Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
01-11-2024 08:02
Static task
static1
Behavioral task
behavioral1
Sample
7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.exe
Resource
win10v2004-20241007-en
General
-
Target
7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.exe
-
Size
415KB
-
MD5
4fe603cf723f900e85718269da63d171
-
SHA1
f67285d5a17e2fb0baffc4664d03d24188ea0fae
-
SHA256
7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861
-
SHA512
7d7e908c3b0a35c00727ce3055c4fc87bd62eb4b9b53de28e3d6d1099fb4c9f823f75780a1e527f8c85423b6d2411c7184ad71447c82bb78f40ce086b1321fa7
-
SSDEEP
6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse
Malware Config
Signatures
-
Blocklisted process makes network request 8 IoCs
flow pid Process 21 3964 rundll32.exe 27 3964 rundll32.exe 28 3964 rundll32.exe 29 3964 rundll32.exe 43 3964 rundll32.exe 44 3964 rundll32.exe 51 3964 rundll32.exe 70 3964 rundll32.exe -
Deletes itself 1 IoCs
pid Process 1736 smdjvzg.exe -
Executes dropped EXE 1 IoCs
pid Process 1736 smdjvzg.exe -
Loads dropped DLL 1 IoCs
pid Process 3964 rundll32.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\emuut\\viacxznbg.dll\",Verify" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\z: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\w: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 3964 rundll32.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification \??\c:\Program Files\emuut smdjvzg.exe File created \??\c:\Program Files\emuut\viacxznbg.dll smdjvzg.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smdjvzg.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3456 cmd.exe 1672 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1672 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe 3964 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3964 rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2776 7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.exe 1736 smdjvzg.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2776 wrote to memory of 3456 2776 7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.exe 84 PID 2776 wrote to memory of 3456 2776 7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.exe 84 PID 2776 wrote to memory of 3456 2776 7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.exe 84 PID 3456 wrote to memory of 1672 3456 cmd.exe 87 PID 3456 wrote to memory of 1672 3456 cmd.exe 87 PID 3456 wrote to memory of 1672 3456 cmd.exe 87 PID 3456 wrote to memory of 1736 3456 cmd.exe 90 PID 3456 wrote to memory of 1736 3456 cmd.exe 90 PID 3456 wrote to memory of 1736 3456 cmd.exe 90 PID 1736 wrote to memory of 3964 1736 smdjvzg.exe 91 PID 1736 wrote to memory of 3964 1736 smdjvzg.exe 91 PID 1736 wrote to memory of 3964 1736 smdjvzg.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.exe"C:\Users\Admin\AppData\Local\Temp\7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\smdjvzg.exe "C:\Users\Admin\AppData\Local\Temp\7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1672
-
-
C:\Users\Admin\AppData\Local\Temp\smdjvzg.exeC:\Users\Admin\AppData\Local\Temp\\smdjvzg.exe "C:\Users\Admin\AppData\Local\Temp\7289be2eb7aa856a600494b3505c299963d0dbac068c965753bfd481d8ffa861.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\Program Files\emuut\viacxznbg.dll",Verify C:\Users\Admin\AppData\Local\Temp\smdjvzg.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3964
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
416KB
MD582f3d2297683d10cf92f5847eb737c78
SHA1be09e4c7a03673bc6dd4c993394cdae3ba9e4e16
SHA2565d63ccb75a49ac175ce2d786df8dd375775930a63f4dc5221d1d4e6156f8c5ae
SHA512181d561ba5fdb37d779c2b8ba26bc581fa0fd9d2606045132df836bd1803070c31411f8e786288c8bbe047ba70b61dc0097e99679f6eb3d847357ba5f5071df4
-
Filesize
228KB
MD5d925929ac9903cf005f98176d3b2bb34
SHA1b1fc8835af9d6788b27ea44513a7d94e17fd630b
SHA256d572ded547c03010f751c909d8e62d89fc31286d772266cfcfeab1ddb16c3728
SHA512c5a315b31e52518e53cc2767c7f86123bf18260ef0ef38d4cf5cfdc4a847648266ca1af88fdb5c585d1d90ad32784bb8fe1ab0876b1b77882af2d683b1c2ce5c