Analysis
-
max time kernel
112s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
16/10/2024, 22:25
Static task
static1
Behavioral task
behavioral1
Sample
e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe
Resource
win7-20240708-en
General
-
Target
e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe
-
Size
93KB
-
MD5
cee1433a4a69a9e53652636ccbd49b90
-
SHA1
702234b757e139fa57474aba42bb355a7bdf7a1e
-
SHA256
e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25
-
SHA512
faae51f15c6a0b095bf1c6bd4fb40d4315723c9e0d9c749b71f15e39a715ae0d4d40d7e3659c2e3b2c2d9cf608b6d4a85c3afec153a943409857cbd90fb3d871
-
SSDEEP
1536:1MIPgEm56wnbkKC2ZyBJU066lwLCRVEB+nR/y8cmNrEIviCOzuajkrDl9HNSj:11PgEOng1d66jRVa+n4NmNNouukrD7HI
Malware Config
Signatures
-
Blocklisted process makes network request 9 IoCs
flow pid Process 3 2920 rundll32.exe 5 2920 rundll32.exe 8 2920 rundll32.exe 9 2920 rundll32.exe 10 2920 rundll32.exe 13 2920 rundll32.exe 14 2920 rundll32.exe 15 2920 rundll32.exe 17 2920 rundll32.exe -
Deletes itself 1 IoCs
pid Process 2200 mdssq.exe -
Executes dropped EXE 1 IoCs
pid Process 2200 mdssq.exe -
Loads dropped DLL 3 IoCs
pid Process 2324 cmd.exe 2324 cmd.exe 2920 rundll32.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\vfwtt\\immmxis.mmi\",crc32" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\z: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\e: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
resource yara_rule behavioral1/files/0x000c000000014345-11.dat upx behavioral1/memory/2920-13-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral1/memory/2920-14-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral1/memory/2920-18-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral1/memory/2920-19-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral1/memory/2920-20-0x0000000010000000-0x0000000010022000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mdssq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1532 PING.EXE 2324 cmd.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Kills process with taskkill 1 IoCs
pid Process 2864 taskkill.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1532 PING.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2920 rundll32.exe 2920 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2920 rundll32.exe Token: SeDebugPrivilege 2864 taskkill.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2560 e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe 2200 mdssq.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 2560 wrote to memory of 2324 2560 e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe 30 PID 2560 wrote to memory of 2324 2560 e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe 30 PID 2560 wrote to memory of 2324 2560 e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe 30 PID 2560 wrote to memory of 2324 2560 e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe 30 PID 2324 wrote to memory of 1532 2324 cmd.exe 32 PID 2324 wrote to memory of 1532 2324 cmd.exe 32 PID 2324 wrote to memory of 1532 2324 cmd.exe 32 PID 2324 wrote to memory of 1532 2324 cmd.exe 32 PID 2324 wrote to memory of 2200 2324 cmd.exe 33 PID 2324 wrote to memory of 2200 2324 cmd.exe 33 PID 2324 wrote to memory of 2200 2324 cmd.exe 33 PID 2324 wrote to memory of 2200 2324 cmd.exe 33 PID 2200 wrote to memory of 2920 2200 mdssq.exe 34 PID 2200 wrote to memory of 2920 2200 mdssq.exe 34 PID 2200 wrote to memory of 2920 2200 mdssq.exe 34 PID 2200 wrote to memory of 2920 2200 mdssq.exe 34 PID 2200 wrote to memory of 2920 2200 mdssq.exe 34 PID 2200 wrote to memory of 2920 2200 mdssq.exe 34 PID 2200 wrote to memory of 2920 2200 mdssq.exe 34 PID 2920 wrote to memory of 2864 2920 rundll32.exe 35 PID 2920 wrote to memory of 2864 2920 rundll32.exe 35 PID 2920 wrote to memory of 2864 2920 rundll32.exe 35 PID 2920 wrote to memory of 2864 2920 rundll32.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe"C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\mdssq.exe "C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1532
-
-
C:\Users\Admin\AppData\Local\Temp\mdssq.exeC:\Users\Admin\AppData\Local\Temp\\mdssq.exe "C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe"3⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\vfwtt\immmxis.mmi",crc32 C:\Users\Admin\AppData\Local\Temp\mdssq.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\windows\SysWOW64\taskkill.exetaskkill /f /im attrib.exe5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2864
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
57KB
MD52f53f49e01f09d6e6064871eec1955cd
SHA1a6e1a6e5c2080d0fb2f7a872e3902a8a4a1a9b5f
SHA256964e4dd2532d540bb61d3c7ccc833f2358d8cd6b2eabc3a2d51183a18b59f82d
SHA5122cb98030c3df7417c04f796f78f23f96d381871d9c7ae4a14116764e915b2e2f56b9b3a6fb76fedc50a17788de9538fc7954a7b73bf17e4be43e1fc1a06bc218
-
Filesize
93KB
MD56564211148a514180a0eb98b690426ee
SHA1473102beca3f996f9f2fa030e8a77be8fd5547fb
SHA256724fad6494867cda137a6ffd3f1dd8c279e1f996a5726023b25ac5a1ea4f706a
SHA5122318789c0e7153d63a76010c289d93a1c93ad530c3e779ab3c2acfc01f74a91984caee0b643cf000a05c046f6acf84a654b407b99c19d3baf7b9cee09245097c