Analysis
max time kernel: 146s
max time network: 135s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16/10/2024, 00:40
Behavioral task: behavioral1
Sample: 849d94512ae368e75cb0eeb13339c752f7c12254a429b887c99c6bbc6444de00.exe
Resource: win7-20240903-en
General
Target: 849d94512ae368e75cb0eeb13339c752f7c12254a429b887c99c6bbc6444de00.exe
Size: 202KB
MD5: ee4f1bb44ebde2bd97c7627c92016842
SHA1: 70e1a087bc87ede1bf33897df9a4a20dab64778e
SHA256: 849d94512ae368e75cb0eeb13339c752f7c12254a429b887c99c6bbc6444de00
SHA512: d610e258a7d5a7e6c60dcbcc71d9b200fe5f399ec293b51bfc2a715d68e26a49da05719dce27a2505ff5d1f58fbf6edfa30fdb85bbbe2ae2286fdd4c14a133f9
SSDEEP: 3072:a74MyJjjlLzVjN50BdQqlYgp72xzbuawaGO0OJw8KWs6IgVLE7QkfIA9:awj30dlZ+GVaRVLE7QkfIG
Malware Config
Signatures
Blocklisted process makes network request (9 IoCs)
flow  pid   Process
3     2844  rundll32.exe
5     2844  rundll32.exe
6     2844  rundll32.exe
7     2844  rundll32.exe
8     2844  rundll32.exe
9     2844  rundll32.exe
10    2844  rundll32.exe
12    2844  rundll32.exe
13    2844  rundll32.exe
Deletes itself (1 IoC)
pid   Process
2560  aghkx.exe
Executes dropped EXE (1 IoC)
pid   Process
2560  aghkx.exe
Loads dropped DLL (6 IoCs)
pid   Process
2744  cmd.exe
2744  cmd.exe
2844  rundll32.exe
2844  rundll32.exe
2844  rundll32.exe
2844  rundll32.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
description      ioc                                                                                                                                                                                                  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Micro = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\qwfek\\yvdmm.dll\",method"  rundll32.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\x:  rundll32.exe
File opened (read-only)  \??\z:  rundll32.exe
File opened (read-only)  \??\g:  rundll32.exe
File opened (read-only)  \??\h:  rundll32.exe
File opened (read-only)  \??\j:  rundll32.exe
File opened (read-only)  \??\r:  rundll32.exe
File opened (read-only)  \??\m:  rundll32.exe
File opened (read-only)  \??\q:  rundll32.exe
File opened (read-only)  \??\u:  rundll32.exe
File opened (read-only)  \??\a:  rundll32.exe
File opened (read-only)  \??\e:  rundll32.exe
File opened (read-only)  \??\k:  rundll32.exe
File opened (read-only)  \??\l:  rundll32.exe
File opened (read-only)  \??\s:  rundll32.exe
File opened (read-only)  \??\v:  rundll32.exe
File opened (read-only)  \??\y:  rundll32.exe
File opened (read-only)  \??\p:  rundll32.exe
File opened (read-only)  \??\t:  rundll32.exe
File opened (read-only)  \??\w:  rundll32.exe
File opened (read-only)  \??\b:  rundll32.exe
File opened (read-only)  \??\i:  rundll32.exe
File opened (read-only)  \??\n:  rundll32.exe
File opened (read-only)  \??\o:  rundll32.exe
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description                   ioc                  Process
File opened for modification  \??\PHYSICALDRIVE0   rundll32.exe
resource                                                                     yara_rule
behavioral1/memory/2412-0-0x0000000000400000-0x000000000044A000-memory.dmp   upx
behavioral1/memory/2412-2-0x0000000000400000-0x000000000044A000-memory.dmp   upx
behavioral1/memory/2744-5-0x0000000000400000-0x000000000044A000-memory.dmp   upx
behavioral1/files/0x0007000000012116-4.dat                                   upx
behavioral1/memory/2560-10-0x0000000000400000-0x000000000044A000-memory.dmp  upx
Drops file in Program Files directory (2 IoCs)
description                   ioc                                   Process
File opened for modification  \??\c:\Program Files\qwfek            aghkx.exe
File created                  \??\c:\Program Files\qwfek\yvdmm.dll  aghkx.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                        Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  849d94512ae368e75cb0eeb13339c752f7c12254a429b887c99c6bbc6444de00.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  aghkx.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
2744  cmd.exe
2772  PING.EXE
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                   Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  rundll32.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      rundll32.exe
Runs ping.exe (1 TTP, 1 IoC)
pid   Process
2772  PING.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2844  rundll32.exe
2844  rundll32.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  2844  rundll32.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
2412  849d94512ae368e75cb0eeb13339c752f7c12254a429b887c99c6bbc6444de00.exe
2560  aghkx.exe
Suspicious use of WriteProcessMemory (19 IoCs)
