Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2024 13:29
Static task
static1
Behavioral task
behavioral1
Sample
69ed0a6930743edce0be39f74004f5879f884900bed231552a2cea310889bbef.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
69ed0a6930743edce0be39f74004f5879f884900bed231552a2cea310889bbef.exe
Resource
win10v2004-20241007-en
General
-
Target
69ed0a6930743edce0be39f74004f5879f884900bed231552a2cea310889bbef.exe
-
Size
203KB
-
MD5
5a73b24fdd56e4c1d85633b1af8599b0
-
SHA1
09ad363d090775231d8d60481ff2a873e70c5f53
-
SHA256
69ed0a6930743edce0be39f74004f5879f884900bed231552a2cea310889bbef
-
SHA512
09019becf8e0ee6d4c1e1b7bff114658b1d61074624ad36542c9f5374f2ab22addd577cf7afaee8d8764c843d78b1954248380a2fcfd0aa98bb3c684447dbacd
-
SSDEEP
3072:fP5gvNVLIfHQja1RfmLQADwSKkhU+tLgT5lODbiC8r1PkT:X2vnSwjaOcADw9cUeCOf
Malware Config
Signatures
-
Deletes itself 1 IoCs
Processes:
bzcnmjk.exepid Process 3932 bzcnmjk.exe -
Executes dropped EXE 2 IoCs
Processes:
bzcnmjk.execlaslc.exepid Process 3932 bzcnmjk.exe 4248 claslc.exe -
Loads dropped DLL 1 IoCs
Processes:
claslc.exepid Process 4248 claslc.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
claslc.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Depend = "c:\\Program Files\\sejzgqxc\\claslc.exe \"c:\\Program Files\\sejzgqxc\\claslc.dll\",Compliance" claslc.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
claslc.exedescription ioc Process File opened (read-only) \??\w: claslc.exe File opened (read-only) \??\a: claslc.exe File opened (read-only) \??\i: claslc.exe File opened (read-only) \??\j: claslc.exe File opened (read-only) \??\q: claslc.exe File opened (read-only) \??\s: claslc.exe File opened (read-only) \??\l: claslc.exe File opened (read-only) \??\p: claslc.exe File opened (read-only) \??\v: claslc.exe File opened (read-only) \??\y: claslc.exe File opened (read-only) \??\b: claslc.exe File opened (read-only) \??\h: claslc.exe File opened (read-only) \??\k: claslc.exe File opened (read-only) \??\m: claslc.exe File opened (read-only) \??\o: claslc.exe File opened (read-only) \??\u: claslc.exe File opened (read-only) \??\x: claslc.exe File opened (read-only) \??\z: claslc.exe File opened (read-only) \??\e: claslc.exe File opened (read-only) \??\g: claslc.exe File opened (read-only) \??\n: claslc.exe File opened (read-only) \??\r: claslc.exe File opened (read-only) \??\t: claslc.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
claslc.exedescription ioc Process File opened for modification \??\PHYSICALDRIVE0 claslc.exe -
Drops file in Program Files directory 4 IoCs
Processes:
bzcnmjk.exedescription ioc Process File opened for modification \??\c:\Program Files\sejzgqxc\claslc.exe bzcnmjk.exe File opened for modification \??\c:\Program Files\sejzgqxc bzcnmjk.exe File created \??\c:\Program Files\sejzgqxc\claslc.dll bzcnmjk.exe File created \??\c:\Program Files\sejzgqxc\claslc.exe bzcnmjk.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
cmd.exePING.EXEbzcnmjk.execlaslc.exe69ed0a6930743edce0be39f74004f5879f884900bed231552a2cea310889bbef.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bzcnmjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language claslc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 69ed0a6930743edce0be39f74004f5879f884900bed231552a2cea310889bbef.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
cmd.exePING.EXEpid Process 2056 cmd.exe 3968 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
