Malware Analysis Report

2024-11-13 18:05

Sample ID 241109-3kvm7atmhx
Target e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N
SHA256 e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6
Tags
aspackv2 bootkit discovery persistence spyware stealer upx vmprotect
score
8/10

Analysis Overview

score
8/10

SHA256

e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6

Threat Level: Likely malicious

The file e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N was found to be: Likely malicious.

Malicious Activity Summary

aspackv2 bootkit discovery persistence spyware stealer upx vmprotect

Blocklisted process makes network request

ASPack v2.12-2.42

Executes dropped EXE

Reads user/profile data of web browsers

Deletes itself

Loads dropped DLL

VMProtect packed file

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Adds Run key to start application

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Runs ping.exe

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 23:34

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 23:34

Reported

2024-11-09 23:36

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jmnxq.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jmnxq.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\bupesoog\\lpiab.pal\",Exit" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jmnxq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3712 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe C:\Windows\SysWOW64\cmd.exe
PID 3712 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe C:\Windows\SysWOW64\cmd.exe
PID 3712 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2556 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2556 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2556 wrote to memory of 3492 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\jmnxq.exe
PID 2556 wrote to memory of 3492 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\jmnxq.exe
PID 2556 wrote to memory of 3492 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\jmnxq.exe
PID 3492 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\jmnxq.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3492 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\jmnxq.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3492 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\jmnxq.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe

"C:\Users\Admin\AppData\Local\Temp\e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\jmnxq.exe "C:\Users\Admin\AppData\Local\Temp\e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\jmnxq.exe

C:\Users\Admin\AppData\Local\Temp\\jmnxq.exe "C:\Users\Admin\AppData\Local\Temp\e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\bupesoog\lpiab.pal",Exit C:\Users\Admin\AppData\Local\Temp\jmnxq.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 107.163.43.248:12388 107.163.43.248 tcp
US 8.8.8.8:53 248.43.163.107.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 74.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 host123.zz.am udp
US 107.163.43.245:10289 107.163.43.245 tcp
US 107.163.43.245:10289 107.163.43.245 tcp
US 8.8.8.8:53 245.43.163.107.in-addr.arpa udp
US 8.8.8.8:53 host123.zz.am udp
US 8.8.8.8:53 host123.zz.am udp
US 8.8.8.8:53 host123.zz.am udp
US 107.163.43.245:10289 tcp
US 8.8.8.8:53 host123.zz.am udp
US 8.8.8.8:53 host123.zz.am udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 host123.zz.am udp
US 8.8.8.8:53 host123.zz.am udp
US 8.8.8.8:53 host123.zz.am udp

Files

memory/3712-0-0x0000000000400000-0x0000000000466000-memory.dmp

memory/3712-2-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jmnxq.exe

MD5 de179f35bd3e32af944a5980b2003069
SHA1 0cebb87d7787f9b0a1e7ec2ed11cd3ac28cac341
SHA256 ec4d2b98909dca7428102a3dc8c73894b751c8cb78d9ebfb7d6718075128c348
SHA512 5e1b0c3b469410c057637e3a9a3bf16ee248c01a87ef03ae22c12a8a239af8134634e7f5d627208d63a84fb4183b0f018c5d67147356cf18b280725932c39af8

memory/3492-7-0x0000000000400000-0x0000000000466000-memory.dmp

\??\c:\bupesoog\lpiab.pal

MD5 64597ebd5759f1c96d9c89ba91e6b9ae
SHA1 22b5c32c02e7d98384b5d364d4e88805a988e58a
SHA256 8fe1d9492012107c64090e2bbed51ca84f46f0828bd95b18326f776e694e3bcb
SHA512 88cf508773b316acafafc5882dd6a50f895a4f444cfa0ef25781c0c5bbd8eba69e38b777460e66ee2cb25e6c61b699b0120788e00b2a0018bc02d07d644d076f

memory/4608-10-0x0000000010000000-0x0000000010037000-memory.dmp

memory/4608-12-0x0000000010000000-0x0000000010037000-memory.dmp

memory/4608-11-0x0000000010000000-0x0000000010037000-memory.dmp

memory/4608-13-0x0000000010000000-0x0000000010037000-memory.dmp

memory/4608-16-0x0000000010000000-0x0000000010037000-memory.dmp

memory/4608-17-0x0000000010000000-0x0000000010037000-memory.dmp

memory/4608-18-0x0000000010000000-0x0000000010037000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 23:34

