Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
09-11-2024 21:50
Static task
static1
Behavioral task
behavioral1
Sample
d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe
Resource
win7-20241023-en
General
-
Target
d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe
-
Size
90KB
-
MD5
f50262fa3d9465a6c3a30bc59e2ba200
-
SHA1
37ac287ff0bf4c5f6d3a174be95d6b76b71c0ff6
-
SHA256
d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502a
-
SHA512
5be09a7ba82557c834eb71a245b92e1e6d9a6ab2aabea0dd39e8120a9f2ab54046aec13ffa39943935c52ca52f060f61e9253a494101a0d810bf9dbc4cf8aaa6
-
SSDEEP
1536:vICQCfd/UV2FyVw4zp6G5XKy1E6w8J52gw0JNqyFzWu9W5uyWZ07M:v1t1E2FyVw4zINy1FxJ5y07qluM5A
Malware Config
Signatures
-
Blocklisted process makes network request 12 IoCs
Processes:
rundll32.exeflow pid process 4 2504 rundll32.exe 5 2504 rundll32.exe 6 2504 rundll32.exe 7 2504 rundll32.exe 8 2504 rundll32.exe 9 2504 rundll32.exe 11 2504 rundll32.exe 12 2504 rundll32.exe 13 2504 rundll32.exe 14 2504 rundll32.exe 15 2504 rundll32.exe 16 2504 rundll32.exe -
Deletes itself 1 IoCs
Processes:
gctkbnm.exepid process 904 gctkbnm.exe -
Executes dropped EXE 1 IoCs
Processes:
gctkbnm.exepid process 904 gctkbnm.exe -
Loads dropped DLL 3 IoCs
Processes:
cmd.exerundll32.exepid process 836 cmd.exe 836 cmd.exe 2504 rundll32.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\qekyw\\xdqqbtz.dqx\",ShowModalDialog" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\z: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
rundll32.exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
Processes:
resource yara_rule \??\c:\qekyw\xdqqbtz.dqx upx behavioral1/memory/2504-14-0x0000000010000000-0x000000001002A000-memory.dmp upx behavioral1/memory/2504-15-0x0000000010000000-0x000000001002A000-memory.dmp upx behavioral1/memory/2504-17-0x0000000010000000-0x000000001002A000-memory.dmp upx behavioral1/memory/2504-19-0x0000000010000000-0x000000001002A000-memory.dmp upx behavioral1/memory/2504-20-0x0000000010000000-0x000000001002A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
gctkbnm.exerundll32.exetaskkill.exed843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.execmd.exePING.EXEdescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gctkbnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
cmd.exePING.EXEpid process 836 cmd.exe 2564 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 2440 taskkill.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
rundll32.exepid process 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
rundll32.exetaskkill.exedescription pid process Token: SeDebugPrivilege 2504 rundll32.exe Token: SeDebugPrivilege 2440 taskkill.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exegctkbnm.exepid process 2536 d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe 904 gctkbnm.exe -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.execmd.exegctkbnm.exerundll32.exedescription pid process target process PID 2536 wrote to memory of 836 2536 d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe cmd.exe PID 2536 wrote to memory of 836 2536 d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe cmd.exe PID 2536 wrote to memory of 836 2536 d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe cmd.exe PID 2536 wrote to memory of 836 2536 d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe cmd.exe PID 836 wrote to memory of 2564 836 cmd.exe PING.EXE PID 836 wrote to memory of 2564 836 cmd.exe PING.EXE PID 836 wrote to memory of 2564 836 cmd.exe PING.EXE PID 836 wrote to memory of 2564 836 cmd.exe PING.EXE PID 836 wrote to memory of 904 836 cmd.exe gctkbnm.exe PID 836 wrote to memory of 904 836 cmd.exe gctkbnm.exe PID 836 wrote to memory of 904 836 cmd.exe gctkbnm.exe PID 836 wrote to memory of 904 836 cmd.exe gctkbnm.exe PID 904 wrote to memory of 2504 904 gctkbnm.exe rundll32.exe PID 904 wrote to memory of 2504 904 gctkbnm.exe rundll32.exe PID 904 wrote to memory of 2504 904 gctkbnm.exe rundll32.exe PID 904 wrote to memory of 2504 904 gctkbnm.exe rundll32.exe PID 904 wrote to memory of 2504 904 gctkbnm.exe rundll32.exe PID 904 wrote to memory of 2504 904 gctkbnm.exe rundll32.exe PID 904 wrote to memory of 2504 904 gctkbnm.exe rundll32.exe PID 2504 wrote to memory of 2440 2504 rundll32.exe taskkill.exe PID 2504 wrote to memory of 2440 2504 rundll32.exe taskkill.exe PID 2504 wrote to memory of 2440 2504 rundll32.exe taskkill.exe PID 2504 wrote to memory of 2440 2504 rundll32.exe taskkill.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe"C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\gctkbnm.exe "C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2564 -
C:\Users\Admin\AppData\Local\Temp\gctkbnm.exeC:\Users\Admin\AppData\Local\Temp\\gctkbnm.exe "C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe"3⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:904 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\qekyw\xdqqbtz.dqx",ShowModalDialog C:\Users\Admin\AppData\Local\Temp\gctkbnm.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\windows\SysWOW64\taskkill.exetaskkill /f /im attrib.exe5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2440
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
52KB
MD54b27ac9d5bcf039b63d01e808de1ab3e
SHA1e5cf9870ce6cb7869b0b27e7115f886ca10241aa
SHA256592e0464cff8b91353b9510a63487c40451af914fcd063b62de2fbbb41b94d91
SHA5125f2e91e29c743f5016d7575dd895b0562245ebc100dda816b953b06776cbe7ab67158722289d61ffbd8a5f5c59e059b47ae1f2c35012bc71aa9fc90931c6633e
-
Filesize
90KB
MD5220157b3940afcfb9cfdae54f5d15236
SHA131df1001c0aacc7dbd9798e267190ed881fd75a4
SHA2569c81aa01e22881a30654a170c63ce3882291661898d02f72ac598e90f1e3afb6
SHA51292dd8dc966b2f7ea1772660d43c41c6c22c610c510fa2c6f0d7ea5e833ed12c8edd1af4ad03ad35ad8287071332883caf6eba76210656b2c05067230ddfdcf77