Analysis
-
max time kernel
119s -
max time network
112s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09-11-2024 23:34
Behavioral task
behavioral1
Sample
e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe
Resource
win7-20240903-en
General
-
Target
e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe
-
Size
411KB
-
MD5
5f6c23dcf1a8d12220ae0e78131d7e00
-
SHA1
99f13208b3a48dfcf94a520c7b3ff501e21bcd8c
-
SHA256
e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6
-
SHA512
c1ffec0107f13bb8e80a01b7e56ed48a8be94c03f33a5d5c868511e6f6d2df142ca9518f47fad4564477c1ae3bc4bd663f80edc18747ccc065aefe210d11b801
-
SSDEEP
6144:2jMPGGAn37FQXSzjBi9awI2WXyZPbwdpLG:HPGk6jnCCdpG
Malware Config
Signatures
-
Blocklisted process makes network request 6 IoCs
Processes:
rundll32.exeflow pid process 3 2592 rundll32.exe 7 2592 rundll32.exe 9 2592 rundll32.exe 10 2592 rundll32.exe 11 2592 rundll32.exe 14 2592 rundll32.exe -
Processes:
resource yara_rule \??\c:\ofhrx\siotyb.its aspack_v212_v242 -
Deletes itself 1 IoCs
Processes:
lzkcc.exepid process 2312 lzkcc.exe -
Executes dropped EXE 1 IoCs
Processes:
lzkcc.exepid process 2312 lzkcc.exe -
Loads dropped DLL 3 IoCs
Processes:
cmd.exerundll32.exepid process 2756 cmd.exe 2756 cmd.exe 2592 rundll32.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule \??\c:\ofhrx\siotyb.its vmprotect behavioral1/memory/2592-11-0x0000000010000000-0x0000000010037000-memory.dmp vmprotect behavioral1/memory/2592-14-0x0000000010000000-0x0000000010037000-memory.dmp vmprotect behavioral1/memory/2592-13-0x0000000010000000-0x0000000010037000-memory.dmp vmprotect behavioral1/memory/2592-15-0x0000000010000000-0x0000000010037000-memory.dmp vmprotect behavioral1/memory/2592-20-0x0000000010000000-0x0000000010037000-memory.dmp vmprotect behavioral1/memory/2592-21-0x0000000010000000-0x0000000010037000-memory.dmp vmprotect behavioral1/memory/2592-22-0x0000000010000000-0x0000000010037000-memory.dmp vmprotect -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\ofhrx\\siotyb.its\",Exit" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\z: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\q: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
rundll32.exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
Processes:
resource yara_rule behavioral1/memory/2708-0-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/2708-2-0x0000000000400000-0x0000000000466000-memory.dmp upx \Users\Admin\AppData\Local\Temp\lzkcc.exe upx behavioral1/memory/2312-8-0x0000000000400000-0x0000000000466000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
PING.EXElzkcc.exerundll32.exee42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.execmd.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lzkcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
cmd.exePING.EXEpid process 2756 cmd.exe 2740 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes:
rundll32.exepid process 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe 2592 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid process Token: SeDebugPrivilege 2592 rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exelzkcc.exepid process 2708 e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe 2312 lzkcc.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.execmd.exelzkcc.exedescription pid process target process PID 2708 wrote to memory of 2756 2708 e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe cmd.exe PID 2708 wrote to memory of 2756 2708 e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe cmd.exe PID 2708 wrote to memory of 2756 2708 e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe cmd.exe PID 2708 wrote to memory of 2756 2708 e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe cmd.exe PID 2756 wrote to memory of 2740 2756 cmd.exe PING.EXE PID 2756 wrote to memory of 2740 2756 cmd.exe PING.EXE PID 2756 wrote to memory of 2740 2756 cmd.exe PING.EXE PID 2756 wrote to memory of 2740 2756 cmd.exe PING.EXE PID 2756 wrote to memory of 2312 2756 cmd.exe lzkcc.exe PID 2756 wrote to memory of 2312 2756 cmd.exe lzkcc.exe PID 2756 wrote to memory of 2312 2756 cmd.exe lzkcc.exe PID 2756 wrote to memory of 2312 2756 cmd.exe lzkcc.exe PID 2312 wrote to memory of 2592 2312 lzkcc.exe rundll32.exe PID 2312 wrote to memory of 2592 2312 lzkcc.exe rundll32.exe PID 2312 wrote to memory of 2592 2312 lzkcc.exe rundll32.exe PID 2312 wrote to memory of 2592 2312 lzkcc.exe rundll32.exe PID 2312 wrote to memory of 2592 2312 lzkcc.exe rundll32.exe PID 2312 wrote to memory of 2592 2312 lzkcc.exe rundll32.exe PID 2312 wrote to memory of 2592 2312 lzkcc.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe"C:\Users\Admin\AppData\Local\Temp\e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\lzkcc.exe "C:\Users\Admin\AppData\Local\Temp\e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2740 -
C:\Users\Admin\AppData\Local\Temp\lzkcc.exeC:\Users\Admin\AppData\Local\Temp\\lzkcc.exe "C:\Users\Admin\AppData\Local\Temp\e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe"3⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\ofhrx\siotyb.its",Exit C:\Users\Admin\AppData\Local\Temp\lzkcc.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
128KB
MD564597ebd5759f1c96d9c89ba91e6b9ae
SHA122b5c32c02e7d98384b5d364d4e88805a988e58a
SHA2568fe1d9492012107c64090e2bbed51ca84f46f0828bd95b18326f776e694e3bcb
SHA51288cf508773b316acafafc5882dd6a50f895a4f444cfa0ef25781c0c5bbd8eba69e38b777460e66ee2cb25e6c61b699b0120788e00b2a0018bc02d07d644d076f
-
Filesize
412KB
MD561924c1b93d03499299a9f485e1bc33c
SHA1d1eaa167a23cd65206b477e1de41be9813f7e4e6
SHA2560797e5cd8a2b461d09863dba4c8eb4e6c4fdad354519370a4aa4a092036e2f0b
SHA512c0e22d11e3858b30c2734d1ea7b1a27efc0b099ba1c96efae0e5294baebf890c88f20bcee0816d41e61a8b08405f396825ae57ee46a7ea1e9c8729724b485264