Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-11-2024 21:50

General

  • Target

    d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe

  • Size

    90KB

  • MD5

    f50262fa3d9465a6c3a30bc59e2ba200

  • SHA1

    37ac287ff0bf4c5f6d3a174be95d6b76b71c0ff6

  • SHA256

    d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502a

  • SHA512

    5be09a7ba82557c834eb71a245b92e1e6d9a6ab2aabea0dd39e8120a9f2ab54046aec13ffa39943935c52ca52f060f61e9253a494101a0d810bf9dbc4cf8aaa6

  • SSDEEP

    1536:vICQCfd/UV2FyVw4zp6G5XKy1E6w8J52gw0JNqyFzWu9W5uyWZ07M:v1t1E2FyVw4zINy1FxJ5y07qluM5A

Malware Config

Signatures

  • Blocklisted process makes network request 12 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe
    "C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\gctkbnm.exe "C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:836
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2564
      • C:\Users\Admin\AppData\Local\Temp\gctkbnm.exe
        C:\Users\Admin\AppData\Local\Temp\\gctkbnm.exe "C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:904
        • \??\c:\windows\SysWOW64\rundll32.exe
          c:\windows\system32\rundll32.exe "c:\qekyw\xdqqbtz.dqx",ShowModalDialog C:\Users\Admin\AppData\Local\Temp\gctkbnm.exe
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2504
          • \??\c:\windows\SysWOW64\taskkill.exe
            taskkill /f /im attrib.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2440

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \??\c:\qekyw\xdqqbtz.dqx

    Filesize

    52KB

    MD5

    4b27ac9d5bcf039b63d01e808de1ab3e

    SHA1

    e5cf9870ce6cb7869b0b27e7115f886ca10241aa

    SHA256

    592e0464cff8b91353b9510a63487c40451af914fcd063b62de2fbbb41b94d91

    SHA512

    5f2e91e29c743f5016d7575dd895b0562245ebc100dda816b953b06776cbe7ab67158722289d61ffbd8a5f5c59e059b47ae1f2c35012bc71aa9fc90931c6633e

  • \Users\Admin\AppData\Local\Temp\gctkbnm.exe

    Filesize

    90KB

    MD5

    220157b3940afcfb9cfdae54f5d15236

    SHA1

    31df1001c0aacc7dbd9798e267190ed881fd75a4

    SHA256

    9c81aa01e22881a30654a170c63ce3882291661898d02f72ac598e90f1e3afb6

    SHA512

    92dd8dc966b2f7ea1772660d43c41c6c22c610c510fa2c6f0d7ea5e833ed12c8edd1af4ad03ad35ad8287071332883caf6eba76210656b2c05067230ddfdcf77

  • memory/836-7-0x0000000000130000-0x0000000000159000-memory.dmp

    Filesize

    164KB

  • memory/836-6-0x0000000000130000-0x0000000000159000-memory.dmp

    Filesize

    164KB

  • memory/904-11-0x0000000000400000-0x0000000000428208-memory.dmp

    Filesize

    160KB

  • memory/2504-14-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB

  • memory/2504-15-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB

  • memory/2504-17-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB

  • memory/2504-19-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB

  • memory/2504-20-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB

  • memory/2536-0-0x0000000000400000-0x0000000000428208-memory.dmp

    Filesize

    160KB

  • memory/2536-2-0x0000000000400000-0x0000000000428208-memory.dmp

    Filesize

    160KB