Analysis
-
max time kernel
145s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16/10/2024, 00:16
Static task
static1
Behavioral task
behavioral1
Sample
7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c.exe
Resource
win10v2004-20241007-en
General
-
Target
7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c.exe
-
Size
61KB
-
MD5
e69a172830cb820693df6a5925dd90a3
-
SHA1
74174acc18a1258f1e841f88862ff71d94b1e3ec
-
SHA256
7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c
-
SHA512
8a58c2c03e7b560b2fa5bbf4dde6a2f0de511e4090b1ba71aa608b7702b69b16eb58922a8271817611cb7ab948d9d962f4597939e7cc3cfca541fefc7bed70d8
-
SSDEEP
768:qGHV45EDE477AZbUJx0rZGE3jCELoiMMj6hZ3nE+EXVmkDbjRL8Khc15Z6J1Sq:qG14P477AxUYrZGoC09k0SkTRHhWqPJ
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
flow pid Process 23 1384 rundll32.exe 24 1384 rundll32.exe 25 1384 rundll32.exe -
Deletes itself 1 IoCs
pid Process 1816 knevqfmr.exe -
Executes dropped EXE 1 IoCs
pid Process 1816 knevqfmr.exe -
Loads dropped DLL 1 IoCs
pid Process 1384 rundll32.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\ukoya\\gzkmc.dll\",init" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\z: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\y: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language knevqfmr.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 224 cmd.exe 3244 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3244 PING.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1384 rundll32.exe 1384 rundll32.exe 1384 rundll32.exe 1384 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1384 rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3572 7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c.exe 1816 knevqfmr.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3572 wrote to memory of 224 3572 7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c.exe 86 PID 3572 wrote to memory of 224 3572 7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c.exe 86 PID 3572 wrote to memory of 224 3572 7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c.exe 86 PID 224 wrote to memory of 3244 224 cmd.exe 89 PID 224 wrote to memory of 3244 224 cmd.exe 89 PID 224 wrote to memory of 3244 224 cmd.exe 89 PID 224 wrote to memory of 1816 224 cmd.exe 90 PID 224 wrote to memory of 1816 224 cmd.exe 90 PID 224 wrote to memory of 1816 224 cmd.exe 90 PID 1816 wrote to memory of 1384 1816 knevqfmr.exe 91 PID 1816 wrote to memory of 1384 1816 knevqfmr.exe 91 PID 1816 wrote to memory of 1384 1816 knevqfmr.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c.exe"C:\Users\Admin\AppData\Local\Temp\7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&c:\knevqfmr.exe "C:\Users\Admin\AppData\Local\Temp\7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3244
-
-
\??\c:\knevqfmr.exec:\knevqfmr.exe "C:\Users\Admin\AppData\Local\Temp\7bbab99f1f11c62dd3c8812dd121f1379ce2d2be536ba1b09fc28055f3fac02c.exe"3⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\ukoya\gzkmc.dll",init c:\knevqfmr.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61KB
MD53334b88def7b37a39ebe2f42ba7b638a
SHA1180ddb42bb10d9faf5b9feb3776faf3f549adca4
SHA25690e068b3d0dc5c6a0d8552a0cfcd13f9f01665d4cd8f7daa10d6ad14fc159f00
SHA512c6c0becf149a7eb1224179e4aecbadecb5fc94f61c41a4a27ad47b74ea0076db4fb3e7d67e737d9363a856140012efe040eeac543bdb0920143d349f3f26e9db
-
Filesize
42KB
MD536e3fb5964d663272cf1169e1e1ca478
SHA158115e08b49505bcbbb5c88a28a86222ba18d5d4
SHA256c7c41689de030df0f78f471422fa2a6383b36e77c94e7f6f124a96feb3e27ed7
SHA512daff53b11aa400437a06287707a334a09661c1ef7d0fd8beaf1a874c79c16fe45bd1188343d0623e839d3ead5ea2dd90896e37ccf3b252c7220c74989a9ba442