Analysis
-
max time kernel
119s -
max time network
115s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09-11-2024 21:50
Static task
static1
Behavioral task
behavioral1
Sample
d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe
Resource
win7-20241023-en
General
-
Target
d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe
-
Size
90KB
-
MD5
f50262fa3d9465a6c3a30bc59e2ba200
-
SHA1
37ac287ff0bf4c5f6d3a174be95d6b76b71c0ff6
-
SHA256
d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502a
-
SHA512
5be09a7ba82557c834eb71a245b92e1e6d9a6ab2aabea0dd39e8120a9f2ab54046aec13ffa39943935c52ca52f060f61e9253a494101a0d810bf9dbc4cf8aaa6
-
SSDEEP
1536:vICQCfd/UV2FyVw4zp6G5XKy1E6w8J52gw0JNqyFzWu9W5uyWZ07M:v1t1E2FyVw4zINy1FxJ5y07qluM5A
Malware Config
Signatures
-
Blocklisted process makes network request 11 IoCs
Processes:
rundll32.exeflow pid process 8 2420 rundll32.exe 22 2420 rundll32.exe 23 2420 rundll32.exe 24 2420 rundll32.exe 35 2420 rundll32.exe 39 2420 rundll32.exe 40 2420 rundll32.exe 41 2420 rundll32.exe 45 2420 rundll32.exe 48 2420 rundll32.exe 53 2420 rundll32.exe -
Deletes itself 1 IoCs
Processes:
nrino.exepid process 1988 nrino.exe -
Executes dropped EXE 1 IoCs
Processes:
nrino.exepid process 1988 nrino.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 2420 rundll32.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\ugexdi\\hoazt.ozh\",ShowModalDialog" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\z: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\h: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
rundll32.exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
Processes:
resource yara_rule \??\c:\ugexdi\hoazt.ozh upx behavioral2/memory/2420-12-0x0000000010000000-0x000000001002A000-memory.dmp upx behavioral2/memory/2420-13-0x0000000010000000-0x000000001002A000-memory.dmp upx behavioral2/memory/2420-15-0x0000000010000000-0x000000001002A000-memory.dmp upx behavioral2/memory/2420-18-0x0000000010000000-0x000000001002A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.execmd.exePING.EXEnrino.exerundll32.exetaskkill.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nrino.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
cmd.exePING.EXEpid process 3472 cmd.exe 4144 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 3156 taskkill.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
rundll32.exepid process 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe 2420 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
rundll32.exetaskkill.exedescription pid process Token: SeDebugPrivilege 2420 rundll32.exe Token: SeDebugPrivilege 3156 taskkill.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exenrino.exepid process 3288 d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe 1988 nrino.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.execmd.exenrino.exerundll32.exedescription pid process target process PID 3288 wrote to memory of 3472 3288 d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe cmd.exe PID 3288 wrote to memory of 3472 3288 d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe cmd.exe PID 3288 wrote to memory of 3472 3288 d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe cmd.exe PID 3472 wrote to memory of 4144 3472 cmd.exe PING.EXE PID 3472 wrote to memory of 4144 3472 cmd.exe PING.EXE PID 3472 wrote to memory of 4144 3472 cmd.exe PING.EXE PID 3472 wrote to memory of 1988 3472 cmd.exe nrino.exe PID 3472 wrote to memory of 1988 3472 cmd.exe nrino.exe PID 3472 wrote to memory of 1988 3472 cmd.exe nrino.exe PID 1988 wrote to memory of 2420 1988 nrino.exe rundll32.exe PID 1988 wrote to memory of 2420 1988 nrino.exe rundll32.exe PID 1988 wrote to memory of 2420 1988 nrino.exe rundll32.exe PID 2420 wrote to memory of 3156 2420 rundll32.exe taskkill.exe PID 2420 wrote to memory of 3156 2420 rundll32.exe taskkill.exe PID 2420 wrote to memory of 3156 2420 rundll32.exe taskkill.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe"C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\nrino.exe "C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4144 -
C:\Users\Admin\AppData\Local\Temp\nrino.exeC:\Users\Admin\AppData\Local\Temp\\nrino.exe "C:\Users\Admin\AppData\Local\Temp\d843c6f394af2638f72501c5bb4aee7aaf6bf1a102f7879c36714d2c2ab3502aN.exe"3⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\ugexdi\hoazt.ozh",ShowModalDialog C:\Users\Admin\AppData\Local\Temp\nrino.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\windows\SysWOW64\taskkill.exetaskkill /f /im attrib.exe5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3156
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
90KB
MD579bbc920e4f4c339f1380ba7eab424ed
SHA1f7408c4fa82e39251f622fe9bdfd24c93d01d8ee
SHA256f64c18f4166e1ebb82a9dd708a79d78dcbdd5bce7a4b715363f9aa88b5dd28f4
SHA512f1805041c21d3dbfcb478b1ac9935c7b0699f1c199194f735f538e6884a2ec8e698e772fa37f6cdfab494b8e063d8171a123299be9ae3ea2abc43efbb7aa3eb3
-
Filesize
52KB
MD54b27ac9d5bcf039b63d01e808de1ab3e
SHA1e5cf9870ce6cb7869b0b27e7115f886ca10241aa
SHA256592e0464cff8b91353b9510a63487c40451af914fcd063b62de2fbbb41b94d91
SHA5125f2e91e29c743f5016d7575dd895b0562245ebc100dda816b953b06776cbe7ab67158722289d61ffbd8a5f5c59e059b47ae1f2c35012bc71aa9fc90931c6633e