Analysis
-
max time kernel
141s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
09-11-2024 18:59
Static task
static1
Behavioral task
behavioral1
Sample
ee79086edc21f4723f07bfc1f1d3fdb52f75d56c2c8cf4bc8241481c4aa93a9c.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
ee79086edc21f4723f07bfc1f1d3fdb52f75d56c2c8cf4bc8241481c4aa93a9c.exe
Resource
win10v2004-20241007-en
General
-
Target
ee79086edc21f4723f07bfc1f1d3fdb52f75d56c2c8cf4bc8241481c4aa93a9c.exe
-
Size
158KB
-
MD5
e726627099bd0cba196099010c280316
-
SHA1
2d9839b8217932de9bbb4c5b119dbf2f45702ac7
-
SHA256
ee79086edc21f4723f07bfc1f1d3fdb52f75d56c2c8cf4bc8241481c4aa93a9c
-
SHA512
558b1c1d26b641be88f4b0b3de84fd7af8a44490bf1ba2a99612d03fce9bea93a28b03cf93d5250b45df783425d4c76d1b845e29a687af10cdc5ef0d640de805
-
SSDEEP
3072:oZpYg19EeiLLmjempGuCYooEK1JWaCItULG3rt2Wcora4dI:OPjEl6jLiQ1JW+Oy3p/
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
resource yara_rule \Program Files\bzzul\lvxcv.dll acprotect -
Deletes itself 1 IoCs
Processes:
dpbaqhkr.exepid process 2936 dpbaqhkr.exe -
Executes dropped EXE 2 IoCs
Processes:
dpbaqhkr.exelvx.exepid process 2936 dpbaqhkr.exe 2700 lvx.exe -
Loads dropped DLL 7 IoCs
Processes:
cmd.exedpbaqhkr.exelvx.exepid process 2780 cmd.exe 2780 cmd.exe 2936 dpbaqhkr.exe 2700 lvx.exe 2700 lvx.exe 2700 lvx.exe 2700 lvx.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
lvx.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Linycpy = "c:\\Program Files\\bzzul\\lvx.exe \"c:\\Program Files\\bzzul\\lvxcv.dll\",SetHandle" lvx.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
lvx.exedescription ioc process File opened (read-only) \??\e: lvx.exe File opened (read-only) \??\s: lvx.exe File opened (read-only) \??\u: lvx.exe File opened (read-only) \??\w: lvx.exe File opened (read-only) \??\r: lvx.exe File opened (read-only) \??\b: lvx.exe File opened (read-only) \??\g: lvx.exe File opened (read-only) \??\i: lvx.exe File opened (read-only) \??\j: lvx.exe File opened (read-only) \??\k: lvx.exe File opened (read-only) \??\o: lvx.exe File opened (read-only) \??\q: lvx.exe File opened (read-only) \??\t: lvx.exe File opened (read-only) \??\x: lvx.exe File opened (read-only) \??\l: lvx.exe File opened (read-only) \??\n: lvx.exe File opened (read-only) \??\p: lvx.exe File opened (read-only) \??\y: lvx.exe File opened (read-only) \??\z: lvx.exe File opened (read-only) \??\a: lvx.exe File opened (read-only) \??\h: lvx.exe File opened (read-only) \??\m: lvx.exe File opened (read-only) \??\v: lvx.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
lvx.exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 lvx.exe -
Drops file in Program Files directory 4 IoCs
Processes:
dpbaqhkr.exedescription ioc process File opened for modification \??\c:\Program Files\bzzul dpbaqhkr.exe File created \??\c:\Program Files\bzzul\lvxcv.dll dpbaqhkr.exe File created \??\c:\Program Files\bzzul\lvx.exe dpbaqhkr.exe File opened for modification \??\c:\Program Files\bzzul\lvx.exe dpbaqhkr.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
ee79086edc21f4723f07bfc1f1d3fdb52f75d56c2c8cf4bc8241481c4aa93a9c.execmd.exePING.EXEdpbaqhkr.exelvx.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ee79086edc21f4723f07bfc1f1d3fdb52f75d56c2c8cf4bc8241481c4aa93a9c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpbaqhkr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lvx.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
cmd.exePING.EXEpid process 2780 cmd.exe 2488 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
