Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09-11-2024 19:02
Static task
static1
Behavioral task
behavioral1
Sample
189ddfb3acd27b09cc86ef8c06d984c5a62882dd5b7dcf903bb33c37c6726be4.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
189ddfb3acd27b09cc86ef8c06d984c5a62882dd5b7dcf903bb33c37c6726be4.exe
Resource
win10v2004-20241007-en
General
-
Target
189ddfb3acd27b09cc86ef8c06d984c5a62882dd5b7dcf903bb33c37c6726be4.exe
-
Size
158KB
-
MD5
75dc72ddff388d4c2e6ba9695fa50448
-
SHA1
dbf6f71a79c56fc3b7bdd9bfe3e3681d30fdda0e
-
SHA256
189ddfb3acd27b09cc86ef8c06d984c5a62882dd5b7dcf903bb33c37c6726be4
-
SHA512
bf73916f69c6d76037d2a5b6aefc051a727f6260ba17fd613eb5c868d389b59c84ee2a6e17434c362bc194361bbcfc5b3ec17285c8a357be2b67cb67eeaf3c54
-
SSDEEP
3072:oZpYg19EeiLLmjempGuCYooEK1JWaCItULG3rt2Wcora4dI:OPjEl6jLiQ1JW+Oy3p/
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
resource yara_rule \??\c:\Program Files\vfrib\lutstvktx.dll acprotect -
Deletes itself 1 IoCs
Processes:
swxxs.exepid process 4136 swxxs.exe -
Executes dropped EXE 2 IoCs
Processes:
swxxs.exelutstvktx.exepid process 4136 swxxs.exe 3656 lutstvktx.exe -
Loads dropped DLL 1 IoCs
Processes:
lutstvktx.exepid process 3656 lutstvktx.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
lutstvktx.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Linycpy = "c:\\Program Files\\vfrib\\lutstvktx.exe \"c:\\Program Files\\vfrib\\lutstvktx.dll\",SetHandle" lutstvktx.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
lutstvktx.exedescription ioc process File opened (read-only) \??\v: lutstvktx.exe File opened (read-only) \??\b: lutstvktx.exe File opened (read-only) \??\h: lutstvktx.exe File opened (read-only) \??\q: lutstvktx.exe File opened (read-only) \??\u: lutstvktx.exe File opened (read-only) \??\y: lutstvktx.exe File opened (read-only) \??\m: lutstvktx.exe File opened (read-only) \??\n: lutstvktx.exe File opened (read-only) \??\s: lutstvktx.exe File opened (read-only) \??\t: lutstvktx.exe File opened (read-only) \??\p: lutstvktx.exe File opened (read-only) \??\r: lutstvktx.exe File opened (read-only) \??\z: lutstvktx.exe File opened (read-only) \??\a: lutstvktx.exe File opened (read-only) \??\e: lutstvktx.exe File opened (read-only) \??\g: lutstvktx.exe File opened (read-only) \??\l: lutstvktx.exe File opened (read-only) \??\w: lutstvktx.exe File opened (read-only) \??\x: lutstvktx.exe File opened (read-only) \??\i: lutstvktx.exe File opened (read-only) \??\j: lutstvktx.exe File opened (read-only) \??\k: lutstvktx.exe File opened (read-only) \??\o: lutstvktx.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
lutstvktx.exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 lutstvktx.exe -
Drops file in Program Files directory 4 IoCs
Processes:
swxxs.exedescription ioc process File created \??\c:\Program Files\vfrib\lutstvktx.dll swxxs.exe File created \??\c:\Program Files\vfrib\lutstvktx.exe swxxs.exe File opened for modification \??\c:\Program Files\vfrib\lutstvktx.exe swxxs.exe File opened for modification \??\c:\Program Files\vfrib swxxs.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
swxxs.exelutstvktx.exe189ddfb3acd27b09cc86ef8c06d984c5a62882dd5b7dcf903bb33c37c6726be4.execmd.exePING.EXEdescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language swxxs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lutstvktx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 189ddfb3acd27b09cc86ef8c06d984c5a62882dd5b7dcf903bb33c37c6726be4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
