Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16/10/2024, 00:40
Behavioral task
behavioral1
Sample
849d94512ae368e75cb0eeb13339c752f7c12254a429b887c99c6bbc6444de00.exe
Resource
win7-20240903-en
General
-
Target
849d94512ae368e75cb0eeb13339c752f7c12254a429b887c99c6bbc6444de00.exe
-
Size
202KB
-
MD5
ee4f1bb44ebde2bd97c7627c92016842
-
SHA1
70e1a087bc87ede1bf33897df9a4a20dab64778e
-
SHA256
849d94512ae368e75cb0eeb13339c752f7c12254a429b887c99c6bbc6444de00
-
SHA512
d610e258a7d5a7e6c60dcbcc71d9b200fe5f399ec293b51bfc2a715d68e26a49da05719dce27a2505ff5d1f58fbf6edfa30fdb85bbbe2ae2286fdd4c14a133f9
-
SSDEEP
3072:a74MyJjjlLzVjN50BdQqlYgp72xzbuawaGO0OJw8KWs6IgVLE7QkfIA9:awj30dlZ+GVaRVLE7QkfIG
Malware Config
Signatures
-
Blocklisted process makes network request 7 IoCs
flow pid Process 23 5104 rundll32.exe 31 5104 rundll32.exe 33 5104 rundll32.exe 34 5104 rundll32.exe 49 5104 rundll32.exe 70 5104 rundll32.exe 71 5104 rundll32.exe -
Deletes itself 1 IoCs
pid Process 4132 znkrq.exe -
Executes dropped EXE 1 IoCs
pid Process 4132 znkrq.exe -
Loads dropped DLL 1 IoCs
pid Process 5104 rundll32.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Micro = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\hldak\\veojwfni.dll\",method" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\z: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\o: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
resource yara_rule behavioral2/memory/2544-0-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral2/memory/2544-3-0x0000000000400000-0x000000000044A000-memory.dmp upx behavioral2/files/0x000c000000023bab-5.dat upx behavioral2/memory/4132-9-0x0000000000400000-0x000000000044A000-memory.dmp upx -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification \??\c:\Program Files\hldak znkrq.exe File created \??\c:\Program Files\hldak\veojwfni.dll znkrq.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 849d94512ae368e75cb0eeb13339c752f7c12254a429b887c99c6bbc6444de00.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language znkrq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 236 cmd.exe 4552 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4552 PING.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 5104 rundll32.exe 5104 rundll32.exe 5104 rundll32.exe 5104 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 5104 rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2544 849d94512ae368e75cb0eeb13339c752f7c12254a429b887c99c6bbc6444de00.exe 4132 znkrq.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2544 wrote to memory of 236 2544 849d94512ae368e75cb0eeb13339c752f7c12254a429b887c99c6bbc6444de00.exe 86 PID 2544 wrote to memory of 236 2544 849d94512ae368e75cb0eeb13339c752f7c12254a429b887c99c6bbc6444de00.exe 86 PID 2544 wrote to memory of 236 2544 849d94512ae368e75cb0eeb13339c752f7c12254a429b887c99c6bbc6444de00.exe 86 PID 236 wrote to memory of 4552 236 cmd.exe 88 PID 236 wrote to memory of 4552 236 cmd.exe 88 PID 236 wrote to memory of 4552 236 cmd.exe 88 PID 236 wrote to memory of 4132 236 cmd.exe 90 PID 236 wrote to memory of 4132 236 cmd.exe 90 PID 236 wrote to memory of 4132 236 cmd.exe 90 PID 4132 wrote to memory of 5104 4132 znkrq.exe 91 PID 4132 wrote to memory of 5104 4132 znkrq.exe 91 PID 4132 wrote to memory of 5104 4132 znkrq.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\849d94512ae368e75cb0eeb13339c752f7c12254a429b887c99c6bbc6444de00.exe"C:\Users\Admin\AppData\Local\Temp\849d94512ae368e75cb0eeb13339c752f7c12254a429b887c99c6bbc6444de00.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\znkrq.exe "C:\Users\Admin\AppData\Local\Temp\849d94512ae368e75cb0eeb13339c752f7c12254a429b887c99c6bbc6444de00.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:236 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4552
-
-
C:\Users\Admin\AppData\Local\Temp\znkrq.exeC:\Users\Admin\AppData\Local\Temp\\znkrq.exe "C:\Users\Admin\AppData\Local\Temp\849d94512ae368e75cb0eeb13339c752f7c12254a429b887c99c6bbc6444de00.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4132 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\Program Files\hldak\veojwfni.dll",method C:\Users\Admin\AppData\Local\Temp\znkrq.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5104
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202KB
MD538b09391d8d0e30c2eb777f75a453bcb
SHA1d5a9cd6b7765e86cbda11659f869b3d67709cdc7
SHA2560163122e25499b5a65818f16cc023b2ce651504027d195ef1e07f5f3ab90a02b
SHA51231c38c26bfe29fe0bfdebf08ed3262042ad94b712ac4b32512d87a521b6fea2d754321fa672cbb7f6e637b49128a0e805e6bf2ec235f73aae7cc7e6fa84cca85
-
Filesize
148KB
MD561f3f88c80172e805f927e3776d6a733
SHA100a8ffeb837799f5685f619d37beddd8073da126
SHA2562967adcf4cfa79085d09dcc9a4c3a4e0ddab13aeeaf87ab94e1b562b03583e74
SHA512ed444e1778cb008afa473e543507171d93091668c382bb38ea946ba95f12bd4cdb1299447b187df61b3716c2d75011b52d76645672257bf54c04480ff4a8473f