Analysis
-
max time kernel
144s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
10-11-2024 00:46
Static task
static1
Behavioral task
behavioral1
Sample
9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe
Resource
win10v2004-20241007-en
General
-
Target
9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe
-
Size
80KB
-
MD5
13febf7a5e39b4716d743ca0131af98f
-
SHA1
3398a7640d466fb0fcf5973c53047af0a1fbab22
-
SHA256
9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da
-
SHA512
df06af8c2dae2eaf10b62f5ac080ac636177e1a728502ad26e6db89769a9716217f8a1a9577c6461828f18d3f5b02b2c27f8729f74947bf9c7f04c82bde2f703
-
SSDEEP
768:qGHV45EDE477AZbUJx0rZGE3jCELoiMMj6hZ3nE+EXVmkDbjRL8Khc15Z6J1S:qG14P477AxUYrZGoC09k0SkTRHhWqP
Malware Config
Signatures
-
Blocklisted process makes network request 4 IoCs
Processes:
rundll32.exeflow pid process 5 2748 rundll32.exe 6 2748 rundll32.exe 7 2748 rundll32.exe 8 2748 rundll32.exe -
Deletes itself 1 IoCs
Processes:
zqnxyuax.exepid process 2456 zqnxyuax.exe -
Executes dropped EXE 1 IoCs
Processes:
zqnxyuax.exepid process 2456 zqnxyuax.exe -
Loads dropped DLL 4 IoCs
Processes:
rundll32.exepid process 2748 rundll32.exe 2748 rundll32.exe 2748 rundll32.exe 2748 rundll32.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\vimcq\\nkodcw.dll\",init" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\z: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\l: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
rundll32.exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.execmd.exePING.EXEzqnxyuax.exerundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zqnxyuax.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
cmd.exePING.EXEpid process 3032 cmd.exe 2000 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepid process 2748 rundll32.exe 2748 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid process Token: SeDebugPrivilege 2748 rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exezqnxyuax.exepid process 804 9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe 2456 zqnxyuax.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.execmd.exezqnxyuax.exedescription pid process target process PID 804 wrote to memory of 3032 804 9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe cmd.exe PID 804 wrote to memory of 3032 804 9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe cmd.exe PID 804 wrote to memory of 3032 804 9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe cmd.exe PID 804 wrote to memory of 3032 804 9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe cmd.exe PID 3032 wrote to memory of 2000 3032 cmd.exe PING.EXE PID 3032 wrote to memory of 2000 3032 cmd.exe PING.EXE PID 3032 wrote to memory of 2000 3032 cmd.exe PING.EXE PID 3032 wrote to memory of 2000 3032 cmd.exe PING.EXE PID 3032 wrote to memory of 2456 3032 cmd.exe zqnxyuax.exe PID 3032 wrote to memory of 2456 3032 cmd.exe zqnxyuax.exe PID 3032 wrote to memory of 2456 3032 cmd.exe zqnxyuax.exe PID 3032 wrote to memory of 2456 3032 cmd.exe zqnxyuax.exe PID 2456 wrote to memory of 2748 2456 zqnxyuax.exe rundll32.exe PID 2456 wrote to memory of 2748 2456 zqnxyuax.exe rundll32.exe PID 2456 wrote to memory of 2748 2456 zqnxyuax.exe rundll32.exe PID 2456 wrote to memory of 2748 2456 zqnxyuax.exe rundll32.exe PID 2456 wrote to memory of 2748 2456 zqnxyuax.exe rundll32.exe PID 2456 wrote to memory of 2748 2456 zqnxyuax.exe rundll32.exe PID 2456 wrote to memory of 2748 2456 zqnxyuax.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe"C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&c:\zqnxyuax.exe "C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2000 -
\??\c:\zqnxyuax.exec:\zqnxyuax.exe "C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe"3⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\vimcq\nkodcw.dll",init c:\zqnxyuax.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
42KB
MD536e3fb5964d663272cf1169e1e1ca478
SHA158115e08b49505bcbbb5c88a28a86222ba18d5d4
SHA256c7c41689de030df0f78f471422fa2a6383b36e77c94e7f6f124a96feb3e27ed7
SHA512daff53b11aa400437a06287707a334a09661c1ef7d0fd8beaf1a874c79c16fe45bd1188343d0623e839d3ead5ea2dd90896e37ccf3b252c7220c74989a9ba442
-
Filesize
80KB
MD5e3e6fb9cccc3915e26bfdcbdb60c97d5
SHA12c09b3ebc554e48434cba8d1bd29aad98ae60c5b
SHA256417f4b0763a2a36145cff32aa3113be9ce6361b283a28f04c1790f78949c0a71
SHA5121ec3838813ed2cad4f93931bc71f26ac8329aaeefc08a42d9de95303b633b52f5da5e6067dbbc6d42a82e1f114ce27d3b9cd8dc1eecae234bd662dc9ffb0128d