Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-11-2024 01:24

General

  • Target

    cb06d1c07e401548ea6f07027cfd2646314d2c58f4d55159fe5e9c55eac30898.exe

  • Size

    157KB

  • MD5

    bcaffda374b83bd9c97568574b482b64

  • SHA1

    9418baa42ec05dfb011082dac47db22bc935413c

  • SHA256

    cb06d1c07e401548ea6f07027cfd2646314d2c58f4d55159fe5e9c55eac30898

  • SHA512

    0b8f55d71e9352a5917828445647b6d77ee092c9afb4b8813a074ba1c517f3b0908b1e65156a9fa17a5a12707630053acc9ac04508d2fc4c48885db812361fd1

  • SSDEEP

    3072:oZpYg19EeiLLmjempGuCYooEK1JWaCItULG3rt2Wcora4dI5:OPjEl6jLiQ1JW+Oy3p/

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects a file packed with the ACProtect software protector.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
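
The "Writes to the Master Boot Record (MBR)" signature above records a raw write to the first sector of the disk, which is what a bootkit needs for persistence below the operating system. One practical check for that behaviour, as an added example that is not part of this report or of the sample's code: decode the 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and compare the boot-code hash and partition table against a known-good copy. The boot stub, the single partition entry and the tampered sector below are constructed for the example, and the function names are the example's own.

```python
import hashlib
import struct

SECTOR = 512
# One partition entry: status, CHS start, type, CHS end, LBA start, sector count.
ENTRY = struct.Struct("<B3sB3sII")


def build_mbr(boot_code: bytes, partitions, signature: bytes = b"\x55\xaa") -> bytes:
    """Assemble a 512-byte MBR: 446 bytes of boot code, four 16-byte entries, 0x55AA."""
    if len(boot_code) > 446:
        raise ValueError("boot code must fit in 446 bytes")
    table = b"".join(ENTRY.pack(*p) for p in partitions).ljust(64, b"\x00")
    return boot_code.ljust(446, b"\x00") + table + signature


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature and decode the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = ENTRY.unpack_from(sector, 446 + 16 * i)
        if ptype:  # type 0x00 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": partitions}


def mbr_diff(baseline: bytes, current: bytes) -> dict:
    """Report which region differs between a known-good MBR and the one read now."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    return {"boot_code_changed": b["boot_code_sha256"] != c["boot_code_sha256"],
            "partition_table_changed": b["partitions"] != c["partitions"]}


# Constructed sample data: a made-up boot stub and one bootable NTFS-type (0x07) partition.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a4")
PARTITIONS = [(0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)]
BASELINE_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
# Same partition table, but the boot code has been replaced: the shape of a bootkit write.
TAMPERED_MBR = build_mbr(b"\xe9\x00\x01" + b"\x90" * 40, PARTITIONS)

if __name__ == "__main__":
    print(parse_mbr(BASELINE_MBR))
    print(mbr_diff(BASELINE_MBR, TAMPERED_MBR))
```

On a live Windows host the 512 bytes would come from opening `\\.\PhysicalDrive0` as Administrator and reading the first sector; the baseline is captured once from a known-good system. A boot-code change with an unchanged partition table is the pattern to alert on, since legitimate partitioning tools change the table, not the stub.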

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb06d1c07e401548ea6f07027cfd2646314d2c58f4d55159fe5e9c55eac30898.exe
    "C:\Users\Admin\AppData\Local\Temp\cb06d1c07e401548ea6f07027cfd2646314d2c58f4d55159fe5e9c55eac30898.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\jiunb.exe "C:\Users\Admin\AppData\Local\Temp\cb06d1c07e401548ea6f07027cfd2646314d2c58f4d55159fe5e9c55eac30898.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3180
      • C:\Users\Admin\AppData\Local\Temp\jiunb.exe
        C:\Users\Admin\AppData\Local\Temp\\jiunb.exe "C:\Users\Admin\AppData\Local\Temp\cb06d1c07e401548ea6f07027cfd2646314d2c58f4d55159fe5e9c55eac30898.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2328
        • \??\c:\Program Files\drnti\ipntbund.exe
          "c:\Program Files\drnti\ipntbund.exe" "c:\Program Files\drnti\ipntbund.dll",SetHandle C:\Users\Admin\AppData\Local\Temp\jiunb.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5112
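
The process tree above shows a three-step hand-off: cmd.exe uses `ping 127.0.0.1 -n 2` as a short sleep, then starts the dropped jiunb.exe with the original sample's path as its argument (the "Deletes itself" step), and jiunb.exe in turn launches ipntbund.exe with a `"<dll>",SetHandle` argument in the rundll32 style, loading a DLL from Program Files. The following is an added example, not part of this report, that encodes those three behaviours as checks over process-creation events; the event records are constructed from the command lines in the Processes section, and the field names (pid, ppid, image, cmdline) are assumed rather than a real EDR schema.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the Processes section of this report; the schema is assumed.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\cb06d1c07e401548ea6f07027cfd2646314d2c58f4d55159fe5e9c55eac30898.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\\jiunb.exe"  # doubled backslash as logged
EVENTS = [
    ProcEvent(2544, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2704, 2544, r"C:\Windows\SysWOW64\cmd.exe",
              f'cmd.exe /c ping 127.0.0.1 -n 2&{DROPPED} "{SAMPLE}"'),
    ProcEvent(3180, 2704, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 2"),
    ProcEvent(2328, 2704, r"C:\Users\Admin\AppData\Local\Temp\jiunb.exe",
              f'{DROPPED} "{SAMPLE}"'),
    ProcEvent(5112, 2328, r"\??\c:\Program Files\drnti\ipntbund.exe",
              r'"c:\Program Files\drnti\ipntbund.exe" "c:\Program Files\drnti\ipntbund.dll",SetHandle '
              r"C:\Users\Admin\AppData\Local\Temp\jiunb.exe"),
]

PING_CHAIN = re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+(\d+)\s*&\s*(\S+\.exe)", re.I)
DLL_EXPORT = re.compile(r'(?:"([^"]+\.dll)"|([^\s",]+\.dll))\s*,\s*(\w+)', re.I)
QUOTED_EXE = re.compile(r'"([^"]+\.exe)"', re.I)
TEMP_DIR = "\\appdata\\local\\temp\\"


def norm(path: str) -> str:
    """Lower-case and collapse doubled backslashes so Temp\\\\x.exe equals Temp\\x.exe."""
    p = path.lower()
    while "\\\\" in p:
        p = p.replace("\\\\", "\\")
    return p


def in_temp(path: str) -> bool:
    return TEMP_DIR in norm(path)


def check_ping_delay(ev: ProcEvent):
    """cmd.exe sleeping via 'ping 127.0.0.1 -n N' (about N-1 seconds) before running a Temp executable."""
    if not ev.image.lower().endswith("cmd.exe"):
        return None
    m = PING_CHAIN.search(ev.cmdline)
    if m and in_temp(m.group(2)):
        return (f"pid {ev.pid}: ping -n {m.group(1)} delay (~{int(m.group(1)) - 1}s) "
                f"then launches {norm(m.group(2))}")
    return None


def check_self_replace(ev: ProcEvent):
    """A Temp-resident executable handed the path of a different executable: the hand-off
    behind the 'Deletes itself' signature (the dropped copy removes the original)."""
    if not in_temp(ev.image):
        return None
    for arg in QUOTED_EXE.findall(ev.cmdline):
        if norm(arg) != norm(ev.image):
            return f"pid {ev.pid}: dropped {norm(ev.image)} receives path of {norm(arg)}"
    return None


def check_dll_export(ev: ProcEvent):
    """Loader invoked with '<dll>,<Export>' for a DLL that does not live under \\Windows."""
    m = DLL_EXPORT.search(ev.cmdline)
    if not m:
        return None
    dll = m.group(1) or m.group(2)
    if "\\windows\\" in norm(dll):
        return None
    return f"pid {ev.pid}: {norm(ev.image)} loads {norm(dll)} via export {m.group(3)}"


def analyse(events):
    findings = []
    for ev in events:
        for check in (check_ping_delay, check_self_replace, check_dll_export):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


def lineage(events, pid: int):
    """Image basenames from the root of the tree down to pid."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid].ppid
    return list(reversed(chain))


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
    print(" -> ".join(lineage(EVENTS, 5112)))
```

The three checks are deliberately narrow: `check_ping_delay` requires the loopback ping to be chained with `&` into an executable under the user's Temp directory, which is what separates this sleep idiom from an administrator's genuine connectivity test, and `check_dll_export` ignores DLLs under `\Windows` so ordinary `rundll32 shell32.dll,...` usage does not fire. The lineage helper reproduces the four-process chain shown above, which is the context an analyst wants attached to any of these hits.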

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\drnti\ipntbund.exe

    Filesize

    60KB

    MD5

    889b99c52a60dd49227c5e485a016679

    SHA1

    8fa889e456aa646a4d0a4349977430ce5fa5e2d7

    SHA256

    6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

    SHA512

    08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

  • C:\Users\Admin\AppData\Local\Temp\jiunb.exe

    Filesize

    157KB

    MD5

    6626d5cd12dc9057b201e4c1e413b565

    SHA1

    3866587a95f5f60620a8bb1b00ef7351562f664b

    SHA256

    01dea3adddccb2bc3e7ddd28493d87646e24b2c2aa2a51c472f6f7d8bd30be12

    SHA512

    a2c592566996063cee98f66e8dd1eed6e5fa2890e0dc8e954f8ceb5112c1d5fc42482012fe72fe981d0b1bf53e505fc916d7f6f2a74fde44378f967458ab6dab

  • \??\c:\Program Files\drnti\ipntbund.dll

    Filesize

    128KB

    MD5

    6219e3847624db3b93380dcc486529d5

    SHA1

    a22f4142b70d16526dcf99d0319a5d53cb46bf53

    SHA256

    77ff8338dd4a01e86deea3833c9f5d6ec6ca8b695bbb7ef5fba39645e67bbc37

    SHA512

    aac68aa95f75d41325725e8c0c5c68f4a2d5d66edf8827706ee6d4acd81156a212fc804cf757aac785787d37d14764a1e7b7933abf97c1cd6faa5f0f9d831d90

  • memory/2328-10-0x0000000000400000-0x000000000042F036-memory.dmp

    Filesize

    188KB

  • memory/2544-0-0x0000000000400000-0x000000000042F036-memory.dmp

    Filesize

    188KB

  • memory/2544-2-0x0000000000400000-0x000000000042F036-memory.dmp

    Filesize

    188KB

  • memory/5112-15-0x0000000010000000-0x0000000010048000-memory.dmp

    Filesize

    288KB

  • memory/5112-16-0x0000000010000000-0x0000000010048000-memory.dmp

    Filesize

    288KB

  • memory/5112-18-0x0000000010000000-0x0000000010048000-memory.dmp

    Filesize

    288KB

  • memory/5112-21-0x0000000010000000-0x0000000010048000-memory.dmp

    Filesize

    288KB