Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
16/10/2024, 00:29
Static task
static1
Behavioral task
behavioral1
Sample
55d72e541ff5d50ada69084e6a7746784caf8569e7e1576a71d3d03ea335ca5c.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
55d72e541ff5d50ada69084e6a7746784caf8569e7e1576a71d3d03ea335ca5c.exe
Resource
win10v2004-20241007-en
General
-
Target
55d72e541ff5d50ada69084e6a7746784caf8569e7e1576a71d3d03ea335ca5c.exe
-
Size
414KB
-
MD5
aea5688722a46cecd76528b7796ec87d
-
SHA1
d03bf13043d96747e4b8dc01d05384e9fdbbbbc3
-
SHA256
55d72e541ff5d50ada69084e6a7746784caf8569e7e1576a71d3d03ea335ca5c
-
SHA512
2b3520efbd81bcfdd317c8f435e8dd0ab905169f581cdcf83befc5a9a1d145b3e31c799e3342a6bc7149af7a2262d2728efb8b1d39edec09937f9eec6563f124
-
SSDEEP
6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4X:gtRfJcNYFNm8UhlZGseX
Malware Config
Signatures
-
Blocklisted process makes network request 10 IoCs
flow pid Process 4 2792 rundll32.exe 5 2792 rundll32.exe 8 2792 rundll32.exe 9 2792 rundll32.exe 10 2792 rundll32.exe 13 2792 rundll32.exe 14 2792 rundll32.exe 15 2792 rundll32.exe 17 2792 rundll32.exe 18 2792 rundll32.exe -
Deletes itself 1 IoCs
pid Process 2620 anmob.exe -
Executes dropped EXE 1 IoCs
pid Process 2620 anmob.exe -
Loads dropped DLL 6 IoCs
pid Process 2080 cmd.exe 2080 cmd.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\frpaj\\ewkyxj.dll\",Verify" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\z: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\q: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2792 rundll32.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification \??\c:\Program Files\frpaj anmob.exe File created \??\c:\Program Files\frpaj\ewkyxj.dll anmob.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 55d72e541ff5d50ada69084e6a7746784caf8569e7e1576a71d3d03ea335ca5c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language anmob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2080 cmd.exe 2616 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2616 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe 2792 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2792 rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1712 55d72e541ff5d50ada69084e6a7746784caf8569e7e1576a71d3d03ea335ca5c.exe 2620 anmob.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 1712 wrote to memory of 2080 1712 55d72e541ff5d50ada69084e6a7746784caf8569e7e1576a71d3d03ea335ca5c.exe 30 PID 1712 wrote to memory of 2080 1712 55d72e541ff5d50ada69084e6a7746784caf8569e7e1576a71d3d03ea335ca5c.exe 30 PID 1712 wrote to memory of 2080 1712 55d72e541ff5d50ada69084e6a7746784caf8569e7e1576a71d3d03ea335ca5c.exe 30 PID 1712 wrote to memory of 2080 1712 55d72e541ff5d50ada69084e6a7746784caf8569e7e1576a71d3d03ea335ca5c.exe 30 PID 2080 wrote to memory of 2616 2080 cmd.exe 32 PID 2080 wrote to memory of 2616 2080 cmd.exe 32 PID 2080 wrote to memory of 2616 2080 cmd.exe 32 PID 2080 wrote to memory of 2616 2080 cmd.exe 32 PID 2080 wrote to memory of 2620 2080 cmd.exe 33 PID 2080 wrote to memory of 2620 2080 cmd.exe 33 PID 2080 wrote to memory of 2620 2080 cmd.exe 33 PID 2080 wrote to memory of 2620 2080 cmd.exe 33 PID 2620 wrote to memory of 2792 2620 anmob.exe 34 PID 2620 wrote to memory of 2792 2620 anmob.exe 34 PID 2620 wrote to memory of 2792 2620 anmob.exe 34 PID 2620 wrote to memory of 2792 2620 anmob.exe 34 PID 2620 wrote to memory of 2792 2620 anmob.exe 34 PID 2620 wrote to memory of 2792 2620 anmob.exe 34 PID 2620 wrote to memory of 2792 2620 anmob.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\55d72e541ff5d50ada69084e6a7746784caf8569e7e1576a71d3d03ea335ca5c.exe"C:\Users\Admin\AppData\Local\Temp\55d72e541ff5d50ada69084e6a7746784caf8569e7e1576a71d3d03ea335ca5c.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\anmob.exe "C:\Users\Admin\AppData\Local\Temp\55d72e541ff5d50ada69084e6a7746784caf8569e7e1576a71d3d03ea335ca5c.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2616
-
-
C:\Users\Admin\AppData\Local\Temp\anmob.exeC:\Users\Admin\AppData\Local\Temp\\anmob.exe "C:\Users\Admin\AppData\Local\Temp\55d72e541ff5d50ada69084e6a7746784caf8569e7e1576a71d3d03ea335ca5c.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\Program Files\frpaj\ewkyxj.dll",Verify C:\Users\Admin\AppData\Local\Temp\anmob.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
228KB
MD5faebb7c95db97cd7a697ab33c6ec2dc6
SHA1d429f569271ba5f85713c75e1bd1661958e14b19
SHA256edf9e93527bf024225737e0d4ddd57d5c8d541cc4afae4b6cad6116085c0debe
SHA5122427e3a6d085c012a2af912bedf894794f75b3b0e1fec519e06f0ed01ad36c4eed3b88ac5f05509182b92a919c32bf3c284e7a4a60e06051db90813fde124bce
-
Filesize
414KB
MD541c3f3b90385ec449e85762026beb663
SHA1a5d11518cee04c5f071b940e2e4e92c449bf0ffc
SHA256758fda348ba4f80286c953b47f5a534508621f58ecded9b8f9b3b49730a9fafb
SHA5125031fb532fb6e269766897fa9428aec3c125b7191af3ccc23e8d3837c55c8a8146f355b76cc26eaf4e60f29369a0b7c8b57be87e6fe14d43e7ea33ed7d44d3ba