Analysis
-
max time kernel
112s -
max time network
115s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
27-10-2024 17:25
Static task
static1
Behavioral task
behavioral1
Sample
6813bedc32b9694d55bd450673e003ab230a078009cdc071fdea19948ff2e9a0N.exe
Resource
win7-20240903-en
General
-
Target
6813bedc32b9694d55bd450673e003ab230a078009cdc071fdea19948ff2e9a0N.exe
-
Size
91KB
-
MD5
92db78fa570ad872a03e97e8d8ba0680
-
SHA1
f40cfa3478719cc732007426d2fb019f5decccda
-
SHA256
6813bedc32b9694d55bd450673e003ab230a078009cdc071fdea19948ff2e9a0
-
SHA512
1aa5f1cb424bc764a6841742cacb37085e2f213da41e21795d17ac4da9d5d07ab0d4b10b7c4b322fbd3006dc3ed9a380d15711a8f4f798023f1d2c5da6170d36
-
SSDEEP
1536:1MIPgEm56wnbkKC2ZyBJU066lwLCRVEB+nR/y8cmNrEIviCOzuajkrDl9HNSiV:11PgEOng1d66jRVa+n4NmNNouukrD7HI
Malware Config
Signatures
-
Blocklisted process makes network request 9 IoCs
flow pid Process 4 2292 rundll32.exe 7 2292 rundll32.exe 8 2292 rundll32.exe 9 2292 rundll32.exe 10 2292 rundll32.exe 13 2292 rundll32.exe 14 2292 rundll32.exe 15 2292 rundll32.exe 17 2292 rundll32.exe -
Deletes itself 1 IoCs
pid Process 2844 ifdyg.exe -
Executes dropped EXE 1 IoCs
pid Process 2844 ifdyg.exe -
Loads dropped DLL 3 IoCs
pid Process 2368 cmd.exe 2368 cmd.exe 2292 rundll32.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\gahtc\\kshjhwtmm.sjk\",crc32" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\z: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\y: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
resource yara_rule behavioral1/files/0x0009000000016399-13.dat upx behavioral1/memory/2292-15-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral1/memory/2292-16-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral1/memory/2292-20-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral1/memory/2292-21-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral1/memory/2292-22-0x0000000010000000-0x0000000010022000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ifdyg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6813bedc32b9694d55bd450673e003ab230a078009cdc071fdea19948ff2e9a0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2296 PING.EXE 2368 cmd.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Kills process with taskkill 1 IoCs
pid Process 2672 taskkill.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2296 PING.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2292 rundll32.exe 2292 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2292 rundll32.exe Token: SeDebugPrivilege 2672 taskkill.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2340 6813bedc32b9694d55bd450673e003ab230a078009cdc071fdea19948ff2e9a0N.exe 2844 ifdyg.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 2340 wrote to memory of 2368 2340 6813bedc32b9694d55bd450673e003ab230a078009cdc071fdea19948ff2e9a0N.exe 30 PID 2340 wrote to memory of 2368 2340 6813bedc32b9694d55bd450673e003ab230a078009cdc071fdea19948ff2e9a0N.exe 30 PID 2340 wrote to memory of 2368 2340 6813bedc32b9694d55bd450673e003ab230a078009cdc071fdea19948ff2e9a0N.exe 30 PID 2340 wrote to memory of 2368 2340 6813bedc32b9694d55bd450673e003ab230a078009cdc071fdea19948ff2e9a0N.exe 30 PID 2368 wrote to memory of 2296 2368 cmd.exe 32 PID 2368 wrote to memory of 2296 2368 cmd.exe 32 PID 2368 wrote to memory of 2296 2368 cmd.exe 32 PID 2368 wrote to memory of 2296 2368 cmd.exe 32 PID 2368 wrote to memory of 2844 2368 cmd.exe 33 PID 2368 wrote to memory of 2844 2368 cmd.exe 33 PID 2368 wrote to memory of 2844 2368 cmd.exe 33 PID 2368 wrote to memory of 2844 2368 cmd.exe 33 PID 2844 wrote to memory of 2292 2844 ifdyg.exe 34 PID 2844 wrote to memory of 2292 2844 ifdyg.exe 34 PID 2844 wrote to memory of 2292 2844 ifdyg.exe 34 PID 2844 wrote to memory of 2292 2844 ifdyg.exe 34 PID 2844 wrote to memory of 2292 2844 ifdyg.exe 34 PID 2844 wrote to memory of 2292 2844 ifdyg.exe 34 PID 2844 wrote to memory of 2292 2844 ifdyg.exe 34 PID 2292 wrote to memory of 2672 2292 rundll32.exe 35 PID 2292 wrote to memory of 2672 2292 rundll32.exe 35 PID 2292 wrote to memory of 2672 2292 rundll32.exe 35 PID 2292 wrote to memory of 2672 2292 rundll32.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\6813bedc32b9694d55bd450673e003ab230a078009cdc071fdea19948ff2e9a0N.exe"C:\Users\Admin\AppData\Local\Temp\6813bedc32b9694d55bd450673e003ab230a078009cdc071fdea19948ff2e9a0N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\ifdyg.exe "C:\Users\Admin\AppData\Local\Temp\6813bedc32b9694d55bd450673e003ab230a078009cdc071fdea19948ff2e9a0N.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2296
-
-
C:\Users\Admin\AppData\Local\Temp\ifdyg.exeC:\Users\Admin\AppData\Local\Temp\\ifdyg.exe "C:\Users\Admin\AppData\Local\Temp\6813bedc32b9694d55bd450673e003ab230a078009cdc071fdea19948ff2e9a0N.exe"3⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\gahtc\kshjhwtmm.sjk",crc32 C:\Users\Admin\AppData\Local\Temp\ifdyg.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\windows\SysWOW64\taskkill.exetaskkill /f /im attrib.exe5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2672
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
57KB
MD52f53f49e01f09d6e6064871eec1955cd
SHA1a6e1a6e5c2080d0fb2f7a872e3902a8a4a1a9b5f
SHA256964e4dd2532d540bb61d3c7ccc833f2358d8cd6b2eabc3a2d51183a18b59f82d
SHA5122cb98030c3df7417c04f796f78f23f96d381871d9c7ae4a14116764e915b2e2f56b9b3a6fb76fedc50a17788de9538fc7954a7b73bf17e4be43e1fc1a06bc218
-
Filesize
91KB
MD5733959d916324402ddbdbeab82f01039
SHA178a9d63bf7a2c1976cae6140c49b4fcaa9fa5e5d
SHA25615b78b50c41fefb37fac9c315b69bf98d2ebb885d74bbaa016f9ea9b1d32f9b7
SHA5125a67c32e138431a5f2e73a358b4f3c2b8eafcc0ee8a124777d6eb3c8aea8831fd877aa3d9a284c86f84353ef27c575b1a72c6c0f6e9738b9709aff83ffd577c5