Analysis
-
max time kernel
142s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
16/10/2024, 00:16
Static task
static1
Behavioral task
behavioral1
Sample
7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c.exe
Resource
win10v2004-20241007-en
General
-
Target
7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c.exe
-
Size
61KB
-
MD5
e69a172830cb820693df6a5925dd90a3
-
SHA1
74174acc18a1258f1e841f88862ff71d94b1e3ec
-
SHA256
7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c
-
SHA512
8a58c2c03e7b560b2fa5bbf4dde6a2f0de511e4090b1ba71aa608b7702b69b16eb58922a8271817611cb7ab948d9d962f4597939e7cc3cfca541fefc7bed70d8
-
SSDEEP
768:qGHV45EDE477AZbUJx0rZGE3jCELoiMMj6hZ3nE+EXVmkDbjRL8Khc15Z6J1Sq:qG14P477AxUYrZGoC09k0SkTRHhWqPJ
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
flow pid Process 5 2176 rundll32.exe 6 2176 rundll32.exe 7 2176 rundll32.exe -
Deletes itself 1 IoCs
pid Process 2684 bibug.exe -
Executes dropped EXE 1 IoCs
pid Process 2684 bibug.exe -
Loads dropped DLL 4 IoCs
pid Process 2176 rundll32.exe 2176 rundll32.exe 2176 rundll32.exe 2176 rundll32.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\dnbqfnrm\\uauol.dll\",init" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\z: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\e: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bibug.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2636 cmd.exe 2780 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2780 PING.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2176 rundll32.exe 2176 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2176 rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3044 7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c.exe 2684 bibug.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 3044 wrote to memory of 2636 3044 7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c.exe 30 PID 3044 wrote to memory of 2636 3044 7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c.exe 30 PID 3044 wrote to memory of 2636 3044 7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c.exe 30 PID 3044 wrote to memory of 2636 3044 7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c.exe 30 PID 2636 wrote to memory of 2780 2636 cmd.exe 32 PID 2636 wrote to memory of 2780 2636 cmd.exe 32 PID 2636 wrote to memory of 2780 2636 cmd.exe 32 PID 2636 wrote to memory of 2780 2636 cmd.exe 32 PID 2636 wrote to memory of 2684 2636 cmd.exe 33 PID 2636 wrote to memory of 2684 2636 cmd.exe 33 PID 2636 wrote to memory of 2684 2636 cmd.exe 33 PID 2636 wrote to memory of 2684 2636 cmd.exe 33 PID 2684 wrote to memory of 2176 2684 bibug.exe 34 PID 2684 wrote to memory of 2176 2684 bibug.exe 34 PID 2684 wrote to memory of 2176 2684 bibug.exe 34 PID 2684 wrote to memory of 2176 2684 bibug.exe 34 PID 2684 wrote to memory of 2176 2684 bibug.exe 34 PID 2684 wrote to memory of 2176 2684 bibug.exe 34 PID 2684 wrote to memory of 2176 2684 bibug.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c.exe"C:\Users\Admin\AppData\Local\Temp\7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&c:\bibug.exe "C:\Users\Admin\AppData\Local\Temp\7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2780
-
-
\??\c:\bibug.exec:\bibug.exe "C:\Users\Admin\AppData\Local\Temp\7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c.exe"3⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\dnbqfnrm\uauol.dll",init c:\bibug.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61KB
MD5d220a8c806a32eaedf8687157846ddc6
SHA18f58cee4e8d26332d2487136ab73aa72b246c390
SHA256afc70f62819c2f764c9bd9ee88dab5048b8e3282e6bcde3b1a352a156a0f0e7f
SHA512ecadf9df83717cf232cad8d81ec9a4b5cce3f8794c0a24d3fa205052e6ecc7a71da3fc4a5e4861b9f011e06e5246fbfb33e6d611a5020123b5336708c6d04f27
-
Filesize
42KB
MD536e3fb5964d663272cf1169e1e1ca478
SHA158115e08b49505bcbbb5c88a28a86222ba18d5d4
SHA256c7c41689de030df0f78f471422fa2a6383b36e77c94e7f6f124a96feb3e27ed7
SHA512daff53b11aa400437a06287707a334a09661c1ef7d0fd8beaf1a874c79c16fe45bd1188343d0623e839d3ead5ea2dd90896e37ccf3b252c7220c74989a9ba442