Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
27-10-2024 17:25
Static task
static1
Behavioral task
behavioral1
Sample
6813bedc32b9694d55bd450673e003ab230a078009cdc071fdea19948ff2e9a0N.exe
Resource
win7-20240903-en
General
-
Target
6813bedc32b9694d55bd450673e003ab230a078009cdc071fdea19948ff2e9a0N.exe
-
Size
91KB
-
MD5
92db78fa570ad872a03e97e8d8ba0680
-
SHA1
f40cfa3478719cc732007426d2fb019f5decccda
-
SHA256
6813bedc32b9694d55bd450673e003ab230a078009cdc071fdea19948ff2e9a0
-
SHA512
1aa5f1cb424bc764a6841742cacb37085e2f213da41e21795d17ac4da9d5d07ab0d4b10b7c4b322fbd3006dc3ed9a380d15711a8f4f798023f1d2c5da6170d36
-
SSDEEP
1536:1MIPgEm56wnbkKC2ZyBJU066lwLCRVEB+nR/y8cmNrEIviCOzuajkrDl9HNSiV:11PgEOng1d66jRVa+n4NmNNouukrD7HI
Malware Config
Signatures
-
Blocklisted process makes network request 8 IoCs
flow pid Process 21 1536 rundll32.exe 29 1536 rundll32.exe 30 1536 rundll32.exe 31 1536 rundll32.exe 45 1536 rundll32.exe 46 1536 rundll32.exe 55 1536 rundll32.exe 71 1536 rundll32.exe -
Deletes itself 1 IoCs
pid Process 1520 flfxg.exe -
Executes dropped EXE 1 IoCs
pid Process 1520 flfxg.exe -
Loads dropped DLL 1 IoCs
pid Process 1536 rundll32.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\xpymj\\ryelx.ylr\",crc32" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\z: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
resource yara_rule behavioral2/files/0x0002000000022efc-11.dat upx behavioral2/memory/1536-13-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral2/memory/1536-14-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral2/memory/1536-16-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral2/memory/1536-18-0x0000000010000000-0x0000000010022000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6813bedc32b9694d55bd450673e003ab230a078009cdc071fdea19948ff2e9a0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfxg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2520 cmd.exe 460 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Kills process with taskkill 1 IoCs
pid Process 1436 taskkill.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 460 PING.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1536 rundll32.exe 1536 rundll32.exe 1536 rundll32.exe 1536 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1536 rundll32.exe Token: SeDebugPrivilege 1436 taskkill.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4068 6813bedc32b9694d55bd450673e003ab230a078009cdc071fdea19948ff2e9a0N.exe 1520 flfxg.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 4068 wrote to memory of 2520 4068 6813bedc32b9694d55bd450673e003ab230a078009cdc071fdea19948ff2e9a0N.exe 86 PID 4068 wrote to memory of 2520 4068 6813bedc32b9694d55bd450673e003ab230a078009cdc071fdea19948ff2e9a0N.exe 86 PID 4068 wrote to memory of 2520 4068 6813bedc32b9694d55bd450673e003ab230a078009cdc071fdea19948ff2e9a0N.exe 86 PID 2520 wrote to memory of 460 2520 cmd.exe 88 PID 2520 wrote to memory of 460 2520 cmd.exe 88 PID 2520 wrote to memory of 460 2520 cmd.exe 88 PID 2520 wrote to memory of 1520 2520 cmd.exe 90 PID 2520 wrote to memory of 1520 2520 cmd.exe 90 PID 2520 wrote to memory of 1520 2520 cmd.exe 90 PID 1520 wrote to memory of 1536 1520 flfxg.exe 92 PID 1520 wrote to memory of 1536 1520 flfxg.exe 92 PID 1520 wrote to memory of 1536 1520 flfxg.exe 92 PID 1536 wrote to memory of 1436 1536 rundll32.exe 93 PID 1536 wrote to memory of 1436 1536 rundll32.exe 93 PID 1536 wrote to memory of 1436 1536 rundll32.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\6813bedc32b9694d55bd450673e003ab230a078009cdc071fdea19948ff2e9a0N.exe"C:\Users\Admin\AppData\Local\Temp\6813bedc32b9694d55bd450673e003ab230a078009cdc071fdea19948ff2e9a0N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\flfxg.exe "C:\Users\Admin\AppData\Local\Temp\6813bedc32b9694d55bd450673e003ab230a078009cdc071fdea19948ff2e9a0N.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:460
-
-
C:\Users\Admin\AppData\Local\Temp\flfxg.exeC:\Users\Admin\AppData\Local\Temp\\flfxg.exe "C:\Users\Admin\AppData\Local\Temp\6813bedc32b9694d55bd450673e003ab230a078009cdc071fdea19948ff2e9a0N.exe"3⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\xpymj\ryelx.ylr",crc32 C:\Users\Admin\AppData\Local\Temp\flfxg.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536 -
\??\c:\windows\SysWOW64\taskkill.exetaskkill /f /im attrib.exe5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1436
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
91KB
MD5dc67212b11fa4353d234ecb958e78e27
SHA1b13b90d2425e32e4734b2d1c720e047970bf4acf
SHA256edf8da334b37c112753f36f41f650536a092a18a1df4280c8db8dbeff9d0563e
SHA512375d3c2a1f248c35b9026808703669d3db65f474ec5c67d4fcae455010315b1ebbbcda90d95122a8481ae6d2b5e07cef4d4f5693e98ba195c20e02ac278fa558
-
Filesize
57KB
MD52f53f49e01f09d6e6064871eec1955cd
SHA1a6e1a6e5c2080d0fb2f7a872e3902a8a4a1a9b5f
SHA256964e4dd2532d540bb61d3c7ccc833f2358d8cd6b2eabc3a2d51183a18b59f82d
SHA5122cb98030c3df7417c04f796f78f23f96d381871d9c7ae4a14116764e915b2e2f56b9b3a6fb76fedc50a17788de9538fc7954a7b73bf17e4be43e1fc1a06bc218