Analysis Overview
SHA256
9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab
Threat Level: Likely malicious
The file 9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
Deletes itself
Reads user/profile data of web browsers
Executes dropped EXE
Writes to the Master Boot Record (MBR)
Adds Run key to start application
Enumerates connected drives
Unsigned PE
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Runs ping.exe
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-16 01:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-16 01:35
Reported
2024-10-16 01:38
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\fytjuhv.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\fytjuhv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\cnfde\\jbudw.dll\",DoVirusScan" | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\l: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\n: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\o: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\t: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\b: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\e: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\i: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\m: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\r: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\s: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\a: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\v: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\x: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\y: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\w: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\g: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\h: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\j: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\k: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\p: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\q: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\u: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\z: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\fytjuhv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe | N/A |
| N/A | N/A | \??\c:\fytjuhv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe
"C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 -n 2&c:\fytjuhv.exe "C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
\??\c:\fytjuhv.exe
c:\fytjuhv.exe "C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe"
\??\c:\windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.exe "c:\cnfde\jbudw.dll",DoVirusScan c:\fytjuhv.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 107.163.241.232:12354 | | tcp |
| US | 107.163.241.232:12354 | | tcp |
| US | 107.163.241.232:12354 | | tcp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
Files
memory/2284-0-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2284-2-0x0000000000400000-0x0000000000417000-memory.dmp
C:\fytjuhv.exe
| MD5 | 012b52b30fcba353718a19cba796bb5a |
| SHA1 | d99d8c607e00580edf47f327f910ed7b97e5c9e4 |
| SHA256 | 89167f31763ab46812ac0e2a43d7a50c1c5012dcbe77df262c5fe91c43ff85cc |
| SHA512 | 519d8dd14c835e979b4cf7bda4ce71b67eff974a1f85b3420a3cfe6ab23ca862a2ebcdd1cd5a2697158a6432733ea8f645c408c8fc184a42b7a829528c0696a9 |
memory/2060-7-0x0000000000400000-0x0000000000417000-memory.dmp
\??\c:\cnfde\jbudw.dll
| MD5 | cbfc06794d16ace6adf42210183fc1b9 |
| SHA1 | 74fc68a2af225b0aca954b3684940747511013c5 |
| SHA256 | b2d21c40c5bfc0f7695945946fa1cdd4eaf2f66a8391ddde6307c5f765fbf525 |
| SHA512 | 181dbe8b63e28a81cb8e0b7240df8745da350e1ab433b157b8b4fd36aa10f0782e807c09563bcffe37cfe64aa1b514b2cc1f179fbcba422d96867179d88e13c9 |
memory/3652-10-0x0000000010000000-0x0000000010032000-memory.dmp
memory/3652-11-0x0000000010001000-0x0000000010021000-memory.dmp
memory/3652-12-0x0000000010000000-0x0000000010032000-memory.dmp
memory/3652-13-0x0000000010001000-0x0000000010021000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-16 01:35
Reported
2024-10-16 01:38
Platform
win7-20240903-en
Max time kernel
144s
Max time network
144s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\umqyn.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\umqyn.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\tktni\\cewymhr.dll\",DoVirusScan" | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\e: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\m: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\o: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\q: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\t: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\x: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\y: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\a: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\j: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\v: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\g: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\n: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\u: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\z: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\s: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\b: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\h: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\i: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\k: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\l: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\p: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\r: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\w: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\umqyn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe | N/A |
| N/A | N/A | \??\c:\umqyn.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe
"C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 -n 2&c:\umqyn.exe "C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
\??\c:\umqyn.exe
c:\umqyn.exe "C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe"
\??\c:\windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.exe "c:\tktni\cewymhr.dll",DoVirusScan c:\umqyn.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 107.163.241.232:12354 | | tcp |
| US | 107.163.241.232:12354 | | tcp |
| US | 107.163.241.232:12354 | | tcp |
| US | 107.163.241.232:12354 | | tcp |
Files
memory/2244-0-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2244-2-0x0000000000400000-0x0000000000417000-memory.dmp
\??\c:\umqyn.exe
| MD5 | e368bc1abdf9ace70440ca3828cb7105 |
| SHA1 | de7e6e97f84b383e118a38c902324b4fa4c0135b |
| SHA256 | bf537b8dc07eeb08a8761e5d3cad3ac0fd68ea5cd20e35546194a5b4b76c7dce |
| SHA512 | 35a36ae562eb390b555d7c4cac4d89fc6400aa0ff0332a81f086f2230ef8378065b77234bbbd22a65151cf1cbbaea542b5c5fc9bcb867b603cef62063c95f1cf |
memory/2428-6-0x0000000000400000-0x0000000000417000-memory.dmp
\??\c:\tktni\cewymhr.dll
| MD5 | cbfc06794d16ace6adf42210183fc1b9 |
| SHA1 | 74fc68a2af225b0aca954b3684940747511013c5 |
| SHA256 | b2d21c40c5bfc0f7695945946fa1cdd4eaf2f66a8391ddde6307c5f765fbf525 |
| SHA512 | 181dbe8b63e28a81cb8e0b7240df8745da350e1ab433b157b8b4fd36aa10f0782e807c09563bcffe37cfe64aa1b514b2cc1f179fbcba422d96867179d88e13c9 |
memory/2580-15-0x000000001002C000-0x000000001002D000-memory.dmp
memory/2580-14-0x0000000010000000-0x0000000010032000-memory.dmp
memory/2580-13-0x0000000010000000-0x0000000010032000-memory.dmp
memory/2580-11-0x0000000010000000-0x0000000010032000-memory.dmp
memory/2580-16-0x0000000010000000-0x0000000010032000-memory.dmp
memory/2580-17-0x0000000010000000-0x0000000010032000-memory.dmp
memory/2580-18-0x0000000010000000-0x0000000010032000-memory.dmp
memory/2580-19-0x0000000010000000-0x0000000010032000-memory.dmp