Analysis
max time kernel: 147s
max time network: 148s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15/10/2024, 23:26

Static task: static1

Behavioral task: behavioral1
Sample: 1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe
Resource: win10v2004-20241007-en

General
Target: 1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe
Size: 198KB
MD5: 2f17895be3b294a645e1553340c98535
SHA1: 58b51f05c8f36ae43f9732234934e0d926e82380
SHA256: 1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629
SHA512: 2f827224a7b8225d9c083cb6dea892ad90c9092260f1f21fe2ebfe9f339978bb69dd3bc011435784302a67e3ac6d01e5a3e656e840e8b728ceec0131f4edef95
SSDEEP: 3072:fP5gvNVLIfHQja1RfmLQADwSKkhU+tLgT5lODbiC8r1PkT:X2vnSwjaOcADw9cUeCOf
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid | Process
  2764 | nstqd.exe
Executes dropped EXE (2 IoCs)
  pid | Process
  2764 | nstqd.exe
  2704 | zcqij.exe
Loads dropped DLL (7 IoCs)
  pid | Process
  2184 | cmd.exe
  2184 | cmd.exe
  2764 | nstqd.exe
  2704 | zcqij.exe
  2704 | zcqij.exe
  2704 | zcqij.exe
  2704 | zcqij.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depend = "c:\\Program Files\\trkjgjvan\\zcqij.exe \"c:\\Program Files\\trkjgjvan\\zcqij.dll\",Compliance" | zcqij.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\p: | zcqij.exe
  File opened (read-only) | \??\x: | zcqij.exe
  File opened (read-only) | \??\y: | zcqij.exe
  File opened (read-only) | \??\a: | zcqij.exe
  File opened (read-only) | \??\o: | zcqij.exe
  File opened (read-only) | \??\q: | zcqij.exe
  File opened (read-only) | \??\w: | zcqij.exe
  File opened (read-only) | \??\e: | zcqij.exe
  File opened (read-only) | \??\j: | zcqij.exe
  File opened (read-only) | \??\k: | zcqij.exe
  File opened (read-only) | \??\l: | zcqij.exe
  File opened (read-only) | \??\m: | zcqij.exe
  File opened (read-only) | \??\t: | zcqij.exe
  File opened (read-only) | \??\u: | zcqij.exe
  File opened (read-only) | \??\v: | zcqij.exe
  File opened (read-only) | \??\g: | zcqij.exe
  File opened (read-only) | \??\h: | zcqij.exe
  File opened (read-only) | \??\n: | zcqij.exe
  File opened (read-only) | \??\r: | zcqij.exe
  File opened (read-only) | \??\s: | zcqij.exe
  File opened (read-only) | \??\z: | zcqij.exe
  File opened (read-only) | \??\b: | zcqij.exe
  File opened (read-only) | \??\i: | zcqij.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PHYSICALDRIVE0 | zcqij.exe
Drops file in Program Files directory (4 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\Program Files\trkjgjvan | nstqd.exe
  File created | \??\c:\Program Files\trkjgjvan\zcqij.dll | nstqd.exe
  File created | \??\c:\Program Files\trkjgjvan\zcqij.exe | nstqd.exe
  File opened for modification | \??\c:\Program Files\trkjgjvan\zcqij.exe | nstqd.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nstqd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zcqij.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  2184 | cmd.exe
  2652 | PING.EXE
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | zcqij.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | zcqij.exe
Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  2652 | PING.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2704 | zcqij.exe
  2704 | zcqij.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2704 | zcqij.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  3024 | 1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe
  2764 | nstqd.exe
Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 3024 wrote to memory of 2184 | 3024 | 1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe | 31
  PID 3024 wrote to memory of 2184 | 3024 | 1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe | 31
  PID 3024 wrote to memory of 2184 | 3024 | 1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe | 31
  PID 3024 wrote to memory of 2184 | 3024 | 1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe | 31
  PID 2184 wrote to memory of 2652 | 2184 | cmd.exe | 33
  PID 2184 wrote to memory of 2652 | 2184 | cmd.exe | 33
  PID 2184 wrote to memory of 2652 | 2184 | cmd.exe | 33
  PID 2184 wrote to memory of 2652 | 2184 | cmd.exe | 33
  PID 2184 wrote to memory of 2764 | 2184 | cmd.exe | 34
  PID 2184 wrote to memory of 2764 | 2184 | cmd.exe | 34
  PID 2184 wrote to memory of 2764 | 2184 | cmd.exe | 34
  PID 2184 wrote to memory of 2764 | 2184 | cmd.exe | 34
  PID 2764 wrote to memory of 2704 | 2764 | nstqd.exe | 35
  PID 2764 wrote to memory of 2704 | 2764 | nstqd.exe | 35
  PID 2764 wrote to memory of 2704 | 2764 | nstqd.exe | 35
  PID 2764 wrote to memory of 2704 | 2764 | nstqd.exe | 35
Processes

C:\Users\Admin\AppData\Local\Temp\1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3024

  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\nstqd.exe "C:\Users\Admin\AppData\Local\Temp\1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2184

    C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1 -n 2
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID: 2652

    C:\Users\Admin\AppData\Local\Temp\nstqd.exe (level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\\nstqd.exe "C:\Users\Admin\AppData\Local\Temp\1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe"
      - Deletes itself
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2764

      \??\c:\Program Files\trkjgjvan\zcqij.exe (level 4)
        Command line: "c:\Program Files\trkjgjvan\zcqij.exe" "c:\Program Files\trkjgjvan\zcqij.dll",Compliance C:\Users\Admin\AppData\Local\Temp\nstqd.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Enumerates connected drives
        - Writes to the Master Boot Record (MBR)
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2704
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1): Credentials from Web Browsers (1)
  Unsecured Credentials (1): Credentials In Files (1)
Downloads

Filesize: 141KB
MD5: 954464b2582ae900aefb768e20758a24
SHA1: bbe9ebe1dd4b355c58d49da47cbcca89cb3a03fe
SHA256: 497cd69ab936342a17a8db64614abd27bd764cb8fb06b921c24de1eb5875864c
SHA512: 8977267d8fd537675bb7cf7bf5fe94a9a536ae7f7adcd148bdc667bb6185c03657aed55bfa405fb25cc352d5d591e57db82f916f31d120429ac6a932e5a9662a

Filesize: 43KB
MD5: 51138beea3e2c21ec44d0932c71762a8
SHA1: 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256: 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512: 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Filesize: 198KB
MD5: 93ac9f7b661580bfa3a10c2bca2296e7
SHA1: 559524bf1b3cb678b5807500a5c468fec4553b87
SHA256: 009fd81b2abf75f57ef463ed8c0658c3b24fa706b08762f37f995c666c2d5571
SHA512: a8704a9624c104744be96ebd9bb385d133a117e5a72a3da3c3fcca4fd69d4de289740582edced2b135ecd0e616c16304ad29ce42b6c277a300aa87a824b67d38