Analysis
-
max time kernel
142s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09-11-2024 19:03
Static task
static1
Behavioral task
behavioral1
Sample
1f887796678784eba74b5451e5419f77b3c85b17dbd3ef7502693ed65cea4d66.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1f887796678784eba74b5451e5419f77b3c85b17dbd3ef7502693ed65cea4d66.exe
Resource
win10v2004-20241007-en
General
-
Target
1f887796678784eba74b5451e5419f77b3c85b17dbd3ef7502693ed65cea4d66.exe
-
Size
158KB
-
MD5
e2a98bfcab2a0340857e17c262fd6498
-
SHA1
dc53f223dab50dc942a8856df50a1a78b525665b
-
SHA256
1f887796678784eba74b5451e5419f77b3c85b17dbd3ef7502693ed65cea4d66
-
SHA512
6729582dc791b71748755465c86d1219bdd0b4f1ab11f1ecfb912f9b1d72a68bbeda85607bc5a3a2191598480425563de2f9dce399d55f7f4edf1d7e8d20f906
-
SSDEEP
3072:oZpYg19EeiLLmjempGuCYooEK1JWaCItULG3rt2Wcora4dI:OPjEl6jLiQ1JW+Oy3p/
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
resource yara_rule \??\c:\Program Files\bupesoog\ojzcxa.dll acprotect -
Deletes itself 1 IoCs
Processes:
kfnpnyw.exepid process 1996 kfnpnyw.exe -
Executes dropped EXE 2 IoCs
Processes:
kfnpnyw.exeojzcxa.exepid process 1996 kfnpnyw.exe 2268 ojzcxa.exe -
Loads dropped DLL 1 IoCs
Processes:
ojzcxa.exepid process 2268 ojzcxa.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
ojzcxa.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Linycpy = "c:\\Program Files\\bupesoog\\ojzcxa.exe \"c:\\Program Files\\bupesoog\\ojzcxa.dll\",SetHandle" ojzcxa.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
ojzcxa.exedescription ioc process File opened (read-only) \??\z: ojzcxa.exe File opened (read-only) \??\i: ojzcxa.exe File opened (read-only) \??\j: ojzcxa.exe File opened (read-only) \??\k: ojzcxa.exe File opened (read-only) \??\u: ojzcxa.exe File opened (read-only) \??\v: ojzcxa.exe File opened (read-only) \??\x: ojzcxa.exe File opened (read-only) \??\y: ojzcxa.exe File opened (read-only) \??\b: ojzcxa.exe File opened (read-only) \??\g: ojzcxa.exe File opened (read-only) \??\l: ojzcxa.exe File opened (read-only) \??\p: ojzcxa.exe File opened (read-only) \??\t: ojzcxa.exe File opened (read-only) \??\a: ojzcxa.exe File opened (read-only) \??\h: ojzcxa.exe File opened (read-only) \??\m: ojzcxa.exe File opened (read-only) \??\s: ojzcxa.exe File opened (read-only) \??\w: ojzcxa.exe File opened (read-only) \??\e: ojzcxa.exe File opened (read-only) \??\n: ojzcxa.exe File opened (read-only) \??\o: ojzcxa.exe File opened (read-only) \??\q: ojzcxa.exe File opened (read-only) \??\r: ojzcxa.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
ojzcxa.exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 ojzcxa.exe -
Drops file in Program Files directory 4 IoCs
Processes:
kfnpnyw.exedescription ioc process File opened for modification \??\c:\Program Files\bupesoog kfnpnyw.exe File created \??\c:\Program Files\bupesoog\ojzcxa.dll kfnpnyw.exe File created \??\c:\Program Files\bupesoog\ojzcxa.exe kfnpnyw.exe File opened for modification \??\c:\Program Files\bupesoog\ojzcxa.exe kfnpnyw.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
1f887796678784eba74b5451e5419f77b3c85b17dbd3ef7502693ed65cea4d66.execmd.exePING.EXEkfnpnyw.exeojzcxa.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1f887796678784eba74b5451e5419f77b3c85b17dbd3ef7502693ed65cea4d66.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kfnpnyw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ojzcxa.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