claslc.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 claslc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString claslc.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
claslc.exepid Process 4248 claslc.exe 4248 claslc.exe 4248 claslc.exe 4248 claslc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
claslc.exedescription pid Process Token: SeDebugPrivilege 4248 claslc.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
69ed0a6930743edce0be39f74004f5879f884900bed231552a2cea310889bbef.exebzcnmjk.exepid Process 3372 69ed0a6930743edce0be39f74004f5879f884900bed231552a2cea310889bbef.exe 3932 bzcnmjk.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
69ed0a6930743edce0be39f74004f5879f884900bed231552a2cea310889bbef.execmd.exebzcnmjk.exedescription pid Process procid_target PID 3372 wrote to memory of 2056 3372 69ed0a6930743edce0be39f74004f5879f884900bed231552a2cea310889bbef.exe 85 PID 3372 wrote to memory of 2056 3372 69ed0a6930743edce0be39f74004f5879f884900bed231552a2cea310889bbef.exe 85 PID 3372 wrote to memory of 2056 3372 69ed0a6930743edce0be39f74004f5879f884900bed231552a2cea310889bbef.exe 85 PID 2056 wrote to memory of 3968 2056 cmd.exe 88 PID 2056 wrote to memory of 3968 2056 cmd.exe 88 PID 2056 wrote to memory of 3968 2056 cmd.exe 88 PID 2056 wrote to memory of 3932 2056 cmd.exe 89 PID 2056 wrote to memory of 3932 2056 cmd.exe 89 PID 2056 wrote to memory of 3932 2056 cmd.exe 89 PID 3932 wrote to memory of 4248 3932 bzcnmjk.exe 91 PID 3932 wrote to memory of 4248 3932 bzcnmjk.exe 91 PID 3932 wrote to memory of 4248 3932 bzcnmjk.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\69ed0a6930743edce0be39f74004f5879f884900bed231552a2cea310889bbef.exe"C:\Users\Admin\AppData\Local\Temp\69ed0a6930743edce0be39f74004f5879f884900bed231552a2cea310889bbef.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\bzcnmjk.exe "C:\Users\Admin\AppData\Local\Temp\69ed0a6930743edce0be39f74004f5879f884900bed231552a2cea310889bbef.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3968
-
-
C:\Users\Admin\AppData\Local\Temp\bzcnmjk.exeC:\Users\Admin\AppData\Local\Temp\\bzcnmjk.exe "C:\Users\Admin\AppData\Local\Temp\69ed0a6930743edce0be39f74004f5879f884900bed231552a2cea310889bbef.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\Program Files\sejzgqxc\claslc.exe"c:\Program Files\sejzgqxc\claslc.exe" "c:\Program Files\sejzgqxc\claslc.dll",Compliance C:\Users\Admin\AppData\Local\Temp\bzcnmjk.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4248
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD5889b99c52a60dd49227c5e485a016679
SHA18fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA2566cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA51208933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
-
Filesize
203KB
MD5f7af38afec05506f06755ef0acc87541
SHA1f58f9024dcac215304b753c875b84e65bdab656d
SHA256d68f36ec4802a40b136cb903bb8637ab5930188d44dc412c3c4ea45add197f52
SHA51256f6ebebca6fd15007bd807e7a22206ac9b8772ccf01463f6dbe24f9232335f80b5060694cdf7da069387dcd5a6206b80c84214aeb5b8f0718bcd256c47a3251
-
Filesize
141KB
MD5bdd2a893eeb1a044474436240d6721fe
SHA11ef6c55ee753f53ceefc1f43f9b72abcee7ad9c2
SHA25648d203684c4f16012af94e09b6f2a4b77674e9ab7b254f05beeff5489719caea
SHA5128333ddda16206b5496164f02f36a5f075a28a5de0185cb2f8988ac351b2ee19eb49ab5944a91e912305e4dd7142cb017cdadb687e5685b879e0f62675b10b114