Analysis
-
max time kernel
145s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 00:46
Static task
static1
Behavioral task
behavioral1
Sample
9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe
Resource
win10v2004-20241007-en
General
-
Target
9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe
-
Size
80KB
-
MD5
13febf7a5e39b4716d743ca0131af98f
-
SHA1
3398a7640d466fb0fcf5973c53047af0a1fbab22
-
SHA256
9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da
-
SHA512
df06af8c2dae2eaf10b62f5ac080ac636177e1a728502ad26e6db89769a9716217f8a1a9577c6461828f18d3f5b02b2c27f8729f74947bf9c7f04c82bde2f703
-
SSDEEP
768:qGHV45EDE477AZbUJx0rZGE3jCELoiMMj6hZ3nE+EXVmkDbjRL8Khc15Z6J1S:qG14P477AxUYrZGoC09k0SkTRHhWqP
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
Processes:
rundll32.exeflow pid process 16 3968 rundll32.exe 17 3968 rundll32.exe 19 3968 rundll32.exe -
Deletes itself 1 IoCs
Processes:
pnrxlofur.exepid process 400 pnrxlofur.exe -
Executes dropped EXE 1 IoCs
Processes:
pnrxlofur.exepid process 400 pnrxlofur.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 3968 rundll32.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\pwhclic\\nsoaz.dll\",init" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\z: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\i: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
rundll32.exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
cmd.exePING.EXEpnrxlofur.exerundll32.exe9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pnrxlofur.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
PING.EXEcmd.exepid process 4268 PING.EXE 4068 cmd.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
rundll32.exepid process 3968 rundll32.exe 3968 rundll32.exe 3968 rundll32.exe 3968 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid process Token: SeDebugPrivilege 3968 rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exepnrxlofur.exepid process 2928 9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe 400 pnrxlofur.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.execmd.exepnrxlofur.exedescription pid process target process PID 2928 wrote to memory of 4068 2928 9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe cmd.exe PID 2928 wrote to memory of 4068 2928 9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe cmd.exe PID 2928 wrote to memory of 4068 2928 9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe cmd.exe PID 4068 wrote to memory of 4268 4068 cmd.exe PING.EXE PID 4068 wrote to memory of 4268 4068 cmd.exe PING.EXE PID 4068 wrote to memory of 4268 4068 cmd.exe PING.EXE PID 4068 wrote to memory of 400 4068 cmd.exe pnrxlofur.exe PID 4068 wrote to memory of 400 4068 cmd.exe pnrxlofur.exe PID 4068 wrote to memory of 400 4068 cmd.exe pnrxlofur.exe PID 400 wrote to memory of 3968 400 pnrxlofur.exe rundll32.exe PID 400 wrote to memory of 3968 400 pnrxlofur.exe rundll32.exe PID 400 wrote to memory of 3968 400 pnrxlofur.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe"C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&c:\pnrxlofur.exe "C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4268 -
\??\c:\pnrxlofur.exec:\pnrxlofur.exe "C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe"3⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\pwhclic\nsoaz.dll",init c:\pnrxlofur.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3968
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
80KB
MD5e926b08ff37a69ef93b18974596f07a8
SHA14d6eec391ea269fa4f5ba663f899e8ce1237091f
SHA25685ad9fe165c030001edc50de1fb4e12cc837206f049f0bb1f94da965ca0e0893
SHA5124f886a7b3d0426e4c72eccf5f28bbd96a9c7a366686cbb57872ec47dd057c313daaa2e01d0aedcf430d9e60c900fb7af1e7f5b42a93a8a9ac60e475adec512e7
-
Filesize
42KB
MD536e3fb5964d663272cf1169e1e1ca478
SHA158115e08b49505bcbbb5c88a28a86222ba18d5d4
SHA256c7c41689de030df0f78f471422fa2a6383b36e77c94e7f6f124a96feb3e27ed7
SHA512daff53b11aa400437a06287707a334a09661c1ef7d0fd8beaf1a874c79c16fe45bd1188343d0623e839d3ead5ea2dd90896e37ccf3b252c7220c74989a9ba442