7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861

General

Target

7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.exe
Size

415KB
MD5

4fe603cf723f900e85718269da63d171
SHA1

f67285d5a17e2fb0baffc4664d03d24188ea0fae
SHA256

7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861
SHA512

7d7e908c3b0a35c00727ce3055c4fc87bd62eb4b9b53de28e3d6d1099fb4c9f823f75780a1e527f8c85423b6d2411c7184ad71447c82bb78f40ce086b1321fa7
SSDEEP

6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse

Score

8^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 8 IoCs

Processes:

rundll32.exe

flow	pid	process
21	3964	rundll32.exe
27	3964	rundll32.exe
28	3964	rundll32.exe
29	3964	rundll32.exe
43	3964	rundll32.exe
44	3964	rundll32.exe
51	3964	rundll32.exe
70	3964	rundll32.exe

Deletes itself 1 IoCs

Processes:

smdjvzg.exe

pid process

1736 smdjvzg.exe
Executes dropped EXE 1 IoCs

Processes:

smdjvzg.exe

pid process

1736 smdjvzg.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3964 rundll32.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
1736	smdjvzg.exe

pid	process
1736	smdjvzg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\emuut\\viacxznbg.dll\",Verify"	rundll32.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
File opened (read-only)	\??\s:	rundll32.exe
File opened (read-only)	\??\x:	rundll32.exe
File opened (read-only)	\??\y:	rundll32.exe
File opened (read-only)	\??\z:	rundll32.exe
File opened (read-only)	\??\a:	rundll32.exe
File opened (read-only)	\??\h:	rundll32.exe
File opened (read-only)	\??\r:	rundll32.exe
File opened (read-only)	\??\l:	rundll32.exe
File opened (read-only)	\??\o:	rundll32.exe
File opened (read-only)	\??\b:	rundll32.exe
File opened (read-only)	\??\e:	rundll32.exe
File opened (read-only)	\??\g:	rundll32.exe
File opened (read-only)	\??\j:	rundll32.exe
File opened (read-only)	\??\n:	rundll32.exe
File opened (read-only)	\??\p:	rundll32.exe
File opened (read-only)	\??\q:	rundll32.exe
File opened (read-only)	\??\t:	rundll32.exe
File opened (read-only)	\??\u:	rundll32.exe
File opened (read-only)	\??\i:	rundll32.exe
File opened (read-only)	\??\k:	rundll32.exe
File opened (read-only)	\??\m:	rundll32.exe
File opened (read-only)	\??\v:	rundll32.exe
File opened (read-only)	\??\w:	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

rundll32.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 rundll32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

rundll32.exe

pid process

3964 rundll32.exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	rundll32.exe

Drops file in Program Files directory 2 IoCs

Processes:

smdjvzg.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\emuut	smdjvzg.exe
File created	\??\c:\Program Files\emuut\viacxznbg.dll	smdjvzg.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rundll32.exe7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.execmd.exePING.EXEsmdjvzg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smdjvzg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

3456 cmd.exe
1672 PING.EXE

pid	process
3456	cmd.exe
1672	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1672 PING.EXE

pid	process
1672	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 3964 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.exesmdjvzg.exe

pid process

2776 7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.exe
1736 smdjvzg.exe

description	pid	process
Token: SeDebugPrivilege	3964	rundll32.exe

pid	process
2776	7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.exe
1736	smdjvzg.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.execmd.exesmdjvzg.exe

description	pid	process	target process
PID 2776 wrote to memory of 3456	2776	7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.exe	cmd.exe
PID 2776 wrote to memory of 3456	2776	7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.exe	cmd.exe
PID 2776 wrote to memory of 3456	2776	7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.exe	cmd.exe
PID 3456 wrote to memory of 1672	3456	cmd.exe	PING.EXE
PID 3456 wrote to memory of 1672	3456	cmd.exe	PING.EXE
PID 3456 wrote to memory of 1672	3456	cmd.exe	PING.EXE
PID 3456 wrote to memory of 1736	3456	cmd.exe	smdjvzg.exe
PID 3456 wrote to memory of 1736	3456	cmd.exe	smdjvzg.exe
PID 3456 wrote to memory of 1736	3456	cmd.exe	smdjvzg.exe
PID 1736 wrote to memory of 3964	1736	smdjvzg.exe	rundll32.exe
PID 1736 wrote to memory of 3964	1736	smdjvzg.exe	rundll32.exe
PID 1736 wrote to memory of 3964	1736	smdjvzg.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.exe
"C:\Users\Admin\AppData\Local\Temp\7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\smdjvzg.exe "C:\Users\Admin\AppData\Local\Temp\7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.exe"
2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3456

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1672

C:\Users\Admin\AppData\Local\Temp\smdjvzg.exe
C:\Users\Admin\AppData\Local\Temp\\smdjvzg.exe "C:\Users\Admin\AppData\Local\Temp\7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736

\??\c:\windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.exe "c:\Program Files\emuut\viacxznbg.dll",Verify C:\Users\Admin\AppData\Local\Temp\smdjvzg.exe
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\smdjvzg.exe

Filesize
416KB

MD5
82f3d2297683d10cf92f5847eb737c78

SHA1
be09e4c7a03673bc6dd4c993394cdae3ba9e4e16

SHA256
5d63ccb75a49ac175ce2d786df8dd375775930a63f4dc5221d1d4e6156f8c5ae

SHA512
181d561ba5fdb37d779c2b8ba26bc581fa0fd9d2606045132df836bd1803070c31411f8e786288c8bbe047ba70b61dc0097e99679f6eb3d847357ba5f5071df4

Download Submit
\??\c:\Program Files\emuut\viacxznbg.dll

Filesize
228KB

MD5
d925929ac9903cf005f98176d3b2bb34

SHA1
b1fc8835af9d6788b27ea44513a7d94e17fd630b

SHA256
d572ded547c03010f751c909d8e62d89fc31286d772266cfcfeab1ddb16c3728

SHA512
c5a315b31e52518e53cc2767c7f86123bf18260ef0ef38d4cf5cfdc4a847648266ca1af88fdb5c585d1d90ad32784bb8fe1ab0876b1b77882af2d683b1c2ce5c

Download Submit
memory/1736-7-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2776-0-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2776-2-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3964-10-0x0000000010000000-0x0000000010080000-memory.dmp

Filesize
512KB

Download
memory/3964-11-0x0000000010000000-0x0000000010080000-memory.dmp

Filesize
512KB

Download
memory/3964-13-0x0000000010000000-0x0000000010080000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads