Analysis

max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16/10/2024, 00:32
Static task: static1

Behavioral task: behavioral1
  Sample: 1f35a53d85676d42b288490df1629bcf32b66a883373238acfd891f1c5915273.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 1f35a53d85676d42b288490df1629bcf32b66a883373238acfd891f1c5915273.exe
  Resource: win10v2004-20241007-en
General

Target: 1f35a53d85676d42b288490df1629bcf32b66a883373238acfd891f1c5915273.exe
Size: 414KB
MD5: 8ed6fc461fb1cad41bbbe997fc33524b
SHA1: c8ab52a0ac4be3b5a87e029e4d19fae59318069e
SHA256: 1f35a53d85676d42b288490df1629bcf32b66a883373238acfd891f1c5915273
SHA512: 9e18a5f23c9f27c8798b136c9d88ae2d918643623bf96c4c9f5b85aa85cc2bd26cb974b8f8376e34cc8cd8f13229a99921defb963456d7129c87fc74868970b7
SSDEEP: 6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse
Malware Config

Signatures

Blocklisted process makes network request (10 IoCs)
  flow  pid   Process
  3     2844  rundll32.exe
  7     2844  rundll32.exe
  8     2844  rundll32.exe
  9     2844  rundll32.exe
  10    2844  rundll32.exe
  13    2844  rundll32.exe
  14    2844  rundll32.exe
  15    2844  rundll32.exe
  17    2844  rundll32.exe
  18    2844  rundll32.exe

Deletes itself (1 IoC)
  pid   Process
  2836  kthtke.exe

Executes dropped EXE (1 IoC)
  pid   Process
  2836  kthtke.exe

Loads dropped DLL (6 IoCs)
  pid   Process       occurrences
  2696  cmd.exe       2
  2844  rundll32.exe  4
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                         Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\mwkayoqlu\\dswxs.dll\",Verify"  rundll32.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\p:  rundll32.exe
  File opened (read-only)  \??\r:  rundll32.exe
  File opened (read-only)  \??\s:  rundll32.exe
  File opened (read-only)  \??\z:  rundll32.exe
  File opened (read-only)  \??\t:  rundll32.exe
  File opened (read-only)  \??\y:  rundll32.exe
  File opened (read-only)  \??\i:  rundll32.exe
  File opened (read-only)  \??\j:  rundll32.exe
  File opened (read-only)  \??\k:  rundll32.exe
  File opened (read-only)  \??\m:  rundll32.exe
  File opened (read-only)  \??\v:  rundll32.exe
  File opened (read-only)  \??\w:  rundll32.exe
  File opened (read-only)  \??\b:  rundll32.exe
  File opened (read-only)  \??\g:  rundll32.exe
  File opened (read-only)  \??\h:  rundll32.exe
  File opened (read-only)  \??\n:  rundll32.exe
  File opened (read-only)  \??\q:  rundll32.exe
  File opened (read-only)  \??\u:  rundll32.exe
  File opened (read-only)  \??\x:  rundll32.exe
  File opened (read-only)  \??\a:  rundll32.exe
  File opened (read-only)  \??\e:  rundll32.exe
  File opened (read-only)  \??\l:  rundll32.exe
  File opened (read-only)  \??\o:  rundll32.exe

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                   ioc                  Process
  File opened for modification  \??\PHYSICALDRIVE0  rundll32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid   Process
  2844  rundll32.exe

Drops file in Program Files directory (2 IoCs)
  description                   ioc                                        Process
  File opened for modification  \??\c:\Program Files\mwkayoqlu             kthtke.exe
  File created                  \??\c:\Program Files\mwkayoqlu\dswxs.dll   kthtke.exe

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1f35a53d85676d42b288490df1629bcf32b66a883373238acfd891f1c5915273.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  kthtke.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  2564  PING.EXE
  2696  cmd.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                           Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0              rundll32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  rundll32.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid   Process
  2564  PING.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process       occurrences
  2844  rundll32.exe  64

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   2844  rundll32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2088  1f35a53d85676d42b288490df1629bcf32b66a883373238acfd891f1c5915273.exe
  2836  kthtke.exe

Suspicious use of WriteProcessMemory (19 IoCs)
  description                    pid   Process                                                                   procid_target  occurrences
  PID 2088 wrote to memory of 2696  2088  1f35a53d85676d42b288490df1629bcf32b66a883373238acfd891f1c5915273.exe  30             4
  PID 2696 wrote to memory of 2564  2696  cmd.exe                                                                32             4
  PID 2696 wrote to memory of 2836  2696  cmd.exe                                                                33             4
  PID 2836 wrote to memory of 2844  2836  kthtke.exe                                                             34             7
Processes

C:\Users\Admin\AppData\Local\Temp\1f35a53d85676d42b288490df1629bcf32b66a883373238acfd891f1c5915273.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f35a53d85676d42b288490df1629bcf32b66a883373238acfd891f1c5915273.exe"
  PID: 2088
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\kthtke.exe "C:\Users\Admin\AppData\Local\Temp\1f35a53d85676d42b288490df1629bcf32b66a883373238acfd891f1c5915273.exe"
    PID: 2696
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 2
      PID: 2564
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe

    C:\Users\Admin\AppData\Local\Temp\kthtke.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\kthtke.exe "C:\Users\Admin\AppData\Local\Temp\1f35a53d85676d42b288490df1629bcf32b66a883373238acfd891f1c5915273.exe"
      PID: 2836
      - Deletes itself
      - Executes dropped EXE
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\SysWOW64\rundll32.exe
        Command line: c:\windows\system32\rundll32.exe "c:\Program Files\mwkayoqlu\dswxs.dll",Verify C:\Users\Admin\AppData\Local\Temp\kthtke.exe
        PID: 2844
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Adds Run key to start application
        - Enumerates connected drives
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Pre-OS Boot (1)
    - Bootkit (1)

Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)

Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)
Downloads

Filesize: 228KB
MD5: 4ede2ccd6260b9fc85d1adba56b24841
SHA1: 602718d81a41dc2a3f919c16dfaca46210ea8ac6
SHA256: 64a5e0e8e9332c49429c2f77822e03dedc90a2336779c1601f6cf879cc241e66
SHA512: 6751550b914b714641fab7e11bf37627f8bbdbbda7b0f343772981a5fffddfe46c00237a1d72afc42933a3d9052f80d3b5072909815fbdfd69832a8f1d8d17bf

Filesize: 414KB
MD5: 80e3d5961d1b9e93a898e5ba2bba4d17
SHA1: 3ec73d915975d5a163adc0896d912d606a62224a
SHA256: 958d63354ca951dc0bb895391665ed48ac1ed20ac213226af232e85a4761c10a
SHA512: 62c237013f0e1835c86c4617190fec0a8c041fb6ef2a8977402b08a78318a7607ff3b600f2dce869bd858202e1bbe342cc241f2e99d68e46ebc1333867979ccd