Analysis Overview
SHA256
9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da
Threat Level: Likely malicious
The file 9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Deletes itself
Writes to the Master Boot Record (MBR)
Adds Run key to start application
Enumerates connected drives
Unsigned PE
System Network Configuration Discovery: Internet Connection Discovery
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 00:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 00:46
Reported
2024-11-10 00:48
Platform
win7-20241010-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\zqnxyuax.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\zqnxyuax.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\vimcq\\nkodcw.dll\",init" | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\p: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\t: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\u: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\v: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\y: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\h: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\o: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\m: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\s: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\x: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\z: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\e: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\g: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\i: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\j: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\n: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\a: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\b: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\q: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\r: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\w: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\k: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\l: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\zqnxyuax.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe | N/A |
| N/A | N/A | \??\c:\zqnxyuax.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe
"C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 -n 2&c:\zqnxyuax.exe "C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
\??\c:\zqnxyuax.exe
c:\zqnxyuax.exe "C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe"
\??\c:\windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.exe "c:\vimcq\nkodcw.dll",init c:\zqnxyuax.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 107.163.241.232:12354 | N/A | tcp |
| US | 107.163.241.232:12354 | N/A | tcp |
| US | 107.163.241.232:12354 | N/A | tcp |
| US | 107.163.241.232:12354 | N/A | tcp |
Files
memory/804-0-0x0000000000400000-0x0000000000425000-memory.dmp
memory/804-1-0x00000000002C0000-0x00000000002C1000-memory.dmp
memory/804-3-0x0000000000400000-0x0000000000425000-memory.dmp
\??\c:\zqnxyuax.exe
| MD5 | e3e6fb9cccc3915e26bfdcbdb60c97d5 |
| SHA1 | 2c09b3ebc554e48434cba8d1bd29aad98ae60c5b |
| SHA256 | 417f4b0763a2a36145cff32aa3113be9ce6361b283a28f04c1790f78949c0a71 |
| SHA512 | 1ec3838813ed2cad4f93931bc71f26ac8329aaeefc08a42d9de95303b633b52f5da5e6067dbbc6d42a82e1f114ce27d3b9cd8dc1eecae234bd662dc9ffb0128d |
memory/3032-6-0x0000000000400000-0x0000000000425000-memory.dmp
memory/2456-8-0x0000000000400000-0x0000000000425000-memory.dmp
\??\c:\vimcq\nkodcw.dll
| MD5 | 36e3fb5964d663272cf1169e1e1ca478 |
| SHA1 | 58115e08b49505bcbbb5c88a28a86222ba18d5d4 |
| SHA256 | c7c41689de030df0f78f471422fa2a6383b36e77c94e7f6f124a96feb3e27ed7 |
| SHA512 | daff53b11aa400437a06287707a334a09661c1ef7d0fd8beaf1a874c79c16fe45bd1188343d0623e839d3ead5ea2dd90896e37ccf3b252c7220c74989a9ba442 |
memory/2748-14-0x0000000010000000-0x000000001002E000-memory.dmp
memory/2748-15-0x0000000010000000-0x000000001002E000-memory.dmp
memory/2748-17-0x0000000010000000-0x000000001002E000-memory.dmp
memory/2748-16-0x0000000010021000-0x0000000010022000-memory.dmp
memory/2748-18-0x0000000010000000-0x000000001002E000-memory.dmp
memory/2748-19-0x0000000010000000-0x000000001002E000-memory.dmp
memory/2748-20-0x0000000010000000-0x000000001002E000-memory.dmp
memory/2748-21-0x0000000010021000-0x0000000010022000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 00:46
Reported
2024-11-10 00:48
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\pnrxlofur.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\pnrxlofur.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\pwhclic\\nsoaz.dll\",init" | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\k: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\w: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\a: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\g: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\p: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\r: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\v: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\y: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\m: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\n: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\j: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\q: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\s: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\z: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\b: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\e: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\l: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\o: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\t: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\u: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\x: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\h: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\i: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\pnrxlofur.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe | N/A |
| N/A | N/A | \??\c:\pnrxlofur.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe
"C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 -n 2&c:\pnrxlofur.exe "C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
\??\c:\pnrxlofur.exe
c:\pnrxlofur.exe "C:\Users\Admin\AppData\Local\Temp\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe"
\??\c:\windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.exe "c:\pwhclic\nsoaz.dll",init c:\pnrxlofur.exe
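Both process trees (behavioral1 and behavioral2) record the same chain: the sample spawns cmd.exe with "ping 127.0.0.1 -n 2 & c:\<copy>.exe <original path>" (a loopback ping as a delay before the copy runs and the original is deleted), the copy launches rundll32.exe on a DLL dropped under a fresh directory in c:\ with export "init", and that rundll32 writes an HKCU Run value named EvtMgr and opens \??\PHYSICALDRIVE0 for modification. The Python below is an added example, not part of the sandbox report: detection rules for those four behaviours, run over constructed process, registry and file-open events shaped like the trees above. The PIDs, event layout and field names are assumptions made for the example.

```python
"""Detection rules for the chain this report records: ping-delayed self-relaunch,
rundll32 loading a DLL from outside the system directories, a Run key pointing
at that rundll32 command, and a raw open of PHYSICALDRIVE0.
Events below are constructed for the example; PIDs are not the sandbox's."""
import re
from dataclasses import dataclass

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# "ping 127.0.0.1 -n N & <exe>": loopback ping used as a sleep before relaunch.
PING_RELAUNCH = re.compile(
    r'ping\s+(?:127\.0\.0\.1|localhost)\s+-n\s+\d+\s*&+\s*"?([^"&]+?\.exe)"?',
    re.IGNORECASE)
# rundll32.exe "<dll>",<export> ...  (quotes optional)
RUNDLL32_ARGS = re.compile(
    r'rundll32\.exe\s+"?([^",]+\.dll)"?\s*,\s*([A-Za-z_]\w*)', re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def ping_relaunch_target(cmdline):
    """Return the executable chained after a loopback ping, or None."""
    m = PING_RELAUNCH.search(cmdline)
    return m.group(1).strip() if m else None


def rundll32_nonsystem_dll(cmdline):
    """Return (dll, export) when rundll32 loads a DLL outside the system dirs."""
    m = RUNDLL32_ARGS.search(cmdline)
    if not m:
        return None
    dll, export = m.group(1).strip().lower(), m.group(2)
    return None if dll.startswith(SYSTEM_DIRS) else (dll, export)


def analyse(procs, registry_sets, file_opens):
    """Apply the four rules; registry_sets are (pid, key, data), file_opens (pid, path)."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        target = ping_relaunch_target(p.cmdline)
        if target and p.image.lower().endswith("cmd.exe"):
            parent = by_pid.get(p.ppid)
            # The copy receives the parent's own path as its argument: the
            # delete-the-original idiom behind the "Deletes itself" signature.
            replaces = parent is not None and parent.image.lower() in p.cmdline.lower()
            findings.append(Finding("ping_delay_relaunch", p.pid,
                                    f"{target} (replaces parent: {replaces})"))
        hit = rundll32_nonsystem_dll(p.cmdline)
        if hit:
            findings.append(Finding("rundll32_nonsystem_dll", p.pid, f"{hit[0]},{hit[1]}"))
    for pid, key, data in registry_sets:
        if "\\currentversion\\run\\" in key.lower() and rundll32_nonsystem_dll(data):
            findings.append(Finding("run_key_rundll32", pid, key.rsplit("\\", 1)[1]))
    for pid, path in file_opens:
        if path.lower().startswith(r"\??\physicaldrive"):
            findings.append(Finding("raw_disk_open", pid, path))
    return findings


# Constructed sample events modelled on the behavioral1 tree (PIDs are made up).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\9775e0b681fcab10caa2a5f2bc9e29a42089631aa280a3584edb25f0697153da.exe")
PROCS = [
    Proc(100, 1, SAMPLE, f'"{SAMPLE}"'),
    Proc(101, 100, r"C:\Windows\SysWOW64\cmd.exe",
         rf'cmd.exe /c ping 127.0.0.1 -n 2&c:\zqnxyuax.exe "{SAMPLE}"'),
    Proc(102, 101, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 2"),
    Proc(103, 101, r"c:\zqnxyuax.exe", rf'c:\zqnxyuax.exe "{SAMPLE}"'),
    Proc(104, 103, r"c:\windows\SysWOW64\rundll32.exe",
         r'c:\windows\system32\rundll32.exe "c:\vimcq\nkodcw.dll",init c:\zqnxyuax.exe'),
]
REGISTRY_SETS = [(104, r"\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000"
                       r"\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr",
                  r'c:\windows\SysWOW64\rundll32.exe "c:\vimcq\nkodcw.dll",init')]
FILE_OPENS = [(104, r"\??\PHYSICALDRIVE0")]

if __name__ == "__main__":
    for f in analyse(PROCS, REGISTRY_SETS, FILE_OPENS):
        print(f"{f.rule:24} pid={f.pid} {f.detail}")
```

The rundll32 rule deliberately keys on the DLL's location rather than on rundll32.exe itself, since rundll32 is a legitimate host; the same parser is reused for the Run key data so that the persistence entry and the live process are caught by one check. Note that the sandbox reports the rundll32 image under SysWOW64 even though the command line names system32, which is the 32-bit file-system redirection at work; matching on the DLL path avoids that ambiguity.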
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 107.163.241.232:12354 | N/A | tcp |
| US | 107.163.241.232:12354 | N/A | tcp |
| US | 107.163.241.232:12354 | N/A | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
Files
memory/2928-0-0x0000000000400000-0x0000000000425000-memory.dmp
memory/2928-1-0x0000000000930000-0x0000000000931000-memory.dmp
memory/2928-3-0x0000000000400000-0x0000000000425000-memory.dmp
C:\pnrxlofur.exe
| MD5 | e926b08ff37a69ef93b18974596f07a8 |
| SHA1 | 4d6eec391ea269fa4f5ba663f899e8ce1237091f |
| SHA256 | 85ad9fe165c030001edc50de1fb4e12cc837206f049f0bb1f94da965ca0e0893 |
| SHA512 | 4f886a7b3d0426e4c72eccf5f28bbd96a9c7a366686cbb57872ec47dd057c313daaa2e01d0aedcf430d9e60c900fb7af1e7f5b42a93a8a9ac60e475adec512e7 |
memory/400-7-0x0000000000630000-0x0000000000631000-memory.dmp
memory/400-9-0x0000000000400000-0x0000000000425000-memory.dmp
\??\c:\pwhclic\nsoaz.dll
| MD5 | 36e3fb5964d663272cf1169e1e1ca478 |
| SHA1 | 58115e08b49505bcbbb5c88a28a86222ba18d5d4 |
| SHA256 | c7c41689de030df0f78f471422fa2a6383b36e77c94e7f6f124a96feb3e27ed7 |
| SHA512 | daff53b11aa400437a06287707a334a09661c1ef7d0fd8beaf1a874c79c16fe45bd1188343d0623e839d3ead5ea2dd90896e37ccf3b252c7220c74989a9ba442 |
memory/3968-12-0x0000000010000000-0x000000001002E000-memory.dmp
memory/3968-13-0x0000000010000000-0x000000001002E000-memory.dmp
memory/3968-14-0x0000000010000000-0x000000001002E000-memory.dmp
memory/3968-15-0x00000000010C0000-0x00000000010C1000-memory.dmp