Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
15/10/2024, 23:26
Static task
static1
Behavioral task
behavioral1
Sample
5dfe02a2c169a30a3c6530c859206277e638f91fd11e1d7c9e88ac626534b2d2.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
5dfe02a2c169a30a3c6530c859206277e638f91fd11e1d7c9e88ac626534b2d2.exe
Resource
win10v2004-20241007-en
General
-
Target
5dfe02a2c169a30a3c6530c859206277e638f91fd11e1d7c9e88ac626534b2d2.exe
-
Size
414KB
-
MD5
e5348a7741e1f455018922f88bda740b
-
SHA1
5c2e410ff8dacc75d794dcbd23487206b32bcaab
-
SHA256
5dfe02a2c169a30a3c6530c859206277e638f91fd11e1d7c9e88ac626534b2d2
-
SHA512
6c40a2d5aa12c0acd9ced775a8360487cf9518229d140f25853805cdf87c0ac1fbbea229cc0b8d110884dea61e05a8790d2d8e301ff04c9f98dd9c3e87107234
-
SSDEEP
6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse
Malware Config
Signatures
-
Blocklisted process makes network request 8 IoCs
flow pid Process 22 3388 rundll32.exe 30 3388 rundll32.exe 31 3388 rundll32.exe 32 3388 rundll32.exe 46 3388 rundll32.exe 47 3388 rundll32.exe 56 3388 rundll32.exe 70 3388 rundll32.exe -
Deletes itself 1 IoCs
pid Process 2784 spmmg.exe -
Executes dropped EXE 1 IoCs
pid Process 2784 spmmg.exe -
Loads dropped DLL 1 IoCs
pid Process 3388 rundll32.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\dykhs\\kotfy.dll\",Verify" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\z: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 3388 rundll32.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created \??\c:\Program Files\dykhs\kotfy.dll spmmg.exe File opened for modification \??\c:\Program Files\dykhs spmmg.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dfe02a2c169a30a3c6530c859206277e638f91fd11e1d7c9e88ac626534b2d2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spmmg.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3456 cmd.exe 4588 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4588 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe 3388 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3388 rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1492 5dfe02a2c169a30a3c6530c859206277e638f91fd11e1d7c9e88ac626534b2d2.exe 2784 spmmg.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1492 wrote to memory of 3456 1492 5dfe02a2c169a30a3c6530c859206277e638f91fd11e1d7c9e88ac626534b2d2.exe 85 PID 1492 wrote to memory of 3456 1492 5dfe02a2c169a30a3c6530c859206277e638f91fd11e1d7c9e88ac626534b2d2.exe 85 PID 1492 wrote to memory of 3456 1492 5dfe02a2c169a30a3c6530c859206277e638f91fd11e1d7c9e88ac626534b2d2.exe 85 PID 3456 wrote to memory of 4588 3456 cmd.exe 87 PID 3456 wrote to memory of 4588 3456 cmd.exe 87 PID 3456 wrote to memory of 4588 3456 cmd.exe 87 PID 3456 wrote to memory of 2784 3456 cmd.exe 90 PID 3456 wrote to memory of 2784 3456 cmd.exe 90 PID 3456 wrote to memory of 2784 3456 cmd.exe 90 PID 2784 wrote to memory of 3388 2784 spmmg.exe 91 PID 2784 wrote to memory of 3388 2784 spmmg.exe 91 PID 2784 wrote to memory of 3388 2784 spmmg.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\5dfe02a2c169a30a3c6530c859206277e638f91fd11e1d7c9e88ac626534b2d2.exe"C:\Users\Admin\AppData\Local\Temp\5dfe02a2c169a30a3c6530c859206277e638f91fd11e1d7c9e88ac626534b2d2.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\spmmg.exe "C:\Users\Admin\AppData\Local\Temp\5dfe02a2c169a30a3c6530c859206277e638f91fd11e1d7c9e88ac626534b2d2.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4588
-
-
C:\Users\Admin\AppData\Local\Temp\spmmg.exeC:\Users\Admin\AppData\Local\Temp\\spmmg.exe "C:\Users\Admin\AppData\Local\Temp\5dfe02a2c169a30a3c6530c859206277e638f91fd11e1d7c9e88ac626534b2d2.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\Program Files\dykhs\kotfy.dll",Verify C:\Users\Admin\AppData\Local\Temp\spmmg.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3388
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
414KB
MD59472e71d58a07bebae20faac5e5d56d0
SHA15cee8c26ff4a3e9933e36960ba4795d7f6d33db3
SHA2562e3854c9bfa15abb0c4dae99989834714b85cadc42a2a7bf405eeaf7cf23758f
SHA51202bdc0fe9dbb3f84eb09021f21417edcacbea55be352853d3222f4b12b8f3376780f5938990a33a3838878fd5782ca9df50b9e3d4c4dc89d3caa5d6a02550e37
-
Filesize
228KB
MD5f723a018634dabbd53a6c06ee2752a2d
SHA1dd6c10ecabf443ff590a2a1ba046b4d29b56ce67
SHA256cbd0766d14731c8c04ad047eaa77c1bdc92ce7c2ce88fd724936fbe253c32b60
SHA51260f3783edec1f04fd19285416fd8175912b8c877daf8aa305bc74a0e0e2d73ae12d1209d9956f9e56a913fc01730f7aff382dffc6974c8164e1daece020099d3