cmd.exePING.EXEpid process 2720 cmd.exe 404 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
lutstvktx.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 lutstvktx.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString lutstvktx.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
lutstvktx.exepid process 3656 lutstvktx.exe 3656 lutstvktx.exe 3656 lutstvktx.exe 3656 lutstvktx.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
lutstvktx.exedescription pid process Token: SeDebugPrivilege 3656 lutstvktx.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
189ddfb3acd27b09cc86ef8c06d984c5a62882dd5b7dcf903bb33c37c6726be4.exeswxxs.exepid process 4660 189ddfb3acd27b09cc86ef8c06d984c5a62882dd5b7dcf903bb33c37c6726be4.exe 4136 swxxs.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
189ddfb3acd27b09cc86ef8c06d984c5a62882dd5b7dcf903bb33c37c6726be4.execmd.exeswxxs.exedescription pid process target process PID 4660 wrote to memory of 2720 4660 189ddfb3acd27b09cc86ef8c06d984c5a62882dd5b7dcf903bb33c37c6726be4.exe cmd.exe PID 4660 wrote to memory of 2720 4660 189ddfb3acd27b09cc86ef8c06d984c5a62882dd5b7dcf903bb33c37c6726be4.exe cmd.exe PID 4660 wrote to memory of 2720 4660 189ddfb3acd27b09cc86ef8c06d984c5a62882dd5b7dcf903bb33c37c6726be4.exe cmd.exe PID 2720 wrote to memory of 404 2720 cmd.exe PING.EXE PID 2720 wrote to memory of 404 2720 cmd.exe PING.EXE PID 2720 wrote to memory of 404 2720 cmd.exe PING.EXE PID 2720 wrote to memory of 4136 2720 cmd.exe swxxs.exe PID 2720 wrote to memory of 4136 2720 cmd.exe swxxs.exe PID 2720 wrote to memory of 4136 2720 cmd.exe swxxs.exe PID 4136 wrote to memory of 3656 4136 swxxs.exe lutstvktx.exe PID 4136 wrote to memory of 3656 4136 swxxs.exe lutstvktx.exe PID 4136 wrote to memory of 3656 4136 swxxs.exe lutstvktx.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\189ddfb3acd27b09cc86ef8c06d984c5a62882dd5b7dcf903bb33c37c6726be4.exe"C:\Users\Admin\AppData\Local\Temp\189ddfb3acd27b09cc86ef8c06d984c5a62882dd5b7dcf903bb33c37c6726be4.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\swxxs.exe "C:\Users\Admin\AppData\Local\Temp\189ddfb3acd27b09cc86ef8c06d984c5a62882dd5b7dcf903bb33c37c6726be4.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:404 -
C:\Users\Admin\AppData\Local\Temp\swxxs.exeC:\Users\Admin\AppData\Local\Temp\\swxxs.exe "C:\Users\Admin\AppData\Local\Temp\189ddfb3acd27b09cc86ef8c06d984c5a62882dd5b7dcf903bb33c37c6726be4.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4136 -
\??\c:\Program Files\vfrib\lutstvktx.exe"c:\Program Files\vfrib\lutstvktx.exe" "c:\Program Files\vfrib\lutstvktx.dll",SetHandle C:\Users\Admin\AppData\Local\Temp\swxxs.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3656
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD5889b99c52a60dd49227c5e485a016679
SHA18fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA2566cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA51208933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
-
Filesize
158KB
MD5c1e7e77a37760322d2ca8771e487880a
SHA11205379a4041e3de91e3e1861b9301fb16c02a32
SHA256ce2fdf1e49fed0dfd35adf39f0e1e63c27fe774e68d7da999e6dd252d30851d2
SHA512cc9728ebbd8b1a1ca9c511f8c5befa2eb78d8260f9bbbcec770038cf5032966cafbb3131fea5073988e55518511dab58ca97524fc09364a2a073ad06e2cc56c0
-
Filesize
128KB
MD54fbce572dacc27a33a3b72e54e7d0848
SHA1852c305d936e8f41fe99e36c56c9f2b316693446
SHA25628df686f26473a559eb8ad39b47b25a5eed6093773c4121a4948e54562f57436
SHA512d5d301b9dd9568ef751171f67cec8f036407dce8934539e8e2003224e8d1574c9e31447c15b9be93098e467cad9aca8a584d7c63c27bfab855d674f02cebb8b1