Analysis

  • max time kernel
    136s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/10/2024, 16:21

General

  • Target

    SecuriteInfo.com.FileRepMalware.6479.21607.exe

  • Size

    1.6MB

  • MD5

    5e96050ed8827efeb9c90d59ce708f10

  • SHA1

    83dca0d791cfaeca7fe8ad68fed370c37ef48ce1

  • SHA256

    0a9157f45b50d30bc4ba535bf2e5ee8a447870edaf887ba7e7fe011e4081d075

  • SHA512

    7fe2d4986f2331eb2d780f3326bba9dfeff8f773094bf1eb08c4ac601bc0579c9649c1f0646bde1043202d2261914f649ea7fa8fa2c8ee5ac370a880071fdb37

  • SSDEEP

    24576:G1cfyJ8m1Z79b6BMxWcrJfO/RIweCJK3VmmsPEq9lDBff3hVYpPGf69tC:wrz1Z7YBkWcpO/RTrD9lNffxVY2m8

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.6479.21607.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.6479.21607.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:408
    • C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
      "C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /setupsucc
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5004
    • C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
      "C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4780

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\nsbB085.tmp\FindProcDLL.dll

          Filesize

          3KB

          MD5

          8614c450637267afacad1645e23ba24a

          SHA1

          e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

          SHA256

          0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

          SHA512

          af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

        • C:\Users\Admin\AppData\Local\Temp\nsbB085.tmp\System.dll

          Filesize

          11KB

          MD5

          c17103ae9072a06da581dec998343fc1

          SHA1

          b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

          SHA256

          dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

          SHA512

          d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

        • C:\Users\Admin\AppData\Roaming\mk-jzcq\Lander.ini

          Filesize

          412B

          MD5

          2c50cf60647cb651d7828f8aa66c0b68

          SHA1

          aa3ba89fc7adc865a13169d6449443ee63dfd910

          SHA256

          7549fdb2859a659368e06fe95abb06fdbc91ec3dafd6c062bff8b67317db6eb4

          SHA512

          46e3256a785ff494b375062ebe4543fd9ded68b34928f71812b1742bb25f3a153335646e4bd547f19c128c48a1a98dda336e1e8c759140c708be8019a0168769

        • C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe

          Filesize

          1.4MB

          MD5

          75a7cc387d1e24de8ba1275e81a840d1

          SHA1

          8a21d186efb66be5db46925518e0b70861bf6dab

          SHA256

          d5c4461055dfdd7d755400207bebacdfe0cc880f7b6c742409e07afd24515bfc

          SHA512

          550de9d37a27fa93d0869b1ff02a55bfbc49b20871b59b85513b03d4664a1c34350764aada6a23a13f56e7f6e4eb5a4dc6d06fde761713edd1c9cbbbcb5de158

        • C:\Users\Admin\AppData\Roaming\mk-jzcq\lander.ini

          Filesize

          361B

          MD5

          bd3d2a63852000b334df43694b413842

          SHA1

          c2352468953156292e7e1a3ec8f3fb007ca008b8

          SHA256

          0e44d0f71caaada342fc0785f8cfc1adda2a7d7c939c7b62bc3c64bc56d06b19

          SHA512

          463efc29f6f9cf87ae155e5b9c7b59130a153f6d0598d2a06fcbf51c4098743ae03de531cd53a54ccac9be0ae164a0537cff7e1377b62cbf60ec2a7c065bcb08

        • memory/408-15-0x0000000004811000-0x0000000004812000-memory.dmp

          Filesize

          4KB

        • memory/408-14-0x0000000004810000-0x0000000004813000-memory.dmp

          Filesize

          12KB

        • memory/408-55-0x0000000000480000-0x0000000000483000-memory.dmp

          Filesize

          12KB

        • memory/408-61-0x0000000000481000-0x0000000000482000-memory.dmp

          Filesize

          4KB

        • memory/408-60-0x0000000000480000-0x0000000000483000-memory.dmp

          Filesize

          12KB

        • memory/4780-69-0x0000000003170000-0x0000000003171000-memory.dmp

          Filesize

          4KB

        • memory/4780-70-0x0000000003170000-0x0000000003171000-memory.dmp

          Filesize

          4KB