cmd.exePING.EXEpid process 4488 cmd.exe 1556 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
ojzcxa.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ojzcxa.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ojzcxa.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
ojzcxa.exepid process 2268 ojzcxa.exe 2268 ojzcxa.exe 2268 ojzcxa.exe 2268 ojzcxa.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
ojzcxa.exedescription pid process Token: SeDebugPrivilege 2268 ojzcxa.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
1f887796678784eba74b5451e5419f77b3c85b17dbd3ef7502693ed65cea4d66.exekfnpnyw.exepid process 4852 1f887796678784eba74b5451e5419f77b3c85b17dbd3ef7502693ed65cea4d66.exe 1996 kfnpnyw.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
1f887796678784eba74b5451e5419f77b3c85b17dbd3ef7502693ed65cea4d66.execmd.exekfnpnyw.exedescription pid process target process PID 4852 wrote to memory of 4488 4852 1f887796678784eba74b5451e5419f77b3c85b17dbd3ef7502693ed65cea4d66.exe cmd.exe PID 4852 wrote to memory of 4488 4852 1f887796678784eba74b5451e5419f77b3c85b17dbd3ef7502693ed65cea4d66.exe cmd.exe PID 4852 wrote to memory of 4488 4852 1f887796678784eba74b5451e5419f77b3c85b17dbd3ef7502693ed65cea4d66.exe cmd.exe PID 4488 wrote to memory of 1556 4488 cmd.exe PING.EXE PID 4488 wrote to memory of 1556 4488 cmd.exe PING.EXE PID 4488 wrote to memory of 1556 4488 cmd.exe PING.EXE PID 4488 wrote to memory of 1996 4488 cmd.exe kfnpnyw.exe PID 4488 wrote to memory of 1996 4488 cmd.exe kfnpnyw.exe PID 4488 wrote to memory of 1996 4488 cmd.exe kfnpnyw.exe PID 1996 wrote to memory of 2268 1996 kfnpnyw.exe ojzcxa.exe PID 1996 wrote to memory of 2268 1996 kfnpnyw.exe ojzcxa.exe PID 1996 wrote to memory of 2268 1996 kfnpnyw.exe ojzcxa.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f887796678784eba74b5451e5419f77b3c85b17dbd3ef7502693ed65cea4d66.exe"C:\Users\Admin\AppData\Local\Temp\1f887796678784eba74b5451e5419f77b3c85b17dbd3ef7502693ed65cea4d66.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\kfnpnyw.exe "C:\Users\Admin\AppData\Local\Temp\1f887796678784eba74b5451e5419f77b3c85b17dbd3ef7502693ed65cea4d66.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1556 -
C:\Users\Admin\AppData\Local\Temp\kfnpnyw.exeC:\Users\Admin\AppData\Local\Temp\\kfnpnyw.exe "C:\Users\Admin\AppData\Local\Temp\1f887796678784eba74b5451e5419f77b3c85b17dbd3ef7502693ed65cea4d66.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\Program Files\bupesoog\ojzcxa.exe"c:\Program Files\bupesoog\ojzcxa.exe" "c:\Program Files\bupesoog\ojzcxa.dll",SetHandle C:\Users\Admin\AppData\Local\Temp\kfnpnyw.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD5889b99c52a60dd49227c5e485a016679
SHA18fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA2566cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA51208933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
-
Filesize
158KB
MD58861fb5c54d507e68f62b6ece73c3bd7
SHA1aed458224932b9eef613d9b0b9be7ec61b74cd90
SHA256e86d2e2e85cf7406842e857073cfe24b60774e8a75c519ea72bdef747366b2fc
SHA512d75260849fc69d28a908b491faa6f62846dd5d08ec5a9502c1453672d6e15f311d1a32e0747a0df52e8f53863e91bea4f768fe70f5c7e2d572f6ce746ca8413c
-
Filesize
128KB
MD5a158053e725e710f1de6aa0a66b91c79
SHA199014362b6e7aeffe054855d02175ec3e9c0d451
SHA2564f2e34993e71337ecdfee80a2b622e62f1c386eea415ef12f0879b75d5c9cc89
SHA5124918c23805e8d0c299d20a6096c8bb13549247459554033e516de1bc274b8136e1a3289b0abcd7fe046763bb52b85747153e30d8a15b0ee68f2e37b6c15bdb90