Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16/10/2024, 22:25
Static task
static1
Behavioral task
behavioral1
Sample
e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe
Resource
win7-20240708-en
General
-
Target
e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe
-
Size
93KB
-
MD5
cee1433a4a69a9e53652636ccbd49b90
-
SHA1
702234b757e139fa57474aba42bb355a7bdf7a1e
-
SHA256
e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25
-
SHA512
faae51f15c6a0b095bf1c6bd4fb40d4315723c9e0d9c749b71f15e39a715ae0d4d40d7e3659c2e3b2c2d9cf608b6d4a85c3afec153a943409857cbd90fb3d871
-
SSDEEP
1536:1MIPgEm56wnbkKC2ZyBJU066lwLCRVEB+nR/y8cmNrEIviCOzuajkrDl9HNSj:11PgEOng1d66jRVa+n4NmNNouukrD7HI
Malware Config
Signatures
-
Blocklisted process makes network request 8 IoCs
flow pid Process 17 3068 rundll32.exe 32 3068 rundll32.exe 33 3068 rundll32.exe 34 3068 rundll32.exe 50 3068 rundll32.exe 51 3068 rundll32.exe 60 3068 rundll32.exe 75 3068 rundll32.exe -
Deletes itself 1 IoCs
pid Process 3156 gjdtv.exe -
Executes dropped EXE 1 IoCs
pid Process 3156 gjdtv.exe -
Loads dropped DLL 1 IoCs
pid Process 3068 rundll32.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\aecih\\rtbsq.tsr\",crc32" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\z: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\n: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
resource yara_rule behavioral2/files/0x0008000000023cae-10.dat upx behavioral2/memory/3068-12-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral2/memory/3068-13-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral2/memory/3068-15-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral2/memory/3068-17-0x0000000010000000-0x0000000010022000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gjdtv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3888 cmd.exe 3992 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Kills process with taskkill 1 IoCs
pid Process 2772 taskkill.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3992 PING.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3068 rundll32.exe 3068 rundll32.exe 3068 rundll32.exe 3068 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3068 rundll32.exe Token: SeDebugPrivilege 2772 taskkill.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1448 e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe 3156 gjdtv.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 1448 wrote to memory of 3888 1448 e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe 85 PID 1448 wrote to memory of 3888 1448 e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe 85 PID 1448 wrote to memory of 3888 1448 e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe 85 PID 3888 wrote to memory of 3992 3888 cmd.exe 88 PID 3888 wrote to memory of 3992 3888 cmd.exe 88 PID 3888 wrote to memory of 3992 3888 cmd.exe 88 PID 3888 wrote to memory of 3156 3888 cmd.exe 90 PID 3888 wrote to memory of 3156 3888 cmd.exe 90 PID 3888 wrote to memory of 3156 3888 cmd.exe 90 PID 3156 wrote to memory of 3068 3156 gjdtv.exe 91 PID 3156 wrote to memory of 3068 3156 gjdtv.exe 91 PID 3156 wrote to memory of 3068 3156 gjdtv.exe 91 PID 3068 wrote to memory of 2772 3068 rundll32.exe 92 PID 3068 wrote to memory of 2772 3068 rundll32.exe 92 PID 3068 wrote to memory of 2772 3068 rundll32.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe"C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\gjdtv.exe "C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3992
-
-
C:\Users\Admin\AppData\Local\Temp\gjdtv.exeC:\Users\Admin\AppData\Local\Temp\\gjdtv.exe "C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe"3⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3156 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\aecih\rtbsq.tsr",crc32 C:\Users\Admin\AppData\Local\Temp\gjdtv.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\windows\SysWOW64\taskkill.exetaskkill /f /im attrib.exe5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
93KB
MD5e06f1eef31bfb5761294c274b862aca0
SHA198bf8504e076a0147898757ffacdc1a2e2653867
SHA256b65fcd5c248418d3fd6f254e8af81e22250350c930b467beb720997e10d88b1e
SHA5128d86675c357b67fbe04b7ce5b71c11149293da2f0a8ca19fb7b7e2e55c65053f230a63907dcf942882d5dd89db7a6b7639870c313772449efc34810e8b17729a
-
Filesize
57KB
MD52f53f49e01f09d6e6064871eec1955cd
SHA1a6e1a6e5c2080d0fb2f7a872e3902a8a4a1a9b5f
SHA256964e4dd2532d540bb61d3c7ccc833f2358d8cd6b2eabc3a2d51183a18b59f82d
SHA5122cb98030c3df7417c04f796f78f23f96d381871d9c7ae4a14116764e915b2e2f56b9b3a6fb76fedc50a17788de9538fc7954a7b73bf17e4be43e1fc1a06bc218