdc667bb6185c03657aed55bfa405fb25cc352d5d591e57db82f916f31d120429ac6a932e5a9662a

        • \Program Files\trkjgjvan\zcqij.exe

          Filesize

          43KB

          MD5

          51138beea3e2c21ec44d0932c71762a8

          SHA1

          8939cf35447b22dd2c6e6f443446acc1bf986d58

          SHA256

          5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

          SHA512

          794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

        • \Users\Admin\AppData\Local\Temp\nstqd.exe

          Filesize

          198KB

          MD5

          93ac9f7b661580bfa3a10c2bca2296e7

          SHA1

          559524bf1b3cb678b5807500a5c468fec4553b87

          SHA256

          009fd81b2abf75f57ef463ed8c0658c3b24fa706b08762f37f995c666c2d5571

          SHA512

          a8704a9624c104744be96ebd9bb385d133a117e5a72a3da3c3fcca4fd69d4de289740582edced2b135ecd0e616c16304ad29ce42b6c277a300aa87a824b67d38

        • memory/2184-9-0x0000000000440000-0x000000000048A000-memory.dmp

          Filesize

          296KB

        • memory/2184-7-0x0000000000440000-0x000000000048A000-memory.dmp

          Filesize

          296KB

        • memory/2704-27-0x0000000010000000-0x000000001004E000-memory.dmp

          Filesize

          312KB

        • memory/2704-28-0x0000000010000000-0x000000001004E000-memory.dmp

          Filesize

          312KB

        • memory/2704-31-0x0000000010000000-0x000000001004E000-memory.dmp

          Filesize

          312KB

        • memory/2764-11-0x0000000000400000-0x000000000044901D-memory.dmp

          Filesize

          292KB

        • memory/2764-12-0x0000000000400000-0x000000000044901D-memory.dmp

          Filesize

          292KB

        • memory/2764-20-0x0000000000400000-0x000000000044901D-memory.dmp

          Filesize

          292KB

        • memory/3024-4-0x0000000000400000-0x000000000044901D-memory.dmp

          Filesize

          292KB

        • memory/3024-0-0x0000000000400000-0x000000000044901D-memory.dmp

          Filesize

          292KB

        • memory/3024-2-0x0000000000400000-0x000000000044901D-memory.dmp

          Filesize

          292KB

        • memory/3024-1-0x0000000000400000-0x000000000044901D-memory.dmp

          Filesize

          292KB