Reported

2024-11-09 23:36

Platform

win7-20240903-en

Max time kernel

119s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lzkcc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lzkcc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\ofhrx\\siotyb.its\",Exit" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\lzkcc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2708 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2756 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2756 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2756 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2756 wrote to memory of 2312 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\lzkcc.exe
PID 2756 wrote to memory of 2312 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\lzkcc.exe
PID 2756 wrote to memory of 2312 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\lzkcc.exe
PID 2756 wrote to memory of 2312 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\lzkcc.exe
PID 2312 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\lzkcc.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2312 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\lzkcc.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2312 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\lzkcc.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2312 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\lzkcc.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2312 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\lzkcc.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2312 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\lzkcc.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2312 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\lzkcc.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe

"C:\Users\Admin\AppData\Local\Temp\e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\lzkcc.exe "C:\Users\Admin\AppData\Local\Temp\e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\lzkcc.exe

C:\Users\Admin\AppData\Local\Temp\\lzkcc.exe "C:\Users\Admin\AppData\Local\Temp\e42d44a0f1113cc3beeeec5dbf2c98e5d6529337892641911492d4158b891fd6N.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\ofhrx\siotyb.its",Exit C:\Users\Admin\AppData\Local\Temp\lzkcc.exe

Network

Country Destination Domain Proto
US 107.163.43.248:12388 tcp
US 107.163.43.248:12388 tcp
US 8.8.8.8:53 host123.zz.am udp
US 107.163.43.245:10289 tcp
US 107.163.43.245:10289 tcp
US 107.163.43.245:10289 tcp
US 107.163.43.245:10289 tcp

Files

memory/2708-0-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2708-2-0x0000000000400000-0x0000000000466000-memory.dmp

\Users\Admin\AppData\Local\Temp\lzkcc.exe

MD5 61924c1b93d03499299a9f485e1bc33c
SHA1 d1eaa167a23cd65206b477e1de41be9813f7e4e6
SHA256 0797e5cd8a2b461d09863dba4c8eb4e6c4fdad354519370a4aa4a092036e2f0b
SHA512 c0e22d11e3858b30c2734d1ea7b1a27efc0b099ba1c96efae0e5294baebf890c88f20bcee0816d41e61a8b08405f396825ae57ee46a7ea1e9c8729724b485264

memory/2312-8-0x0000000000400000-0x0000000000466000-memory.dmp

\??\c:\ofhrx\siotyb.its

MD5 64597ebd5759f1c96d9c89ba91e6b9ae
SHA1 22b5c32c02e7d98384b5d364d4e88805a988e58a
SHA256 8fe1d9492012107c64090e2bbed51ca84f46f0828bd95b18326f776e694e3bcb
SHA512 88cf508773b316acafafc5882dd6a50f895a4f444cfa0ef25781c0c5bbd8eba69e38b777460e66ee2cb25e6c61b699b0120788e00b2a0018bc02d07d644d076f

memory/2592-11-0x0000000010000000-0x0000000010037000-memory.dmp

memory/2592-12-0x0000000010034000-0x0000000010035000-memory.dmp

memory/2592-14-0x0000000010000000-0x0000000010037000-memory.dmp

memory/2592-13-0x0000000010000000-0x0000000010037000-memory.dmp

memory/2592-15-0x0000000010000000-0x0000000010037000-memory.dmp

memory/2592-16-0x0000000010034000-0x0000000010035000-memory.dmp

memory/2592-20-0x0000000010000000-0x0000000010037000-memory.dmp

memory/2592-21-0x0000000010000000-0x0000000010037000-memory.dmp

memory/2592-22-0x0000000010000000-0x0000000010037000-memory.dmp