description                         pid   Process                                                                 procid_target
PID 2412 wrote to memory of 2744    2412  849d94512ae368e75cb0eeb13339c752f7c12254a429b887c99c6bbc6444de00.exe   30
PID 2412 wrote to memory of 2744    2412  849d94512ae368e75cb0eeb13339c752f7c12254a429b887c99c6bbc6444de00.exe   30
PID 2412 wrote to memory of 2744    2412  849d94512ae368e75cb0eeb13339c752f7c12254a429b887c99c6bbc6444de00.exe   30
PID 2412 wrote to memory of 2744    2412  849d94512ae368e75cb0eeb13339c752f7c12254a429b887c99c6bbc6444de00.exe   30
PID 2744 wrote to memory of 2772    2744  cmd.exe                                                                 32
PID 2744 wrote to memory of 2772    2744  cmd.exe                                                                 32
PID 2744 wrote to memory of 2772    2744  cmd.exe                                                                 32
PID 2744 wrote to memory of 2772    2744  cmd.exe                                                                 32
PID 2744 wrote to memory of 2560    2744  cmd.exe                                                                 33
PID 2744 wrote to memory of 2560    2744  cmd.exe                                                                 33
PID 2744 wrote to memory of 2560    2744  cmd.exe                                                                 33
PID 2744 wrote to memory of 2560    2744  cmd.exe                                                                 33
PID 2560 wrote to memory of 2844    2560  aghkx.exe                                                               34
PID 2560 wrote to memory of 2844    2560  aghkx.exe                                                               34
PID 2560 wrote to memory of 2844    2560  aghkx.exe                                                               34
PID 2560 wrote to memory of 2844    2560  aghkx.exe                                                               34
PID 2560 wrote to memory of 2844    2560  aghkx.exe                                                               34
PID 2560 wrote to memory of 2844    2560  aghkx.exe                                                               34
PID 2560 wrote to memory of 2844    2560  aghkx.exe                                                               34
Processes
1. C:\Users\Admin\AppData\Local\Temp\849d94512ae368e75cb0eeb13339c752f7c12254a429b887c99c6bbc6444de00.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\849d94512ae368e75cb0eeb13339c752f7c12254a429b887c99c6bbc6444de00.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2412
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\aghkx.exe "C:\Users\Admin\AppData\Local\Temp\849d94512ae368e75cb0eeb13339c752f7c12254a429b887c99c6bbc6444de00.exe"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2744
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1 -n 2
         - System Location Discovery: System Language Discovery
         - System Network Configuration Discovery: Internet Connection Discovery
         - Runs ping.exe
         PID: 2772
      3. C:\Users\Admin\AppData\Local\Temp\aghkx.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\\aghkx.exe "C:\Users\Admin\AppData\Local\Temp\849d94512ae368e75cb0eeb13339c752f7c12254a429b887c99c6bbc6444de00.exe"
         - Deletes itself
         - Executes dropped EXE
         - Drops file in Program Files directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         PID: 2560
         4. \??\c:\windows\SysWOW64\rundll32.exe
            Command line: c:\windows\system32\rundll32.exe "c:\Program Files\qwfek\yvdmm.dll",method C:\Users\Admin\AppData\Local\Temp\aghkx.exe
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Adds Run key to start application
            - Enumerates connected drives
            - Writes to the Master Boot Record (MBR)
            - System Location Discovery: System Language Discovery
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2844
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
Filesize: 202KB
MD5: 29b7739bc8482905228587fc9baec782
SHA1: 4b9ef7954e79cdebba1a368ef74190dabeb4c505
SHA256: 2072edbd9914a8b75dd098c93867f68365340ef7892fe53c1874f40027efa50e
SHA512: 57f369f5165426d41534bce64939970a0f7ed73ba3443718939aed69107cc698b9e2dc2c5e645713474f06da5799fbc063f84b20054613f9e1e38025a92bde4a

Filesize: 148KB
MD5: 52f3889622c6fda06c372098fd0aa79a
SHA1: bdef8676e5bbce3b911f80d0f00b676ab7c786eb
SHA256: a03eaee22fa57f760996788660a22b1e62820546c2fd9ded5ee9a5b18e6d28c8
SHA512: ed2e92303f763c0faffd70f7250c7668eb7d354127a908acae65c7c169d0cbbd833efaff05136d93b9754dc6a6d15f4d00ef9cb19f3a302be1ab14fac2d56fdc