lvx.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 lvx.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString lvx.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
lvx.exepid process 2700 lvx.exe 2700 lvx.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
lvx.exedescription pid process Token: SeDebugPrivilege 2700 lvx.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
ee79086edc21f4723f07bfc1f1d3fdb52f75d56c2c8cf4bc8241481c4aa93a9c.exedpbaqhkr.exepid process 2992 ee79086edc21f4723f07bfc1f1d3fdb52f75d56c2c8cf4bc8241481c4aa93a9c.exe 2936 dpbaqhkr.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
ee79086edc21f4723f07bfc1f1d3fdb52f75d56c2c8cf4bc8241481c4aa93a9c.execmd.exedpbaqhkr.exedescription pid process target process PID 2992 wrote to memory of 2780 2992 ee79086edc21f4723f07bfc1f1d3fdb52f75d56c2c8cf4bc8241481c4aa93a9c.exe cmd.exe PID 2992 wrote to memory of 2780 2992 ee79086edc21f4723f07bfc1f1d3fdb52f75d56c2c8cf4bc8241481c4aa93a9c.exe cmd.exe PID 2992 wrote to memory of 2780 2992 ee79086edc21f4723f07bfc1f1d3fdb52f75d56c2c8cf4bc8241481c4aa93a9c.exe cmd.exe PID 2992 wrote to memory of 2780 2992 ee79086edc21f4723f07bfc1f1d3fdb52f75d56c2c8cf4bc8241481c4aa93a9c.exe cmd.exe PID 2780 wrote to memory of 2488 2780 cmd.exe PING.EXE PID 2780 wrote to memory of 2488 2780 cmd.exe PING.EXE PID 2780 wrote to memory of 2488 2780 cmd.exe PING.EXE PID 2780 wrote to memory of 2488 2780 cmd.exe PING.EXE PID 2780 wrote to memory of 2936 2780 cmd.exe dpbaqhkr.exe PID 2780 wrote to memory of 2936 2780 cmd.exe dpbaqhkr.exe PID 2780 wrote to memory of 2936 2780 cmd.exe dpbaqhkr.exe PID 2780 wrote to memory of 2936 2780 cmd.exe dpbaqhkr.exe PID 2936 wrote to memory of 2700 2936 dpbaqhkr.exe lvx.exe PID 2936 wrote to memory of 2700 2936 dpbaqhkr.exe lvx.exe PID 2936 wrote to memory of 2700 2936 dpbaqhkr.exe lvx.exe PID 2936 wrote to memory of 2700 2936 dpbaqhkr.exe lvx.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee79086edc21f4723f07bfc1f1d3fdb52f75d56c2c8cf4bc8241481c4aa93a9c.exe"C:\Users\Admin\AppData\Local\Temp\ee79086edc21f4723f07bfc1f1d3fdb52f75d56c2c8cf4bc8241481c4aa93a9c.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\dpbaqhkr.exe "C:\Users\Admin\AppData\Local\Temp\ee79086edc21f4723f07bfc1f1d3fdb52f75d56c2c8cf4bc8241481c4aa93a9c.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2488 -
C:\Users\Admin\AppData\Local\Temp\dpbaqhkr.exeC:\Users\Admin\AppData\Local\Temp\\dpbaqhkr.exe "C:\Users\Admin\AppData\Local\Temp\ee79086edc21f4723f07bfc1f1d3fdb52f75d56c2c8cf4bc8241481c4aa93a9c.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\Program Files\bzzul\lvx.exe"c:\Program Files\bzzul\lvx.exe" "c:\Program Files\bzzul\lvxcv.dll",SetHandle C:\Users\Admin\AppData\Local\Temp\dpbaqhkr.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
43KB
MD551138beea3e2c21ec44d0932c71762a8
SHA18939cf35447b22dd2c6e6f443446acc1bf986d58
SHA2565ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d
-
Filesize
128KB
MD5b9966cb8d94c55ea21ea39e482502ae3
SHA1ecb7c1c8e7a99775210596f3b301c93264093a8a
SHA25684bc9fcc4895f9529f2d7318e9db49b5c4d17967c70f4f94b76cd60a32cd1e83
SHA512e08a4d486e9d87218511c598b853c30924f18e08c160dcc8f82e71879cdeb1ffe5c0f361d4fbc9dd52e73f1d38fecceda9073b6e64813597f65836634c44ef64
-
Filesize
159KB
MD5ed3bc09e7b1ee62b2f93a0838dac7cba
SHA10aee5f093f6620db1aef3b96d53d0ca27e573ea9
SHA256456c11ab5fe6a1d740fa3efd32357ee7bed5754c7e8dce6ac2e6fa9e7cc61196
SHA512102a04498985c20c37f8f290d4d4e3fe325d2662d266eae8b8f15a8f3c800eb10cb9c0c8596392ac6de756b4b7940a26ab6f9988f36f2ea1cd729cc6b7112617